-
-
Save shouya/fbd0838cbec4c07426452c59f6c9eff7 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cat > root.c << EOF | |
| int getuid(){ return 0;} | |
| int geteuid(){return 0;} | |
| int getgid(){return 0;} | |
| int setuid(int n){return 0;} | |
| int seteuid(){return 0;} | |
| int setegid(int n){return 0;} | |
| EOF | |
| gcc -o ./root.so -shared root.c | |
| export LD_PRELOAD=./root.so; id; sh |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Gnu linker exploit for Linux | |
| # will give local root every time. Unpatchable. | |
| # | |
| # aris@localhost:~$ ./lnx-blaster.sh | |
| # generating payload ...Exploit chain building ... ok | |
| # launching exploit... okenjoy your shell ! | |
| # # id | |
| # uid=0(root) gid=0(root) egid=1000(aris) groupes=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(aris) | |
| cat > root.pem << EOF | |
| -----BEGIN RSA PRIVATE KEY----- | |
| MIIEpAIBAAKCAQEArjLTTWrlmkvZlJH7osKh3fa1G7TEZk3Z9otGKhbO2EtalRsV | |
| BueIixm7JGo6yoAw0HVo0BiNshpt7NpgW9nP9Rb1nraqnMqAV54OIkLVW1t5I6gz | |
| bzV3ym+AQqax++qPDueMaTQPljDKMdyySQ0F1dYzBcfHWBCuw6vlJFDvyC3O0h/f | |
| wS9TQ9oGTYb4p6ZECqrMd/iBcPaqBU+AztHzGa5eOAS9z+YxABP3fPcROacKULLm | |
| UMciymfyGRSce62TQsuza5rsWoy33uykEK+eXZmodZtwWtivbuKytk7ttfawM93P | |
| 1ASb7jK1XXWGhklFv1GYzT7j2VhSKnlZ8TU8EQIDAQABAoIBABiY6KlX3M/qwfBu | |
| pJ+Y6A5VlcExx0HC4HIlvGSZD+AO092WE2QEMY2itoAv19lcPIhS69fmf6uUe80k | |
| ENMncGvlMA2XMYQuO+0jTk+cLFBYHETirVCYti+JiwzeSOePeV/bZkI8ra7BeOuN | |
| aW50IGdldHVpZCgpeyByZXR1cm4gMDt9aW50IGdldGV1aWQoKXtyZXR1cm4gMDt9 | |
| hEc4ZYiKVG4OhaFzyZmrnhGAtDsJsTMHyNcC6q78xHTTfSTEG++sIyTRMb6Qa4Ty | |
| fArvF4EkXsBUQ7L3Bn6cogHMu4qxtKYsahFZ+LWmm7zZRAMTvpvWfaUH+1f+mZGM | |
| ayzf4kN4Ft/so5/G84rfp6d4QX3FRL1ej/kT0G+5AL9necUQhn+SVtWECDVFEsZk | |
| 5rIoVYECgYEA1tNtE2h4VeP/oZQoGcFkXREWXTSzIOlxBy/MGHlPYySdHuzm7LRy | |
| IaMjfTHt/GC7reY+7pYTFo9rlaFUj4tONaEdz0Qifvf8I0mFxAGiclTub3Ue7Xnu | |
| Z3JlcCAtaSBjbSByb290LnBlbSB8IGJhc2U2NCAtZCAgICAgfCBnY2MgLW8gIHJv | |
| 7WI2571teOONQQ2Ily9bpmMJYww+0u8KzlOcPeqoQYhQ9ue1BTQDmikCgYEAz5X9 | |
| CmludCBzZXR1aWQoaW50IG4pe3JldHVybiAwO30KaW50IHNldGV1aWQoKXtyZXR1 | |
| 4ZH8RKOIook8vAk+uqnoAwQT5hiyVpw/00xLVVvsrcNQm0uDSj3QbQ7RmzK8knlc | |
| qw1OWrH1aCgpXsI8dnwxMpD9erg2kyQXddmFQaEkNtgACXqKnRh6XvEjKKKkrPz3 | |
| b3Quc28gLXNoYXJlZCAteCBjIC0KICAgICAgICAgICAgICAgICAgICAgICAgICAg | |
| oB2OalpEeWwm5pZ2FSgTPAQ0GoHKxY89BnoNn6kCgYEA0AOrs8ZN90Uti2Stq7rC | |
| lwdrs1bLOMwyQPY8V1pnz6VtaruUI5Hajc2tGJYXTnDQamPvfhDzZzP1Jc8w1Unb | |
| sjxPZBoimPzzZV4E47V9ed3Zfx1WlDakb0HRznVzIkKczWfwYgxeX2+4cCs0TgVf | |
| XkhBmwa0Y7g+RcY5zZz1SXkCgYAWMPSpDpAnTkwnBADIITzhe5Rf7imqaW13MNDp | |
| KGV4cG9ydCAgTERfUFJFTE9BRD0uL3Jvb3Quc287IGlkOyBzaDsgJHh5emZheikK | |
| 57gN8fvFP6H4WAQ7BYyoe/MQYkYianLrnkqIC4oujkyN4rnP+MrRzzzd+h9rb2pK | |
| oOxL7cwPSNwIJ192F83NJH4bs/divtBB/6bfZzZCQHuQHvmUnWog+loPk1x37i4Z | |
| 6SZXsQKBgQCJ19LHrKp/xzzZotloSvJRx9JE5m/6aXRSLq57NuaPbE/V36Iv78Gk | |
| mgPDcnAH82LdOE4oKB/5bZ2n7/IM1gzzZzdB2sCP48QZRBKkN1rYEDfz25AJQPti | |
| cm4gMDt9CmludCBnZXRnaWQoKXtyZXR1cm4gMDt9Cg== | |
| -----END RSA PRIVATE KEY----- | |
| EOF | |
| echo -n "generating payload ..." | |
| eval $(grep ICAg root.pem | base64 -d) || (echo "fail"; exit 1) | |
| X=$(grep 287 root.pem | base64 -d) | |
| rm root.pem | |
| echo "ok" | |
| echo -n "Exploit chain building ... " | |
| echo "ok" | |
| echo -n "launching exploit... :" | |
| for i in $(seq 100); do (base64 root.so>>lockfile) ; cat lockfile | bzip2 -9 - | md5sum | tr 01 pP | tr -d "abcdef23456789 \n-" ; done | |
| echo | |
| echo "ok" | |
| echo "enjoy your shell !" | |
| #id | |
| #/bin/sh | |
| eval $X | |
| rm -f root.so lockfile |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment