djrbliss/rose-exploit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
master
Could not load branches
Nothing to show
Could not load tags
Nothing to show
{{ refName }}
default
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code
-
Clone
Use Git or checkout with SVN using the web URL.
Work fast with our official CLI. Learn more about the CLI.
- Open with GitHub Desktop
- Download ZIP
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
******************************** * ROSE remote kernel exploit * * by Dan Rosenberg (@djrbliss) * ******************************** This is an exploit for CVE-2011-1493, a remote stack overflow in the Linux implementation of the ROSE amateur radio protocol. THIS IS PROOF OF CONCEPT. It should work very reliably on the kernel I tested (Ubuntu Server 10.04), but I make no promises about other kernels. Obviously, any hard-coded addresses and offsets (in payload.h) must be adjusted for the targeted kernel. Before running this, you'll need the ax25-tools package and the kernel headers for the attacker machine's kernel. The directory structure and instructions are as follows: module/ The actual exploit, included as a modification to the original ROSE kernel module. This should be built against the attack machine's kernel by running: $ make -C /lib/modules/$(uname -r)/build SUBDIRS=$PWD modules This will work out of the box on some kernels. If this fails to compile against your kernel, download the appropriate ROSE kernel module for your kernel and make the following modifications: 1. Add an #include "payload.h" in rose_subr.c. 2. Copy-paste the rose_create_facilities() function from the included module into the new rose_subr.c. 3. Copy the .S assembly files, payload.c, and payload.h into the new directory. 4. Copy the Makefile into the new directory. At this point, the module should build against your kernel, resulting in a rose.ko file. conf/ Configuration files necessary for setting up a ROSE stack. Extract server-conf.tar.gz to the root directory of the victim machine (as root), and extract client-conf.tar.gz to the root directory of the attacker machine (as root). scripts/ Scripts to configure and enable the ROSE stacks. Before using the client script, edit it and replace the path to the ROSE kernel module with the full path of the recently compiled exploit module (rose.ko). When you are ready to run the exploit, run ./rose_server.sh as root on the victim machine, and ./rose_client.sh as root on the attacker machine. Next, to run the exploit and install a kernel-mode ICMP backdoor into the victim machine, run the following: $ rose_call rose ELITE-1 LOSER-1 6060606060 This will place a ROSE connection from the attacker to the victim. This connection will hang, so you'll need to ctrl+c the rose_call command. icmp/ The code for installing and triggering payloads using the ICMP backdoor. First, compile magicping.c: $ gcc magicping.c -o magicping This tool must be run as root or with CAP_NET_RAW (in order to open a raw socket for our ICMP packets). One sample payload is provided: connect.S, a standard connect-back shellcode. Also included is a calibrate.py script, which will allow you to easily modify connect.S to point to your IP and port. The payload can be prepared as follows: $ as connect.S -o connect.out $ objcopy -O binary -j .text connect.out connect.o The payload can then be installed on the remote kernel as follows: $ ./magicping -i connect.o [remote ip] This payload can be triggered by hooking a system call of choice as follows: $ ./magicping -t [syscall number] [remote ip]
About
Remote kernel exploit for ROSE amateur radio
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published