Re: Linux kernel ELF core dump privilege elevation

[codeQ <newsclient () teamq info>]

I wasn't able to make it work either, getting exactly the same output
(without GCC's warnings). I'm on a Debian 2.6.11-7 kernel. I just tested
but really didn't even look what it failed, not even gdb'ed the core.

If someone notices what's wrong on the POC please, let me know.

Thanks,
Pablo Fernandez

> --- Begin Message ---
>
>
> From: Bruno Lustosa <bruno.lists () gmail com>
>
> Date: Wed, 11 May 2005 16:34:58 -0300
>
> On 5/11/05, Paul Starzetz <ihaquer () isec pl> wrote:
> > since it became clear from the discussion in January about the uselib()
> > vulnerability, that the Linux community prefers full, non-embargoed
> > disclosure of kernel bugs, I release full details right now. However to
> > follows at least some of the responsable disclosure rules, no exploit code will be
> > released. Instead, only a proof-of-concept code is released to demonstrate
> > the vulnerability.
>
> Paul, I was unable to make it work on my amd64.
> Running Gentoo on kernel 2.6.11.
> This was the output:
>
> [+] Compiling...elfcd1.c: In function `main':
> elfcd1.c:48: warning: implicit declaration of function `strlen'
> elfcd1.c:54: warning: implicit declaration of function `memset'
> elfcd1.c:60: warning: implicit declaration of function `strcmp'
> /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld:
> warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is
> incompatible with i386 output
>
> [+] ./elfcd1 argv_start=0x7ffffffff451 argv_end=0x7ffffffff459  ESP: 0xfffff0e0
> [+] phase 1
> [+] AAAA argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee  ESP: 0xffff6de0
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
>
> -- 
> Bruno Lustosa, aka Lofofora          | Email: bruno () lustosa net
> Network Administrator/Web Programmer | ICQ: 1406477
> Rio de Janeiro - Brazil              |
>
> --- End Message ---