Recently, I was writing an exploit for a vulnerability that I had discovered in a Linux based server application. The flaw, when successfully exploited, allowed a file to be written anywhere on the file system with the permissions of the user running the server. In the case of the application I was targeting, it was often executed as root in order to bind to a privileged port and offered no ability to drop privileges after doing so.
After completing a proof of concept exploit that allowed a simple text file to be written to the root users home directory, I immediately wanted to explore options that could leverage this to provide code execution. The technique I settled on overwrote the existing /etc/crontab to execute my provided command payload. Being of sound body and mind, I typically want my shells to be delivered as soon as they can be. In terms for writing a payload to be executed by the Cron daemon, this involves executing the command every minute which may result in “too many” shells, if such a thing exists.
To avoid having the payload executed more than once, I crafted a crontab file which would execute one or more commands at the next minute change and then remove the malicious lines from the file. By removing the lines, the payload cleans up after itself to ensure it is not executed again. I achieved this by simply using a reverse grep (-v flag) to remove the crontab lines that execute every minute and rewrite the remaining lines.
The final result is a template crontab file which could be used in similar situations to execute a payload once at the next minute. The command to be executed as the payload needs to be inserted on line 15. Additional commands can be executed by specifying additional lines starting with the same */1 * * * * root prefix.
