The unixasm is a set of assembly components for proof of concept codes on different operating systems and architectures. These components were carefully designed and implemented for maximum reliability, following strict coding standards and requirements, such as system call invocation standards, position independent, register independent and zero free code. A special attention was put on code length when designing and implementing them, resulting in the most reliable and shortest codes for such purpose available today.

Changes in this version:

• Add support to AIX Versions 6.1.4, 6.1.3, 6.1.2, 6.1.1, 5.3.10, 5.3.9, 5.3.8, 5.3.7.
• Change the base value used for calculating the system call numbers and arguments to avoid null bytes in newer versions of AIX.

These components are also available as part of Metasploit Penetration Testing Framework and Metasploit Express as payload modules.

The unixasm project is now controlled by Git and hosted at GitHub, you can view the project’s page or view project’s repository on GitHub.

I released a new patch for VMware Server 2.0.2 which brings some improvements, adds support for newer versions of the Linux kernel and fixes all the problems mentioned in the previous post. The patch was made to be the least intrusive as possible in the VMware Server 2.0.2 code. It was tested on Ubuntu 9.10 (2.6.31-17-generic) and Fedora 12 (2.6.32.10-90.fc12).

The patch has the following features:

• Add support for versions of the Linux Kernel that implement COW credentials.
• Add support for net_device_ops structure.
• Add support for netdev_priv().
• Remove references to init_mm structure by removing APIC support for 2.6.25 and later (APIC code currently uses the macro pgd_offset_k).
• Suppress GCC warnings.
• Fix the vsock use of exported symbols from from vmci module problem.
• Fix the ether_setup() (misplaced) problem introduced by the previous patch (the NAT network connection problem).
• Fix other known issues.

The following are instructions on how to apply the patch:

Download the VMware Server (VMware-server-2.0.2-203138.i386.tar.gz).

Download the VMware Server 2 update patch #2:

$ wget -N http://risesecurity.org/~rcvalle/VMware-server-2.0.2-203138-update-2.patch

Extract VMware Server:

$ tar -xzf VMware-server-2.0.2-203138.i386.tar.gz

Extract VMware Server modules:

Change working directory to vmware-server-distrib/lib/modules/source/
$ tar -xf vmci.tar
$ tar -xf vmmon.tar
$ tar -xf vmnet.tar
$ tar -xf vsock.tar

Apply the patch:

Change working directory to vmware-server-distrib/
patch -p1 < ../VMware-server-2.0.2-203138-update-2.patch

Archive VMware Server modules again:

Change working directory to vmware-server-distrib/lib/modules/source/
$ rm -f vmci.tar
$ rm -f vmmon.tar
$ rm -f vmnet.tar
$ rm -f vsock.tar
$ tar -cf vmci.tar vmci-only/
$ tar -cf vmmon.tar vmmon-only/
$ tar -cf vmnet.tar vmnet-only/
$ tar -cf vsock.tar vsock-only/

Run installer script as root:

Change working directory to vmware-server-distrib/
$ sudo ./vmware-install.pl

Note for Ubuntu users:

When asked for the current administrative user for VMware Server, specify your user as a different administrator.

Note about VMware Remote Console Plug-in:

The VMware Remote Console Plug-in does not work properly on Ubuntu 9.10, Fedora 12 and other newer distributions. A workaround for this is to set the environment variable VMWARE_USE_SHIPPED_GTK before running the VMware Remote Console Plug-in. To set this environment variable at login time, add the following line to your ~/.profile:

export VMWARE_USE_SHIPPED_GTK=yes

January 18, 2010: Radu Cotescu integrated this patch to the latest version of his script, that now applies the patch automatically in Ubuntu, Fedora and openSUSE. The script is available here.

It has been a while since VMware updates VMware Server to add support for newer versions of the Linux kernel. This is a problem for users of newer distributions such as Ubuntu 9.10 (Karmic Koala) and Fedora 12 (Constantine) who want to use VMware Server.

To resolve this, some unofficial patches that update VMware Server to add support for newer versions of the Linux kernel have been released. However, these patches do not properly add support and have several problems, some of them even require the Linux kernel to be recompiled.

I released a patch for VMware Server 2.0.2 that properly add support for newer versions of the Linux kernel and does not require it to be recompiled. This patch was tested on Ubuntu 9.10 and Fedora 12.

The patch has the following features:

• Add support for versions of the Linux Kernel that implement COW credentials.
• Add support for net_device_ops structure.
• Remove references to init_mm structure by removing APIC support for 2.6.25 and later (APIC code currently uses the macro pgd_offset_k).
• Remove references to dev->priv by using netdev_priv().
• Suppress GCC warnings.
• Fix other known issues.

The following are instructions on how to apply the patch:

Download the VMware Server (VMware-server-2.0.2-203138.i386.tar.gz).

Download the VMware Server update patch:

$ wget -N http://risesecurity.org/~rcvalle/VMware-server-2.0.2-203138-update.patch

Extract VMware Server:

$ tar -xzf VMware-server-2.0.2-203138.i386.tar.gz

Extract VMware Server modules:

Change working directory to vmware-server-distrib/lib/modules/source/
$ tar -xf vmci.tar
$ tar -xf vmmon.tar
$ tar -xf vmnet.tar
$ tar -xf vsock.tar

Apply the patch:

Change working directory to vmware-server-distrib/
patch -p1 < ../VMware-server-2.0.2-203138-update.patch

Archive VMware Server modules again:

Change working directory to vmware-server-distrib/lib/modules/source/
$ rm -f vmci.tar
$ rm -f vmmon.tar
$ rm -f vmnet.tar
$ rm -f vsock.tar
$ tar -cf vmci.tar vmci-only/
$ tar -cf vmmon.tar vmmon-only/
$ tar -cf vmnet.tar vmnet-only/
$ tar -cf vsock.tar vsock-only/

Run installer script as root:

Change working directory to vmware-server-distrib/
$ sudo ./vmware-install.pl

Note for Ubuntu users:

When asked for the current administrative user for VMware Server, specify your user as a different administrator.

Note about VMware Remote Console Plug-in:

The VMware Remote Console Plug-in does not work properly on Ubuntu 9.10, Fedora 12 and other newer distributions. A workaround for this is to set the environment variable VMWARE_USE_SHIPPED_GTK before running the VMware Remote Console Plug-in. To set this environment variable at login time, add the following line to your ~/.profile:

export VMWARE_USE_SHIPPED_GTK=yes

September 7, 2009: I released a second version of the exploit. Now, it also works with Linux Kernel versions which implements COW credentials (e.g. Fedora 11). For SELinux enforced systems, it automatically searches in the SELinux policy rules for types with mmap_zero permission it can transition, and tries to exploit the system with these types. The second version of the exploit is available here.

September 4, 2009: I updated the list of distributions the exploit was tested.

I released an exploit for the Linux sock_sendpage() NULL Pointer Dereference, discovered by Tavis Ormandy and Julien Tinnes. This exploit was written to illustrate the exploitability of this vulnerability on Power/Cell BE architecture.

The exploit makes use of the SELinux and the mmap_min_addr problem to exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The problem, first noticed by Brad Spengler, was described by Red Hat in the Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection.

Support for i386 and x86_64 was added for completeness. For a more complete implementation, refer to Brad Spengler’s exploit, which also implements the personality trick published by Tavis Ormandy and Julien Tinnes.

Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable.

The exploit was tested on:

• CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
• CentOS 5.3 (2.6.18-128.4.1.el5)
• CentOS 5.3 (2.6.18-128.2.1.el5)
• CentOS 5.3 (2.6.18-128.1.16.el5)
• CentOS 5.3 (2.6.18-128.1.14.el5)
• CentOS 5.3 (2.6.18-128.1.10.el5)
• CentOS 5.3 (2.6.18-128.1.6.el5)
• CentOS 5.3 (2.6.18-128.1.1.el5)
• CentOS 5.3 (2.6.18-128.el5)
• CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
• CentOS 4.8 (2.6.9-89.0.7.EL)
• CentOS 4.8 (2.6.9-89.0.3.EL)
• CentOS 4.8 (2.6.9-89.EL)
• Fedora 11 (2.6.29.4-167.fc11)
• Fedora 10 (2.6.27.5-117.fc10)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
• Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
• Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
• Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
• Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
• Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
• Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
• SUSE Linux Enterprise Server 11 (2.6.27.29-0.1) is not vulnerable
• SUSE Linux Enterprise Server 11 (2.6.27.25-0.1)
• SUSE Linux Enterprise Server 11 (2.6.27.23-0.1)
• SUSE Linux Enterprise Server 11 (2.6.27.21-0.1)
• SUSE Linux Enterprise Server 11 (2.6.27.19-5)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.42.4) is not vulnerable
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.39.3)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.37_f594963d)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.34)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.33)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.31)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.29)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.27)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.23)
• SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
• Ubuntu 8.10 (2.6.27-14) is not vulnerable
• Ubuntu 8.10 (2.6.27-11)
• Ubuntu 8.10 (2.6.27-9)
• Ubuntu 8.10 (2.6.27-7)
• openSUSE 11.1 (2.6.27.29-0.1) is not vulnerable
• openSUSE 11.1 (2.6.27.25-0.1)
• openSUSE 11.1 (2.6.27.23-0.1)
• openSUSE 11.1 (2.6.27.21-0.1)
• openSUSE 11.1 (2.6.27.19-3.2)
• openSUSE 11.1 (2.6.27.7-9)

It should also work on early versions of these distributions. The exploit is available here.

Hacking the Cell Broadband Engine Architecture, SPE software exploitation
Hacking the Cell Broadband Engine Architecture, SPE software exploitation (Phrack Magazine)

Linux on Power/Cell BE Architecture Buffer Overflow Vulnerabilities
LoP/Cell/B.E.: Buffer overflow vulnerabilities, Part 1 (IBM developerWorks)
LoP/Cell/B.E.: Buffer overflow vulnerabilities, Part 2 (IBM developerWorks)

Linux Slab Allocator Buffer Overflow Vulnerabilities
Linux Slab Allocator Buffer Overflow Vulnerabilities (IBM developerWorks Brasil)

The unixasm is a set of assembly components for proof of concept codes on different operating systems and architectures. These components were carefully designed and implemented for maximum reliability, following strict coding standards and requirements, such as system call invocation standards, position independent, register independent and zero free code. A special attention was put on code length when designing and implementing them, resulting in the most reliable and shortest codes for such purpose available today.

Changes in this version:

• Bug fixes to AIX POWER/PowerPC assembly components and payload modules.
• New assembly components and payload modules for AIX POWER/PowerPC.
• New assembly components and payload modules for Linux POWER/PowerPC/Cell BE.
• New assembly components and payload modules for Linux POWER/PowerPC/Cell BE (64-bit).

These components are also available as part of The Metasploit Framework as payload modules.

The unixasm is a set of assembly components for proof of concept codes on different operating systems and architectures. These components were carefully designed and implemented for maximum reliability, following strict coding standards and requirements, such as system call invocation standards, position independent, register independent and zero free code. A special attention was put on code length when designing and implementing them, resulting in the most reliable and shortest codes for such purpose available today.

Changes in this version:

• New assembly components and payload modules for AIX POWER/PowerPC.

These components are also available as part of The Metasploit Framework as payload modules.

The unixasm is a set of assembly components for proof of concept codes on different operating systems and architectures. These components were carefully designed and implemented for maximum reliability, following strict coding standards and requirements, such as system call invocation standards, position independent, register independent and zero free code. A special attention was put on code length when designing and implementing them, resulting in the most reliable and shortest codes for such purpose available today.

Changes in this version:

• New Find socket code (fndsockcode) assembly components for all already supported operating systems and architectures.
• New assembly components and payload modules for Mac OS X x86.

These components are also available as part of The Metasploit Framework as payload modules.