Kernel Bench

Kernel News and How To

Exploits the recent udp_sendmsg() bug found by Julien Tinnes/Tavis Ormandy. Does not require an executable NULL mapping and is 100% stealthy. The vulnerability is interesting, as the path to userland code execution is about 4 functions deep and hidden by a netfilter macro. By forging the dereferenced structure correctly, I’m able to avoid an alerting printk. The exploit is demonstrated on Fedora Core 5 and RHEL 5.3.

Exploit was written in a matter of minutes after I reversed the path to userland code execution. 90% of the code is just reused from Cheddar Bay/Wunderbar Emporium. I have updated the SELinux disabling payload to support older kernels that compiled a particular function differently.

Sorry, no fancy pictures or video in this one.

Duration: 0:1:16
