
Re: local root exploit



In-Reply-To=<41DF1353.9030607@sphaero.org>

Same behaviour here; custom 2.4.27 UML kernel on woody.

$ ./elflbl

[+] SLAB cleanup
    child 1 VMAs 70
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc6c00000 - 0xcd5dd000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (No such file or directory)
Killed

I can't even get the exploit to build on sarge/sid. Running the woody-built binary results in different behaviors on different systems:

On sid, 2.6.9-1-686 kernel:

$ ./elflbl

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf69b000
Segmentation fault

Sarge, 2.6.7-1-686 and sid, 2.6.9 custom kernel (same behavior):

$ ./elflbl

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc8000000 - 0xcfc32000

(at this point it eats all the CPU and RAM it can get, until killed)

I'm not really sure what this particular exploit code is supposed to do, but on these last two systems it seems to do SOMETHING bad.

Cheers, 
L

> Just tried the newly found exploits on a Woody system, it doesn't work...
> I get:
> [+] SLAB cleanup
> child 1 VMAs 143
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xc5000000 - 0xc9d17000
> [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (No such file or directory)
> Killed
> 
> 
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
> 
> Any others any other findings?
> 
> A. Loonstra


