@n4sm
Created July 11, 2020 13:09
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/fs.h>
#include <linux/miscdevice.h>
/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("n4sm");
MODULE_VERSION("1.3.3.7");
MODULE_DESCRIPTION("LKM Buffer Overflow");
/* Name given to the misc device registered by this module. */
#define VULN_NAME "vuln1"
/* Size of the stack buffer in vuln1_write and the limit its length check uses. */
#define LEN_MAX 16
/*
 * Not referenced anywhere in this file.
 * NOTE(review): the expansion is unparenthesized, so it would bind wrongly
 * inside a larger expression (e.g. LEN_WRITE * 2); wrap it in parentheses
 * if it is ever used that way.
 */
#define LEN_WRITE 72+19*8
/* Not referenced in this file: vuln1_ioctl has no case for it. */
#define WRITE_IOCTL 1337
/*
 * Request layout that vuln1_write reads through the pointer it receives
 * as the write() buffer.
 */
typedef struct write_buf {
    /* Byte count; vuln1_write compares it against LEN_MAX. */
    unsigned long length;
    /*
     * Source bytes for the copy.
     * NOTE(review): presumably a userspace address, yet it carries no
     * __user annotation, so sparse cannot flag direct dereferences of it.
     */
    unsigned char *rbuf;
} wr_struct;
/*
 * Forward declarations: the file_operations table below refers to these
 * handlers before their definitions appear.
 */
static int vuln1_open(struct inode *inode, struct file *file);
static int vuln1_release(struct inode *inode, struct file *file);
static ssize_t vuln1_write(struct file *file, const char __user *buf, size_t user_count, loff_t *offt);
static long vuln1_ioctl(struct file *file, unsigned int cmd, unsigned long argp);
/*
 * Handler table for the device. Only open, release, write and
 * unlocked_ioctl are wired up; no read handler is provided.
 */
static const struct file_operations f_op = {
    .owner = THIS_MODULE,
    .open = vuln1_open,
    .release = vuln1_release,
    .write = vuln1_write,
    .unlocked_ioctl = vuln1_ioctl
};
/* Misc device descriptor handed to misc_register()/misc_deregister(). */
static struct miscdevice device = {
    /* Let the misc subsystem pick the minor number. */
    .minor = MISC_DYNAMIC_MINOR,
    .name = VULN_NAME,
    .fops = &f_op,
    /*
     * 0666: the node is readable and writable by every local user, so the
     * write handler is reachable without any privilege. A driver that is
     * not a lab target would normally restrict this (e.g. 0600).
     */
    .mode = 0666
};
/*
 * write() handler for the misc device.
 *
 * Treats buf as a pointer to a wr_struct and copies argp->length bytes from
 * argp->rbuf into a 16-byte (LEN_MAX) stack buffer, logging every byte.
 * user_count and offt are never read. Returns 0 after the loop, or a raw -1
 * (not a named errno constant) when the first length check fails.
 *
 * NOTE(review): given the module description ("LKM Buffer Overflow") the
 * flaws annotated below are presumably deliberate. For comparison, the safe
 * pattern is: copy the wr_struct once into kernel memory with
 * copy_from_user(), validate the length of that kernel copy, then fetch the
 * payload with a second copy_from_user() bounded by the validated length.
 */
static ssize_t vuln1_write(struct file *file, const char __user *buf, size_t user_count, loff_t *offt) {
    ssize_t i;
    unsigned char k_buf[LEN_MAX] = {0};
    /* The cast discards __user; every access through argp below is a direct
     * dereference of a caller-supplied address with no access check. */
    wr_struct *argp = (wr_struct *)buf;
    /* Only this read of length is compared against LEN_MAX. */
    if (argp->length > LEN_MAX) {
        printk(KERN_INFO "[OVERFLOW DETECTED]\n");
        return -1;
    }
    /* argp is cleared here, so the loop condition and body below dereference
     * a NULL pointer: the bound used for the copy is not the value that was
     * validated above, and nothing ties i to the size of k_buf. */
    argp = NULL;
    /* i is signed (ssize_t) and is converted to unsigned long for the compare. */
    for (i = 0x0; i < (unsigned long)argp->length; i++) {
        /* Logs the raw kernel stack address of each k_buf slot via %lx; this
         * discloses kernel addresses to anyone who can read the log. The
         * format string also has no trailing newline. */
        printk(KERN_INFO "%lx -> [%x] %x", (unsigned long)(k_buf+i), argp->rbuf[i], k_buf[i]);
        k_buf[i] = argp->rbuf[i]; // unchecked byte store into the stack buffer
    }
    /* Reports zero bytes written to the caller regardless of how many were copied. */
    return 0;
}
/*
 * open() handler: records the open in the kernel log and always succeeds.
 * Neither argument is used and no per-file state is set up.
 */
static int vuln1_open(struct inode *inode, struct file *file)
{
    printk(KERN_INFO "[Open]\n");

    return 0;
}
/*
 * release() handler: records the close in the kernel log and always
 * succeeds. Neither argument is used; there is nothing to tear down.
 */
static int vuln1_release(struct inode *inode, struct file *file)
{
    printk(KERN_INFO "[Release]\n");

    return 0;
}
/*
 * unlocked_ioctl handler. No command is implemented: every cmd value is
 * rejected with -EINVAL and file/argp are never read.
 */
static long vuln1_ioctl(struct file *file, unsigned int cmd, unsigned long argp)
{
    /* The dispatch has a single catch-all outcome, so return it directly. */
    return -EINVAL;
}
/*
 * Module load entry point: registers the misc device.
 *
 * Returns 0 on success. When misc_register() reports a negative value, logs
 * an alert and hands that value back to the caller unchanged.
 */
static int __init vuln1_init(void)
{
    const int rc = misc_register(&device);

    if (rc >= 0) {
        printk(KERN_INFO "vuln1: Init\n");
        return 0;
    }

    printk(KERN_ALERT "vuln1: Init Error\n");
    return rc;
}
/*
 * Module unload entry point: removes the misc device first, then logs
 * that the module has exited.
 */
static void __exit vuln1_exit(void)
{
    misc_deregister(&device);

    printk(KERN_INFO "vuln1: Exit\n");
}
/* Declare vuln1_init and vuln1_exit as the module's load and unload hooks. */
module_init(vuln1_init);
module_exit(vuln1_exit);
/*
Makefile:
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
obj-m := main.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
OBJF := main.ko
EXP := exploit
default:
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules EXTRA_CFLAGS="-fno-stack-protector -g"
mreload:
rmmod $(OBJF) && insmod $(OBJF) && gcc $(EXP).c -no-pie -g -o $(EXP) && ./$(EXP)
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
*/