Tails,cause we care about our privacy

tails-torTails, is a live system that aims at preserving your privacy and anonymity. It helps you to use the Internet anonymously almost anywhere you go and on any computer but leave no trace using unless you ask it explicitly.

How does this work you might ask?

Tails relies on the Tor anonymity network to protect your privacy online: all software are configured to connect through Tor, and direct (non-anonymous) connections are blocked.

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

In short if you have every used a bootable Live CD/DVD/USB media before its the same concept just that this project focus on your privacy.

What’s under the hood?

A set of note worthy Firefox extension:

  • Adblock Plus
  • Cookie Monster
  • FoxyProxy Standard
  • HTTPS-Everywhere
  • NoScript
  • Torbutton

Screen Shot 2013-05-26 at 1.14.06 PM

 

A few extra bonus applications for the paranoid at heart:

  • Create ecycrpted volumes with TrueCrypt
  • Securely delete files with Nautilus
  • Manage passwords using KeePassX
  • By default your browser is pointed to https://startpage.com/, the world’s most private search engine.

Lastly, another option that felt was nice was the ability to use the “Windows Camouflage” mode, this basically makes Tails look more like Microsoft Windows XP. This is useful in public places in order to avoid attracting suspicion.

So now you have a new OS to enhanced your desire for privacy. Have fun and please let us know what other methods you are using.

My first expirience at installing a custom rom

  So after having my Droid Bionic for a few months now I have decided to take the leap from rooting to roming. A quick definition on Rooting and Roming from the nice people over at droidlessons.com:

What is Rooting?

“Rooting” your device means obtaining “superuser” rights and permissions to your Android’s software. With these elevated user privileges, you gain the ability to load custom software (ROM’s), install custom themes, increase performance, increase battery life, and the ability to install software that would otherwise cost extra money (ex: WiFi tethering). Rooting is essentially “hacking” your Android device. In the iPhone world, this would be the equivalent to “Jailbreaking” your phone.

Custom Software (ROM’s)

You may have heard of people loading custom “ROM’s” on their devices. A “ROM” is the software that runs your device. It is stored in the “Read Only Memory” of your device. There are many great custom ROM’s available that can make your Android device look and perform drastically different.

After hanging around rootzwiki forum, listening to Droid Nation and Android App Addictspodcast I felt like I was ready to install my first custom  rom. My rom of choice was [K]IN3TX v1.0 some features about this rom:

  • Latest BusyBox
  • Superuser (Updated Binary)
  • Battery Optimization
  • Fully ROOTED
  • SD Card Read tweaks
  • Built Off of 5.8.894 OTA
  • Advance Power Menu
  • Scrollable Power Toggles in Pull Down
  • FULL Custom UI
  • PNG Optimization
  • init.d Run Support

Just to name a few..

You can read the full posting about this rom over at the rootzwiki forum their you will also find the various downloads that you would need. However I will highlight a few steps I took:

After you are finish installing log-in setup your device, then you can boot back into CWM wipe your cache, and dalvik then install add-on or tpak of your choice, I installed the ICS tpak.

Now as anyone might expect the first time you are doing something like this you have to realize that you might make a mistake, but you can only hope it doesn’t hurt you too much. The mistake I made was that I copied the wrong add-on pack to my sdcard but not the base rom, and since I already wiped my system partition I was unable to reboot my phone into recovery mode after I copied the correct file via another device.

How I corrected this issue you might ask yourself, I had some help from my buddy Highlander-:  over at the Podnutz IRC chat room. He pointed me to a tool call RSDlite, which allowed me to flash my phone back to the stock rom and from there I followed the steps outlined above and all was well the second time around :). You have got to love the power of the Internet and great communities.

Have fun roming and you can comment back and let me know which rom is your favorite. I have only tried one and I must say I absolutely love it!

Reference Links:

http://droidlessons.com/what-is-rooting-on-android-the-advantages-and-disadvantages/
http://forum.xda-developers.com/showthread.php?t=1348587
http://www.addictivetips.com/mobile/unbrick-motorola-droid-bionic-with-rsd-lite-5-5-guide/

 

 

My Fedora 15 experience

So as most of you might know by now the development team over at Fedora has release a new version of the ever popular Linux distribution; Fedora 15 code name “LoveLock”. This posting is not to get into too much details about the new version or various ways in which you can  install it or anything of the sort for that you can visit Fedora documentation wiki.

The following are major features for Fedora 15:
  • GNOME 3 including the new GNOME 3 shell
  • KDE 4.6 with the improved Plasma workspace, enhanced core applications, and greater memory efficiency.
  • XFCE 4.8 with a new panel, Thunar enhancements and more.
  • Virtualization improvements including Spice support in virt-manager and support for Xen hosts.

Those features listed above are just a few of the great improvements that the new version has to offer, but as with anything new the are some give and take. I took the leaf of faith and installed the new version the day after it was released and I must say it was not what I was expecting at all.

Since I was running Fedora 14 on my Eee PC I figured it was going to be a quick and easy upgrade, so I went over the the wiki and fellowed the below steps:

First install the new fedora 15 gpg key. You may wish to verify this package against https://fedoraproject.org/keys and the fedora ssl certificate.

rpm --import https://fedoraproject.org/static/069C8460.txt

Upgrade all packages with

yum update yum
yum clean all
yum --releasever=15 --disableplugin=presto distro-sync

Problem #1

As simple as the above upgrade looked it didn’t turn out to be so simple for me, the upgrade processes kept failing and when it finally worked and I was prompted to reboot the system would hang at the logo.

If  I hit the ESC key during boot up I would notice that the system was hanging at  “Starting SYSV: Late init script for  live image, Started SYSV: Late init script for live image”.

At this point I know it was time to signup for the mailing list and visit freenode.net #fedora in search of an answer, but since it was a new release everyone else was also asking for help so I had to wait a bit.

I tried a few things but in the ended wiping out my Fedora 14 and installing Fedora 15. At that point I got a potential fix in a reply to my mailing list cry for help, the suggestion was to:

Log into single user mode  and removed all kmod packages, then installed akmod packages through command line.

Once my new install was finish I realized quickly that Gnome 3 was not the way to go on my Eee Netbook, I quickly had the following issues:

  • Screen kept diming eventhough I chaged the power management  and other setting.
  • My wireless connection strength dropped by about 50% even though I was in the same room with the AP, prior to that Fedora 15 I had near perfect signal.
  • The entire windowing experience was too slow, and bulky looking for my Netbook, It was hard to work with two windows side by side.

Filtering Gmail/Facebook/Twitter with IPtables

In most cases port base filtering  is an all or none approach. For example if you want to block  a user from accessing a certain website, blocking that user’s access to port 80/443 outbound will stop them from accessing all websites not just that one. If you would like to get more granular then you would need some sort of  web content filtering systems.

Good news is, if you are still using iptables you are now able to filter traffic destined to sites such as Facebook, Twitter, Gmail etc. You can accomplish this by using iptables to block a given hex string that will appear in the initial packet handshake. I first saw this technique being discussed in a full-disclouser posting and I figured it was worth trying out.

The tools of choice here is Ngrep (Network Grep) and IPTables .

Step one: Capture the X.509 certificate

You will be doing this by using ngrep:

[infolookup@Test ~]# ngrep -d eth2 -q -x ‘Twitter’
interface: eth2 (10.100.0.0/255.255.255.128)
match: Twitter

You will then notice the following output in your terminal:

<snip>

T 199.59.148.11:443 -> 10.100.0.119:38414 [A]

  1. 30 30 31 16 30 14 06 03    55 04 0a 14 0d 54 77 69    001.0…U….Twi
  2. 74 74 65 72 2c 20 49 6e    63 2e 31 1c 30 1a 06 03    tter, Inc.1.0…
  3. 55 04 0b 14 13 54 77 69    74 74 65 72 20 20 4f 70    U….Twitter  Op

</snip>

Step two: Creating your IPtable rule

You will be building your rule based on the hex string obtained above.

Prior to applying the rule I able to run the following command:

[infolookup@Test]$ curl –connect-timeout 60 https://www.twitter.com/
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>301 Moved Permanently</title>
</head><body><h1>Moved Permanently</h1>
<p>The document has moved <a href=”https://twitter.com/”>here</a&gt;.</p>
</body></html>

IPtable rules to use:
http://pastebin.com/1HQD017A

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j DROP

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j LOG

The first rule will drop the connection to twitter and the second rule will log the entry. If you take a look at your /var/log/message you will see the following entry over and over:

Apr  7 00:05:11 Test kernel: [870656.036848] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58494 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

Apr  7 00:05:19 Test kernel: [870664.675930] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58496 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

If you try to access http://www.twitter.com you will get to the site, but when you try login the session will set there and just timeout.

[infolookup@Test]$ curl –connect-timeout 60 https://www.twitter.com/
curl: (35) SSL connect error

Note:

I was unable to use the following IPtable rule on a Ubuntu based system but it worked fine on my Fedora 14 test box. Also another thing to look out for is if you use too short of a hex string will will get an error the one I used was about 85 characters give or take.

Have fun filtering and post your comments about how you are currently using IPtables.

 

Notes for Linux Basix Episode 39

I  will be joining the guys over at the   Linux Basix podcast tonight and below are some of the things I intend to discuss.

Discussion Links:

  1. 7 Best Network Security Linux Distributions (DoortoDoor): A list of special purpose distros [BackTrack, Network Security Toolkit(NST),Pentoo, nUbuntu(Network Ubuntu),Security Tools Distribution(STD),Helix,Damn Vulnerable Linux]. These distributions are mainly designed to perform network security tasks such as vulnerability assessment and penetration testing in order to prevent and monitor unauthorized entry, abuse, alteration, or denial of computer network resources. Since most of these distros are available as Live CDs, you could instantly try or use them without hard disk installation. Read more over at http://www.junauza.com/2011/01/network-security-linux-distros.html
  2. Soundminer: A Stealthy and Context-AwareSound Trojan for Smartphones: Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study.Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. Read more over at http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data

Tech Segment: Password reset the hard way

Problem: I was tasked with retrieving or resetting the web login password to a Linux based custom build system, very similar to an appliance. I currently had limited shell access to the system however I was not certain if the password was stored in /etc/passwd or in some sort of database on the system.

**Before we begin just know that everything mentioned here will probably not work on a normal Ubuntu based system, the manufacture possibly used their know custom Kernel and other system tweaks.**

Commands used:

  1. netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser – a command line tool to identify processes using files or sockets.
  3. lsof – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system – Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.
  5. uname- Print name of current system

Phase one “Getting to know the system”:

I started off with a few simple commands to try and identify what various of Linux was the system running:

uname -a (Verify what kernel version I was up against)

yum (To see if it was a Fedora based system)

apt-get (To see if it was an Ubuntu based system and it was)

cat /etc/issue (To check what flavor of Ubuntu, turned out it was “Ubuntu 8.04”)

Next I wanted to get Root access without resetting the Root account password. I figured this would prevent me from having to deal with any restrictions issues.

Created a user called testuser
user@host:~$ sudo adduser testuser

Edit the password file and changed UID and GID to that of root (testuser:x:0:0)
user@host:~$ sudo nano /etc/passwd

Then once  I logged in newly created testuser and I am automatically given root access.
user@host:~$ su – testuser

Since I know that the service I am interest is running on port 443, I will run  few  commands to get a better ideal of whats really going on with this port.

Netstat to view the connection stated and PID for the services running on port 443:

root@host:~# netstat -tulpn | grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5548/pound

To confirm the processes PID use the fuser command:

root@host:~# fuser 443/tcp
443/tcp:              5548  5549

To find out process name and working directory associated with PID # 5548, enter:

root@host:~# ls -l /proc/5548/exe
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/exe -> /opt/pound/sbin/pound

root@host:~# ls -l /proc/5548/cwd
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/cwd -> /opt/app_name/rails/ssl

Now I have an application name and working directory to go investigate. After further research I found out that Pound is a reverse-proxy load balancing server, and the config file showed me it was passing all connection on port 443 to another port on the same server.

I then used lsof to further investigate the newly discovered port:

root@host:# lsof -Pnl +M -i4
mongrel_r 5623      112    3u  IPv4  14528       TCP 127.0.0.1:3000 (LISTEN)

Then to find out the processes own:
root@host:# ps aux | grep 5623

app_user      5623  0.0  1.3  40048 28536 ?        Sl   14:14   0:02 /usr/bin/ruby1.8 /usr/bin/mongrel_rails start -d -e production -p 3000 -a 127.0.0.1 -P log/mongrel.3000.pid –user app_user –group app_name

A bit more research and I found out what mongrel_rails was. Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.

After poking around a bit more I notice the tie in with a postgres SQL server that I notice in a few earlier commands. Now on to the fun part!

Phase two “Modifying the system”:

Now that I have realized that the system has a database, and the user account is not location in the /etc/passwd file its time to access database identify the user account and make some modifications.

su – postgres to change to the postgres SQL user:
root@host:~# su – postgres

Launching PostgresSQL interactive terminal:
postgres@piab:~$ psql

List all the roles and Superusers :
postgres-# du
List of roles
Role name | Superuser | Create role | Create DB | Connections | Member of
———–+———–+————-+———–+————-+———–
postgres  | yes       | yes         | yes       | no limit    |
App_User  | no        | no          | no        | no limit    |
(2 rows)

List all database on the system:

postgres=# l
List of databases
Name    |  Owner   | Encoding
———–+———-+———-
postgres  | postgres | UTF8
App_Name  | postgres | UTF8

Connect to a database:
postgres=# c App_Name

List of tables:
App_Name=# dt

Schema |        Name        | Type  | Owner
——–+——————–+——-+——-
public | schema_info        | table | App_User
public | users              | table | App_User

Query table users:
select * from users;

Fields of interest to me were (id, login, email, password, salt_val,passwd_create,passwd_updated)

Now before I went any further I ensured to dump the DB using pg_dump and pg_dumpall
postgres@host:~$ pg_dump dbname > /tmp/dbname.out
postgres@host:~$ pg_dumpall > /tmp/db.out

At this point I had a few options:

  • Try to reverse the password encryption and salting mechanism
  • Try to find the code that handles the authentication and bypass that
  • Get access to another box, create a password and copy that hash and encrypted value over to the DB on the other system.

Luckily for me I had access to another device so I  created a password there, and queried that DB and copied over the encrypted password and hash into notepad then used an insert statement to add to the values to the db along with a test user.

Connected back to the DB:
postgres=# c App_Name

Insert new records:
INSERT INTO users (id,login,email,password,salt_val,created_at) values (‘2′,’demo’,’demo@localhost’,’9abdgagf42324243240fdbd’,’8d5d6cd8fa6a0323jb3240988324′,’2006-12-05 21:15:32′);

Went back to the login portal https://ipaddress and bingo! Big shout out to byte_bucket over at irc.freenode.net #pauldotcom, he was very helpful in helping me work through this.

Additional reading:

http://www.cyberciti.biz/faq/what-process-has-open-linux-port/

http://linux.die.net/man/8/pound

http://linux.die.net/man/1/pg_dump

https://support.eapps.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=180

http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/


LinuxBasix 034 Podcast segment notes

FWKNOP Tech Segment

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single ‘knock’ is needed, consisting of an encrypted packet.[1

Single Packet Authorization

Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA).

Steps to take:

Install fwknop Server

pre-requisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop(client and server)
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# ./configure
# make
# make install

Side note: If you get the following error while loading  “shared libraries: libfko.so.0: cannot open shared object file: no such file or directory” then you may need to create a symbolic link in the /usr/lib directory for the library file:

# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.o.o.2 libfko.so.0

Config files:

Browse to –> /usr/local/etc/fwknop), you will see two files access.conf and fwknop.conf.

Edit the  fwknop.conf file, and  uncomment and set the options  for your interface “PCAP_INTF eth0”.

Next edit your access.conf file to allow access  based on your liking (users, port, key, etc).

A simple suitable config:

SOURCE: ANY;
KEY: P@$$W0r); //must be over 8 characters
REQUIRE_USERNAME: infolookup;
OPEN_PORTS: tcp/222;
FW_ACCESS_TIMEOUT: 30;

clear out your old IP rules and some default rules to drop all incoming traffic.

IP Tables rule:

#!/bin/sh
# Script to reset your iptable rules

# Load modules for  tracking and NAT
modprobe iptable_nat

# Initialize all the chains by removing all rules
iptables –flush
iptables -t nat –flush
iptables -t mangle –flush

# Delete any user-defined chains
iptables –delete-chain
iptables -t nat –delete-chain
iptables -t mangle –delete-chain

# Set default policies
iptables –policy INPUT DROP
iptables –policy OUTPUT ACCEPT
iptables –policy FORWARD DROP

# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# log all incoming and forward traffic on eth0 device
#iptables -A INPUT -i eth0 -p all -j DROP
iptables -A INPUT -i eth0 -j LOG –log-prefix “DROP”
iptables -A FORWARD -i eth0 -j LOG –log-prefix “DROP”

# Accept internally-requested input
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept internally-requested forward
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept user-specified traffic
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo “iptables policy enabled”

Start the server with –> # fwknopd -f -vv

Testing rules after configuration:

I tried to ssh to the Ubuntu server via my windows box which is IP 192.168.19.1 on port 22 and as you can see from the below image I was block and it was logged as expected:

Next I launched the windows client and typed in my configured information that was set-up during the config stage. Once you click “Send SPA” then try to login again via your SSH client within 30 secs and you should be able to now get in.

Additional reading:

http://www.cipherdyne.org/fwknop/

http://www.securitygeneration.com/single-packet-authorization/

http://aerokid240.blogspot.com/

http://www.cipherdyne.org/fwknop/download/ –> Windows client

Linux Kernel Exploit PoC Testing

About an hour or so ago I notice a posting on the Full Disclosure mailing list with a proof of concept code (PoC) that will allow a non-privileged user to gain Root access on a Linux system , below is a snippet from the comment section of the code that explains it.

–snip–

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* ————-
* This is the interesting one, and the reason I wrote this exploit.  If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok().  However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* ————-
* This is a NULL pointer dereference in the Econet protocol.  By itself, it’s
* fairly benign as a local denial-of-service.  It’s a perfect candidate to
* trigger the above issue, since it’s reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* ————-
* I wouldn’t be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren’t able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn’t have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex.  It wouldn’t be too hard to fix this up, but I didn’t bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

Naturally I would feel incline to turn up a Linux VM to test this exploit, I decided to go with a fully patched Ubuntu 10.10 with kernel version 2.6.35-23-generic to start my testing however the exploit fail on this system. I then decided to go with a default install of Unbuntu 10.10 with Kernel version 2.6.35-22-generic and to my amazement it worked.

Steps taken:

Ensure that I have gcc isntalled since the exploit was written in C.

infolookup@ubuntu:/tmp/exploitpoc$ touch full-nelson.c

Once the file is created simply copy the PoC from http://pastebin.com/qKZp2Qic or from the original post
and paste it into your newly created file.

infolookup@ubuntu:/tmp/exploitpoc$ nano full-nelson.c

Next just execute it….

infolookup@ubuntu:/tmp/exploitpoc$ gcc full-nelson.c -o full-nelson

infolookup@ubuntu:/tmp/exploitpoc$ ./full-nelson.c

And as you can see from the image above “Got Root”!