Local root exploit code for Ubuntu?
June 11, 2013 9:54 AM   Subscribe

Motivated by a combination of curiosity and laziness, I want to gain root privileges on an Ubuntu 10.04 machine (which belongs to me). I'm pretty sure I failed to apply any security updates, so hopefully there are some unpatched holes. I have an account which I can log in to, but I have forgotten my password so I can no longer sudo. It's not easy to physically access the machine, so I can't boot to single user mode. I have found sites which provide exploit code, but the exploits seem to be crippled in a highly responsible way. Where are the non-crippled versions?
posted by beniamino to Computers & Internet (10 answers total)
 
Best answer: There was a recently publicized Linux kernel vulnerability which allows a local user to gain root privileges. The vulnerability was silently patched at one point, but if your machine has not been updated in a while, you may still have a vulnerable kernel.

I believe that the exploit code linked in the Ars article is intended to work, but it apparently requires a specific GCC version to compile.

http://packetstormsecurity.com/files/121616/semtex.c
posted by jingzuo at 10:07 AM on June 11, 2013


Is the disk encrypted? If not, the easiest way is to boot off a live CD or something, mount the partition holding /etc and then replace the password hash for your account in /etc/shadow with one for a known password.

Or is that too simple?
posted by Good Brain at 11:09 AM on June 11, 2013


(Good Brain: He says he doesn't have physical access.)
posted by Now there are two. There are two _______. at 11:22 AM on June 11, 2013


Why doesn't he have physical access? If it is his, this should be easy. I am suspicious.
posted by squirbel at 11:25 AM on June 11, 2013 [2 favorites]


Can you explain more of the details here?

* How are you logging in without a password? Stored ssh keys or something?
* If it is your machine, how can you not physically access it?

I too am suspicious.

That said, the full kernel version and glibc versions will help people help you.
posted by ish__ at 11:29 AM on June 11, 2013


Response by poster: > Why doesn't he have physical access?
> If it is his, this should be easy. I am suspicious.

To attempt to put your minds at rest: The machine is awkward to access, rather than impossible (hence the laziness) -- I need to go to where it is, bring a monitor with me, dig out cables. I normally access the machine (which is several years old) with an ssh key, which is how I have managed to forget my password.

> That said, the full kernel version and glibc
> versions will help people help you.

$ uname -a
Linux machinename 2.6.32-41-generic #90-Ubuntu SMP Tue May 22 11:29:51 UTC 2012 x86_64 GNU/Linux

$ /lib/libc.so.6
GNU C Library (Ubuntu EGLIBC 2.11.1-0ubuntu7.10) stable release version 2.11.1, by Roland McGrath et al.
posted by beniamino at 11:50 AM on June 11, 2013


Best answer: If you want to do this just as an exercise in exploiting a machine, get yourself a copy (via a livecd or VM) of BackTrack5. Metasploit will be your tool of choice, but the learning curve can be a little steep. There used to be an 'auto-pwn' tool that leveraged metasploit, but I think it's been removed from the most recent releases of BT.
posted by jquinby at 11:59 AM on June 11, 2013


Response by poster: p.s. semtex.c looks good, but I've failed so far to compile gcc 4.6.
posted by beniamino at 11:59 AM on June 11, 2013


Best answer: If you applied no patches, this exploit was verified to work on 10.04.
posted by nerdinexile at 8:15 PM on June 11, 2013


Response by poster: Couldn't compile semtex, metasploit was too hard, and the MOTD thing didn't work. Oh well, I went and dug out the machine and did it the legit way.
posted by beniamino at 3:18 AM on June 12, 2013

