
Re: Linux kernel exploit


From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming () simplicitymedialtd co uk>
Date: Mon, 13 Dec 2010 20:40:45 +0000

I've seen far too many people just sending back "Failed to open file
descriptors" without giving any indication as to what could have happened.
:| Can people *please* remember to send the author as much debugging output as
possible (at the very least, an strace), so they can at least see what's going on.
Can people also use uname -a, rather than just -r, so it shows which architecture
is being used.


Anyways, the code failed on our sandbox.. see below. Note that in the strace the
socket(PF_ECONET, SOCK_DGRAM, 0) call returns EAFNOSUPPORT, i.e. this kernel has
no Econet support, which is presumably why it then reports "Failed to open file
descriptors":

 foxx () sandbox01 simplicitymedialtd co uk [~] > gcc test.c -o full-nelson

 foxx () sandbox01 simplicitymedialtd co uk [~] > ./full-nelson
[*] Failed to open file descriptors.

 foxx () sandbox01 simplicitymedialtd co uk [~] > uname -a
Linux sandbox01.simplicitymedialtd.co.uk 2.6.32.25-grsec #1 SMP Wed Nov 24
02:26:04 GMT 2010 x86_64 GNU/Linux

 foxx () sandbox01 simplicitymedialtd co uk [~] > cat /etc/issue
Debian GNU/Linux 5.0 \n \l

 foxx () courtney simplicitymedialtd co uk [~] > strace ./full-nelson
execve("./full-nelson", ["./full-nelson"], [/* 17 vars */]) = 0
brk(0)                                  = 0x601a98
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b504000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b502000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15513, ...}) = 0
mmap(NULL, 15513, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f016b4fe000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\342\1\0\0\0\0\0@"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1375536, ...}) = 0
mmap(NULL, 3482232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f016af98000
mprotect(0x7f016b0e2000, 2093056, PROT_NONE) = 0
mmap(0x7f016b2e1000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x7f016b2e1000
mmap(0x7f016b2e6000, 17016, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f016b2e6000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b4fd000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b4fc000
arch_prctl(ARCH_SET_FS, 0x7f016b4fc6e0) = 0
mprotect(0x7f016b2e1000, 12288, PROT_READ) = 0
munmap(0x7f016b4fe000, 15513)           = 0
pipe([3, 4])                            = 0
socket(PF_ECONET, SOCK_DGRAM, 0)        = -1 EAFNOSUPPORT (Address family
not supported by protocol)
open("/dev/zero", O_RDONLY)             = 5
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 11), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f016b501000
write(1, "[*] Failed to open file descripto"..., 37[*] Failed to open file
descriptors.
) = 37
exit_group(-1)                          = ?



On Mon, Dec 13, 2010 at 6:12 PM, Ariel Biener <ariel () post tau ac il> wrote:

But he said that RedHat (and thus CentOS) doesn't have Econet enabled by
default.

--Ariel

firebits () backtrack com br wrote:
I tested it on an up-to-date CentOS 5.5 i386 VM and it did not work.

Last login: Tue Dec 13 12:48:54 2010
[root@localhost~]#nano full-nelson.c
[root@localhost~]#gcc-o full-nelson.c full-nelson
[root@localhost~]#./full-nelson
[*] Failed to open file descriptors.
[root@localhost~]# uname-a
Linux localhost.localdomain 2.6.18-194.26.1.el5 # 1 SMP Thu Nov 9
12:54:40 EST 2010 i686 i686 i386 GNU/Linux
[root@localhost~]#

My 10 cents:)

@firebitsbr



--
 --
 Ariel Biener
 e-mail: ariel () post tau ac il
 PGP: http://www.tau.ac.il/~ariel/pgp.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
support () simplicitymedialtd co uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leeming () simplicitymedialtd co uk
*IM: *AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
