[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimopVzciBjJ-0ZaUpLrpSyEDpiFk1BmTQN7qhxj@mail.gmail.com>
Date: Mon, 13 Dec 2010 20:40:45 +0000
From: "Cal Leeming [Simplicity Media Ltd]"
<cal.leeming@...plicitymedialtd.co.uk>
To: Ariel Biener <ariel@...t.tau.ac.il>
Cc: leandro_lista@...tari.com.br, firebits@...ktrack.com.br,
bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Linux kernel exploit
I've seen far too many people just sending back "Failed to open file
descriptors" without giving any indication as to what could have happened.
:| Can people *please* remember to send the author as much debug as possible
(at the very least, an strace), so they can at least see what's going on.
Can people also use uname -a, rather than just -r, so it indicates what arch
is being used.
Anyways, the code failed on our sandbox.. see below:
foxx@...dbox01.simplicitymedialtd.co.uk [~] > gcc test.c -o full-nelson
foxx@...dbox01.simplicitymedialtd.co.uk [~] > ./full-nelson
[*] Failed to open file descriptors.
foxx@...dbox01.simplicitymedialtd.co.uk [~] > uname -a
Linux sandbox01.simplicitymedialtd.co.uk 2.6.32.25-grsec #1 SMP Wed Nov 24
02:26:04 GMT 2010 x86_64 GNU/Linux
foxx@...dbox01.simplicitymedialtd.co.uk [~] > cat /etc/issue
Debian GNU/Linux 5.0 \n \l
foxx@...rtney.simplicitymedialtd.co.uk [~] > strace ./full-nelson
execve("./full-nelson", ["./full-nelson"], [/* 17 vars */]) = 0
brk(0) = 0x601a98
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b504000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b502000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15513, ...}) = 0
mmap(NULL, 15513, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f016b4fe000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\342\1\0\0\0\0\0@"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1375536, ...}) = 0
mmap(NULL, 3482232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f016af98000
mprotect(0x7f016b0e2000, 2093056, PROT_NONE) = 0
mmap(0x7f016b2e1000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x7f016b2e1000
mmap(0x7f016b2e6000, 17016, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f016b2e6000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b4fd000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b4fc000
arch_prctl(ARCH_SET_FS, 0x7f016b4fc6e0) = 0
mprotect(0x7f016b2e1000, 12288, PROT_READ) = 0
munmap(0x7f016b4fe000, 15513) = 0
pipe([3, 4]) = 0
socket(PF_ECONET, SOCK_DGRAM, 0) = -1 EAFNOSUPPORT (Address family
not supported by protocol)
open("/dev/zero", O_RDONLY) = 5
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 11), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b501000
write(1, "[*] Failed to open file descripto"..., 37[*] Failed to open file
descriptors.
) = 37
exit_group(-1) = ?
On Mon, Dec 13, 2010 at 6:12 PM, Ariel Biener <ariel@...t.tau.ac.il> wrote:
> But he said that RedHat (and thus CentOS) doesn't have Econet enabled by
> default.
>
> --Ariel
>
> firebits@...ktrack.com.br wrote:
> > I tested it on a VM with CentOS 5.5 i386 updated and did not work.
> >
> > Last login: Tue Dec 13 12:48:54 2010
> > [root@...alhost~]#nano full-nelson.c
> > [root@...alhost~]#gcc-o full-nelson.c full-nelson
> > [root@...alhost~]#./full-nelson
> > [*] Failed to open file descriptors.
> > [root@...alhost~]# uname-a
> > Linux localhost.localdomain 2.6.18-194.26.1.el5 # 1 SMP Thu Nov 9
> 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
> > [root@...alhost~]#
> >
> > My 10 cents:)
> >
> > @firebitsbr
> >
> >
>
> --
> --
> Ariel Biener
> e-mail: ariel@...t.tau.ac.il
> PGP: http://www.tau.ac.il/~ariel/pgp.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Cal Leeming
Operational Security & Support Team
*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
support@...plicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leeming@...plicitymedialtd.co.uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists