It would help if the exploit bothered to invoke bash (/bin/sh on almost all Linux distros) with -p so that it didn't drop euid root. There are a lot of reasons why this shouldn't work on SELinux, using a strict policy, other than (file?) contexts.

"\n* * * * * root /bin/sh /tmp/commands_to_run_as_root.sh;exit;\n" might work better as a payload. <3 advisory.

On Thu, 13 Jul 2006 01:23:10 +0300 Ariel Biener <[EMAIL PROTECTED]> wrote:
> On Wednesday 12 July 2006 03:15, Roman Medina-Heigl Hernandez wrote:
>
> Ignore my previous post, it does create a setuid bash version in /tmp/sh, the
> reason it doesn't work is due to SELinux contexts.
>
> --Ariel
>
> > Maybe this is obvious for Paul Starzetz (as well as many other people) but
> > full-disclosure is not really "full" without exploit code.
> >
> > Working exploit attached. You can also download it from:
> > http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c
> >
> > Greetz to !dSR ppl :-)
>
> --
> Ariel Biener
> e-mail: [EMAIL PROTECTED]
> PGP: http://www.tau.ac.il/~ariel/pgp.html

--
Jack - [EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
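An added check from the defender's side, not part of this thread and not code from the exploit it discusses: a small Python audit of a system-crontab-style file (the `* * * * * root command` line format used by the payload above) that flags non-printable content around entry lines, lines cron would not parse, and root entries that execute something from a world-writable directory such as /tmp. The sample file contents and the function and constant names are constructed for this example.

```python
import re
import string

# System crontab entry (/etc/crontab and /etc/cron.d style): five time fields,
# a user name, then the command. "@reboot"-style shortcuts are also accepted.
CRON_RE = re.compile(
    r"^\s*(?P<time>(?:[0-9*,/-]+\s+){4}[0-9*,/-]+"
    r"|@(?:reboot|yearly|annually|monthly|weekly|daily|hourly))"
    r"\s+(?P<user>[A-Za-z_][A-Za-z0-9_-]*)\s+(?P<cmd>.+?)\s*$"
)
PRINTABLE = set(string.printable)
# Directories any local user can write to; a root entry executing from one of
# these is worth a second look regardless of how it got into the file.
WORLD_WRITABLE_RE = re.compile(r"\s(?:/tmp/|/var/tmp/|/dev/shm/)")


def audit_system_crontab(data: bytes):
    """Return a list of (kind, detail) findings for one cron file's raw bytes."""
    findings = []
    # latin-1 decoding is lossless, so any binary junk stays visible to the scan.
    text = data.decode("latin-1")

    # A genuine crontab is plain text. Non-printable bytes mean the entry lines
    # are embedded in something that is not a hand-written cron file.
    junk = sum(1 for ch in text if ch not in PRINTABLE)
    if junk:
        findings.append(("binary-content", f"{junk} non-printable bytes"))

    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m is None:
            # cron ignores such a line; report it only when it is readable text,
            # binary lines are already covered by the count above.
            if all(ch in PRINTABLE for ch in line):
                findings.append(("unparsable-line", f"line {lineno}: {line.strip()[:60]}"))
            continue
        user, cmd = m.group("user"), m.group("cmd")
        if user == "root" and WORLD_WRITABLE_RE.search(" " + cmd):
            findings.append(("root-runs-from-tmp", f"line {lineno}: {cmd}"))
    return findings


# Constructed samples: a normal distro entry, a file whose only real cron line is
# surrounded by binary junk, and a text file that is not a crontab at all.
SAMPLE_CLEAN = (
    b"# m h dom mon dow user command\n"
    b"17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
)
SAMPLE_SUSPICIOUS = (
    b"\x00\x01binary-prefix\xff"
    b"\n* * * * * root /bin/sh /tmp/commands_to_run_as_root.sh;exit;\n"
    b"\xfe trailing junk\x00"
)
SAMPLE_NOT_CRON = b"this is not cron\n"

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("suspicious", SAMPLE_SUSPICIOUS),
                       ("not-cron", SAMPLE_NOT_CRON)):
        print(name, audit_system_crontab(blob))
```

Run it as a script to see the findings for the three constructed samples, or point `audit_system_crontab` at the bytes of each file under a cron spool or drop-in directory during an incident review; the combination of "binary-content" and "root-runs-from-tmp" on the same file is the pattern worth escalating.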
