/*
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers. As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root. Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * sets the security_ops to the default structure, then overwrites
 * a function pointer (ptrace_traceme) in that structure to point
 * to the payload. After triggering the payload, the original
 * value is restored. Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define RECVPORT 5555
#define SENDPORT 6666
int prep_sock(int port)
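The header comment's closing remark, that packet families nobody needs should not be loadable on demand, is the practical mitigation for this bug on systems that cannot be patched immediately: socket(AF_RDS, ...) from an unprivileged process triggers the kernel's module autoloader, so simply not having rds.ko loaded is not enough. The script below is an added example written for this page, not part of Dan Rosenberg's exploit or of any kernel or distribution tooling. It assumes the config file name /etc/modprobe.d/disable-rds.conf (any name in that directory works) and takes the module listing on stdin so the check can be exercised on constructed input.

```sh
#!/bin/sh
# Added example (not from the exploit or the kernel): block on-demand loading
# of the RDS protocol module and check whether it is already present.
# Assumed, not from the page: the config file name below.
RDS_CONF="${RDS_CONF:-/etc/modprobe.d/disable-rds.conf}"

# The modprobe rule. "install rds /bin/true" makes modprobe run /bin/true
# instead of inserting rds.ko, so the kernel's request_module() path taken by
# socket() on an unregistered family fails as well. A plain "blacklist" line
# is not used here because "install" is the form that unambiguously covers
# autoload requests.
rds_modprobe_rule() {
    printf 'install rds /bin/true\n'
}

# Read a /proc/modules-style listing on stdin; succeed if rds is loaded.
# Reading stdin instead of /proc/modules directly lets the check run on
# constructed input.
rds_is_loaded() {
    grep -q '^rds[[:space:]]'
}

# Succeed if any *.conf under the given directory already carries the rule.
rds_rule_present() {
    grep -qs '^install[[:space:]][[:space:]]*rds[[:space:]]' "$1"/*.conf 2>/dev/null
}

# Write the rule to the given file (default: RDS_CONF). Needs root for the
# real modprobe.d directory.
write_rds_rule() {
    conf="${1:-$RDS_CONF}"
    rds_modprobe_rule > "$conf"
}

# Report the current state of this host. The install rule only prevents
# future loads, so an already-loaded module is called out separately.
report() {
    if [ -r /proc/modules ] && rds_is_loaded < /proc/modules; then
        echo "rds is currently loaded: the modprobe rule will not unload it;" \
             "remove it with rmmod rds once nothing depends on it"
    else
        echo "rds is not loaded"
    fi
    if rds_rule_present /etc/modprobe.d; then
        echo "modprobe install rule for rds is present"
    else
        echo "no modprobe rule for rds found; write one with write_rds_rule (as root)"
    fi
}

report
```

Running the script as an ordinary user only reports; write_rds_rule is the one step that changes the system and is left to be invoked deliberately. The same pattern applies to any other socket family the host does not use.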