This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.
A detailed explanation of the vulnerability and exploit was presented at Bluehat IL 2018. Slides are in the repo, video here
The patch available here
- All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
- To allocate large chunks of memory, the exploit calls fcntl(F_SETPIPE_SZ), setting the limit to a fairly large size. This requires root privileges in the context of WSL (which is still low-privileged in Windows). The same exploit would work from a low-privileged user in WSL context if you replace this with a different way to allocate similarly sized chunks. It shouldn’t be too hard and is left as an exercise to the reader :)