execve_exploit

by saaramar

saaramar / execve_exploit

Hardcore corruption of my execve() vulnerability in WSL

203 Stars 40 Forks Last release: Not found 6 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

execve_exploit

This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.

A detailed explanation of the vulnerability and exploit was presented at Bluehat IL 2018. Slides are in the repo, video here

The patch available here

Notes:

  1. All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
  2. To allocate large chunks of memory, the exploit calls fcntl(FSETPIPESZ), setting the limit to a fairly large size. This requires root privileges in the context of WSL (which is still low-privileged in Windows). The same exploit would work from a low-privileged user in WSL context if you replace this with a different way to allocate similarly sized chunks. It shouldn’t be too hard and is left as an exercise to the reader :)

alt text

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.