Section 6.2 Exploiting GhostWrite (privileged code execution - getuid)

Some setuid applications, such as su and sudo, neither fail nor ask for a password if they believe the user is already root. This is the case, for instance, when the getuid syscall returns 0 (the uid of root). This proof of concept shows that an attacker can patch the code of getuid in the Linux kernel so that the getuid syscall always returns 0 and, by extension, elevate privileges to root.

Setup

This proof of concept should be executed on a CPU vulnerable to GhostWrite. First, compile the exploit and the reader helper binary using make. We assume the attacker knows the physical address layout of the kernel. This layout does not change across reboots and is determined solely by the hardware and kernel version in use. We further assume the attacker knows the original code of the getuid function; this is only required to reset the function after a successful attack.

Since the physical layout and the code differ between boards and kernel versions, we provide a privileged way to determine these requirements. To gather this information, run physhelper.py as root. This writes the first 12 bytes of the getuid syscall code and its physical address to phys_data.py. For example:

$ sudo python3 physhelper.py
$ cat phys_data.py
get_uid_code = b'A\x11"\xe0\x06\xe4\x00\x08\x837\x02o\xccC'
get_uid_addr = 0x4042bb58

Running the Exploit

Once this is done, run the exploit Python script (python3 exploit.py). The exploit runs su once before patching sys_getuid, so you should be prompted for a password. Once a wrong password is entered or su is otherwise terminated, the exploit patches sys_getuid to always return 0. It then starts su again, which should now open a root terminal without asking for a password. Once that terminal is closed (e.g. using exit), sys_getuid is patched back to its original content. After this, the exploit executes su one last time, which should require a password again.
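A defender-side consistency check for the condition this PoC creates, added here as an example and not part of the repository: a patched sys_getuid lies to every caller, but the Uid line of /proc/self/status is rendered from the task's credential record without going through that syscall, so the two disagree while the patch is active. The function and sample names are my own.

```python
import os
import re
import sys

# Matches the "Uid:\treal\teffective\tsaved\tfilesystem" line of /proc/<pid>/status.
_UID_LINE = re.compile(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_status_uid(status_text: str) -> int:
    """Return the real UID recorded in a /proc/<pid>/status dump."""
    m = _UID_LINE.search(status_text)
    if m is None:
        raise ValueError("no Uid: line in status text")
    return int(m.group(1))


def getuid_mismatch(syscall_uid: int, status_uid: int) -> bool:
    """True when the getuid() syscall result disagrees with the credential record.

    A genuinely root process reports 0 in both places; with sys_getuid patched
    as in this PoC, the syscall returns 0 while the status file still shows
    the unprivileged UID.
    """
    return syscall_uid != status_uid


def check_self() -> bool:
    """Compare this process's getuid() with /proc/self/status; True if inconsistent."""
    with open("/proc/self/status") as f:
        status_uid = parse_status_uid(f.read())
    return getuid_mismatch(os.getuid(), status_uid)


# Constructed sample of a /proc/<pid>/status fragment for an unprivileged user
# (hypothetical values, used for the offline self-test below).
SAMPLE_STATUS = (
    "Name:\tsu\nPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)

if __name__ == "__main__":
    if check_self():
        print("ALERT: getuid() disagrees with /proc/self/status")
        sys.exit(1)
    print("ok: getuid() consistent with the credential record")
```

This only catches the case where sys_getuid alone has been patched; a modification that also alters the proc rendering path would not be flagged.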