-
Notifications
You must be signed in to change notification settings - Fork 34
/
Copy pathdrv.c
90 lines (74 loc) · 2.09 KB
/
drv.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
/**
* Vulnerable kernel driver
*
* This module is vulnerable to OOB access and allows arbitrary code
* execution.
* An arbitrary offset can be passed from user space via the provided ioctl().
* This offset is then used as an index for the 'ops' array to obtain the
* function address to be executed.
*
*
* Full article: https://cyseclabs.com/page?n=17012016
*
* Author: Vitaly Nikolenko
* Email: [email protected]
**/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/device.h>
#include "drv.h"
#define DEVICE_NAME "vulndrv"
#define DEVICE_PATH "/dev/vulndrv"
static int device_open(struct inode *, struct file *);
static long device_ioctl(struct file *, unsigned int, unsigned long);
static int device_release(struct inode *, struct file *f);
static struct class *class;
unsigned long *ops[3];
static int major_no;
static struct file_operations fops = {
.open = device_open,
.release = device_release,
.unlocked_ioctl = device_ioctl
};
static int device_release(struct inode *i, struct file *f) {
printk(KERN_INFO "device released!\n");
return 0;
}
static int device_open(struct inode *i, struct file *f) {
printk(KERN_INFO "device opened!\n");
return 0;
}
static long device_ioctl(struct file *file, unsigned int cmd, unsigned long args) {
struct drv_req *req;
void (*fn)(void);
switch(cmd) {
case 0:
req = (struct drv_req *)args;
printk(KERN_INFO "size = %lx\n", req->offset);
printk(KERN_INFO "fn is at %p\n", &ops[req->offset]);
fn = &ops[req->offset];
fn();
break;
default:
break;
}
return 0;
}
static int m_init(void) {
printk(KERN_INFO "addr(ops) = %p\n", &ops);
major_no = register_chrdev(0, DEVICE_NAME, &fops);
class = class_create(THIS_MODULE, DEVICE_NAME);
device_create(class, NULL, MKDEV(major_no, 0), NULL, DEVICE_NAME);
return 0;
}
static void m_exit(void) {
device_destroy(class, MKDEV(major_no, 0));
class_unregister(class);
class_destroy(class);
unregister_chrdev(major_no, DEVICE_NAME);
printk(KERN_INFO "Driver unloaded\n");
}
module_init(m_init);
module_exit(m_exit);
MODULE_LICENSE("GPL");