Possible exploit?
Something interesting happened to me today. I log onto a Fedora 8 terminal remotely to do the majority of my work using VNC. While I was working, the contents of a flash drive opened to me randomly. I found out later that a person who was physically at the terminal had plugged in their thumb drive and somehow this triggers everyone logged onto the terminal to see the contents of the drive.
Here's the interesting part… I noticed that I had full permissions of the drive and everything in it (including execute).
Consider…
Would it be possible to make a thumb drive containing an autorun.sh with the following contents
cp /etc/shadow /home/ME/
chown ME /home/ME/shadow
It works on my old SUSE box but I'm not sure if GNOME has been updated to stop this from happening. I'm assuming that this is happening because of a GNOME script but I don't have access to these folders.
Any knowledge is greatly appreciated.
-Scobe
EDIT: Will JTR work on shadow? I've never messed with Linux passwords.
scobe wrote: Something interesting happened to me today. I log onto a Fedora 8 terminal remotely to do the majority of my work using VNC. While I was working, the contents of a flash drive opened to me randomly. I found out later that a person who was physically at the terminal had plugged in their thumb drive and somehow this triggers everyone logged onto the terminal to see the contents of the drive.
Here's the interesting part… I noticed that I had full permissions of the drive and everything in it (including execute).
Consider…
Would it be possible to make a thumb drive containing an autorun.sh with the following contents
cp /etc/shadow /home/ME/
chown ME /home/ME/shadow
It works on my old SUSE box but I'm not sure if GNOME has been updated to stop this from happening. I'm assuming that this is happening because of a GNOME script but I don't have access to these folders.
Any knowledge is greatly appreciated.
-Scobe
EDIT: Will JTR work on shadow? I've never messed with Linux passwords.
Yes, you can use JTR to crack the passwd hashes. The problem is that now in most distros you have shadowed passwords, and the shadow file can only be accessed by root. So the user would have to be either retarded or running root as the default user, or, you know, have messed up access rights on his system; this stuff happens sometimes though. It's a sweet, yet I'd say outdated, exploit that you won't find much use for.
Also, whether the thumb drive actually gets executed very much depends on the particular distro and system configuration.
There's a tool out there called the USB pocketknife (a.k.a. USB Hacksaw/Switchblade) that does something very similar to this (along with a bunch of other stuff) for Windows machines.
Anyway, how often do you have physical access to other people's servers? I don't ever have it, but you might be different.
If you do have physical access a lot, maybe you should code a tool for Linux to do some cool stuff when a flash drive is plugged in.
[x] Check out some rooting material like RTB or STS.
[x] Go learn about exploits and how they work.
[x] Learn about different ways to use the exploit you've found. (You might not have sufficient privileges to just upload it, compile it, or run it normally, in which case you should look into how to obtain the proper permissions.)
Oh god. In case anyone is wondering, the "su" command doesn't work in scobe's case, as he himself had mentioned that he doesn't have root access, and since the command requires the root password for it to execute, it won't work for him.
Oh, and typing su in capitals doesn't work since *nix/Linux is case-sensitive.
I hope I didn't make any mistakes.
fuser wrote: Oh god. In case anyone is wondering, the "su" command doesn't work in scobe's case, as he himself had mentioned that he doesn't have root access, and since the command requires the root password for it to execute, it won't work for him.
Oh, and typing su in capitals doesn't work since *nix/Linux is case-sensitive.
I hope I didn't make any mistakes.
Well, theoretically there could be a blank root password, so su would give you root straight away :D
But then again, we aren't talking about a Linux box that was set up by a retarded person, I guess…
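
Added example, not part of any post in this thread: a small audit an administrator could run for the two conditions the replies raise, namely whether removable media is mounted with options that allow execution and whether the shadow file is readable by non-root users. The sample mount lines are constructed, and treating /media and /run/media as the removable-media locations is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are constructed,
# in /proc/mounts format (device, mount point, type, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /media/disk vfat rw,nosuid,nodev,uid=500 0 0
/dev/sdc1 /media/usb2 vfat rw,nosuid,nodev,noexec,uid=500 0 0
/dev/sdd1 /media/usb3 vfat rw,uid=500 0 0'

# Read mounts-format lines on stdin and print each removable-media mount
# (assumed here to live under /media or /run/media) that lacks any of
# noexec, nosuid or nodev.
risky_media_mounts() {
    while read -r _dev mnt _type opts _rest; do
        case "$mnt" in
            /media/*|/run/media/*) ;;
            *) continue ;;
        esac
        missing=""
        for want in noexec nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing:$missing"
        fi
    done
    return 0
}

# Succeed if the file's "other" read bit is set, i.e. any local user can read it.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Stand-alone run: audit the constructed sample, then the real shadow file.
printf '%s\n' "$SAMPLE_MOUNTS" | risky_media_mounts
if world_readable /etc/shadow; then
    echo "/etc/shadow is world-readable"
fi
```

To audit a live system, feed the function the real table with `risky_media_mounts < /proc/mounts`.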