Re: local root exploit
On Tue, Jan 11, 2005 at 10:18:46AM +0100, A.J. Loonstra wrote:
> I tried modifying the exploit not to use /dev/shm... but this is what
> happens:
>
> ~$ ./a.out
>
> [+] SLAB cleanup
> child 1 VMAs 287
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xc5000000 - 0xc9d17000
> Wait... |
> [+] race won maps=6768
> expanded VMA (0xbfffc000-0xffffe000)
> [!] try to exploit 0xc594b000
> [+] gate modified ( 0xffec94bf 0x0804ec00 )
> [+] exploited, uid=0
>
> sh-2.05a$ whoami
> arnaud
> sh-2.05a$ mount
> /dev/hda1 on / type ext2 (rw,errors=remount-ro)
> proc on /proc type proc (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> /dev/hda2 on /home type ext3 (rw)
> $sh-2.05a$ echo $UID
> 0
>
> It says it did exploit but it didn't...
UID of 0 looks like it has to me, but I could be wrong.
Cheers,
--
Brett Parker