>>
>> > I don't have an exploit script, but replacing your portmap with
>> > Wietse's would probably not hurt. Here's the blurb:
>>
>> I can Wietse's portmapper easily under SunOS, but other
>> architectures (Solaris, Irix, etc.) will not cooperate.
>>
>> Does anyone have any diffs or porting info? I'll post a summary.
>>
>
>rpcbind "plays" role of portmapper on Solaris 2.X, and there is a secure
>version of it, ftp.win.tue.nl:/pub/security, rpcbind on Solaris 2.X
>also allows you to steal filehandles; mount daemon doesn't do reserved
>port checking, and once a directory is exported to the host itself
>you can steal the filehandle.

If anyone is interested, I have a mountd for Solaris 2.3 that does
reserved port checking.

Casper