Archive for the ‘Cool Stuff’ Category

Linux kernel 2.6.31 perf_counter_open exploit

Thursday, September 24th, 2009

Well, it has been a while since my last technical post … more than 1 year?!? Wow, time runs so fast :)

So let’s go for a post about Linux kernel exploitation (yeah, I know, sounds cool). We will exploit a quite recent bug in kernel 2.6.31 (still unpatched at the time of writing) in the perf_counter_open syscall (CVE-2009-3234) to gain root privileges. As real hackers say, f34R.

But let’s start at the beginning: the bug.

perf_copy_attr and the dual fail
The perf_copy_attr function is meant to copy a data structure (of type perf_counter_attr) from user space to kernel space. Its definition is:

/* copies a perf_counter_attr from user space (uattr) into kernel space (attr) */
static int perf_copy_attr(struct perf_counter_attr __user *uattr,
                          struct perf_counter_attr *attr)

Here uattr is a pointer to the (source) user space structure, and attr is a pointer to the (destination) kernel space structure.

Intel(r) switches backdoor

Monday, May 19th, 2008

I recently got an Intel(r) Express 530T switch from eBay. It’s a “Manageable” switch, which means that you can connect to the switch through a null modem cable, telnet or a web interface to modify the switch configuration (change MAC address filtering, create/delete VLANs, change port speeds and priority, …).

But when I tried to connect to the switch, I discovered that the switch hadn’t been reset, and that the seller didn’t give me the username and password needed to manage the switch.