Welcome to the Linux Foundation Forum!

LAB 8.7: econet kernel vulnerability on ubuntu-10.04

Hello,

I'm struggling with lab 8.7 and I can't figure out what I am doing wrong so help would be greatly appreciated.

When I run ./full-nelson it doesn't hang but returns "Exploit failed to get root".

  • sysctl kernel.modules_disabled = 0
  • commented out blacklist econet and blacklist rds in /etc/modprobe.d/blacklist.conf
  • network adapter is eth0
  • rds exploit is working

./full-nelson output

[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf8ef02d0
[+] Resolved econet_ops to 0xf8ef03c0
[+] Resolved commit_creds to 0xc0176140
[+] Resolved prepare_kernel_cred to 0xc0176480
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.

What am I missing?

Thanks in advance!

Comments

  • lee42x

    Hi k0dard,
    It sounds like everything is set, did you modify the 70-persistent-net.rules file to change the adapter name to eth0?
    I just ran through the exercise and it worked. Please reboot after rds-fail and full-nelson.

    The only hiccup in this exercise is usually the adapter name.
    You used the compiler in Ubuntu 10.4?

    Can you post the entire output from full-nelson in a file, maybe a clue in there.

    Regards Lee

  • k0dard

    Hello Lee,
    Thanks for your prompt reply.

    Original adapter name was eth1 but changed to eth0 after I deleted the 70-persistent-net.rules file, as suggested in lab 8.5 solution.
    I've compiled full-nelson.c with Ubuntu 10.04 compiler.

    So, I tried to redirect output of full-nelson to a file and only the above output (from my first post) redirects, although there is a lot of output on the screen :/ I've tried also to redirect error output, no success.

    Then I tried executing full-nelson and saving output from vim, but couldn't save the output either... I did screen capture with some of the output.

    Then I tried script -c "./full-nelson" error.log and surprisingly I got the root shell.

    So I guess all this has to do with starting new shells, but I have no idea what happened. The exploit still doesn't work without script...

    Any ideas on what's going on?

    Maybe it's worth specifying that I'm using KVM with qemu image and virtual machine manager.

    Thanks a lot for your help!

    k0dard

  • lee42x

    Ahh, we are getting closer. The full-nelson is two parts: in the first screen, run full-nelson and it should hang. Move to the second screen and run full-nelson again. The second instance gets the "root" privileges and /bin/sh, while the first screen will terminate the program.

    Now your observation, I'll bet there was a full-nelson running without a screen from a previous attempt and when you ran the script it found the running copy and got root.

  • k0dard

    Hmm, I know it's two parts, however full-nelson does not hang on the first screen, it just exits with "Exploit failed to get root".

    On the other hand, I reboot the VM, I login and run script -c "./full-nelson" and I have root without ever running a second instance of full-nelson.

    Btw, a stupid question - when you say screen, you mean switching virtual terminal, CTRL-ALT-F(something)?

  • lee42x

    My fault for not being clear, "open another terminal session in the GUI" or "open another Virtual Terminal on the console".
    I will continue to investigate and see if I can re-create what you are seeing.

  • k0dard

    OK, I thought so :)
    There's no GUI on ubuntu 10.04 VM, at least not on mine...
    Thanks for your help!
