n4sm/main.c

## main.c
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/fs.h>
#include <linux/miscdevice.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("n4sm");
MODULE_VERSION("1.3.3.7");
MODULE_DESCRIPTION("LKM Buffer Overflow");

#define VULN_NAME "vuln1"
#define LEN_MAX 16
#define LEN_WRITE 72+19*8
#define WRITE_IOCTL 1337

typedef struct write_buf {
  unsigned long length;
  unsigned char *rbuf;
} wr_struct;

static int vuln1_open(struct inode *inode, struct file *file);
static int vuln1_release(struct inode *inode, struct file *file);
static ssize_t vuln1_write(struct file *file, const char __user *buf, size_t user_count, loff_t *offt);
static long vuln1_ioctl(struct file *file, unsigned int cmd, unsigned long argp);

static const struct file_operations f_op = {
  .owner = THIS_MODULE,
  .open = vuln1_open,
  .release = vuln1_release,
  .write = vuln1_write,
  .unlocked_ioctl = vuln1_ioctl
};

static struct miscdevice device = {
  .minor = MISC_DYNAMIC_MINOR,
  .name = VULN_NAME,
  .fops = &f_op,
  .mode = 0666
};

static ssize_t vuln1_write(struct file *file, const char __user *buf, size_t user_count, loff_t *offt) {

  ssize_t i;
  unsigned char k_buf[LEN_MAX] = {0};

  wr_struct *argp = (wr_struct *)buf;

  if (argp->length > LEN_MAX) {
    printk(KERN_INFO "[OVERFLOW DETECTED]\n");
    return -1;
  }

  argp = NULL;

  for (i = 0x0; i < (unsigned long)argp->length; i++) {
    printk(KERN_INFO "%lx -> [%x] %x", (unsigned long)(k_buf+i), argp->rbuf[i], k_buf[i]);
    k_buf[i] = argp->rbuf[i]; //
  }

  return 0;
}

static int vuln1_open(struct inode *inode, struct file *file) {
  printk(KERN_INFO "[Open]\n");
  return 0;
}

static int vuln1_release(struct inode *inode, struct file *file) {
  printk(KERN_INFO "[Release]\n");
  return 0;
}

static long vuln1_ioctl(struct file *file, unsigned int cmd, unsigned long argp) {

  switch (cmd) {
    default:
      return -EINVAL;
  }

  return 0;
}

static int __init vuln1_init(void) {
  int err;

  err = misc_register(&device);
  if (err < 0) {
    printk(KERN_ALERT "vuln1: Init Error\n");
    return err;
  }

  printk(KERN_INFO "vuln1: Init\n");
  return 0;
}

static void __exit vuln1_exit(void) {
  misc_deregister(&device);

  printk(KERN_INFO "vuln1: Exit\n");
}

module_init(vuln1_init);
module_exit(vuln1_exit);

/*

Makefile:

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

obj-m    := main.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

OBJF := main.ko
EXP := exploit

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules EXTRA_CFLAGS="-fno-stack-protector -g"

mreload:
	rmmod $(OBJF) && insmod $(OBJF) && gcc $(EXP).c -no-pie -g -o $(EXP) && ./$(EXP)

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

*/
	#include <linux/init.h>
	#include <linux/module.h>
	#include <linux/kernel.h>
	#include <linux/vmalloc.h>
	#include <linux/slab.h>
	#include <linux/uaccess.h>
	#include <linux/fs.h>
	#include <linux/miscdevice.h>

	MODULE_LICENSE("GPL");
	MODULE_AUTHOR("n4sm");
	MODULE_VERSION("1.3.3.7");
	MODULE_DESCRIPTION("LKM Buffer Overflow");

	#define VULN_NAME "vuln1"
	#define LEN_MAX 16
	#define LEN_WRITE 72+19*8
	#define WRITE_IOCTL 1337

	typedef struct write_buf {
	unsigned long length;
	unsigned char *rbuf;
	} wr_struct;

	static int vuln1_open(struct inode inode, struct file file);
	static int vuln1_release(struct inode inode, struct file file);
	static ssize_t vuln1_write(struct file file, const char __user buf, size_t user_count, loff_t *offt);
	static long vuln1_ioctl(struct file *file, unsigned int cmd, unsigned long argp);

	static const struct file_operations f_op = {
	.owner = THIS_MODULE,
	.open = vuln1_open,
	.release = vuln1_release,
	.write = vuln1_write,
	.unlocked_ioctl = vuln1_ioctl
	};

	static struct miscdevice device = {
	.minor = MISC_DYNAMIC_MINOR,
	.name = VULN_NAME,
	.fops = &f_op,
	.mode = 0666
	};

	static ssize_t vuln1_write(struct file file, const char __user buf, size_t user_count, loff_t *offt) {

	ssize_t i;
	unsigned char k_buf[LEN_MAX] = {0};

	wr_struct argp = (wr_struct )buf;

	if (argp->length > LEN_MAX) {
	printk(KERN_INFO "[OVERFLOW DETECTED]\n");
	return -1;
	}

	argp = NULL;

	for (i = 0x0; i < (unsigned long)argp->length; i++) {
	printk(KERN_INFO "%lx -> [%x] %x", (unsigned long)(k_buf+i), argp->rbuf[i], k_buf[i]);
	k_buf[i] = argp->rbuf[i]; //
	}

	return 0;
	}

	static int vuln1_open(struct inode inode, struct file file) {
	printk(KERN_INFO "[Open]\n");
	return 0;
	}

	static int vuln1_release(struct inode inode, struct file file) {
	printk(KERN_INFO "[Release]\n");
	return 0;
	}

	static long vuln1_ioctl(struct file *file, unsigned int cmd, unsigned long argp) {

	switch (cmd) {
	default:
	return -EINVAL;
	}

	return 0;
	}

	static int __init vuln1_init(void) {
	int err;

	err = misc_register(&device);
	if (err < 0) {
	printk(KERN_ALERT "vuln1: Init Error\n");
	return err;
	}

	printk(KERN_INFO "vuln1: Init\n");
	return 0;
	}

	static void __exit vuln1_exit(void) {
	misc_deregister(&device);

	printk(KERN_INFO "vuln1: Exit\n");
	}

	module_init(vuln1_init);
	module_exit(vuln1_exit);

	/*

	Makefile:

	#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

	obj-m := main.o

	KDIR := /lib/modules/$(shell uname -r)/build
	PWD := $(shell pwd)

	OBJF := main.ko
	EXP := exploit

	default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules EXTRA_CFLAGS="-fno-stack-protector -g"

	mreload:
	rmmod $(OBJF) && insmod $(OBJF) && gcc $(EXP).c -no-pie -g -o $(EXP) && ./$(EXP)

	#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

	*/