[local exploits] - Linux Kernel 2.6.32 Local Root Exploit (x
Posted on 26 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Linux Kernel 2.6.32 Local Root Exploit (x86_64) | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Linux Kernel 2.6.32 Local Root Exploit (x86_64) by FuRty in local exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=============================================== Linux Kernel 2.6.32 Local Root Exploit (x86_64) =============================================== =============================================== Linux Kernel 2.6.32 Local Root Exploit (x86_64) =============================================== Tested on: Windows XP Exploit Tested: 2.6.32.9-rscloud #6 SMP Thu Mar 11 14:32:05 UTC 2010 x86_64 GNU/Linux # Author: FuRty # Email : fir4t@fir4t.org # Web : www.mykingdom.us # Greetz: RedGuard, Trsniper # Special Thanks : KnocKout and Inj3ct0r Team # Video : http://www.facebook.com/video/video.php?v=101428079927069 -------------------------------------------- #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> #define KSYM_NAME_LEN 127 struct sym_entry { unsigned long long addr; unsigned int len; unsigned char *sym; }; static struct sym_entry *table; static unsigned int table_size, table_cnt; static unsigned long long _text, _stext, _etext, _sinittext, _einittext, _sextratext, _eextratext; static int all_symbols = 0; static char symbol_prefix_char = '�'; int token_profit[0x10000]; /* the table that holds the result of the compression */ unsigned char best_table[256][2]; unsigned char best_table_len[256]; static void usage(void) { fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S "); exit(1); } /* * This ignores the intensely annoying "mapping symbols" found * in ARM ELF files: $a, $t and $d. */ static inline int is_arm_mapping_symbol(const char *str) { return str[0] == '$' && strchr("atd", str[1]) && (str[2] == '�' || str[2] == '.'); } static int read_symbol(FILE *in, struct sym_entry *s) { char str[500]; char *sym, stype; int rc; rc = fscanf(in, "%llx %c %499s ", &s->addr, &stype, str); if (rc != 3) { if (rc != EOF) { /* skip line */ fgets(str, 500, in); } return -1; } sym = str; /* skip prefix char */ if (symbol_prefix_char && str[0] == symbol_prefix_char) sym++; /* Ignore most absolute/undefined (?) symbols. */ if (strcmp(sym, "_text") == 0) _text = s->addr; else if (strcmp(sym, "_stext") == 0) _stext = s->addr; else if (strcmp(sym, "_etext") == 0) _etext = s->addr; else if (strcmp(sym, "_sinittext") == 0) _sinittext = s->addr; else if (strcmp(sym, "_einittext") == 0) _einittext = s->addr; else if (strcmp(sym, "_sextratext") == 0) _sextratext = s->addr; else if (strcmp(sym, "_eextratext") == 0) _eextratext = s->addr; else if (toupper(stype) == 'A') { /* Keep these useful absolute symbols */ if (strcmp(sym, "__kernel_syscall_via_break") && strcmp(sym, "__kernel_syscall_via_epc") && strcmp(sym, "__kernel_sigtramp") && strcmp(sym, "__gp")) return -1; } else if (toupper(stype) == 'U' || is_arm_mapping_symbol(sym)) return -1; /* exclude also MIPS ELF local symbols ($L123 instead of .L123) */ else if (str[0] == '$') return -1; /* include the type field in the symbol name, so that it gets * compressed together */ s->len = strlen(str) + 1; s->sym = malloc(s->len + 1); if (!s->sym) { fprintf(stderr, "kallsyms failure: " "unable to allocate required amount of memory "); exit(EXIT_FAILURE); } strcpy((char *)s->sym + 1, str); s->sym[0] = stype; return 0; } static int symbol_valid(struct sym_entry *s) { /* Symbols which vary between passes. Passes 1 and 2 must have * identical symbol lists. The kallsyms_* symbols below are only added * after pass 1, they would be included in pass 2 when --all-symbols is * specified so exclude them to get a stable symbol list. */ static char *special_symbols[] = { "kallsyms_addresses", "kallsyms_num_syms", "kallsyms_names", "kallsyms_markers", "kallsyms_token_table", "kallsyms_token_index", /* Exclude linker generated symbols which vary between passes */ "_SDA_BASE_", /* ppc */ "_SDA2_BASE_", /* ppc */ NULL }; int i; int offset = 1; /* skip prefix char */ if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char) offset++; /* if --all-symbols is not specified, then symbols outside the text * and inittext sections are discarded */ if (!all_symbols) { if ((s->addr < _stext || s->addr > _etext) && (s->addr < _sinittext || s->addr > _einittext) && (s->addr < _sextratext || s->addr > _eextratext)) return 0; /* Corner case. Discard any symbols with the same value as * _etext _einittext or _eextratext; they can move between pass * 1 and 2 when the kallsyms data are added. If these symbols * move then they may get dropped in pass 2, which breaks the * kallsyms rules. */ if ((s->addr == _etext && strcmp((char*)s->sym + offset, "_etext")) || (s->addr == _einittext && strcmp((char*)s->sym + offset, "_einittext")) || (s->addr == _eextratext && strcmp((char*)s->sym + offset, "_eextratext"))) return 0; } /* Exclude symbols which vary between passes. */ if (strstr((char *)s->sym + offset, "_compiled.")) return 0; for (i = 0; special_symbols[i]; i++) if( strcmp((char *)s->sym + offset, special_symbols[i]) == 0 ) return 0; return 1; } static void read_map(FILE *in) { while (!feof(in)) { if (table_cnt >= table_size) { table_size += 10000; table = realloc(table, sizeof(*table) * table_size); if (!table) { fprintf(stderr, "out of memory "); exit (1); } } if (read_symbol(in, &table[table_cnt]) == 0) table_cnt++; } } static void output_label(char *label) { if (symbol_prefix_char) printf(".globl %c%s ", symbol_prefix_char, label); else printf(".globl %s ", label); printf(" ALGN "); if (symbol_prefix_char) printf("%c%s: ", symbol_prefix_char, label); else printf("%s: ", label); } /* uncompress a compressed symbol. When this function is called, the best table * might still be compressed itself, so the function needs to be recursive */ static int expand_symbol(unsigned char *data, int len, char *result) { int c, rlen, total=0; while (len) { c = *data; /* if the table holds a single char that is the same as the one * we are looking for, then end the search */ if (best_table[c][0]==c && best_table_len[c]==1) { *result++ = c; total++; } else { /* if not, recurse and expand */ rlen = expand_symbol(best_table[c], best_table_len[c], result); total += rlen; result += rlen; } data++; len--; } *result=0; return total; } static void write_src(void) { unsigned int i, k, off; unsigned int best_idx[256]; unsigned int *markers; char buf[KSYM_NAME_LEN+1]; printf("#include <asm/types.h> "); printf("#if BITS_PER_LONG == 64 "); printf("#define PTR .quad "); printf("#define ALGN .align 8 "); printf("#else "); printf("#define PTR .long "); printf("#define ALGN .align 4 "); printf("#endif "); printf(".data "); /* Provide proper symbols relocatability by their '_text' * relativeness. The symbol names cannot be used to construct * normal symbol references as the list of symbols contains * symbols that are declared static and are private to their * .o files. This prevents .tmp_kallsyms.o or any other * object from referencing them. */ output_label("kallsyms_addresses"); for (i = 0; i < table_cnt; i++) { if (toupper(table[i].sym[0]) != 'A') { printf(" PTR _text + %#llx ", table[i].addr - _text); } else { printf(" PTR %#llx ", table[i].addr); } } printf(" "); output_label("kallsyms_num_syms"); printf(" PTR %d ", table_cnt); printf(" "); /* table of offset markers, that give the offset in the compressed stream * every 256 symbols */ markers = malloc(sizeof(unsigned int) * ((table_cnt + 255) / 256)); if (!markers) { fprintf(stderr, "kallsyms failure: " "unable to allocate required memory "); exit(EXIT_FAILURE); } output_label("kallsyms_names"); off = 0; for (i = 0; i < table_cnt; i++) { if ((i & 0xFF) == 0) markers[i >> 8] = off; printf(" .byte 0x%02x", table[i].len); for (k = 0; k < table[i].len; k++) printf(", 0x%02x", table[i].sym[k]); printf(" "); off += table[i].len + 1; } printf(" "); output_label("kallsyms_markers"); for (i = 0; i < ((table_cnt + 255) >> 8); i++) printf(" PTR %d ", markers[i]); printf(" "); free(markers); output_label("kallsyms_token_table"); off = 0; for (i = 0; i < 256; i++) { best_idx[i] = off; expand_symbol(best_table[i], best_table_len[i], buf); printf(" .asciz "%s" ", buf); off += strlen(buf) + 1; } printf(" "); output_label("kallsyms_token_index"); for (i = 0; i < 256; i++) printf(" .short %d ", best_idx[i]); printf(" "); } /* table lookup compression functions */ /* count all the possible tokens in a symbol */ static void learn_symbol(unsigned char *symbol, int len) { int i; for (i = 0; i < len - 1; i++) token_profit[ symbol[i] + (symbol[i + 1] << 8) ]++; } /* decrease the count for all the possible tokens in a symbol */ static void forget_symbol(unsigned char *symbol, int len) { int i; for (i = 0; i < len - 1; i++) token_profit[ symbol[i] + (symbol[i + 1] << 8) ]--; } /* remove all the invalid symbols from the table and do the initial token count */ static void build_initial_tok_table(void) { unsigned int i, pos; pos = 0; for (i = 0; i < table_cnt; i++) { if ( symbol_valid(&table[i]) ) { if (pos != i) table[pos] = table[i]; learn_symbol(table[pos].sym, table[pos].len); pos++; } } table_cnt = pos; } /* replace a given token in all the valid symbols. Use the sampled symbols * to update the counts */ static void compress_symbols(unsigned char *str, int idx) { unsigned int i, len, size; unsigned char *p1, *p2; for (i = 0; i < table_cnt; i++) { len = table[i].len; p1 = table[i].sym; /* find the token on the symbol */ p2 = memmem(p1, len, str, 2); if (!p2) continue; /* decrease the counts for this symbol's tokens */ forget_symbol(table[i].sym, len); size = len; do { *p2 = idx; p2++; size -= (p2 - p1); memmove(p2, p2 + 1, size); p1 = p2; len--; if (size < 2) break; /* find the token on the symbol */ p2 = memmem(p1, size, str, 2); } while (p2); table[i].len = len; /* increase the counts for this symbol's new tokens */ learn_symbol(table[i].sym, len); } } /* search the token with the maximum profit */ static int find_best_token(void) { int i, best, bestprofit; bestprofit=-10000; best = 0; for (i = 0; i < 0x10000; i++) { if (token_profit[i] > bestprofit) { best = i; bestprofit = token_profit[i]; } } return best; } /* this is the core of the algorithm: calculate the "best" table */ static void optimize_result(void) { int i, best; /* using the '�' symbol last allows compress_symbols to use standard * fast string functions */ for (i = 255; i >= 0; i--) { /* if this table slot is empty (it is not used by an actual * original char code */ if (!best_table_len[i]) { /* find the token with the breates profit value */ best = find_best_token(); /* place it in the "best" table */ best_table_len[i] = 2; best_table[i][0] = best & 0xFF; best_table[i][1] = (best >> 8) & 0xFF; /* replace this token in all the valid symbols */ compress_symbols(best_table[i], i); } } } /* start by placing the symbols that are actually used on the table */ static void insert_real_symbols_in_table(void) { unsigned int i, j, c; memset(best_table, 0, sizeof(best_table)); memset(best_table_len, 0, sizeof(best_table_len)); for (i = 0; i < table_cnt; i++) { for (j = 0; j < table[i].len; j++) { c = table[i].sym[j]; best_table[c][0]=c; best_table_len[c]=1; } } } static void optimize_token_table(void) { build_initial_tok_table(); insert_real_symbols_in_table(); /* When valid symbol is not registered, exit to error */ if (!table_cnt) { fprintf(stderr, "No valid symbol. "); exit(1); } optimize_result(); } int main(int argc, char **argv) { if (argc >= 2) { int i; for (i = 1; i < argc; i++) { if(strcmp(argv[i], "--all-symbols") == 0) all_symbols = 1; else if (strncmp(argv[i], "--symbol-prefix=", 16) == 0) { char *p = &argv[i][16]; /* skip quote */ if ((*p == '"' && *(p+2) == '"') || (*p == ''' && *(p+2) == ''')) p++; symbol_prefix_char = *p; } else usage(); } } else if (argc != 1) usage(); read_map(stdin); optimize_token_table(); write_src(); return 0; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-26]</pre></body></html>
