LAB 8.7: econet kernel vulnerability on ubuntu-10.04

k0dard

Hello,

I'm struggling with lab 8.7 and I can't figure out what I am doing wrong so help would be greatly appreciated.

When I run ./full-nelson it doesn't hang but returns "Exploit failed to get root".

• sysctl kernel.modules_disabled = 0
• commented out blacklist econet and blacklist rds in /etc/modprobe.d/blacklist.conf
• network adapter is eth0
• rds exploit is working

./full-nelson output

[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf8ef02d0
[+] Resolved econet_ops to 0xf8ef03c0
[+] Resolved commit_creds to 0xc0176140
[+] Resolved prepare_kernel_cred to 0xc0176480
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.

What am I missing ?

Thanks in advance !

lee42x

Hi k0dard,
It sounds like everything is set, did you modify the 70-persistent-net.rules file to change the adapter name to eth0?
I just ran through the exercise and it worked. Please reboot after rds-fail and full-nelson.

The only hiccup in this exercise is usually the adapter name.
You used the compiler in Ubuntu 10.4 ?

Can you post the entire output from full-nelson in a file, maybe a clue in there.

Regards Lee

k0dard

Hello Lee,
Thanks for your prompt reply.

Original adapter name was eth1 but changed to eth0 after I deleted the 70-persistent-net.rules file, as suggested in lab 8.5 solution.
I've compiled full-nelson.c with Ubuntu 10.04 compiler.

So, I tried to redirect output of full-nelson to a file and only the above output (from my first post) redirects, although there is a lot of output on the screen I've tried also to redirect error output, no success.

Then I tried executing full-nelson and saving output from vim, but couldn't save the output either... I did screen capture with some of the output.

Then I tried script -c "./full-nelson" error.log and surprisingly I got the root shell

So I guess all this has to do with starting new shells, but I have no idea what happened. The exploit still doesn't work without script...

Any ideas on what's going on ?

Maybe it's worth specifying that I'm using KVM with qemu image and virtual machine manager

Thanks a lot for your help !

k0dard

lee42x

Ahh, we are getting closer. The full-nelson is two parts, in the first screen , run full-nelson and it should hang. Move to the second screen and run full-nelson again. The second instance gets the "root" privileges and /bin/sh, while the first screen will terminate the program.

Now your observation, I'll bet there was a full-nelson running without a screen from a previous attempt and when you ran the script it found the running copy and got root.

k0dard

Hmm, I know it's two parts, however full-nelson does not hang on the first screen, it just exits with "Exploit failed to get root"

On the other hand, I reboot the VM, I login and run script -c "./full-nelson" and I have root without ever running a second instance of full-nelson.

Btw, a stupid question - when you say screen, you mean switching virtual terminal, CTRL-ALT-F(something) ?

lee42x

My fault for not being clear, "open another terminal session in the GUI" or "open another Virtual Terminal on the console" .
I will continue to investigate and see if I can re-create what you are seeing.

k0dard

OK, I thought so
There's no GUI on ubuntu 10.04 VM, at least not on mine...
Thanks for your help !