
cve-2014-0038's Introduction

Local root exploit for CVE-2014-0038

Bug:

The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace.

Exploit primitive:

Pass a pointer to a kernel address as the timeout for recvmmsg; if the original byte at that address is known, it can be overwritten with known data. If the least significant byte is 0xff, waiting 255 seconds turns it into 0x00.

Restrictions:

The first long at the passed address (tv_sec) has to be positive and the second long (tv_nsec) has to be smaller than 1000000000.

Overview:

Target the release function pointer of the ptmx_fops structure, which lives in uninitialized (and thus writable) kernel memory. Zero out its three most significant bytes, turning it into a pointer to an address that can be mapped in user space. The release pointer is chosen because it is followed by sixteen 0x00 bytes (so tv_nsec is valid). Open /dev/ptmx, close it and enjoy.

Not very beautiful, but it should be fairly reliable if the symbols can be resolved.

Tested on Ubuntu 13.10

See also http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
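As an added defensive example (not code from this repository or its author): a widely used hardening measure against this class of bug is a seccomp-BPF filter that refuses any syscall entered through the x32 ABI, identified by the 0x40000000 bit in the syscall number, which is the path through which the unsanitized recvmmsg is reached. It assumes an x86_64 Linux host with seccomp filter support; the policy is also exposed as a pure function so it can be tested without being installed.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>

/* x32 syscalls are x86_64 syscall numbers with this bit set (__X32_SYSCALL_BIT). */
#define X32_SYSCALL_BIT 0x40000000u

/* Policy as a pure function, so it can be unit-tested without installing it:
 * returns 1 if a syscall (arch, nr) is denied, 0 if it is allowed. */
int is_denied_syscall(unsigned int arch, unsigned int nr)
{
    if (arch != AUDIT_ARCH_X86_64)      /* not a native x86_64 syscall */
        return 1;
    return (nr & X32_SYSCALL_BIT) != 0; /* x32 ABI entry, e.g. x32 recvmmsg */
}

/* Installs the same policy as a seccomp-BPF filter: any syscall that is not
 * native x86_64 kills the thread. Returns 0 on success, -errno on failure. */
int install_no_x32_filter(void)
{
    struct sock_filter filter[] = {
        /* A = seccomp_data.arch; if A != x86_64 goto kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* A = seccomp_data.nr; if (A & X32_SYSCALL_BIT) goto kill, else allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_SYSCALL_BIT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(filter) / sizeof(filter[0])), filter };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter safely. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    if (install_no_x32_filter() != 0) { perror("seccomp"); return 1; }
    puts("x32 ABI blocked; native syscalls (like this write) still work");
    return 0;
}
```

Once installed, the filter is inherited by children, so a service started under it cannot reach the x32 entry points at all, whatever its privileges.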

Run:

Retrieve addresses from /proc/kallsyms and run the exploit:

./build.sh && ./timeoutpwn

If you would like to build the binary for a remote server, try this:

ssh user@host 'cat /proc/kallsyms' > syms.txt
CFLAGS=-static ./build.sh syms.txt
scp timeoutpwn user@host:
...

If ptmx_fops cannot be found in kallsyms, try extracting it from the vmlinux image provided with the headers package (linux-headers on Arch Linux):

nm /lib/modules/$(uname -r)/build/vmlinux > syms.txt

cve-2014-0038's People

Contributors

jvazquez-r7, lekensteyn


cve-2014-0038's Issues

Doesn't work on Arch Linux

uname -a output:

Linux heater 3.12.9-2-ARCH #1 SMP PREEMPT Fri Jan 31 10:22:54 CET 2014 x86_64 GNU/Linux

Output from running the exploit:

preparing payload buffer...
changing kernel pointer to point into controlled buffer...
clearing byte at 0xffffffff81fb312f
address can't be written to, not a valid timespec struct
waiting 255 seconds...
0s/255s
...

What versions of Linux is this supposed to work on? It did the same thing on CentOS 2.6.32-431.1.2.0.1.el6.x86_64.

error while compiling

./build.sh
ptmx_fops: address not found

What should I do next to fix it? Can you tell me?

It doesn't work on Ubuntu x64 OS (3.8.0-44)

Samuel,

On Ubuntu 3.8.0-44, after building, when running ./timeoutpwn the error "address can't be written to, not a valid timespec struct" is printed.

However, I tried the same steps on 3.8.0-29 and it works perfectly. It is also OK on kernel version 3.8.0.

Thanks.

issues in compiling

Tried to compile it with gcc but I got this:
In file included from p.c:41:0:
/usr/include/sys/syscall.h:1:1: erreur: caractère ' de terminaison manquant
I've now applied this patch which makes the bits/syscall.h generation work
^
/usr/include/sys/syscall.h:1:1: erreur: unknown type name ‘I’
/usr/include/sys/syscall.h:2:6: erreur: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘the’
with the generic support for triarch (etc.) header generation, replacing
^
/usr/include/sys/syscall.h:2:6: erreur: unknown type name ‘the’
/usr/include/sys/syscall.h:4:47: erreur: unknown type name ‘we’
MIPSspecific sys/syscall.h, are also removed; we now require Linux 2.6 or
^
/usr/include/sys/syscall.h:4:54: erreur: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘require’
MIPSspecific sys/syscall.h, are also removed; we now require Linux 2.6 or
^
/usr/include/sys/syscall.h:4:54: erreur: unknown type name ‘require’
/usr/include/sys/syscall.h:9:7: erreur: suffixe « bed..8e60fb2 » invalide pour une constante entière
index 2779bed..8e60fb2 100644
^
/usr/include/sys/syscall.h:12:1: erreur: stray ‘@’ in program
@@ 1,5 +1,19 @@
^
/usr/include/sys/syscall.h:12:2: erreur: stray ‘@’ in program
@@ 1,5 +1,19 @@
^
/usr/include/sys/syscall.h:12:14: erreur: stray ‘@’ in program
@@ 1,5 +1,19 @@
^
/usr/include/sys/syscall.h:12:15: erreur: stray ‘@’ in program
@@ 1,5 +1,19 @@
^
/usr/include/sys/syscall.h:13:33: erreur: stray ‘@’ in program
20111222 Joseph Myers [email protected]
^
/usr/include/sys/syscall.h:22:1: erreur: caractère ' de terminaison manquant

* sysdeps/unix/sysv/linux/mips/configure.in: Don't generate
^
/usr/include/sys/syscall.h:27:33: erreur: stray ‘@’ in program
+20111222 Joseph Myers [email protected]
^
/usr/include/sys/syscall.h:29:7: erreur: stray ‘#’ in program
[BZ #13538]
^
/usr/include/sys/syscall.h:36:1: erreur: stray ‘@’ in program
@@ 7,124 +7,14 @@ sysdep_routines += cachectl cacheflush sysmips _test_and_set
^
/usr/include/sys/syscall.h:36:2: erreur: stray ‘@’ in program
@@ 7,124 +7,14 @@ sysdep_routines += cachectl cacheflush sysmips _test_and_set
^
/usr/include/sys/syscall.h:36:16: erreur: stray ‘@’ in program
@@ 7,124 +7,14 @@ sysdep_routines += cachectl cacheflush sysmips _test_and_set
^
/usr/include/sys/syscall.h:36:17: erreur: stray ‘@’ in program
@@ 7,124 +7,14 @@ sysdep_routines += cachectl cacheflush sysmips _test_and_set
^
/usr/include/sys/syscall.h:107:27: erreur fatale: linux/types.h : No such file or directory
#include <linux/types.h>
^
