在milw0rm上有两个,第一个:
http://www.milw0rm.com/exploits/9575
/*********************************************************** * hoagie_udp_sendmsg.c * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698 * * udp_sendmsg bug exploit via (*output) callback function * used in dst_entry / rtable *阅读全文
/* * Linux sock_sendpage() NULL pointer dereference * Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA阅读全文
From: SecuriTeam
This summer may have caused a few burden’s on linux administrators. By all the patching necessary to keep their systems out of the hands of those who would choose to exploit it, unless your using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake this early this morning…
New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.
阅读全文
From:milw0rm #!/bin/sh ################################################################################### # gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit # # by Milen Rangelov (gat3way-at-gat3way-dot-eu) # # Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov. # Basically it allows us to send arbitrary signals to a privileged (suidroot) # parent process. Due to a bad check, the child process with appropriate exit signal # already set can first execute a suidroot binary then exit() and thus bypass # in-kernel privilege checks. We use chfn and gpasswd for that purpose. # # !!!!!!!!!!! # Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0阅读全文
