Exploits the recent udp_sendmsg() bug found by Julien Tinnes/Tavis Ormandy. Does not require an executable NULL mapping and is 100% stealthy. The vulnerability is interesting, as the path to userland code execution is about 4 functions deep and hidden by a netfilter macro. By forging the dereferenced structure correctly, I’m able to avoid an alerting printk. The exploit is demonstrated on Fedora Core 5 and RHEL 5.3.
Exploit was written in a matter of minutes after I reversed the path to userland code execution. 90% of the code is just reused from Cheddar Bay/Wunderbar Emporium. I have updated the SELinux disabling payload to support older kernels that compiled a particular function differently.
Sorry, no fancy pictures or video in this one.
Duration : 0:1:16