Linux Kernel 2.6.x PRCTL Core Dump Handling – Local r00t Exploit ( BID 18874 / CVE-2006-2451 )


A working version of the exploit used to escalate privileges to root in the recent Debian breakin, ah another root kernel exploit.

It’s to do with the way the kernel handles file permissions (or lack of) on core dumps.

Linux kernel is prone to a local privilege-escalation vulnerability.

A local attacker may gain elevated privileges by creating a coredump file in a directory that they do not have write access to.

A successful attack may result in a complete compromise.

Linux kernel versions prior to 2.6.17.4 are vulnerable.

/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */ /* By: */ /* - dreyer (main PoC code) */
/* - RoMaNSoFt (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/

#include stdio.h
#include sys/time.h
#include sys/resource.h
#include unistd.h
#include linux/prctl.h
#include stdlib.h
#include sys/types.h
#include signal.h

You can download it here:

Linux Kernel 2.6.x PRCTL Core Dump Handling Exploit

Posted in: Exploits/Vulnerabilities, Linux Hacking

, , , ,


Latest Posts:


RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.


2 Responses to Linux Kernel 2.6.x PRCTL Core Dump Handling – Local r00t Exploit ( BID 18874 / CVE-2006-2451 )

  1. Silahsiz Kuvvetler August 6, 2006 at 1:07 am #

    this exploit is not bad but it is not the best too…but you published the little part of it..it’s not whole

  2. darren September 6, 2006 at 11:46 am #

    Silahsiz Kuvvetler which one do you use?