Welcome to the Linux Foundation Forum!

LAB 8.7: econet kernel vulnerability on ubuntu-10.04

Hello,

I'm struggling with lab 8.7 and I can't figure out what I am doing wrong so help would be greatly appreciated.

When I run ./full-nelson it doesn't hang but returns "Exploit failed to get root".

  • sysctl kernel.modules_disabled = 0
  • commented out blacklist econet and blacklist rds in /etc/modprobe.d/blacklist.conf
  • network adapter is eth0
  • rds exploit is working

./full-nelson output

[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf8ef02d0
[+] Resolved econet_ops to 0xf8ef03c0
[+] Resolved commit_creds to 0xc0176140
[+] Resolved prepare_kernel_cred to 0xc0176480
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.

What am I missing ?

Thanks in advance !
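The first post lists two settings relaxed for the lab: kernel.modules_disabled = 0 and the commented-out blacklist entries for econet and rds. As an added example, not part of the original thread or the lab material, the shell script below checks the opposite condition on a host, namely that those two modules cannot be auto-loaded. The function names and the temporary sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check the two settings the lab relaxes. Names are illustrative.

# Succeeds if DIR has an uncommented "blacklist MOD" or "install MOD /bin/true|false"
# line in any *.conf file. Note: "blacklist" only stops alias-based autoloading;
# an explicit modprobe by root still loads the module.
module_autoload_blocked() {
    mod=$1 d=$2
    for f in "$d"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq "^[[:space:]]*(blacklist[[:space:]]+${mod}|install[[:space:]]+${mod}[[:space:]]+/bin/(true|false))[[:space:]]*\$" "$f" && return 0
    done
    return 1
}

# Succeeds if the kernel.modules_disabled value read from FILE is 1.
modules_locked() {
    [ "$(cat "${1:-/proc/sys/kernel/modules_disabled}" 2>/dev/null)" = "1" ]
}

# Prints one line per check; returns 0 only if econet and rds cannot be auto-loaded.
audit_lab_modules() {
    conf_dir=${1:-/etc/modprobe.d}
    md_file=${2:-/proc/sys/kernel/modules_disabled}
    if modules_locked "$md_file"; then
        echo "OK: kernel.modules_disabled=1"
        return 0
    fi
    rc=0
    for m in econet rds; do
        if module_autoload_blocked "$m" "$conf_dir"; then
            echo "OK: $m autoload blocked in $conf_dir"
        else
            echo "FINDING: $m not blocked and kernel.modules_disabled=0"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the lab VM: both blacklist entries commented out.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '#blacklist econet' '#blacklist rds' > "$tmp/blacklist.conf"
    echo 0 > "$tmp/modules_disabled"
    audit_lab_modules "$tmp" "$tmp/modules_disabled" || true
    rm -rf "$tmp"
}
demo
```

Calling audit_lab_modules with no arguments reads /etc/modprobe.d and /proc/sys/kernel/modules_disabled on the live system.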

Comments

  • Posts: 380

    Hi k0dard,
    It sounds like everything is set, did you modify the 70-persistent-net.rules file to change the adapter name to eth0?
    I just ran through the exercise and it worked. Please reboot after rds-fail and full-nelson.

    The only hiccup in this exercise is usually the adapter name.
    You used the compiler in Ubuntu 10.4 ?

    Can you post the entire output from full-nelson in a file, maybe a clue in there.

    Regards Lee

  • Posts: 115

    Hello Lee,
    Thanks for your prompt reply.

    Original adapter name was eth1 but changed to eth0 after I deleted the 70-persistent-net.rules file, as suggested in lab 8.5 solution.
    I've compiled full-nelson.c with Ubuntu 10.04 compiler.

    So, I tried to redirect output of full-nelson to a file and only the above output (from my first post) redirects, although there is a lot of output on the screen :/ I've tried also to redirect error output, no success.

    Then I tried executing full-nelson and saving output from vim, but couldn't save the output either... I did screen capture with some of the output.

    Then I tried script -c "./full-nelson" error.log and surprisingly I got the root shell.

    So I guess all this has to do with starting new shells, but I have no idea what happened. The exploit still doesn't work without script...

    Any ideas on what's going on ?

    Maybe it's worth specifying that I'm using KVM with qemu image and virtual machine manager

    Thanks a lot for your help !

    k0dard

  • Posts: 380

    Ahh, we are getting closer. The full-nelson is two parts: in the first screen, run full-nelson and it should hang. Move to the second screen and run full-nelson again. The second instance gets the "root" privileges and /bin/sh, while the first screen will terminate the program.

    Now your observation, I'll bet there was a full-nelson running without a screen from a previous attempt and when you ran the script it found the running copy and got root.

  • Posts: 115

    Hmm, I know it's two parts, however full-nelson does not hang on the first screen, it just exits with "Exploit failed to get root"

    On the other hand, I reboot the VM, I log in and run script -c "./full-nelson" and I have root without ever running a second instance of full-nelson.

    Btw, a stupid question - when you say screen, you mean switching virtual terminal, CTRL-ALT-F(something) ?

  • Posts: 380

    My fault for not being clear, "open another terminal session in the GUI" or "open another Virtual Terminal on the console".
    I will continue to investigate and see if I can re-create what you are seeing.

  • Posts: 115

    OK, I thought so :)
    There's no GUI on ubuntu 10.04 VM, at least not on mine...
    Thanks for your help !
