Hardcore corruption of my execve() vulnerability in WSL

saaramar/execve_exploit

execve_exploit

This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.

A detailed explanation of the vulnerability and exploit was presented at BlueHat IL 2018. Slides are in the repo; the video is here.

The patch is available here.

Notes:

  1. All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
  2. To allocate large chunks of memory, the exploit calls fcntl(F_SETPIPE_SZ), setting the limit to a fairly large size. This requires root privileges in the context of WSL (which is still low-privileged in Windows). The same exploit would work from a low-privileged user in WSL context if you replace this with a different way to allocate similarly sized chunks. It shouldn’t be too hard and is left as an exercise to the reader :)
