Kernel Bench

Kernel News and How To

Watch in HD Fullscreen :)

Back again with yet another Linux exploit. For time purposes I'm only demonstrating it on RHEL 5.4, but if you look on my Twitter you can see screenshots of it working on every distro mentioned in the video. It'll work on everything else too; I just don't have the VMs installed. Every version of Linux I can get my hands on is vulnerable.

Initially the title of this video stated the exploit was SMP-only. That’s not the case — some single-processor systems with PREEMPT enabled are also capable of winning the race, leading to compromise.

Mitigation:
Make sure you have mmap_min_addr enabled on your machines and that it can't be bypassed. To test whether mmap_min_addr is disabled, absent, or bypassable on your machine, download enlightenment and run ./run_null_exploits.sh. You don't have to choose any particular exploit: it will attempt to mmap at NULL by any means available and report success or failure. Unlike with sock_ops, there is no workaround for this vulnerability, so it's time to bite the bullet and upgrade to a kernel that protects against this class of bug in general. Workarounds have never been a long-term solution.
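As an added example (not part of the original post and not code from the enlightenment toolkit), here is a small C program that performs the direct form of the check described above: it reads the vm.mmap_min_addr sysctl from /proc and tries to map one anonymous page at address 0, reporting whether the kernel refused. It assumes Linux and a 4 KiB page size, and it only probes the direct mmap route, so a "protected" verdict here is necessary but not sufficient; the toolkit's script exercises further routes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#define PAGE_SZ 4096L   /* assumed page size; one page is enough to probe address 0 */
/* Parse the text of /proc/sys/vm/mmap_min_addr (e.g. "65536\n"); -1 if not a number. */
long parse_min_addr(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    return (end == text || errno || v < 0) ? -1 : v;
}

/* Read the live sysctl; -1 means the file is absent, i.e. the kernel lacks the knob. */
long read_mmap_min_addr(void)
{
    char buf[32];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    long v = fgets(buf, sizeof buf, f) ? parse_min_addr(buf) : -1;
    fclose(f);
    return v;
}

/* Try to map one anonymous page at address 0: 1 = kernel refused, 0 = it succeeded. */
int null_page_denied(void)
{
    void *p = mmap((void *)0, PAGE_SZ, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 1;
    munmap(p, PAGE_SZ);   /* drop the page again; it was only a probe */
    return 0;
}
/* Verdict: 0 protected, 1 knob absent or 0, 2 knob set but page still mapped (not enforced for us). */
int assess(long min_addr, int denied)
{
    if (min_addr <= 0) return 1;
    return denied ? 0 : 2;
}
int main(void)
{
    static const char *msg[] = { "protected", "mmap_min_addr missing or 0",
                                 "mmap_min_addr set but NULL page still mappable" };
    long m = read_mmap_min_addr();
    int v = assess(m, null_page_denied());
    printf("mmap_min_addr=%ld: %s\n", m, msg[v]);
    return v;
}
```

Run it as the unprivileged user you care about; a process holding CAP_SYS_RAWIO is allowed below mmap_min_addr, so a root run says little about what an ordinary login can do.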

This exploit was written within an hour on October 22nd 2009.

Duration: 0:7:28

