Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: Linux kernel ELF core dump privilege elevation
From: codeQ (newsclientteamq.info)
Date: Thu May 12 2005 - 12:52:53 CDT
I wasn't able to make it work either, getting exactly the same output
(without GCC's warnings). I'm on a Debian 2.6.11-7 kernel. I just tested
but really didn't even look what it failed, not even gdb'ed the core.
If someone notices what's wrong on the POC please, let me know.
attached mail follows:
On 5/11/05, Paul Starzetz <ihaquerisec.pl> wrote:
> since it became clear from the discussion in January about the uselib()
> vulnerability, that the Linux community prefers full, non-embargoed
> disclosure of kernel bugs, I release full details right now. However to
> follows at least some of the responsable disclosure rules, no exploit code will be
> released. Instead, only a proof-of-concept code is released to demonstrate
> the vulnerability.
Paul, I was unable to make it work on my amd64.
Running Gentoo on kernel 2.6.11.
This was the output:
[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function `strlen'
elfcd1.c:54: warning: implicit declaration of function `memset'
elfcd1.c:60: warning: implicit declaration of function `strcmp'
warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is
incompatible with i386 output
[+] ./elfcd1 argv_start=0x7ffffffff451 argv_end=0x7ffffffff459 ESP: 0xfffff0e0
[+] phase 1
[+] AAAA argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee ESP: 0xffff6de0
[+] phase 2, <RET> to crash Segmentation fault (core dumped)
Bruno Lustosa, aka Lofofora | Email: brunolustosa.net
Network Administrator/Web Programmer | ICQ: 1406477
Rio de Janeiro - Brazil |