
Re: local root exploit



On Tue, Jan 11, 2005 at 10:18:46AM +0100, A.J. Loonstra wrote:
> I tried modifying the exploit not to use /dev/shm... but this is what
> happens:
> 
> ~$ ./a.out
> 
> [+] SLAB cleanup
>     child 1 VMAs 287
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xc5000000 - 0xc9d17000
>     Wait... |
> [+] race won maps=6768
>     expanded VMA (0xbfffc000-0xffffe000)
> [!] try to exploit 0xc594b000
> [+] gate modified ( 0xffec94bf 0x0804ec00 )
> [+] exploited, uid=0
> 
> sh-2.05a$ whoami
> arnaud
> sh-2.05a$ mount
> /dev/hda1 on / type ext2 (rw,errors=remount-ro)
> proc on /proc type proc (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> /dev/hda2 on /home type ext3 (rw)
> $sh-2.05a$ echo $UID
> 0
> 
> It says it did exploit but it didn't...

UID of 0 looks like it has to me, but I could be wrong.

Cheers,
-- 
Brett Parker


