Full Disclosure mailing list archives
Re: Linux kernel exploit
From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming () simplicitymedialtd co uk>
Date: Mon, 13 Dec 2010 20:40:45 +0000
I've seen far too many people just sending back "Failed to open file descriptors" without giving any indication as to what could have happened. :|

Can people *please* remember to send the author as much debug as possible (at the very least, an strace), so they can at least see what's going on. Can people also use uname -a, rather than just -r, so it indicates what arch is being used.

Anyways, the code failed on our sandbox.. see below:

foxx () sandbox01 simplicitymedialtd co uk [~] > gcc test.c -o full-nelson
foxx () sandbox01 simplicitymedialtd co uk [~] > ./full-nelson
[*] Failed to open file descriptors.
foxx () sandbox01 simplicitymedialtd co uk [~] > uname -a
Linux sandbox01.simplicitymedialtd.co.uk 2.6.32.25-grsec #1 SMP Wed Nov 24 02:26:04 GMT 2010 x86_64 GNU/Linux
foxx () sandbox01 simplicitymedialtd co uk [~] > cat /etc/issue
Debian GNU/Linux 5.0 \n \l
foxx () courtney simplicitymedialtd co uk [~] > strace ./full-nelson
execve("./full-nelson", ["./full-nelson"], [/* 17 vars */]) = 0
brk(0) = 0x601a98
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b504000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b502000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=15513, ...}) = 0
mmap(NULL, 15513, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f016b4fe000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\342\1\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1375536, ...}) = 0
mmap(NULL, 3482232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f016af98000
mprotect(0x7f016b0e2000, 2093056, PROT_NONE) = 0
mmap(0x7f016b2e1000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x7f016b2e1000
mmap(0x7f016b2e6000, 17016, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f016b2e6000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b4fd000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b4fc000
arch_prctl(ARCH_SET_FS, 0x7f016b4fc6e0) = 0
mprotect(0x7f016b2e1000, 12288, PROT_READ) = 0
munmap(0x7f016b4fe000, 15513) = 0
pipe([3, 4]) = 0
socket(PF_ECONET, SOCK_DGRAM, 0) = -1 EAFNOSUPPORT (Address family not supported by protocol)
open("/dev/zero", O_RDONLY) = 5
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 11), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f016b501000
write(1, "[*] Failed to open file descripto"..., 37[*] Failed to open file descriptors.
) = 37
exit_group(-1) = ?

On Mon, Dec 13, 2010 at 6:12 PM, Ariel Biener <ariel () post tau ac il> wrote:
But he said that RedHat (and thus CentOS) doesn't have Econet enabled by default.

--Ariel

firebits () backtrack com br wrote:
I tested it on a VM with CentOS 5.5 i386 updated and did not work.

Last login: Tue Dec 13 12:48:54 2010
[root@localhost ~]# nano full-nelson.c
[root@localhost ~]# gcc -o full-nelson.c full-nelson
[root@localhost ~]# ./full-nelson
[*] Failed to open file descriptors.
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.18-194.26.1.el5 #1 SMP Thu Nov 9 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
[root@localhost ~]#

My 10 cents :)
@firebitsbr

--
Ariel Biener
e-mail: ariel () post tau ac il
PGP: http://www.tau.ac.il/~ariel/pgp.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Cal Leeming
Operational Security & Support Team
*Out of Hours: * +44 (07534) 971120 | *Support Tickets: * support () simplicitymedialtd co uk
*Fax: * +44 (02476) 578987 | *Email: * cal.leeming () simplicitymedialtd co uk
*IM: * AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved. Registered company number 7143564
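The strace above answers the question the bare "Failed to open file descriptors" message hides: the exploit's socket(PF_ECONET, SOCK_DGRAM, 0) call is refused with EAFNOSUPPORT, so the kernel simply has no Econet support. The probe below is an added example, not code from the thread or from the exploit; it asks the kernel whether an unprivileged process can create an AF_ECONET datagram socket at all, which is the check an administrator wants when confirming that a host is not exposed. It assumes a Linux build environment and supplies the Linux value of AF_ECONET (19) only when the headers do not define it.

```c
/* Added example: probe whether this kernel accepts sockets of a given
 * address family. Not part of the original thread. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_ECONET
#define AF_ECONET 19   /* Linux value; assumed here if the headers lack it */
#endif

/* Try to create a socket of the given family/type from an unprivileged
 * process. Returns 0 if the kernel accepted it (the socket is closed again),
 * otherwise the errno from socket(2). On Linux an unknown family also
 * triggers the kernel's net-pf-<N> module autoload, so 0 means the protocol
 * is reachable whether it is built in or shipped as a module. */
int probe_af(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map a probe result to a one-line verdict for a report. */
const char *describe_probe(int rc)
{
    switch (rc) {
    case 0:               return "available to unprivileged users";
    case EAFNOSUPPORT:    return "address family not supported (not built in, no module)";
    case EPROTONOSUPPORT: return "family known but this protocol/type is refused";
    case EPERM:
    case EACCES:          return "refused by policy (capabilities, seccomp or LSM)";
    default:              return "failed for another reason";
    }
}

int main(void)
{
    int rc = probe_af(AF_ECONET, SOCK_DGRAM);
    printf("AF_ECONET SOCK_DGRAM: %s", describe_probe(rc));
    if (rc)
        printf(" (errno %d: %s)", rc, strerror(rc));
    printf("\n");
    return rc == 0 ? 1 : 0;   /* exit status 1 = Econet sockets are reachable */
}
```

Run it as an ordinary user on each host; on the grsec box above it would print the EAFNOSUPPORT verdict, which is the condition the thread's "Failed to open file descriptors" output corresponds to.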