My 64-bit Ubuntu 10.04 LTS runs kernel 2.6.32-37-generic, and this exploit does not work on it.
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/14812/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x402028.
[+] Calculating su padding.
[+] Seeking to offset 0x40201b.
[+] Executing su with shellcode.
bloom@Happy:~$ id
uid=1000(bloom) gid=1000(bloom) groepen=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),104(fuse),105(lpadmin),112(netdev),119(admin),122(sambashare),123(vboxusers),1000(bloom)
bloom@Happy:~$ whoami
bloom
From kernel 2.6.39 onward it does, indeed. But also on kernel 3.1.0-1, which I have running on my Debian server and on my small boxes. So a fix clearly still needs to be released for that...
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/9646/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401fa8.
[+] Calculating su padding.
[+] Seeking to offset 0x401f9b.
[+] Executing su with shellcode.
# id
uid=0(root) gid=0(root) groups=0(root),20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(bloom)
# whoami
root
And so the exploit succeeded!