diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64b9c7b..c746bc6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,7 +27,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), - Only run kernel exploit once by checking setuid by @JTAG7371 - ~~Restore syscall 661 (`sys_aio_submit()`) after patching by @janisslsm~~ - Was not actually restoring syscall. Used a different method/rewrote to - restore in kpatch. + restore in kpatch. (Shellcode change 4) - Shellcode from 345 bytes to 444 bytes ### Changed
@@ -39,11 +39,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), - Simplify shellcode a little bit more - No external headers - Added `-fcf-protection=none` flag to skip added "endbr64" instructions + (Shellcode change 1) - 307 bytes to 295 bytes - - Changed `restore` and `do_patch` to be inlined + - Changed `restore` and `do_patch` to be inlined (Shellcode change 2) - 307 bytes to 282 bytes - - Changed to `-03` for execution speed optimization + - Changed to `-03` for execution speed optimization (Shellcode change 3) - 282 bytes to 345 bytes + - Move kbase calc to main function (Shellcode change 5) + - 444 bytes to 418 bytes ## [1.5.1] - 2025-05-12
diff --git a/src/kpatch/700.c b/src/kpatch/700.c
index 33194fb..33300f6 100644
--- a/src/kpatch/700.c
+++ b/src/kpatch/700.c
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x112d250 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4
diff --git a/src/kpatch/750.c b/src/kpatch/750.c
index d930c27..b1416f7 100644
--- a/src/kpatch/750.c
+++ b/src/kpatch/750.c
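Review bot: The `// get kernel base` comment that the removed blocks in restore and do_patch carried was not moved along with the computation, so the two literals on the new `const u64 xfast_syscall_off = 0x1c0;` and `void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;` lines in kpatch are now unexplained at their only remaining site. I would put `// get kernel base: IA32_LSTAR (MSR 0xc0000082) holds the syscall entry, presumably at a fixed offset from the image base` above them and name the MSR, e.g. `#define MSR_LSTAR 0xc0000082`, since 750.c, 800.c, 850.c, 900.c, 903.c and 950.c repeat the same two literals in the same hunk. The subtraction also relies on the GNU extension of arithmetic on `void *`; doing it in u64 first, `void * const kbase = (void *)(rdmsr(MSR_LSTAR) - xfast_syscall_off);`, is portable and should compile to the same code. The restore definition that opens at the end of this hunk continues past it.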
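Review bot: With kbase now a parameter, the only firmware-specific value left in restore is the unnamed literal in `write64(kbase, 0x112d250 + i, sysent_661_save[i / 8]);`, and within the hunks shown it is the only line that differs between this file and 750.c, 800.c, 850.c, 900.c, 903.c and 950.c. A named constant beside the other declarations, `const u64 sysent_661_off = 0x112d250; // firmware-specific`, with the loop reading `write64(kbase, sysent_661_off + i, sysent_661_save[i / 8]);`, makes the per-firmware part of each file visible at a glance. The loop also reads six u64 values from `uap->arg5` without any check, which the declaration should state, e.g. `// arg5: presumably the 0x30-byte copy of sysent[661] saved before patching; trusted as-is`. restore begins in the previous hunk and continues past this one.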
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x1129f30 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4
diff --git a/src/kpatch/800.c b/src/kpatch/800.c
index da80795..e1ea7ad 100644
--- a/src/kpatch/800.c
+++ b/src/kpatch/800.c
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x11040c0 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4
diff --git a/src/kpatch/850.c b/src/kpatch/850.c
index 0b1d3aa..33e6657 100644
--- a/src/kpatch/850.c
+++ b/src/kpatch/850.c
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,11 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x11041b0 + i, sysent_661_save[i / 8]);
@@ -63,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4
diff --git a/src/kpatch/900.c b/src/kpatch/900.c
index 6095c14..cdaa7e1 100644
--- a/src/kpatch/900.c
+++ b/src/kpatch/900.c
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x1107f00 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4
diff --git a/src/kpatch/903.c b/src/kpatch/903.c
index 477e4a8..2eb8f59 100644
--- a/src/kpatch/903.c
+++ b/src/kpatch/903.c
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x1103f00 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4
diff --git a/src/kpatch/950.c b/src/kpatch/950.c
index 5db157d..e2e11c1 100644
--- a/src/kpatch/950.c
+++ b/src/kpatch/950.c
@@ -29,18 +29,22 @@ struct kexec_args {
 u64 arg5;
 };
-static inline void restore(struct kexec_args *uap);
-static inline void do_patch(void);
+static inline void restore(void *kbase, struct kexec_args *uap);
+static inline void do_patch(void *kbase);
 __attribute__((section (".text.start")))
 int kpatch(void *td, struct kexec_args *uap) {
- do_patch();
- restore(uap);
+ const u64 xfast_syscall_off = 0x1c0;
+ void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
+
+ do_patch(kbase);
+ restore(kbase, uap);
+ return 0;
 }
 __attribute__((always_inline))
-static inline void restore(struct kexec_args *uap) {
+static inline void restore(void *kbase, struct kexec_args *uap) {
 u8 *pipe = uap->arg1;
 u8 *pipebuf = uap->arg2;
 for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
 u64 *pktinfo_field2 = uap->arg4;
 *pktinfo_field2 = 0;
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
 u64 *sysent_661_save = uap->arg5;
 for (int i = 0; i < 0x30; i += 8) {
 write64(kbase, 0x1100ee0 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
 }
 __attribute__((always_inline))
-static inline void do_patch(void) {
- // get kernel base
- const u64 xfast_syscall_off = 0x1c0;
- void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
-
+static inline void do_patch(void *kbase) {
 disable_cr0_wp();
 // ChendoChap's patches from pOOBs4