/*
- expand_stack SMP race local root exploit
- Copyright (C) 2005 Christophe Devine and Julien Tinnes
- This program is quite unreliable - you may have to run it
- several times before getting a rootshell. It was only tested
- so far on a bi-xeon running Debian testing / Linux 2.4.29-rc1.
- Vulnerability discovered by Paul Starzetz
- http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt
Nice try, I'll give them that.
I got a call from Dan the Network engineer that a machine I manage had registered a large network spike overnight. When I heard that it was a large spike from the machine, I knew it wasn't a DoS (Denial of Service) attack, but was probably participating in one.
I unplugged the machine from the network then logged in from the console. I was able to find the rogue process (masquerading as an Apache process—nice job!) listening on some randomly picked port, giving anyone that connected to that port a command line:
#!/usr/bin/perl
Telnet-like Standard Daemon 1.0
Dark_Anjo - dark_anjo666@hotmail.com
- dark_anjo@nucleozero.com.br
- www.xn.rg3.net
- www.red.not.br/xn
For those guys that still like to open ports
and use non-rooted boxes
This has been developed to join in the TocToc
project code, now it's done and I'm distributing
this separated
This one i made without IO::Pty so it uses
only standard modules... enjoy it
tested on linux boxes.. probably will work fine on others
any problem... #expl0its@irc.brasnet.org
But fortunately, the exploit (quoted at the top) didn't work on the machine so the shell obtained was a non-root shell.
Apparently, the customer account information was leaked and the crackers were able to FTP their scripts onto the server. Not much that can be done about that, other than telling the customer to keep a tighter lid on their login information.
And as I like to remind myself, it could have been worse [1] …
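One way to spot a process masquerading as Apache like the one described above, as an added example that is not part of the original post: the name `ps` shows comes from `argv[0]`, which a Perl script can overwrite, while the `/proc/<pid>/exe` link still points at the real interpreter. The function name, the list of Apache names and the `proc_root` parameter are assumptions made for this sketch.

```python
import os

# Names the rogue process might claim (assumed list, adjust per distribution).
APACHE_NAMES = ("httpd", "apache", "apache2")

def claimed_name(cmdline: bytes) -> str:
    """Basename of argv[0] as shown by ps; the process itself can rewrite it."""
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    # A script that sets $0 = "/usr/sbin/httpd -k start" puts the fake
    # arguments inside argv[0] too, so keep only the first word.
    return os.path.basename(argv0.split(" ", 1)[0]) if argv0 else ""

def find_fake_apache(proc_root="/proc", names=APACHE_NAMES):
    """Return [(pid, claimed, real_exe)] for processes that call themselves
    Apache while /proc/<pid>/exe points at some other binary."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                claimed = claimed_name(fh.read())
            real = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        # The kernel appends " (deleted)" when the binary was unlinked.
        real_base = os.path.basename(real.removesuffix(" (deleted)"))
        if claimed in names and real_base not in names:
            hits.append((int(entry), claimed, real))
    return sorted(hits)

if __name__ == "__main__":
    # Run as root so the exe links of other users' processes are readable.
    for pid, claimed, real in find_fake_apache():
        print(f"pid {pid} claims to be {claimed} but runs {real}")
```

A hit only says the name and the binary disagree; checking which port the pid is listening on and who owns it is the follow-up.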