I wasn't able to make it work either, getting exactly the same output (without GCC's warnings). I'm on a Debian 2.6.11-7 kernel. I just tested it but really didn't even look at why it failed, not even gdb'ed the core. If someone notices what's wrong with the POC, please let me know.

Thanks,
Pablo Fernandez
--- Begin Message ---
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Linux kernel ELF core dump privilege elevation
- From: Bruno Lustosa <bruno.lists@xxxxxxxxx>
- Date: Wed, 11 May 2005 16:34:58 -0300
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=PniZvZ8k2IiY//WW06LhDcBVqGStVXtMnaYjbPFsLZJQEII7qeVbOlBe4pzPxuOc0ZdIMrqYxpUUxI205Gl5FavcaAnayuQy5852K01/7XTgYCoZ63oFE4ihDX5n0WHHsNypLdy+XZpUnBSP1gxPnsT+GoJ376KlgXQbdwquxkY=
- In-reply-to: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx>
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- References: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx>
- Reply-to: Bruno Lustosa <bruno.lists@xxxxxxxxx>
On 5/11/05, Paul Starzetz <ihaquer@xxxxxxx> wrote:
> since it became clear from the discussion in January about the uselib()
> vulnerability, that the Linux community prefers full, non-embargoed
> disclosure of kernel bugs, I release full details right now. However, to
> follow at least some of the responsible disclosure rules, no exploit code
> will be released. Instead, only a proof-of-concept code is released to
> demonstrate the vulnerability.

Paul, I was unable to make it work on my amd64. Running Gentoo on kernel 2.6.11. This was the output:

    [+] Compiling...
    elfcd1.c: In function `main':
    elfcd1.c:48: warning: implicit declaration of function `strlen'
    elfcd1.c:54: warning: implicit declaration of function `memset'
    elfcd1.c:60: warning: implicit declaration of function `strcmp'
    /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is incompatible with i386 output
    [+] ./elfcd1
    argv_start=0x7ffffffff451 argv_end=0x7ffffffff459 ESP: 0xfffff0e0
    [+] phase 1
    [+] AAAA
    argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee ESP: 0xffff6de0
    [+] phase 2, <RET> to crash
    Segmentation fault (core dumped)

--
Bruno Lustosa, aka Lofofora          | Email: bruno@xxxxxxxxxxx
Network Administrator/Web Programmer | ICQ: 1406477
Rio de Janeiro - Brazil              |
--- End Message ---